Rob Allen:
Slim-Csrf with Slim 3
Aug 25, 2015 @ 09:49:48

In a post to his site Rob Allen shows you how to help secure your Slim 3-based applications with the help of the slim3-csrf package. A CSRF (cross-site request forgery) attack happens when another site causes a visitor's browser to request a page in your application, possibly performing an action on that user's behalf.

In addition to the core Slim framework, we also ship a number of add-ons that are useful for specific types of problems. One of these is Slim-Csrf which provides CSRF protection. This is middleware that sets a token in the session for every request that you can then set as a hidden input field on a form. When the form is submitted, the middleware checks that the value in the form field matches the value stored in the session. If they match, then all is okay, but if they don't then an error is raised.

He shows how to add the middleware to your Slim 3 application and how to add the token to each form. The library generates random values for both the name of the token and its value, making it compatible with applications that may involve multiple browser windows. He also shows you how to validate the token, either using the built-in "Guard" handling or manually by deferring the check to the route.

tagged: slim3 csrf token package library install configure validate

Link: http://akrabat.com/slim-csrf-with-slim-3/

Andrew Embler:
Q&A: Using Composer in a concrete5 Package
Aug 21, 2015 @ 11:30:46

Andrew Embler has posted a guide to his site showing you how to use Composer with concrete5 to integrate third party libraries quickly and easily. concrete5 is an open source content management system under the MIT license and is flexible and easy to extend.

Let's say I'm creating a statistics package and I want to use LavaCharts in it. For those who don't know, LavaCharts is a PHP library that abstracts Google's JavaScript Chart API to PHP. Instead of writing JavaScript, you build your charts with object-oriented PHP. It's nice. LavaCharts is available through Composer, so I'll include it that way.

He uses this particular package as an example, showing you how to create the composer.json file to include the LavaCharts library and run Composer to install it. He then shows the integration of the package with the concrete5 CMS instance, including the Composer autoloader in the "on start" handling. From there it's just a matter of referencing the library via its namespace and using it to populate and generate the resulting chart.

tagged: composer lavacharts tutorial integration library package concrete5 cms

Link: http://andrewembler.com/2015/08/q-using-composer-concrete5-package/

Matt Stauffer:
Login Throttling in Laravel 5.1
Aug 03, 2015 @ 08:35:57

Matt Stauffer has posted the eleventh part in his series looking at new features of the latest release of the Laravel framework (well, version 5.1). In this tutorial he shows you how to set up and configure the login throttling for your Laravel-based application with the help of the Laravel Throttle package.

Whether or not you know it, any login forms are likely to get a lot of automated login attempts. Most login forms don't stop an automated attack trying email after email, password after password, and since those aren't being logged, you might not even know it's happening.

The best solution to something like this is to halt a user from attempting logins after a certain number of failed attempts. This is called login throttling, or rate limiting. Graham Campbell wrote a great package called Laravel Throttle to address this in previous versions of Laravel, but in Laravel 5.1 login throttling comes right out of the box.

He shows how to use the ThrottleTrait in your AuthController to have some of the "behind the scenes" work done for you. He shows you how to update your view to relay the possible error message back to the user (and includes a quick screencast of the result). He ends the post with a quick look at what the throttling functionality is doing under the covers: creating a temporary cache item based on username+IP address as a "lock" indicator. Finally, he points out two properties you can find on the auth controller to give a bit more detail on the current configuration: lockout time and max login attempts.

tagged: laravel login throttle tutorial authcontroller laravelthrottle package cache username ipaddress

Link: https://mattstauffer.co/blog/login-throttling-in-laravel-5.1

ServerGrove Blog:
Introduction to the PHAR format
Jul 31, 2015 @ 12:15:44

The ServerGrove blog has posted an introduction to the PHAR format, a built-in way to package a PHP application as a single self-contained *.phar file, making it much easier to transport.

In recent years there has been a trend in the PHP community to release tools, especially command line utilities, as PHAR files, so you can package an entire PHP application into a single file for convenience. But how do PHAR files work? In this post we will try to explain it.

They cover a few of the basic topics first: what is a PHAR file and a few examples of them being provided by major PHP projects. They then get into the creation of an archive, showing how to make a super simple PHAR "Hello World" archive, created with just a bit of PHP. They then get into the structure behind the archive and get into detail on each section (stub, manifest, file contents and signature).

tagged: phar format introduction archive package

Link: http://blog.servergrove.com/2015/07/30/introduction-phar-format/

Alejandro Celaya:
Working with custom column types in Doctrine. Enums.
Jul 30, 2015 @ 08:37:45

Alejandro Celaya has a post to his site showing you how to work with custom types in Doctrine, more specifically with the "enum" type.

Doctrine is currently the most used ORM in PHP. It makes it very easy to work with databases in an object oriented way. It comes with a set of built-in column types that map database types with PHP types. For example, the datetime column type persists the value of an entity column as a datetime in the database and handles it as a DateTime object when the entity is hydrated.

Type conversions work both ways, so column types take care of casting database to PHP types and vice versa. In this article I'm going to explain how to define custom column types so that we can persist our own objects into the database and hydrate them back.

He points out that, while PHP itself lacks the "enum" data type, you can simulate it with a library like this. He uses this library to create a custom Doctrine object type that mimics enums in the getting and setting of a value to one of a few options. In this case the values represent the CRUD methods. He shows the code to link the Type back to the Action, which then tells it what the valid enum values can be. He also points out another package that he published recently that takes some of the work out of creating the boilerplate code for the enum.

tagged: package action tutorial enum type doctrine custom library

Link: http://blog.alejandrocelaya.com/2015/07/28/working-with-custom-column-types-in-doctrine-enums/

Remi Collet:
New "remi-php70" repository
Jul 24, 2015 @ 12:09:05

Remi has announced the release of the remi-php70 repo, available for Fedora ≥ 21 and Enterprise Linux ≥ 6.

Current version is PHP 7.0.0beta2 with about 25 extensions which are already compatible. This repository provides development versions which are not suitable for production usage. [...] As with other remi repositories, it is disabled by default, so the update is an administrator choice.

This repository is installed just like the other remi repos: one "yum" command adds the repository to the list of available ones, then another upgrades the PHP installation.

tagged: php7 remi repository available package yum install beta2

Link: http://blog.remirepo.net/post/2015/07/24/New-remi-php70-repository

Freek Van der Herten:
Speed up a Laravel app by caching the entire response
Jul 20, 2015 @ 08:12:55

Freek Van der Herten has written up a tutorial for his site showing the Laravel users out there how to cache their entire response to speed up the overall performance of their application.

A typical request on a dynamic PHP site can do a lot of things. It's highly likely that a bunch of database queries are performed. On complex pages executing those queries and hydrating them can slow a site down. The response time can be improved by caching the entire response. The idea is that when a user visits a certain page the app stores the rendered page.

With a little help from his package it's easy to enable. Just install the package, add the service provider and you're ready to go. All successful responses will be cached unless told otherwise, and the cache is written out to files by default. He does point out that caching like this, while handy and a nice "quick fix", shouldn't be used in place of proper application tuning methods. He also links to two other external technologies that could be used for the same purpose: Varnish and Nginx's own cache handling.

tagged: laravel application response cache output serviceprovider package

Link: https://murze.be/2015/07/speed-up-a-laravel-app-by-caching-the-entire-response/

Matt Stauffer:
Using Github authentication for login with Laravel Socialite
Jul 17, 2015 @ 10:17:25

In a tutorial posted to his site Matt Stauffer shows you how to integrate Laravel with GitHub's authentication to link a user's profile to your application, made possible through the Socialite package.

Laravel's Socialite package makes it simple to authenticate your users to Facebook, Twitter, Google, LinkedIn, GitHub and Bitbucket. You can authenticate them for the purpose of connecting their pre-existing user account to a third-party service, but you can also use it as your primary login mechanism, which we'll be talking about here. I'm working on a new little micro-SaaS that is purely dependent on GitHub in order to operate, so there's no reason to set up any user flow other than just GitHub.

He starts with just a bit of insight into the overall flow of an OAuth connection with an application (which this is) and the pieces involved. Next he helps you get Socialite installed and working with your Laravel application. With this in place he shows you how to create a simple GitHub application and configure your Laravel instance with the provided client ID/secret and redirect URL. He adds in some routes to handle the two page requests and the controller methods to process the input. He makes a simple "users" migration to hold user information and a model to match. Finally he shows the result, stepping through the authorization flow, complete with screenshots.

tagged: laravel github social authentication login socalite package tutorial

Link: https://mattstauffer.co/blog/using-github-authentication-for-login-with-laravel-socialite

Matt Stauffer:
Sublime Text (3) for PHP Developers
Jun 29, 2015 @ 09:25:55

Matt Stauffer has posted a set of helpful hints for developers using Sublime Text (3) to help make them more efficient and make writing code much easier.

A lot of folks in the PHP community have been checking out PHPStorm lately, including myself and most of the developers I work with. We love the code intelligence we get from PHPStorm, but still miss the speed, quick boot-up, and convenience of Sublime Text. Before I blindly assume PHPStorm is the only way to go, I wanted to see: Can I bring the things a PHP-focused IDE provides PHP developers back to Sublime Text and get the best of both worlds?

He starts with a list of "must haves" for him to be able to move from PHPStorm, features it provides that Sublime, an editor rather than an IDE, might not come with out of the box. Most of his suggestions use the Package Control functionality in Sublime so you'll need that installed to try out his examples. He then shows several tools you can install including:

  • Sublime PHP Companion (package)
  • AllAutocomplete (package)
  • Cmd-click for function definition
  • Integrating Code sniffing and PHP_CodeSniffer
  • DocBlockr (package)
  • Git helpers

...and many more. If you're a Sublime Text user, definitely take a look at his list and see if you can find something to help make your development easier.

tagged: sublimetext phpstorm editor ide features package tips integration

Link: https://mattstauffer.co/blog/sublime-text-3-for-php-developers

Frank de Jonge:
Packages vs. Components: The Dependency Problem.
Jun 26, 2015 @ 11:12:18

In a new post to his site Frank de Jonge makes a distinction between packages versus components, pointing out that components are always packages but packages are not always components, and what it really boils down to is a problem of dependency.

The PHP landscape has fully transitioned into its Package Age™ [...] However, due to PHP's nature, there are some problems. While packages are great for re-use outside of frameworks, dependencies are still an issue. Namespaces resolve conflicts between classnames, but they do not offer a solution to package versioning. Especially in a framework-context, this can become very problematic. A real-world-example for this is Guzzle.

In his Guzzle example he describes the main problem: when a package restructures or makes changes incompatible with prior versions, dependencies conflict and both versions must be installed. He also points out that, while this is bad for plain packages, it can be made even worse when working with components (his name for framework-based packages). Problems he mentions are the previously mentioned dependency conflicts but also some unexpected quirks with how Composer chooses to install packages. He gives an example of this second one with the installation of the Symfony EventDispatcher component and how, upon closer inspection, Composer seems to be installing two versions of the library at once.

tagged: package component dependency problem conflict versions guzzle eventdispatcher

Link: http://blog.frankdejonge.nl/packages-vs-components/