October 2015 Issue Released - Integrating Extensions
Oct 01, 2015 @ 11:12:46

The php[architect] magazine has released their latest edition, their issue for October 2015 - "Integrating Extensions":

This issue shows you how to use Solr search directly from PHP and put it to good use, explains how PHAR files work to bundle PHP applications in a single file, and provides a case study in using libfann from PHP to create and train a neural network.

Also, you can read up on how to prepare for PHP 7, learn PHP type casting peculiarities, migrate from WordPress to Sculpin, a chat with Stefan Koopmanschap, and more.

This month's issue also includes a free article so you can get a sampling of the magazine: Casting Tales in PHP. You can pick up just this issue or grab a year-long digital/print/combo subscription directly from the php[architect] website.

tagged: phparchitect magazine october2015 extensions issue release

Link: https://www.phparch.com/magazine/2015-2/october/

Matthew Weier O'Phinney:
Fixing Version Issues When Running Composer from a Branch
Sep 11, 2015 @ 10:55:04

Matthew Weier O'Phinney has posted an article to his site showing you how to fix version issues in branches when using Composer packages and libraries in your applications.

For the Zend Framework component repositories, we occasionally need to backport changes to the 2.4 LTS releases. This requires checking out a branch based off the last LTS tag, applying patches (often with edits to translate PHP 5.5 syntax to PHP 5.3), and running tests against PHP 5.3 and 5.4.

Of course, to run the tests, you need the correct set of dependencies installed. If you have any component dependencies, that means running a composer update to ensure that you get the 2.4 versions of those components. And that's where my story begins.

He talks about some of the issues he's come across when testing components: Composer, not understanding that the environment has changed, does not load the correct versions of the necessary libraries. He first tried to fix the dependencies himself, adjusting the required version numbers, but with no luck. Finally he stumbled across something on the Composer site that helped: the ability to define a "root version" environment variable that made it adhere to the versions he needed.

tagged: composer dependency branch issue incompatible environment variable

Link: https://mwop.net/blog/2015-09-09-composer-root.html

September 2015 Issue Released - Security Boot Camp
Sep 02, 2015 @ 12:19:02

The latest issue of the php[architect] magazine has been released for September 2015. In this latest issue they focus on security in PHP along with the same columns you know and love.

In this issue, we have an overview of the various techniques that malicious users can use to attack your application, a deep dive into how passwords can be stored securely and how PHP’s built-in password functions make this easier, a look at how to set up a PHP-based Intrusion Detection System, and how to use PDO to guard against SQL injection attacks.

Elsewhere, there’s a look at how to think like a functional programmer, an introduction to using Sculpin for generating a static site, an interview with Elizabeth Naramore, and more.

This month's issue includes articles like:

  • Basic Intrusion Detection with Expose (Greg Wilson) (read this one free here)
  • Keep Your Passwords Hashed and Salted (Leszek Krupiński)
  • Leveling Up: DeLoreans, Data, and Hacking Sites (David Stockton)

...as well as the "Education Station", "Community Corner" and "finally{}" columns from returning authors. You can purchase your copy of this month's issue directly from the php[architect] website either as a single issue or as a part of a subscription.

tagged: phparchitect magazine sept2015 security issue release

Link: https://www.phparch.com/magazine/2015-2/september/

BitExpert Blog:
Running pdepend on PHP7
Aug 18, 2015 @ 09:57:19

On the BitExpert blog there's a post that shows you how to use the pdepend tool on PHP7, an automated tool that shows you the "quality of your design in the terms of extensibility, reusability and maintainability".

Being a good citizen of the PHP community we do test out internal libs against the current PHP7 codebase. So far we had no issues but then one day one of our Jenkins PHP7 jobs failed. After investigating a bit it turned out that the problem was not part of our codebase but part of pdepend. The pdepend process died with the error message that "T_CHARACTER and T_BAD_CHARACTER are no longer defined" which is true. The error was already reported as an issue on Github.

Unfortunately, as the problem here is a change to the core PHP language itself, there's not much of a workaround other than to just not run the affected jobs. He outlines how they detect the tests that have problems and skip them, but only when run on PHP7. This lets them run all of the other tests and allows the automated system to do its work. When/if the problem is fixed in pdepend, all that's needed is to remove this one check and they're good to go.

tagged: pdepend phpdepend php7 skip test version error github issue

Link: https://blog.bitexpert.de/blog/running-pdepend-on-php7/

June 2015 Issue Released - APIs (and it's free!)
Jun 02, 2015 @ 13:48:38

php[architect] has a new post about the release of their latest issue (June 2015) - "APIs" - and how it's been made free for download.

That's right - thanks to Nexmo, June's issue on APIs is free of charge for the month! [...] The promise of Application Programming Interfaces (APIs) is really bearing fruit in today's Web. Of course, we are not talking about internal APIs but of HTTP-based ones that allow us to interact with external systems - whether it's saving or searching images in Flickr, getting weather conditions, or transcoding video. For many tasks, if you sign up to use the right APIs, you can build a fully functional application by writing PHP scripts which coordinate the workflow and communications between APIs.

This issue includes articles like:

  • "SPOIL Your Users with Great Helper Libraries" (Keith Casey)
  • "High-Performance PHP APIs" (Simone Di Maulo)
  • "Putting the Pieces Together: Building APIs with Aura (and Other) Libraries" (Ian Littman)
  • "The API Toolbox" (Tim Lytle)

If you've ever been interested to see what php[architect] is all about or want to find out more about making and working with great APIs, be sure to grab your free copy today!

tagged: phparchitect magazine june2015 issue release api free nexmo

Link: http://www.phparch.com/2015/06/june-issue-on-apis-free-download/

Blackfire.io Blog:
How Blackfire leverages Docker
May 01, 2015 @ 10:08:34

The Blackfire.io PHP debugging service (from SensioLabs) has a new post to their blog today talking about how the service makes use of Docker to build the environments for testing out their users' code.

As you may know, Blackfire was represented at the SymfonyLive conference in Paris. During this event, several people came to us and asked how we use Docker at Blackfire.io. One of our goals is to make profiling straightforward for anyone, and it means that we need to be able to easily test our product on a lot of different platforms. And Docker gives us the ability to spin up new containers in milliseconds.

Moreover, our website relies a lot on different tools, so containers can also help us reach an iso-production development environment. But Docker is only available on Linux and a big part of the Blackfire team is using MacOS X. So how can one using MacOS X use the best of both worlds?

The post goes on to talk about their use of the boot2docker tool and how they can use it to help with the environment customization most developers want out of their testing. They show how it updates the network settings, works with file sharing, allows for multiple domain names/containers and solutions to some other common issues including no container access, no name resolution and a "bonus" section with a Skydock plugin for custom DNS naming.

tagged: blackfireio docker example common issue boot2docker

Link: http://blog.blackfire.io/how-we-use-docker.html

April 2015 Issue Released - Front-End Polish
Apr 14, 2015 @ 11:05:47

php[architect] magazine has officially released their April 2015 edition - "Front-End Polish".

It’s safe to say that a majority of PHP programmers prefer working on “back end” code. Many interesting problems live in that domain. But we can’t forget that the front end—usually HTML, CSS, and JavaScript—is where users will interact with our applications. The joy or frustration they experience trying to get a task done affects their perception of how good (or poor) your solution is for a long time. Even if you don’t want to be a front end designer or developer, you must be familiar with User Experience and the technologies used in the user interface (UI) to understand how people will use it, to help reduce sources of frustration, and to prevent errors.

Articles in this month's issue include:

  • Object Oriented JavaScript (Part the Second)
  • The Browser Capabilities Project in 2014
  • UX Without the Process
  • PHP Conference Newbies 101

Head over to the php[architect] website to pick up a (print or digital) copy of your own!

tagged: phparchitect magazine april2015 frontend issue release

Link: http://www.phparch.com/magazine/2015-2/april/

March 2015 Issue Released - DB Migration
Mar 16, 2015 @ 12:50:49

php[architect] magazine has released their March 2015 edition - DB Migration:

Because databases store the data our applications, they need proper care and feeding too. In “DB Migrations”, David Berube shares what he’s learned to properly design your databases, Harrie Verveer looks at “Database Versioning with Liquibase”, and Patrick Schwisow shows you how to consolidate Doctrine Migrations that have gotten unwieldy.

Other topics in this month's edition include a "deep dive" into PHP extensions, object oriented JavaScript, bitwise math and much more. You can pick up your own copy - either virtual (PDF) or in print - from the php[architect] website.

tagged: paprchitect magazine march2015 issue release db migration

Link: http://www.phparch.com/magazine/2015-2/march/

Anthony Ferrara:
Security Issue: Combining Bcrypt With Other Hash Functions
Mar 13, 2015 @ 09:32:02

Anthony Ferrara has a new post today looking at a potential security issue in PHP applications when using bcrypt with encryption and other hashing functions. His findings have to do with some research he did on long passwords and denial of service attacks they might lead to.

The other day, I was directed at an interesting question on StackOverflow asking if password_verify() was safe against DoS attacks using extremely long passwords. Many hashing algorithms depend on the amount of data fed into them, which affects their runtime. This can lead to a DoS attack where an attacker can provide an exceedingly long password and tie up computer resources. It's a really good question to ask of Bcrypt (and password_hash). As you may know, Bcrypt is limited to 72 character passwords. So on the surface it looks like it shouldn't be vulnerable. But I chose to dig in further to be sure. What I found surprised me.

To find out exactly how things are processed he gets down into the C code behind the PHP functionality in the crypt function. He discovers something interesting about the way it determines the length of the input password. It loops over the key, taking one byte at a time but resetting when it comes across a null byte. While this method is safe in itself, he points out the real issue: pre-hashing the password before the bcrypt check, typically done to allow for longer passwords.

The problem is that the pre-hash output can itself contain null bytes, which cause issues with the password checking, especially when opting for raw (binary) hash output. He includes a simple script to illustrate this problem, finding a few collisions for his made-up key and "random looking" password. Thankfully, he includes a method for checking to ensure the hash doesn't contain a null byte. He points out that not all hashing combinations are at risk and suggests a few alternatives that can keep your application 100% safe.

The underlying problem is that combining cryptographic operators that weren't designed to be combined can be disastrous. Is it possible to do so safely? Yes. Is it a good idea to do it? No. This particular case is just one example where combining operations can be exceedingly dangerous.

tagged: bcrypt hash function combination issue crypt null byte

Link: http://blog.ircmaxell.com/2015/03/security-issue-combining-bcrypt-with.html

Brian Moon:
Using socket_connect with a timeout
Mar 12, 2015 @ 09:38:00

In a new post to his site Brian Moon has shared a problem he had with sockets and timeouts and having them perform the same way every time. He walks through the symptoms he was seeing and provides his own solution in the end.

So, it seems that when you try and connect to an IP that is routable on the network, but not answering, the TCP stack has some built in timeouts that are not obvious. This differs from trying to connect to an IP address that is up, but not listening on a given port. [...] After a lot of messing around, a coworker pointed out that in production, the failures were happening for an IP that was routable on the network, but that had no host listening on the IP.

After some testing, Brian figured out that his problem was testing against localhost rather than an address that was routable but had no host answering. He made the switch and figured out how to set the timeouts low and work with error state checking to make things more stable. He explains a bit more about how the code in his solution works. You can find his solution in this gist on GitHub.

tagged: socket connect timeout issue stable consistent failure localhost

Link: http://brian.moonspot.net/socket-connect-timeout