Looking for more information on how to do PHP the right way? Check out PHP: The Right Way

David Sklar:
Fixing Broken UTF-8
Aug 27, 2015 @ 10:48:29

David Sklar has a post to his site showing you how to fix broken UTF-8 characters in content being passed through the normal string functions.

When working on the i18n bits of Learning PHP 7, I had a problem. My example showing how plain string functions such as strtolower() and strtoupper() mangle multibyte UTF-8 characters was making the book formatting/rendering pipeline barf. The processing tools are expecing nicely formatted, valid, UTF-8 encoded HTMLBook files. It didn’t like the mangled invalid UTF-8 characters in my example output.

To fix this, I wrote the following function to replace invalid UTF-8 sequences with the Unicode Replacement Character (U+FFFD).

He includes the code for this method that walks through the string, character by character, and checks the bytes it contains to see how it needs to be translated. There's plenty of comments in it too, explaining what it's doing as it goes along.

tagged: fix broken utf8 character function example unicode replacement

Link: http://www.sklar.com/php/2015/08/25/fixing-broken-utf8/

MyTechBuilder.com:
Optional Value Control-flows in PHP using Traits and Magic-methods
Jun 18, 2015 @ 09:44:02

The MyBuilderTech.com site has a new tutorial posted talking about the use of traits and magic methods for optional value handling.

Recently I have been interested in experimenting with different ways to handle optional values. Their are many examples that exist demonstrating the use of the Maybe/Optional structure within the PHP landscape. I would instead like to focus my attention on only looking into the concept of 'orElse', which I have found to be a prominent control-flow whilst using these types of value. Typically, in an imperative mind-set we are accustom to evaluating a value, and based on its existence - defined as falsely in this regard - follow a different course of action, and by-way result.

He gives an example of where a value is checked for null and something else happens when it is. This is a common practice in PHP development, but he's more interested in other ways of handling. The first of these ways is with traits. His example shows an "OrElse" trait that can be used to perform the same evaluation but does some extra magic based on the method name called (his example is "findByIdOrElse"). If the trait method isn't for you, he also offers another possible solution around the use of composition. In this case he uses the same trait but makes it a part of its own class that's then given the object to work with (his "repository").

The post ends with one more "bonus" method for handling optional values - a simple function ("_or") that evaluates the arguments given and returns the first that's "truthy".

tagged: optional value control flow trait magicmethod function truthy

Link: http://tech.mybuilder.com/optional-value-control-flows-in-php-using-traits-and-magic-methods/

Simon Holywell:
Memoization or function cache
May 18, 2015 @ 11:09:17

Simon Holywell's latest post shares an interesting feature of PHP's static function handling that lets you cache the results of a function call to improve performance.

A little known feature of PHP’s static keyword is that it allows for memoization or function caching. This is a process whereby a functions heavy lifting can be cached so that subsequent calls are faster. It is possible to store any value in a memoized way such as arrays or even objects. This is done without any external side effects - that is to say that the code calling the function will require no changes to support memoization.

He includes an example of this in action, showing the use of a "static" keyword on a variable over two function calls. He goes through and explains how it works and the flow of the simple function. He builds this up a bit and shows the same functionality in the handling (and parsing) of a JSON document. He then gets more into the "real world" usage of this kind of static handling, pointing out that it can be very useful for caching without the need for an external service (like memcache or redis). His final example shows the caching of a function call using the same method and dependent on the arguments provided.

tagged: function cache static example tutorial memoization

Link: https://www.simonholywell.com/post/2015/05/memoization-or-function-cache/

Anthony Ferrara:
Security Issue: Combining Bcrypt With Other Hash Functions
Mar 13, 2015 @ 09:32:02

Anthony Ferrara has a new post today looking at a potential security issue in PHP applications when using bcrypt with encryption and other hashing functions. His findings have to do with some research he did on long passwords and denial of service attacks they might lead to.

The other day, I was directed at an interesting question on StackOverflow asking if password_verify() was safe against DoS attacks using extremely long passwords. Many hashing algorithms depend on the amount of data fed into them, which affects their runtime. This can lead to a DoS attack where an attacker can provide an exceedingly long password and tie up computer resources. It's a really good question to ask of Bcrypt (and password_hash). As you may know, Bcrypt is limited to 72 character passwords. So on the surface it looks like it shouldn't be vulnerable. But I chose to dig in further to be sure. What I found surprised me.

To find out exactly how things are processed he gets down into the C code behind the PHP functionality in the crypt function. He discovers something interesting about the way it determines the length of the input password. It loops over the key, taking one byte at a time but resetting when it comes across a null byte. While this method is safe in itself, he points out the real issue - using pre-hashing before the bcrypt password checking to, possibly, allow for longer passwords.

The problem is that this method could lead to those null bytes and cause issues with the password checking, especially if opting for the use of raw data. He includes a simple script to illustrate this problem, finding a few collisions for his made up key and "random looking" password. Thankfully, he includes a method for checking to ensure the hash doesn't contain a null byte. He points out that not all hashing combinations are at risk and suggests a few alternatives that can keep your application 100% safe.

The underlying problem is that combining cryptographic operators that weren't designed to be combined can be disastrous. Is it possible to do so safely? Yes. Is it a good idea to do it? No. This particular case is just one example where combining operations can be exceedingly dangerous.
tagged: bcrypt hash function combination issue crypt null byte

Link: http://blog.ircmaxell.com/2015/03/security-issue-combining-bcrypt-with.html

Julien Pauli:
On PHP function calls
Jan 22, 2015 @ 09:58:39

Julien Pauli has a new post today sharing an interesting function optimization he found using the Blackfire execution profiler.

This blog post is a technical explanation of a PHP optimization found with BlackFire profiler into a PHP script. The related post is located here : http://blog.blackfire.io/owncloud.html

He found that a replacement of a call to strlen with an isset optimized the script by about 20%. It's not typical though, he explains. He points out that the optimization worked so well because the call was part of a loop. He gets into some of the "under the covers" details of why this speed boost happens and even includes the op code output showing the difference. He then starts getting deep into the internal code for PHP and walks through each step made in the evaluation of a string's length. He finishes the post looking at isset (not technically a function) and how it handles its data checking. He also includes information about opcode caching and how to best maximize its impact.

tagged: function call strlen loop isset internals opcode cache performance

Link: http://jpauli.github.io/2015/01/22/on-php-function-calls.html

Joe Watkins:
Mocking PHP
Jan 19, 2015 @ 12:23:39

In his latest post Joe Watkins talks about mocking PHP. No, not making fun of the language but rather mocking internal PHP functions and methods as a part of unit testing your application.

I work on a vast PHP code base, it is 3M LOC of PHP alone. It's somewhere between legacy and modern, work is ongoing. [...] When I joined the current project there were many many tests, they relied upon the kind of unholy magic that runkit allows you to perform, for the most part this worked okay for a while. However, runkit inexplicably caused many of the tests to fault, either at shutdown, or at random.

[...] So we were in a bit of a jam, I've always found runkit to be quite awkward, and now I'm staring its source code in the face knowing it represents a road block to my goal of running the latest stable versions of PHP, with the first decent optimizer that ever existed for Zend. I tackled the problem with code, code which I was allowed by my gracious employer to open source (the uopz extension).

He goes on to talk about what the actual root problem he was trying to solve was (dodging code with built-in functions), the "obvious" way to solve it using runkit or the more modern solution that uses the uopz extension. He provides an example of it in use mocking the fopen function with a "uopz_function" wrapper.

tagged: mock internal method function extension uopz unittest

Link: http://blog.krakjoe.ninja/2015/01/mocking-php.html

Liip Blog:
Functional Programming in PHP
Nov 06, 2014 @ 12:20:35

On the Liip blog today there's a tutorial from Gilles Crettenand giving you an overview of functional programming in PHP. While PHP is not normally used as a functional language, it is possible to simulate the same effect.

Functional programming has gained a lot of traction those 3 to 5 last years. [...] Those [frameworks and languages] are all cool and shiny new toys, but we can benefit from some techniques without having to learn a new tool, just by applying some principles to our everyday PHP! But first of all, what exactly is functional programing?

He starts off with some of the basics of functional programming, some of the difficulties that can come with it and, of course, the advantages it can provide. From here he starts in with code examples. He shows how functions become "first-class citizens" and how they can be applied to various elements. He illustrates this with a few array manipulation examples. Next up are "utility functions" for evaluating the data given (like "any" or "all"). He ends the post looking at the idea of "memoization", or the caching of the results of function calls against data. He shows how to accomplish this with static local variables in PHP and includes a wrapper you can pass any callable function into and have the results cache automatically.

tagged: functional programming introduction language function cache

Link: http://blog.liip.ch/archive/2014/11/05/functional-programing-in-php.html

Anthony Ferrara:
What's In A Type
Oct 24, 2014 @ 13:55:39

In a new post to his site Anthony Ferrara takes on the topic of typing in PHP, discussing some of the main ideas around the current typing scheme and the discussions being have about potential changes.

There has been a lot of talk about typing in PHP lately. There are a couple of popular proposals for how to clean up PHP's APIs to be simpler. Most of them involve changing PHP's type system at a very fundamental level. So I thought it would be a good idea to talk about that. What goes into a type?

He starts at the highest level, covering what "typing" is in general and some of the tradeoffs that come with being a strongly typed versus weakly typed language. He then gets into PHP's two "semi-independent type systems" - one for objects and one for everything else. He includes some code examples to illustrate and how, for the non-object handling, context means everything for how the types are switched. He also talks about polymorphism, the chaos that could come from scalars becoming objects and a current RFC suggesting the addition of "safe casting" functions to PHP to provide less "magic" when shifting values from one type to another.

tagged: type switching casting rfc proposal function weak strong

Link: http://blog.ircmaxell.com/2014/10/whats-in-type.html

Joshua Thijssen:
Internal PHP function usage: revisited
Aug 06, 2014 @ 11:53:34

Joshua Thjissen has revisited some of his PHP internal function statistics, an update from this previous post with some results showing the most (and least) used internal PHP functions in several large projects from GitHub.

A lot of people are asking about functions like isset, empty, print, echo etc, as they are not present in the current result list. The thing is, is that these are not really functions, but language constructs. This means that PHP treats them a bit different than normal functions, and this results sometimes in seemingly “strange” behaviour when trying to use them like regular functions.

He's updated his results, though, to reflect the usage of these "functions" and shared the numbers. Not surprisingly, these constructs show up pretty highly in the new "top 22" list he's produced. With the inclusion of the constructs, the number one item on the list is now "isset" by a very large margin. The full results can be found in this gist.

tagged: internal function usage statistics github revisit construct language

Link: https://www.adayinthelifeof.nl/2014/08/05/internal-php-function-usage-revisited/

Joshua Thijssen:
Internal PHP function usage
Jul 28, 2014 @ 10:05:39

Curious about the usage of the various "internal" (built-in, not user defined) functions in use is a wide range of PHP applications, Joshua Thijssen did some research on GitHub and has shared the results on his site today.

How many internal PHP functions (things like count(), strpos(), array_merge() etc), does PHP have? Depending on which version you use, and how many extensions you have loaded, somewhere between 1000 and 2000 would be a good guess. But how many of these internal functions are you REALLY using?

He created a custom script to fetch the results of a custom query (one that found repos with over fifty stars), grabbed the source and parsed the results looking for these internal functions. He shares the results of his parsing from 967 repos in the remainder of the post, including: the top ten most called, some interesting facts found in the results and some of the "bad" ones in wide use (like "exec" and "mysql_connect").

tagged: internal function usage statistics github parse query

Link: https://www.adayinthelifeof.nl/2014/07/25/internal-php-function-usage/