Nikita Popov has posted the fourth part of the "PHP's Source Code for PHP Developers" series he and Anthony Ferrara have been posting. In this latest article in the series, Nikita looks specifically at PHP's array implementation and how it's handed "behind the scenes".

Welcome back to the fourth part of the "PHP's Source Code for PHP Developers" series, in which we'll cover how PHP arrays are internally represented and used throughout the code base.

He starts with an obvious foundation: "everything's a hash table" (even properties, classes and yes, arrays). He describes what a hash table is and talks about two of the most commonly used versions of it in the PHP source - HashTable and Bucket. He gets into their usage a bit and compares this to the corresponding PHP code that uses a standard array.

Following this recent post from Anthony Ferraara about the source code of the PHP language itself, Nikita Popov is working with him and has produced the second part of the series, a look at finding the internal function definitions for the PHP functions you use every day.

In the previous part ircmaxell explained where you can find the PHP source code and how it is basically structured and also gave a small introduction to C (as that's the language PHP is written in). If you missed that post, you probably should read it before starting with this one. What we'll cover in this article is locating the definitions of internal functions in the PHP codebase, as well as understanding them.

He starts with a basic example - a string function, strpos. He shows a handy searching trick to help find the actual function definition and which matches should be given priority. He lays out a typical skeleton of a PHP function definition and gets into some detail as to what this particular function does (in C). He briefly mentions the Zend Engine functions and a look ahead to finding classes and methods.

Brandon Savage has a new post to his blog about what he calls a XSS vulnerability in the making, something to watch out for when you're doing validation in PHP involving the possibility of numbers as strings.

Back in September, Socorro received a security bug relating to the method we were using for processing inputs for the duration of certain reports. The vulnerability included a proof of concept, with an alert box popping up on production when the link was followed. [...] I was quite surprised at the root cause of the vulnerability. We had opted to compare the incoming data against a known set of valid values - a common practice when whitelisting certain inputs. [...] As expected, when this [example] code is tested, a string of '3' and an integer of 3 work equally well, and a string of '5' and an integer of 5 fail equally.

This automatic casting that PHP does internally caused another issue as well - if the string passed in even started with a valid number from their whitelist set, it still passed.

At first we thought this surely had to be a bug in PHP. However, Laura Thomson told me "If comparing two values, type juggling is performed first, which means that the string is converted to a number. This is done by taking the first number found in the string. So this may be confusing/a quirk/a gotcha, but it isn't a bug." And she's right: this isn't a bug per se, but it's certainly an interesting "gotcha."

Alexey Zakhlestin has a new post today with some of his own thoughts on the suggestion for a built-in web server (RFC) that's been floating around lately - a tool that would act as a simple server right out of the box without much in the way of configuration.

There are a lot of talks today about "Built-in web server" [for PHP] RFC by Moriyoshi Koizumi. There is a nice discussion on Hacker News (and 2 threads on reddit: here and here). So, here's couple of cents from me.

Alexey agrees with the suggestion and notes it'd be a welcome addition to the PHP toolset. He also reminds developers that it wouldn't (and shouldn't) be used in production.

PHPBuilder.com has posted a list of resources that they offer to help both beginning and experienced PHP developers to further their knowledge:

PHP is one of the most popular scripting languages used to develop applications on the web today. As a result, internet.com has a multitude of PHP resources throughout our network of websites. Here are some of our best PHP resources, along with some featured tutorials and out-of-network resources that you may not know about.

The grouping of links also include external resources like the main PHP site and Zend's website.

Greg Beaver, noting some issues that Derick Rethans had pointed out about namespace support for upcoming PHP versions, has posted about a patch he submitted to solve the problem simply.

The issue Derick pointed out:

In PHP 5.3 this would alias the class Interval in the namespace PEAR::Date to the class Interval. For now, this code would work just fine. However, if PHP would introduce a class "Interval" at some point in the future (and PHP can do this as it owns the global namespace) then the above code would suddenly stop working.

Greg's patch makes it possible to "override" the internal class if need be, making it so that code currently working wouldn't break. All it takes is to "use" is like you normally would and and the magic happens behind the scenes.

In this post on the Dokeos blog, there's a comparison of the mbstring function and the iconv library as it pertains to their use on multi-byte strings.

I was wondering today why use mbstring rather than iconv in Dokeos, and honestly I didn't remember exactly why I had chosen mbstring in the past, but finding information about the *differences* between the two. [...] Searching a bit more, I found a PPT presentation from Carlos Hoyos on Google.

Essentially, it boils down to how the library is integrated - mbstring is bundled and iconv is pulled from an external source. So, if you're looking for maximum portability, he recommends mbstring.

On the Stubbles blog, Frank Kleine offers some advice to developers looking to use the Reflection API - "don't trust it".

If you try to get informations about parameters from methods of internal classes - forget that. Examining several internal classes my key findings are: either there is no information about parameters available and the reflection API says the method does not have any parameters, or the information about the parameter is wrong.

He includes code examples along side the output from the script to illustrate his point.

With all of the good news they've posted about the mysqlnd driver, the developers behind the Internet Super Hero blog know that there will be bugs that come up in the driver. So, they've addressed the right way to find and deal with these issues in a new blog entry.

he bad news: mysqlnd might have bugs. How to report and debug these bugs - using mysqli_debug() - is subject of this posting.

They step you through the process for finding out what's causing the problems (internal versus external debugging) and how to make client traces with the mysqi extension to make it even easier for the developers to track down the problem. They also suggest a few things to send along with your bug report - like the PHP code calling it or the SQL you're using to select/update/insert/delete the data from your database.

Today, Pierre-Alain Joye has fomally announced his "retirement" from working with the PEAR project as a lead developer. He's making a shift to work mainly towards other graphics/imaging work he's been developing and to continue work with his current extensions (and a few new ones on the way).

I spoke with him on some of the things that had lead up to making this decision and he mentioned it as a two-fold reason: one was some personal conflict between other PEAR developers and himself and the other an issue of time and interest in the project. He still wants to see it succeed, but just doesn't see the time in his life right now to do his part. Pierre will continue to work with the PECL extensions and on the PHP internals groups to help improve and develope them towards future versions. Some of the extensions he lists as the ones currently in his development are things like GD, xmlwriter, Zip (of course), and filter.

It is just a normal process, things and people change. I would have preferred a slower switch, as I was working on my leave (giving lead for many of my packages to other friends).

Pierre's PEAR work can be seen on this page of his blog and includes all of his PEAR and PECL work as well as PHP internals and Pimp/Cairo/GD development work.

You can also check out the decision in his own words over on his blog.