Looking for more information on how to do PHP the right way? Check out PHP: The Right Way

ServerGrove Blog:
Introduction to the PHAR format
Jul 31, 2015 @ 12:15:44

The ServerGrove blog has posted an introduction to the PHAR format, a built-in method to use PHP and create self-contained functional scripts as a single *.phar file making it much easier to transport.

In the last years there is a trend in the PHP community to release tools, especially command line utilities, as PHAR files, so you can package an entire PHP application into a single file for convenience. But, how PHAR files work? In this post we will try to explain it.

They cover a few of the basic topics first: what is a PHAR file and a few examples of them being provided by major PHP projects. They then get into the creation of an archive, showing how to make a super simple PHAR "Hello World" archive, created with just a bit of PHP. They then get into the structure behind the archive and get into detail on each section (stub, manifest, file contents and signature).

tagged: phar format introduction archive package

Link: http://blog.servergrove.com/2015/07/30/introduction-phar-format/

SitePoint PHP Blog:
Boxing up your Apps as Phars Quickly and Easily with Box
Jun 16, 2015 @ 08:44:27

The SitePoint PHP blog has a new tutorial posted showing you how to easily package up your application with Box to make phar files without the extra hassle of building them yourself.

In this tutorial, we’ll use Box to package a PHP application into a Phar, in order to make it easily distributable and globally installable via Composer.

For his example he uses the PHP portion of the FolderBuilder project and makes a command-line executable that can return the information for a directory as JSON data. He starts by installing the "box" executable command on a local VM and defines the simple configuration file, a "box.json" with some basic settings. He then clones the FolderBuilder project, updates the configuration for the correct locations and files and executes the "build" command. The result is a phar file that contains the PHP script functionality. He also updates the configuration to make the result executable with a "chmod" setting, removing the need to call it with the PHP command line version. He ends the post showing how to test it out, taking the results and dropping them into FolderBuilder to make sure they're 100% correct.

tagged: tutorial build phar archive easy box commandline tool

Link: http://www.sitepoint.com/boxing-apps-phars-quickly-easily-box/

Pádraic Brady:
Self-Updating PHARs: Stable phar-updater packages now available
Jun 03, 2015 @ 08:28:12

Pádraic Brady has a new post to his site today talking about creating self-updating phars in PHP using his package created based on previous recommendations.

In all seriousness, phar-updater is my implementation of recommendations I made in a previous blog post around self-updating PHAR files. Those recommendations were, predictably for me, largely concerned with self-updating from a security perspective. Implementing it brought ease of use and flexible integration to the fore also. It can be surprising what a little extra work, testing and packaging can accomplish for reuse compared to throwing code into one file and calling it a day. It’s been integrated into Humbug with nary an issue.

The package makes it simple to integrate the self-update functionality into your existing phar package deployment including updating running versions, enforcement of TLS connections and allows for configuration of updates based on version numbers. You can see his own example in his Humbug package's "SelfUpdate" class.

tagged: phar selfupdate package pharupdater packagist composer

Link: http://blog.astrumfutura.com/2015/06/self-updating-phars-stable-phar-updater-packages-now-available/

Three Devs & A Maybe:
Episode 66 - Easy Like Sunday Morning
Jun 01, 2015 @ 08:36:01

The Three Devs & A Maybe podcast has posted their latest episode, #66 - Easy Like a Sunday Morning, with hosts Michael Budd, Fraser Hart, Lewis Cains and Edd Mann.

This week on a early Sunday morning recording, we start off podcast discussion with A/B testing and Google Analytics/Experiments. We then move on to touch upon distributing PHP console applications within PHAR's, application security and Google's recent IO conference. Following this we bring up a couple of small projects Edd is currently working on, relating to Morse Code and Colour detection algorithms. Finally, we wrap up the show by discussing the current Space Beer Cave competition that is still underway, and how one contestant is running away with the prize at this time.

Other topics mentioned include Box PHP, Ghostery and the missing mcrypt extension. You can listen to this latest episode either through the in-page audio player or by downloading the mp3. If you enjoy the show, be sure to subscribe to their feed or over in iTunes to get the latest shows as they're released.

tagged: threedevsandamaybe podcast ep66 abtesting phar console googleio color

Link: http://threedevsandamaybe.com/easy-like-sunday-morning/

Pádraic Brady:
Securely Distributing PHARs: Pitfalls and Solutions
Mar 04, 2015 @ 11:46:10

Pádraic Brady has a new article on his site talking about the secure distribution of phars (PHP archive files) including some of the common pitfalls and potential solutions.

The PHAR ecosystem has become a separate distribution mechanism for PHP code, distinct from what we usually consider PHP packages via PEAR and Composer. However, they still suffer from all of the same problems, namely the persisting whiff of security weaknesses in how their distribution is designed. [...] [Several security-related issues introduce an element of risk that the code you receive is not actually the code the author intended to distribute, i.e. it may decide to go do some crazy things that spell bad news when executed.

He shares some of the steps he's taken to secure his own phar for a CLI application with things like:

  • Distribute the PHAR over HTTPS
  • Enforce TLS verification
  • Sign your PHAR with a private key
  • Avoid PHAR Installer scripts
  • Manage Self-Updates securely

He finishes the post with one of the most important parts of the article - a reminder to do all of the things on the list above consistently.

This is not an outrageous outcome to introducing proper security on PHAR downloads. Go forth and do it for all PHARs. Help create an environment where distributing and installing code in secure ways is the normal expected thing to do.
tagged: secure distribution phar solution tls https privatekey installer selfupdates

Link: http://blog.astrumfutura.com/2015/03/securely-distributing-phars-pitfalls-and-solutions/

PHPUnit: Migration from PEAR to PHAR
Jan 14, 2015 @ 13:48:34

On The PHPcc's site today Sebastian Bergmann, the creator of the popular PHPUnit unit testing framework, shows you how to move to using the tool's phar file and away from the previously used PEAR install method.

In April 2014 I announced that I would shut down pear.phpunit.de on December 31, 2014. The motivation behind this move was to simplify the release process of PHPUnit by getting rid of an outdated distribution channel. I was afraid that I would leave users of my software behind by this move. [...] I am relieved that the shutdown of pear.phpunit.de went as smooth as it did. [...] In this article I show you how to make the transition from using PHPUnit from a PEAR package to using PHPUnit from a PHP Archive or using Composer as easy and convenient as possible.

There's three main steps to the migration from PEAR to the Composer-based phar installation:

  • Uninstalling PEAR Packages
  • Using PHPUnit from a PHP Archive (PHAR)
  • Installing PHPUnit with Composer

He includes the commands and configuration files/settings you'll need to make the transition happen. He also mentions that older versions are still available if there's a need but only on GitHub/Packagist as phar packages, not via PEAR.

tagged: phpunit migration pear phar packagist composer tutorial

Link: http://thephp.cc/news/2015/01/phpunit-migration-from-pear-to-phar

Community News:
PHPUnit Announced End of Life on PEAR Installation Method
Apr 21, 2014 @ 10:29:53

There's a new addition to the GitHub wiki that's quite important for the PHPUnit users out there. Sebastian Bergmann has officially announced the end of life for the PEAR version of the installer for the popular PHPUnit tool.

Since PHPUnit 3.7, released in the fall of 2012, using the PEAR Installer was no longer the only installation method for PHPUnit. Today most users of PHPUnit prefer to use a PHP Archive (PHAR) of PHPUnit or Composer to download and install PHPUnit. Starting with PHPUnit 4.0 the PEAR package of PHPUnit was merely a distribution mechanism for the PHP Archive (PHAR) and many of PHPUnit's dependencies were no longer released as PEAR packages. Furthermore, the PEAR installation method has been removed from the documentation. We are taking the next step in retiring the PEAR installation method with today's release of PHPUnit 3.7.35 and PHPUnit 4.0.17.

Included in this end of life, they'll also be decommissioning pear.phpunit.de to happen no later than the end of 2014.

tagged: pear phpunit install method composer phar download

Link: https://github.com/sebastianbergmann/phpunit/wiki/End-of-Life-for-PEAR-Installation-Method

Hasin Hayder:
Create personalized phar files in PHP
Jan 15, 2014 @ 09:32:42

Hasin Hayder has a quick post talking about the creation of personalized phar files (packaged up PHP applications) using the Box Project tool.

Created a screencast to show how you can create phar files, most importantly personalized phar files to store some information inside it and protect it using user’s password. Those information is usable only when user providers a correct password. For packaging, I have used http://box-project.org which is an excellent phar packager. I’ve also used two functions from Josh Hartman’s blog to encrypt and decrypt data using Rijndael algorithm.

You can watch the full screencast over on YouTube. It walks you through the entire process of creating a simple script, using the two functions (mc_encrypt and mc_decrypt) to handle the encryption and defining the Box configuration JSON to create the package.

tagged: phar file tutorial screencast boxproject encryption password

Link: http://hasin.me/2014/01/14/create-personalized-phar-files-in-php

Sebastian Bergmann:
Using PHPUnit from a PHP Archive (PHAR)
Oct 08, 2012 @ 10:18:52

PHPUnit, the popular PHP unit testing tool, has undergone some changes in its methods of deployment. First it was integrated into the Composer/Packagist dependency management system and now it's been implemented as a phar archive. Sebastian Bergmann explains how to use it in his latest post.

Downloading a single file to use PHPUnit? Not an idea that is too phar out anymore! Starting with version 3.7.5, PHPUnit seems to finally work correctly when packaged as a PHP Archive (PHAR).

He includes a list of steps you can follow to pull down the latest code and use the phar branch that executes with the archive file instead of the local "phpunit" executable. Of course, you can still (as always) install PHPUnit via the PEAR process as well.

tagged: phpunit phar archive tutorial checkout execute


Box - Making Creating PHARs Easier
Aug 24, 2012 @ 10:33:52

There's a new project on Github that wants to help making your phar archives for your PHP applications. The process is a little obtuse right now and Box wants to simplify it.

Box is a library and command line application for simplifying the PHAR creation process. [Features include] creating new PHARs with a simple configuration file, add and replace files in existing PHARs, extract existing PHARs, with option to cherry pick files and verify PHAR signatures.

The project is still relatively young but it looks like it's off to a good start. Phar files are a powerful tool to have in a PHP developer's arsenal but developing them can be a pain. Hopefully something like this can make life easier.

tagged: project phar build manage creation github