
PHPMaster.com:
REST - Can You do More than Spell It? Part 4
May 21, 2012 @ 08:44:26

PHPMaster.com has posted the latest tutorial in their series covering RESTful APIs - part four of "REST - Can you do More than Spell it?" In this latest part of the series, they focus on something very key to RESTful services, the HTTP spec (and headers).

We're getting close to the end now, and the only thing remaining is to discuss a little more about the protocol you'll most likely use in any RESTful application that you write. Because HTTP is so often used with REST, that's the protocol I'd like to focus on.

He goes through the structure of a typical (raw) HTTP header and talks about some of the more common headers and what actions/settings they represent. He includes examples of setting headers (with header, naturally) and a curl example showing how to set the request headers. The tutorial is finished off with a brief mention of custom HTTP headers and the good and bad that comes with them.

rest api tutorial series http spec protocol status header



Infosec Institute:
SQL Injection through HTTP Headers
April 04, 2012 @ 10:17:08

While not specific to PHP, security is something that all developers need to think about in their applications. To that end, the Infosec Institute has published this guide to helping you prevent SQL injection attacks that could come in via the HTTP headers of requests to your site.

During vulnerability assessment or penetration testing, identifying the input vectors of the target application is a primordial step. Sometimes, when dealing with Web application testing, verification routines related to SQL injection flaws discovery are restricted to the GET and POST variables as the unique input vectors ever. What about other HTTP header parameters? Aren't they potential input vectors for SQL injection attacks? How can one test all these HTTP parameters and which vulnerability scanners to use in order to avoid leaving vulnerabilities undiscovered in parts of the application?

The guide starts by describing the different inputs that the attacks could come in on - GET, POST, cookies and the other HTTP headers. According to some results, the HTTP headers option is the least protected in most common applications. It includes some good examples of headers that might contain malicious data such as:

  • X-Forwarded-For
  • User-Agent
  • Referer

Techniques are also included showing you tools and methods to help test your own applications, including some in-browser tools and external applications (like Sqlmap, Nessus, WebInspect, SkipFish and Wapiti), with some average coverage scores from running them.

sql injection http headers security prevention scanner


Lorna Mitchell's Blog:
Using OAuth2 for Google APIs with PHP
March 29, 2012 @ 12:02:21

Lorna Mitchell has a new post to her blog today showing how to use the functionality provided by the pecl_http extension to make an OAuth2 connection to Google.

I've written about Google and OAuth before, but that was OAuth v1.0, and they are introducing OAuth2 for their newer APIs; in this example I was identifying myself in order to use the Google Plus API. [...] OAuth 2 doesn't need an extension or any particular library as it doesn't have the signing component that OAuth 1 had, and OAuth 2 also has fewer round trips. It does require SSL however, because the requests are in the clear.

She includes some code snippets with an example of a connection - making a request to the remote HTTPS resource, adding some parameters to the URL (including the response type, your client ID and a redirect url). The response then contains the "code" value you'll need to make the second request to fetch the access token you'll need on future requests. You can find out more about the interface she's accessing in these docs about the Google Plus API.

oauth2 tutorial googleplus token pecl http


Lorna Mitchell's Blog:
Using JIRA's REST API to Create a Dashboard
March 28, 2012 @ 10:57:56

In this recent post to her blog, Lorna Mitchell shows how to use the Jira REST API (provided as a part of some of the newer versions of the tool) to create a "dashboard" of the latest items added to the tracker.

Today what you get is an example of integrating with JIRA's REST API, because their recent "upgrade" locked me out of the issue listings pages completely and I really do need to be able to see a list of bugs! Their bug editing screen is quite usable, so it's just the list that I need here, but you could easily call their other API methods as you need to. These examples are PHP and use the Joind.in Jira tracker, parsing the JSON results and displaying the results as a simple list, looping with a foreach and outputting some HTML.

jira rest api pecl http extension issues dashboard


Artur Ejsmont's Blog:
How to build mongodb pecl extension in 32bit for PHP 5.2 on OSX Snow Leopard
February 03, 2012 @ 10:35:11

Artur Ejsmont has a recent post to his blog showing how to get a MongoDB PECL extension to compile in a 32bit OSX environment (Snow Leopard).

Here is a quick step by step guide on how to get mongodb and PHP5.2 mongo pecl extension going on your MacOSX in 32bit mode! NOTE: 32 bit mongodb binaries have 2GB address space limit so you won't be able to process too much on your laptop. You will still be able to code and connect to remote instances just fine.

His process includes five steps - well, eight if you count the optional "install MongoDB" ones too - complete with the commands you'll need to get things compiled, ready for copy and paste. You can find the MongoDB PECL package here.

osx build pecl extension mongodb compile tutorial


Mike Wallner's Blog:
Dropping server load with HTTP caching
January 27, 2012 @ 09:43:04

Mike Wallner has shared a quick and easy HTTP caching technique in a new post to his blog today. The key is in using the PEAR HTTP_Header package.

Ever watched yourself browsing e.g. a web forum? Noticed that you viewed the same page several times? Well, this means extraordinary and useless load for your server if there's no caching mechanism implemented in the web application. Even if there is some file or db cache you can still improve performance with implementing some http cache.

With a few simple lines of code using HTTP_Header, you can tell your scripts how long to set the "expires" header to on your requests. This increment (in seconds) is relayed to the browser to tell it when to next fetch the page and not reload from cache.

http cache pear package httpheader tutorial


Stefan Koopmanschap's Blog:
Installing the Geoip PECL package for Zend Server on OSX
January 12, 2012 @ 11:09:56

In this recent post to his blog Stefan Koopmanschap shares some of the troubles (and a solution) when he was dealing with getting the Geoip PECL extension installed on his Zend Server setup in OSX.

Today I needed to get a client application up and running on my local system. This application uses the Geoip PECL package, so I needed to get this up and running. This turned out to be slightly more difficult than just a PECL install, as you're missing some libraries by default, so here is my log of things to do to get it up and running.

He gives the complete list of steps he followed, including downloading the source and his way around this "System could not load this extension" issue. The trick was to recompile the source with the correct architecture. By default his extension was built with i386 instead of 64-bit but updating some of the CFLAGS settings (and a few other environment variables) got things compiling correctly.

geoip osx install pecl extension tutorial compile architecture


Robert Basic's Blog:
Creating a chat bot with PHP and Dbus
January 09, 2012 @ 11:10:52

Robert Basic has continued his series looking at using Dbus in PHP with this latest post to his blog - using the foundation he's created before to make a chat bot that will listen and respond to commands on a Jabber network.

Now that we know how to use DBus to communicate with Pidgin from PHP and how to listen to DBus signals, it's time to put it all together by creating a simple chat bot! Nothing fancy, just a simple script that runs somewhere on some server and, by using a Pidgin account, can respond to some basic queries we send it.

His new code listens for an incoming message on the "PurpleInterface", grabs the name of the sender and calls a "PurpleConvImSend" method with the conversation object and the message to send. You can find the complete source for the project on his github account.

dbus tutorial pigdin extension pecl chat bot jabber


Robert Basic's Blog:
Communicating with Pidgin from PHP via D-Bus
December 19, 2011 @ 09:10:23

Robert Basic has put together a new tutorial on his blog showing how he connected PHP and Pidgin (the popular chat client) with the help of the DBus extension.

Earlier this week I got an idea of trying to communicate with Pidgin, a chat client, via the terminal. [...] Surely I wasn't the first one to come up with this idea and after a bit of a googling found out that Pidgin's libpurple has a nice API for that, exposed via D-Bus. I first planned to write some scripts for this in Python or C, but when I finally sat down over the weekend to hack on this, realized there is a PHP D-Bus extension, thanks to Derick Rethans!

He goes through the whole process you'll need to get it up and working on your system - installing the extension via PECL, creating a DBus proxy to the Pidgin interface and getting a list of the currently connected users. You can find the first versions of this code in his account on github.

dbus tutorial pigdin extension pecl


Chris Hartjes' Blog:
Better HTTP Request/Response in PHP
December 14, 2011 @ 09:51:03

In a recent post to his blog Chris Hartjes looks at the idea of better HTTP Request/Response functionality in PHP, more than just the superglobal handling and PECL HTTP extension it has now.

I think the fact that we have $_POST and $_GET lulls some of us into the false sense that we should have $_PUT and $_DELETE objects, since that would map to the commonly-desired set of HTTP verbs that REST likes to use. But what should be inside those things, or should we be moving towards a more Pythonesque solution where a Request object, as part of core or via a only-really-for-the-brave- PECL extension?

He mentions opinions from other PHP community members (Laura Thompson and Elizabeth Smith) and a bit about what he (and I'm sure other developers) are looking for in a more full-featured request/response handling feature.

request response object handling http extension




All content copyright, 2012 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework