Paragon Blog:
Building Secure Web Applications in PHP
Sep 21, 2015 @ 16:15:56

The Paragon Initiative has posted an article to their blog talking about how to build secure applications in PHP. Rather than dig into specific vulnerabilities, they stay relatively high level and stick with concepts to keep in mind and steps you can follow to ensure your development practices are secure.

Whether you're planning the development of a brand new application or trying to prevent legacy code from causing a costly data breach, if you're going to be writing PHP, where should you begin? That is the question we will attempt to answer, in detail.

The article starts with an "easy way out" for those who don't feel they know enough or just don't have the resources they need: hire consultants. With that out of the way, the article names two root causes of insecure apps: lack of knowledge about security and bad development habits. They then offer some suggestions on how you can learn to understand and prevent vulnerabilities in your own applications, focusing on a few key places PHP developers should pay attention to, complete with some charts showing the parts of the flow. The post ends with some advice on what to do if your site is compromised anyway and how to move forward.

tagged: secure application advice common issues developer

Link: https://paragonie.com/blog/2015/09/building-secure-web-applications-in-php

Evert Pot:
PSR-7 is imminent, and here's my issues with it.
Mar 04, 2015 @ 09:26:37

Evert Pot has written up a new post today with some of his thoughts about what's wrong with the PSR-7 proposal in the PHP-FIG. PSR-7 relates to a standardized interface for HTTP request and response handling.

PSR-7 is pretty close to completion. PSR-7 is a new 'PHP standard recommendation', put out by the PHP-FIG group, of which I'm a member. [...] PSR-7 gets a lot of things right, and is very close to nailing the abstract data model behind HTTP, better than many other implementations in many programming languages.

But it's not perfect. I've been pretty vocal about a few issues I have with the approach. Most of this has fallen on deaf ears. I accept that I might be a minority in feeling these are problems, but I feel compelled to share my issues here anyway. Perhaps as a last attempt to solicit change, or maybe just to get it off my chest.

He breaks up his thoughts into a few different categories, each with a summary and sometimes some code to help make his point a bit clearer. He talks about immutability, how objects will be immutable, and shows an example of how Silex would have to change to follow the standard (with before/after). He then goes on to talk about the "issue with streams" and how the current proposal could allow the incoming request to be turned into a new one with new headers...not immutable. He ends the post talking about PSR-7's stance on buffering responses and how, even if his project doesn't adopt the PSR in the strictest sense, they may still take some inspiration from it.

tagged: psr7 issues opinion phpfig http standard request response

Link: http://evertpot.com/psr-7-issues/

Symfony Blog:
The Symfony 500 + 100 Challenge
Dec 12, 2014 @ 12:48:08

The Symfony blog has posted something they're calling the Symfony 500 + 100 Challenge, an effort to kickstart a cleanup of the issues currently sitting in the project's backlog.

The end of the year is approaching, and we think that this is the best time to do some backlog cleaning before starting the new year fresh. Right now there are 728 pending issues in the symfony/symfony repository and 177 issues in symfony/symfony-docs.

Some of those issues were reported a long time ago and they probably refer to Symfony versions that are no longer maintained. Others would have been fixed but not closed and there could also be some duplicates. That's why we ask your help to review all the pending issues in order to close irrelevant issues and achieve much more manageable levels: 500 issues or less for symfony/symfony and 100 issues or less for symfony/symfony-docs.

If you're interested in helping out, they've included a few steps to get you started locating and claiming an issue to work on. They also suggest how to report back on what you find, sorted into bugs, feature requests and general discussion items.

tagged: symfony challenge 500+100 issues bugfix featurerequest discussion

Link: http://symfony.com/blog/the-symfony-500-100-challenge

HHVM Blog:
HHVM 3.1.0
May 30, 2014 @ 11:56:54

On the HHVM blog today they've announced the release of the latest version of the popular project, version 3.1.0. This version fixes a few issues (including a segfault) and comes out of their semi-annual "lockdown", a period spent working directly on the project.

If you remember last time we focused on framework unit tests, performance, and growing beards. This time, our frameworks were in good shape thanks to Fred and our Open Academy students, but our github story was not as pretty. At the start of lockdown we had 60 pull requests and nearly 450 issues. So our focus this time was github health and of course as always, perf.

In the end they closed out 251 GitHub issues and made things 16% more efficient in the process. They also list some of the updates included in this release.

You can grab this latest release from the pre-built packages page on the GitHub project account.

tagged: hiphop vm hhvm release version github issues

Link: http://hhvm.com/blog/5195/hhvm-3-1-0

HipHop VM Blog:
Compatibility Update
Apr 22, 2014 @ 09:16:38

The HipHop VM blog has a new post today with some updates on the compatibility work they're doing to get popular PHP projects working 100% on the platform (with all unit tests passing).

Earlier this year we set an ambitious goal of passing the PHPUnit test suites of 20 popular frameworks by the end of June; at the time, we were passing on only 6! With a huge amount of help from the community (especially our OpenAcademy students), we’re proud to have hit this goal more than 2 months early, and we have more frameworks expected to reach 100% shortly.

Included in their list of projects/frameworks are things like Assetic, Composer, Doctrine2, Guzzle (v3), Laravel, Mockery and Monolog. Now that they've made significant strides in getting HHVM to a greater level of compatibility, they're going to focus on the GitHub issues list and resolve the problems reported there.

tagged: compatibility update framework project unittest bugs issues

Link: http://hhvm.com/blog/4841/compatibility-update

Manuel Stosic:
Understanding Zend Framework 3...before it's out!
Oct 31, 2013 @ 09:22:33

Manuel Stosic has a new post today talking about the upcoming Zend Framework v3 (not "coming soon", but coming) and three places you can follow to keep up on the latest in this version as it develops.

ZF3 is not just around the corner. It's still many, many months ahead. But there are reasons why you should bother and get information about ZF3 as soon as possible. If you understand why changes are introduced - and most of them are explained, some will be explained at a later point I guess - then you can spot errors in today's code already! You can improve your current code by knowing what's going to be "in" a couple of months away.

The three resources he points to are the Google Moderator group for ideas around the framework, issues on the Github repository tagged for ZF3 and a series of planned Google Hangouts where core developers will talk about the work on this new version and answer questions from those watching.

tagged: zendframework3 google moderator github issues hangouts

Link: http://samminds.com/2013/10/understanding-zend-framework-3-before-its-out/

Software Gunslinger:
PHP is meant to die
Apr 05, 2013 @ 10:47:40

In this new post, titled "PHP is meant to die", the author looks at one weakness he sees in the PHP language - how PHP handles long running scripts and functionality.

In my opinion, a lot of the hatred that PHP receives misses the utter basic point: PHP is meant to die. It doesn’t mean that a perfectly capable (to some extent) programming language will disappear into nothingness, it just means that your PHP code can’t run forever. Now, 13 years after the first official release in 2000, that concept still looks valid to me.

He talks about some of the "dying" that PHP is good at (like serving ordinary website requests) but notes that if you try to make it do much more, PHP acts up. He points to the complexity of web-based applications and notes that, while PHP is good for some of it, it's not a fit for all functionality. He also covers bringing processes into the foreground that are best left in the background and how - despite the best of intentions - writing a PHP daemon to solve the problem isn't a viable option.

Do you see the pattern? I’ve inherited projects where PHP was used for daemons or other stuff that’s not just regular websites (yes, I’m a hired keyboard), and all of them shared that same problem. No matter how good or clever your idea looked on paper, if you want to keep the processes running forever they will crash, and will do it really fast under load, because of known or unknown reasons. That’s nothing you can really control, it’s because PHP is meant to die. The basic implementation, the core feature of the language, is to be suicidal, no matter what.

tagged: die memory issues longrunning process daemon problem

Link: http://software-gunslinger.tumblr.com/post/47131406821/php-is-meant-to-die

Jonathan Hill:
What Is Wrong With PHP's Semaphore Extension
Dec 14, 2012 @ 11:08:18

In this recent post to his site, Jonathan Hill takes a look at the PHP semaphore extension and talks about some of the issues he's had with it.

He lists five different pain points he discovered when trying to use the extension:

  • Lack of a true Semaphore
  • Undefined error handling
  • Undefined behavior of sem_get()
  • Cannot disable semaphore auto-releasing
  • A semaphore may be deleted when other processes are waiting to acquire it

The semaphore extension provides a PHP-based wrapper for the System V IPC family of functions (including semaphores, shared memory and inter-process messaging).

tagged: issues semaphore extension systemv functionality


Community News:
PHPBestPractices.org - A Short Practical Guide
Aug 23, 2012 @ 10:07:01

There's another site tossing their hat into the "best practices in PHP" ring (the other being PHP The Right Way) with what they call a "short, practical list for common and confusing tasks" in PHP - PHPBestPractices.org.

[Outdated tutorials and information is] one of the reasons why new PHP programmers are so frequently blamed for ugly, outdated, or insecure code. They can't help it if the first Google result was a four year old article teaching a five year old method! This document tries to address that. It's an attempt to compile a set of basic instructions for what can be considered best practices for common and confusing issues and tasks in PHP. If a low-level task has multiple and confusing approaches in PHP, it belongs here.

The site has sections covering a range of such topics.

If you're interested in helping out and adding more content to the site, contact the maintainer and let him know.

tagged: guide bestpractices common issues confusing


Lorna Mitchell's Blog:
Using JIRA's REST API to Create a Dashboard
Mar 28, 2012 @ 10:57:56

In this recent post to her blog, Lorna Mitchell shows how to use the Jira REST API (provided as a part of some of the newer versions of the tool) to create a "dashboard" of the latest items added to the tracker.

Today what you get is an example of integrating with JIRA's REST API, because their recent "upgrade" locked me out of the issue listings pages completely and I really do need to be able to see a list of bugs! Their bug editing screen is quite usable, so it's just the list that I need here, but you could easily call their other API methods as you need to. These examples are PHP and use the Joind.in Jira tracker, parsing the JSON results and displaying the results as a simple list, looping with a foreach and outputting some HTML.

tagged: jira rest api pecl http extension issues dashboard