Looking for more information on how to do PHP the right way? Check out PHP: The Right Way

Community News:
HTTPoxy Vulnerability Announcement
Jul 19, 2016 @ 12:40:10

Recently a major security vulnerability was announced centering around the the HTTP "Proxy" header and how incorrect handling could result in major issues with external requests. In the PHP ecosystem, a major HTTP library - Guzzle - was vulnerable (along with any application using it). However, according to Michael Dowling, a lead developer on the project, a new release has already been made to correct the problem.

httpoxy is a set of vulnerabilities that affect application code running in CGI, or CGI-like environments. It comes down to a simple namespace conflict [between the "Proxy" and "HTTP_Proxy" headers]. This leads to a remotely exploitable vulnerability. If you’re running PHP or CGI, you should block the Proxy header now. Here’s how.

The main HTTPoxy site as more information about how you can test to see if your application is vulnerable and what software/server configurations are typically vulnerable. There's also more language-specific information on the page as well as some immediate mitigations for various web server types.

tagged: httpoxy http proxy header vulnerability announcement guzzle webserver

Link: https://httpoxy.org/

Alejandro Celaya:
Dispatch REST-like requests with a single controller class in Zend Expressive
Jun 27, 2016 @ 10:21:25

In a new post to his site Alejandro Celaya shows you how to dispatch REST-like requests in Zend Expressive using a single-controller method.

I was digging into Zend Expressive and how to use controllers that allow me to share dependencies between different routes, instead of having to use different middlewares every time. Abdul wrote a great article on this subject that you can find here, which also became part of Expressive's cookbook some time later.

This is a perfect approach that easily allows to reuse some code, but then I thought how to do something similar in a rest environment, having a single class with different dispatchable methods that will be called depending on the request's HTTP method. This is a possible solution based on ZF2's AbstractRestfulController.

He starts by creating an AbstractRestController class to handle the basics of the REST handling, essentially matching verbs to their actions. He then extends this with a RestUserController class that overrides the necessary methods for only the HTTP verbs you want to change. He then shows how to register the route so it can be used by any request verb type (GET, POST, PUT, etc).

tagged: zendexpressive tutorial rest request verb http zendframework2 abstractcontroller

Link: http://blog.alejandrocelaya.com/2016/06/24/dispatch-rest-like-requests-with-a-single-controller-class-in-zend-expressive/

Rob Allen:
Slim 3.4.0 now provides PSR-7!
May 09, 2016 @ 09:48:10

Rob Allen has a post to his site announcing the latest release of the Slim Framework - v3.4.0 - and an update that allows for full PSR-7 support, telling Composer that the framework fully supports it now as well.

I've been neglecting Slim's PR queue recently, so this weekend I dedicated a lot of time to merging all the good work that our contributors have done. As a result, I'm delighted to release version 3.4.0! This release has a larger set of changes in it than I would have ideally liked which is a direct consequence of having gone two months between releases rather than one.

One particularly interesting addition that we have a made this release is adding a provide section to our composer.json file. [...] This means that we have informed Composer that Slim provides a valid implementation of the interfaces in psr/http-message-implementation virtual package that defines the PSR-7 interfaces.

This basically means that if you're using other libraries/tools that require a PSR-7 compatible system to work correctly, they'll detect that Slim fully supports it.

tagged: slimframework slim3 psr7 support http message implementation composer

Link: https://akrabat.com/slim-3-4-0-now-provides-psr-7/

Lorna Mitchell:
OAuth2 with PHP's built in Streams Functions
Jan 07, 2016 @ 10:56:54

In a quick post to her site Lorna Mitchell reminds us that you can modify the options on the internal PHP streams (like for HTTP requests), more specifically to add a "Bearer" token value for OAuth2 integration.

For OAuth2, all I had to be able to do was to send an Authorization header with my web request from PHP. My second-favourite way of making API calls from PHP is to use PHP's stream handling, so I did that. It's not code you see very often but it's super-simple and it works on every PHP platform I've tried so far

She gives a few lines of code to show how to modify the options to add in the token value, basically using an array of options and a call to stream_context_create to create the context. This can then be used in future calls (like the file_get_contents she shows) to automagically send this information along with the request.

tagged: oauth2 http stream request builtin options bearer tutorial

Link: http://www.lornajane.net/posts/2016/oauth2-phps-built-streams-functions

SitePoint PHP Blog:
Breaking Free from Guzzle5 with PHP-HTTP and HTTPlug
Nov 09, 2015 @ 09:35:41

In a new tutorial from the SitePoint PHP blog editor Bruno Skvorc shows you how to "break free" from using the Guzzle HTTP client (which has become, by far, the most popular) and make it simpler to go with another option. He highlights the HTTPlug library that makes it easy to do just that.

In a previous series, we built a PHP client for Diffbot. The client works well and is in relatively widespread use – we even tested it on a live app to make sure it’s up to par – but it depends heavily on Guzzle 5.

There are two problems with this: Guzzle 6 is out, and supports PSR 7. [...] Someone implementing our client in their app might already have a preferred HTTP client in use, and would like to use theirs rather than Guzzle. [...] Coincidentally, there is a new project allowing us to do just that: HTTPlug.

He walks you through the installation of the library via Composer and covers what all kinds of functionality it contains. HTTPlug provides an "entry point" and unified interface for the HTTP client of your choosing, complete with interface packages to wrap the most common functionality. He shows how to refactor his Diffbot code to use the package, replacing the previous Guzzle dependency using the virtual package definition HTTPlug provides. He also updates some of the tests to use the HTTPlug package types rather than relying on Guzzle's object return types.

tagged: guzzle http client httplug library abstract tutorial

Link: http://www.sitepoint.com/breaking-free-from-guzzle5-with-php-http-and-httplug/

Cees-Jan Kiewiet:
ReactPHP: HTTP Client
Nov 05, 2015 @ 12:05:14

Cees-Jan Kiewiet has a post on his site focusing on the HTTP client side of the functionality offered by the ReactPHP. In this post he covers the basics of installation and usage with plenty of code examples (and screencasts of it in action).

Aside from a HTTP component ReactPHP also has a HTTP Client component that lets your send out HTTP requests. It is incredibly handy when you need to communicate with for example elasticsearch's REST API, AWS platform through their SDK or the RIPE Atlas API.

He walks you through the simple installation of the library (via Composer) and the code to send a simple request to an example.com domain, returning the HTML contents of the page. He then gets to some more complex examples: sending two requests at the same time, streaming the response body as it arrives and an example based on community feedback - streaming Twitter data. He ends the post with a community example showing the use of the Buzz HTTP client to make simple requests.

tagged: reactphp http client example stream twitter screencast

Link: http://blog.wyrihaximus.net/2015/11/reactphp-http-client/

SitePoint PHP Blog:
Build a Superfast PHP Server in Minutes with Icicle
Sep 17, 2015 @ 11:21:44

The SitePoint PHP blog has posted a new tutorial by Christopher Pitt showing you how to build a PHP server "super fast" with the help of the Icicle/http library and some event-driven programming techniques.

Event-based programming is a strange topic for PHP developers. In a language as procedural; events are little more than function calls. Nothing happens between events, and all meaningful code is still blocking.

Languages like JavaScript show us what PHP could be like if event loops were at the center. Some folks have taken these insights and coded them into event loops and HTTP servers. Today we’re going to create an HTTP server, in PHP. We’ll connect it to Apache to serve static files quickly. Everything else will pass through our PHP HTTP server, based on Icicle.

They start off showing you how to configure your Apache server to rewrite the requests (only for non-existent files) to the PHP handler. From there, he helps you get the Icicle/http library installed and create a simple HTTP server with it's included functionality. He shows how to set up routing using the LeagueRoute package and return correct HTTP response codes based on the result of the request. Finally he shows the use of the LeaguePlates library to render more complex views than just plain-text results.

tagged: tutorial http server icicle league plates route

Link: http://www.sitepoint.com/build-a-superfast-php-server-in-minutes-with-icicle/

Davey Shafik:
GuzzleHTTP VCR
Aug 24, 2015 @ 10:54:54

Davey Shafik has published a post about library he's created that's a sort of "recorder" for connections made with the Guzzle HTTP client - the Guzzle VCR.

A few days ago I pushed out a very small library to help with testing APIs using Guzzle: dshafik/guzzlehttp-vcr. [...] This is a simple middleware that records a request’s response the first time it’s made in a test, and then replays it in response to requests in subsequent runs.

The handler works by recording the responses from the API (ex: the JSON response data) and records them to files (again, JSON). A one-line call turns the "recording" on and points to a directory where the cached files should be stored. He shows how to use it in the constructor of your Guzzle client, setting it up as the "handler" for the requests. He also includes an example of a few unit tests that make use of the recording feature to check the response of a /test endpoint.

tagged: guzzle http client vcr recording response json cache handler

Link: http://daveyshafik.com/archives/69384-guzzlehttp-vcr.html

Phil Sturgeon:
Avoid Hardcoding HTTP Status Codes
Aug 17, 2015 @ 12:55:53

Phil Sturgeon has a post to his site with a good recommendation for those working with APIs and those "magic numbers" that are HTTP status codes - avoid hard coding them in your applications and tests.

A lot of things in programming are argued to death, but one subject where people almost unanimously agree is that magic numbers can be a pain in the ass, and they should be avoided whenever possible. Sadly when it comes to HTTP status codes, people keep on hardcoding them, and it leads to all sorts of confusion. [...] What is 409? If you answer without looking it up on Dash or HTTP Status Dogs then you are a machine.

He shows two implementations of this idea, one in Ruby and the other in Symfony, where the status code value is represented by a constant rather than by a number. The constant correlates to the HTTP status code (number) but the constant makes it easier to read and understand the code. He points out two libraries that can be substituted into your current testing to replace those hard coded values with more expressive versions: lukasoppermann/http-status and Teapot.

tagged: avoid hardcode http status code opinion expressive teapot httpstatus

Link: https://philsturgeon.uk/http/2015/08/16/avoid-hardcoding-http-status-codes/

Matthew Weier O'Phinney:
On PSR7 and HTTP Headers
Jul 29, 2015 @ 09:47:59

Matthew Weier O'Phinney has a new post to his site talking about PSR-7 and HTTP headers and how they (headers) are handled in the structure of this PHP-FIG specification.

Yesterday, a question tagged #psr7 on Twitter caught my eye: "When I call $request->getHeader('Accept') for example, I was expected that I'll get [an array] but, in reality I got [a string]. Is this correct?" In this post, I'll explain why the behavior observed is correct, as well as shed a light on a few details of header handling in PSR-7.

He talks about the planning that went into PSR-7 and how they had to work around some of the "flexibility" (quirks) in the HTTP specification. This was especially true when it came to repeated headers. He also walks through their thoughts on multiple header handling and that custom header values are allowed. Because of these two things, they decided to treat all headers as collections and, despite there being separators already in the values. Instead they collected headers of the same types into these collections, some containing only one value while others could contain multiple. Back to the question - this explains why the "Accept" header they desired was still in its comma-separated form and not split into the array they expected.

The [...] example provides another good lesson: Complex values should have dedicated parsers. PSR-7 literally only deals with the low-level details of an HTTP message, and provides no interpretation of it. Some header values, such as the Accept header, require dedicated parsers to make sense of the value.
tagged: psr7 http header collection separator multiple single

Link: https://mwop.net/blog/2015-07-28-on-psr7-headers.html