
Zend Developer Zone:
Developing a Z-Ray Plugin 101
Nov 04, 2015 @ 10:44:13

The Zend Developer Zone has posted a tutorial showing you the basics of creating a plugin for Z-Ray, the tool from Zend that provides details and metrics around the execution of your application.

One of the great things about Z-Ray is the ability to extend it to display any info you want about your app. This is done by creating plugins. In this tutorial I’m going to describe how to create a new Z-Ray plugin. I’ll be supplying code snippets to insert in the various plugin files but of course feel free to replace it with your own code when possible.

They start by describing how Z-Ray shows its data and offering two options - the default panel or a custom panel. They choose the custom panel and show you how to:

  • create the template for the panel
  • make the module directory and the zray.php file
  • create the Modules.php file to define the plugin

There's also a section on how the Z-Ray plugin traces through the execution of your application, illustrated with a DummyClass. They include the code to set up the trace and define which methods and actions to watch. Finally they relay this information back out to the custom panel view via a JavaScript collection and show the code to display the results.

tagged: zray plugin custom performance dummyclass execution tracer tutorial

Link: http://devzone.zend.com/6826/developing-a-z-ray-plugin-101/

Creating flamegraphs with XHProf
Jul 30, 2015 @ 10:08:27

The Platform.sh blog has a post showing you how to create flamegraphs with XHProf for your application's execution and overall performance. A "flamegraph" is just a different sort of graph stacking up the execution times for the methods and functions in your application so they look more like a "flame" than just numbers.

One of the most frequent needs a web application has is a way to diagnose and evaluate performance problems. Because Platform.sh already generates a matching new environment for each Git branch, diagnosing performance problems for new and existing code has become easier than ever to do without impacting the behavior of a production site. This post will demonstrate how to use a Platform.sh environment along with the XHProf PHP extension to do performance profiling of a Drupal application and create flamegraph images that allow for easy evaluation of performance hotspots.

While they show it at work on a Platform.sh instance, the method can be altered slightly to work with your own application with the right software installed. Their example uses the brendangregg/FlameGraph library to do the majority of the graphing work. They show how to have the code switch on XHProf during execution and where to put the output file for later evaluation. They include the resulting directories and files created from the execution and show how to view the resulting (SVG-based) graphs directly in a browser.

tagged: xhprof flameframe execution performance graph tutorial platformsh

Link: https://platform.sh/2015/07/29/flamegraphs/

Lorna Mitchell:
Code Reviews: Before You Even Run The Code
Jun 02, 2015 @ 09:50:01

Lorna Mitchell has posted a list of helpful tips to perform good code reviews on submissions before even trying to run the code for correctness.

I do a lot of code reviewing, both in my day job as principal developer and also as an open source maintainer. Sometimes it seems like I read more code than I write! Is that a problem? I'm tempted to say that it isn't. To be a good writer, you must be well-read; I believe that to be a good developer, you need to be code-omnivorous and read as much of other people's code as possible. Code reviews are like little chapters of someone else's code to dip into.

She offers several tips you can follow to make the reviews you do more effective including:

  • Ensure you understand the change
  • Check that the changes are where you'd expect
  • Check that the commit history makes sense
  • Evaluate the diff to ensure the changes themselves are valid

She only then recommends trying out the code. Following the suggestions above can help ferret out issues that may be hidden by just running the code and not fully looking into the changes.

tagged: code review suggestion list opinion before execution

Link: http://www.lornajane.net/posts/2015/code-reviews-before-you-even-run-the-code

Qandidate.com Blog:
Fault tolerant programming in PHP
Jul 17, 2014 @ 10:44:04

The Qandidate.com blog has a new post today looking at fault tolerant programming in PHP applications. Essentially, this means writing your code so that error conditions are handled gracefully and with as little impact as possible.

In your application, every time you call an "external" service you are vulnerable to the failure in that service. That either might be a third party API being down, your database being unresponsive or unexpected errors from the 3rd party library you are using. With many developers and companies being interested in composing applications out of microservices at the moment, guarding for failures because of broken dependencies gets even more important.

They describe a situation where data is coming from an external source (an inventory service) and a timeout or connection failure occurs. They propose a sort of "circuit breaker" to be put in place to protect the application, fail fast on error and maybe even retry until the request is successful. They also point out a library from oDesk, Phystrix, that allows for fault tolerant execution through a wrapper that traps errors and deals with them instead of just breaking. This is the first part of a series, so in part two they'll show the library in use along with the React HTTP client.
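The "circuit breaker" described above, as an added example that is not from the Qandidate post or the Phystrix library: a breaker that fails fast once a hypothetical inventory service has failed a few times in a row and lets one probe request through after a cooldown (InventoryClient::fetchStock() is assumed to exist and to throw on timeout or connection failure; retries are left out).

```php
<?php
// Added example (not from the Qandidate post or Phystrix): a minimal circuit breaker
// around a call to a hypothetical inventory service. InventoryClient::fetchStock()
// is assumed to exist and to throw on timeout or connection failure.
class CircuitBreaker
{
    const CLOSED    = 'closed';    // calls go through to the service
    const OPEN      = 'open';      // fail fast without calling the service
    const HALF_OPEN = 'half-open'; // one trial call allowed after the cooldown
    private $state = self::CLOSED;
    private $failures = 0;
    private $openedAt = 0;
    private $failureThreshold;
    private $cooldownSeconds;

    public function __construct($failureThreshold = 3, $cooldownSeconds = 30)
    {
        $this->failureThreshold = $failureThreshold;
        $this->cooldownSeconds  = $cooldownSeconds;
    }

    // Runs $action; after $failureThreshold consecutive failures the circuit opens and
    // callers get $fallback immediately until the cooldown has elapsed.
    public function call(callable $action, callable $fallback)
    {
        if ($this->state === self::OPEN) {
            if (time() - $this->openedAt < $this->cooldownSeconds) {
                return $fallback(new RuntimeException('inventory circuit is open'));
            }
            $this->state = self::HALF_OPEN; // cooldown over: let one request probe the service
        }
        try {
            $result = $action();
            $this->failures = 0;           // success closes the circuit again
            $this->state = self::CLOSED;
            return $result;
        } catch (Exception $e) {
            $this->failures++;
            if ($this->state === self::HALF_OPEN || $this->failures >= $this->failureThreshold) {
                $this->state = self::OPEN;
                $this->openedAt = time();
            }
            return $fallback($e);          // degrade instead of propagating the failure
        }
    }
}
$breaker = new CircuitBreaker(3, 30);
$stock = $breaker->call(
    function () { return InventoryClient::fetchStock('sku-123'); },
    function (Exception $e) { return null; } // null = "availability unknown" in the view
);
```

A single breaker instance should be shared per downstream service (for example via the container) so that failures observed by one request protect the next.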

tagged: fault tolerant application phystrix library execution failure

Link: http://labs.qandidate.com/blog/2014/07/14/fault-tolerant-programming-in-php/

Lorna Mitchell:
PHP 5.6 Benchmarks
May 19, 2014 @ 09:32:18

Lorna Mitchell has put together a set of benchmarks for PHP 5.6, comparing it to the three previous minor versions (PHP 5.5, 5.4 and 5.3), based on the same setup as her previous benchmarks of PHP 5.4.

A while ago I did some benchmarks on how different versions of PHP perform in comparison to one another. This isn't a performance measure in absolute terms, this was just benchmarking them all on the same laptop while it wasn't doing anything else, and averaging the time it took to run the benchmark script. Recently I ran it again for versions PHP 5.3 through PHP 5.6 and I thought I'd share my results.

There's a steady drop in execution time over the series of versions, with PHP 5.6 coming in the shortest. She also includes the actual numbers of the results in case you'd like to chart them out yourself.

tagged: php56 benchmark previous version execution time

Link: http://www.lornajane.net/posts/2014/php-5-6-benchmarks

Chris Jones:
Tracing Silex from PHP to the OS with DTrace
Nov 06, 2013 @ 12:31:23

Continuing his look at using DTrace with PHP, Chris Jones has a new post in the series showing how to add traces to Silex-based applications, including sample output.

In this blog post I show the full stack tracing of Brendan Gregg's php_syscolors.d script in the DTrace Toolkit. The Toolkit contains a dozen very useful PHP DTrace scripts and many more scripts for other languages and the OS. For this example, I'll trace the PHP micro framework Silex, which was the topic of the second of two talks by Dustin Whittle at a recent SF PHP Meetup. His slides are at Silex: From Micro to Full Stack.

He includes a brief guide to getting DTrace support up and running, based on instructions in a previous post that use pre-built Oracle Linux packages. He links to the latest DTrace Toolkit and to the downloads page for the latest version of Silex. He sets up a super-basic Silex application (one route, "hello") and shows how to run DTrace against it. His sample output shows both the PHP files being called and the functions/methods called inside them, resulting in output over a thousand lines long.

tagged: silex dtrace trace execution oracle package toolkit tutorial

Link: https://blogs.oracle.com/opal/entry/tracing_silex_from_php_to

Composer still susceptible to remote code execution via MITM
Oct 03, 2013 @ 11:26:15

In this recent post to Reddit.com, a point is raised about the popular PHP package manager, Composer, being susceptible to a common attack, the "Man in the Middle". This issue on the project's GitHub repository talks more about it:

Composer runs code from HTTP sources without validating the source of the download or the code downloaded. As such, trivial man-in-the-middle attacks through any number of vectors (DNS, networking, local server exploit, etc.) will result in execution of code of an attacker's choosing at the user level of the user running composer (typically a developer account).

Replace getcomposer.org for a given network perspective by replacing it with a malicious HTTP instance (e.g. by changing the DNS locally, at the LAN, at an ISP or hosting provider DNS resolver, or globally, or equally easily by replacing a route to the legitimate server (e.g. arpspoof)). The HTTP server instance is configured to serve a malicious /composer.phar and a /version URL that produces random data. When users run self-update, the malicious code will be downloaded and run as the user that is executing the self-update command.

As yet some patches and ideas have been proposed to correct this issue, but it hasn't been resolved and is currently listed as a "blocker" on the project. One suggestion, signing packages, seems to be the front-runner in the current discussion, something that package managers for other languages have already implemented (like npm for Node.js and pip for Python).
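The validation the issue says is missing, as an added example that is not Composer's own code: fetch the phar only over TLS with certificate checks and compare its SHA-256 against a digest obtained out of band before writing it to disk. The URL and digest are placeholders; pinning a digest is the simpler cousin of the package signing proposed in the discussion.

```php
<?php
// Added example (not Composer's own code): download a phar over TLS with certificate
// verification and refuse to keep it unless its SHA-256 matches a digest obtained out
// of band. The URL and digest below are placeholders.
function fetchVerifiedPhar($url, $expectedSha256, $destination)
{
    // Require HTTPS so a plain-HTTP source (or downgrade) is rejected outright.
    if (parse_url($url, PHP_URL_SCHEME) !== 'https') {
        throw new RuntimeException("refusing non-HTTPS source: $url");
    }
    // Verify the server certificate and hostname explicitly; PHP stream contexts
    // before 5.6 did not do this by default.
    $context = stream_context_create(array('ssl' => array(
        'verify_peer'       => true,
        'verify_peer_name'  => true,
        'allow_self_signed' => false,
    )));
    $data = file_get_contents($url, false, $context);
    if ($data === false) {
        throw new RuntimeException("download failed: $url");
    }
    // Constant-time digest comparison (hash_equals needs PHP >= 5.6).
    $actual = hash('sha256', $data);
    if (!hash_equals($expectedSha256, $actual)) {
        throw new RuntimeException("digest mismatch: expected $expectedSha256, got $actual");
    }
    // Only a verified file ever reaches disk, so nothing unverified can be executed.
    if (file_put_contents($destination, $data) === false) {
        throw new RuntimeException("cannot write $destination");
    }
    return $destination;
}

// Placeholder values: the real digest must come from a trusted channel,
// not from the same server that serves the phar.
$expected = 'EXPECTED_SHA256_DIGEST_PLACEHOLDER';
$phar = fetchVerifiedPhar('https://example.invalid/composer.phar', $expected, __DIR__ . '/composer.phar');
```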

tagged: composer package manager remote code execution attack maninthemiddle mitm

Link: http://www.reddit.com/r/PHP/comments/1nkmw8/composer_still_susceptible_to_remote_code/

SitePoint PHP Blog:
Running Tasks in the Cloud with IronWorker
Sep 13, 2013 @ 10:37:09

On the SitePoint PHP blog today there's a new tutorial showing you how to run tasks "in the cloud" using PHP and the IronWorker service.

In this article I’m going to show you how we can use IronWorker to run code in the Cloud, just as if it were being run inside our PHP application’s code. There are a number of advantages to running tasks in the cloud, for example: processor-intensive tasks can be offloaded from your web server, better fault tolerance and the execution of your code isn’t blocked waiting for long-running tasks.

The tutorial uses a Ruby-based CLI tool and this PHP package to set up and execute the tasks. They walk you through the creation of a first task script and help you create the ".worker" file it needs to execute. With the IronWorker PHP package, you can quickly create these workers and configure things like the schedule, the data to send or - as their last example shows - send emails directly from the worker.

tagged: ironworker cloud task execution ironio

Link: http://www.sitepoint.com/running-tasks-in-the-cloud-with-ironworker/

Facebook invents a PHP virtual machine
Aug 08, 2013 @ 10:20:54

On JavaWorld.com there's a new article about an update Facebook has made to its HipHop virtual machine (HHVM) that is supposed to execute PHP nine times faster than normal.

Social networking giant Facebook has taken another step at making the PHP Web programming language run more quickly. The company has developed a PHP Virtual Machine that it says can execute the language as much as nine times as quickly as running PHP natively on large systems.

An engineering manager for Facebook pointed out the goal of the update - "to make PHP run really, really quickly." The HHVM compiles down the PHP code into C and executes it directly, removing the need for the PHP interpreter.

HHVM is the next step for Facebook. Under development for about three years, HHVM actually works on the same principle as the JVM (Java Virtual Machine). HHVM has a JIT (just-in-time) compiler that converts the human readable source code into machine-readable byte code when it is needed. (The previous HipHop, renamed HPHPc, has now been retired within Facebook.)

You can find out more about the HipHop virtual machine over on Facebook.

tagged: facebook virtual machine hiphop vm execution compile

Link: http://www.javaworld.com/javaworld/jw-07-2013/130726-facebook-invents-php-virtual-machine.html

Pádraic Brady:
Getting Ahead In Security By Watching The Neighbours
Jan 18, 2013 @ 11:53:52

In his latest post Pádraic Brady talks about the recent security issues with Ruby on Rails that allowed for remote code execution and how, if you use code blindly, you could be in for a similar fate.

Code execution vulnerabilities are, by definition, hideous monsters. The ability for external inputs to enter an execution context (i.e. injecting or manipulating code that is executed on the server) can be difficult to spot through the haze of convenience that such machinations are often designed to deliver. In Rails’ case, that convenience was to automatically cast data entries in XML or YAML inputs into Ruby types including, unfortunately, Symbols and Objects.

These types of “buried” code execution vulnerabilities are still easy to locate in PHP, at least, because you are still restricted to normal code execution pathways in the absence of Ruby’s dark magic, e.g. eval(), include(), require_once(), system() and, let’s not forget, unserialize().

He talks about how, if you're not careful with the code (third party libraries) that you use in your applications - or don't adhere to good security practices in your own - you could be vulnerable to a similar style of attack. After some investigation on his part, he discovered an issue related to this in the Symfony2 YAML parser (now fixed with a new release).

To summarise…

Pay attention to competing applications or frameworks – their problems may also be your problems. If you’re worried about arbitrary code execution vulnerabilities then audit your code. You can even, as a sanity check, use grep to find uses of functions like eval(), unserialize(), etc and analyse where their parameters might originate from.
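One way to run the grep-style sanity check the post suggests with fewer false positives, as an added example that is not from the post: PHP's own tokenizer lists calls to the functions the post names while ignoring comments and string literals. The directory comes from the command line; dynamic calls such as $fn() are not covered.

```php
<?php
// Added example (not from Pádraic Brady's post): token-based audit that lists calls to
// the functions the post names, skipping matches inside comments and strings that a
// plain grep would report. Usage: php audit.php /path/to/src
$watchlist = array('eval', 'include', 'require_once', 'system', 'unserialize');

function findRiskyCalls($file, array $watchlist)
{
    $hits = array();
    $tokens = token_get_all(file_get_contents($file));
    foreach ($tokens as $i => $token) {
        if (!is_array($token)) {
            continue; // single-character tokens such as '(' or ';'
        }
        list($id, $text, $line) = $token;
        // eval/include/require_once are language constructs with their own token ids;
        // system/unserialize are plain function names (T_STRING) followed by '('.
        $isConstruct = in_array($id, array(T_EVAL, T_INCLUDE, T_REQUIRE_ONCE), true);
        $prev = $i > 0 ? $tokens[$i - 1] : null;
        $isMethod = is_array($prev) && in_array($prev[0], array(T_OBJECT_OPERATOR, T_DOUBLE_COLON), true);
        $isFunction = $id === T_STRING && !$isMethod
            && in_array(strtolower($text), $watchlist, true)
            && isset($tokens[$i + 1]) && $tokens[$i + 1] === '(';
        if ($isConstruct || $isFunction) {
            $hits[] = array('line' => $line, 'name' => strtolower($text));
        }
    }
    return $hits;
}

$dir = isset($argv[1]) ? $argv[1] : '.';
$files = new RegexIterator(
    new RecursiveIteratorIterator(new RecursiveDirectoryIterator($dir)),
    '/\.php$/'
);
foreach ($files as $file) {
    foreach (findRiskyCalls((string) $file, $watchlist) as $hit) {
        // Each hit is a starting point: trace where its argument originates.
        printf("%s:%d %s()\n", $file, $hit['line'], $hit['name']);
    }
}
```

Each reported line still needs a human to follow the argument back to its source; the tokenizer only narrows the list to places where such a function is actually invoked.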

tagged: rubyonrails security vulnerability code execution yaml symfony2