Looking for more information on how to do PHP the right way? Check out PHP: The Right Way

Symfony Blog:
Preparing your Applications for PHP 7 with Symfony Polyfills
May 19, 2017 @ 11:07:50

The Symfony blog has posted an article showing you how to prepare your applications for a migration to PHP 7 with the help of various polyfill libraries. These libraries make it possible to use PHP 7 functionality in non-PHP 7 applications if the function in use isn't defined.

According to the May 2017 PHP Stats, 53% of PHP developers use PHP 7.0 or 7.1, but only 10% of Composer packages require PHP 7.0 or higher. In fact, 1 in 4 packages still require PHP 5.3, which is used by less than 1% of developers.

[...] Upgrading your development machines is usually a simple task, but upgrading the rest of the infrastructure (servers, tools, etc.) usually requires more resources. This is where Symfony Polyfills can help you preparing the code of your application for PHP 7.

The article briefly explains what polyfills are and how to load in the current Symfony set via a Composer install. There've provided functionality for PHP versions 5.4 through 5.6 as well as PHP 7.0 and 7.1 to ensure you have the most up to date functionality at your fingertips.

tagged: php7 application symfony polyfill library functionality composer tutorial

Link: http://symfony.com/blog/preparing-your-applications-for-php-7-with-symfony-polyfills

Paragon Initiative:
Preventing Timing Attacks on String Comparison with a Double HMAC Strategy
Nov 09, 2015 @ 12:07:19

The Paragon Initiative has a post showing you how to prevent timing attacks when comparing strings using a double HMAC method. Essentially this method replaces timing safe comparison methods (non-native) using a constant key in the HMAC generation.

One of the common cryptographic side-channels that developers should be aware of is how long a specific operation, such as a string comparison, takes to complete. Thus, they are called timing attacks. [...] Timing attacks are possible because string comparison (usually implemented internally via memcmp()) is optimized. [...] These concerns have led many security to propose a Double HMAC strategy instead of writing a constant time comparison loop where one is not already provided (e.g. PHP before 5.6.0).

He points out that while the has_equals approach can be effective in preventing this kind of issue, if you're not running PHP 5.6 you're a bit out of luck. There are polyfill functions that mimic it but he suggests another option - the double HMAC. He includes an example of the code to perform this kind of evaluation, using the same constant key value in the HMAC generation for both input strings. He then refactors this and shows how to use a more randomized key making use of the native CSPRNG functions coming in PHP 7 (ployfill available for this too).

tagged: prevent timing attack double hmac comparison hashequals polyfill

Link: https://paragonie.com/blog/2015/11/preventing-timing-attacks-on-string-comparison-with-double-hmac-strategy

Joe Watkins:
What Polly Really Wants
Sep 16, 2015 @ 11:49:03

Joe Watkins has a post to his site talking about polyfills and pthreads and some feedback he received during his work on the extension that allows for multi-threaded handling in PHP.

Recently a fellow githubber opened an issue for pthreads, they are writing a static analysis suite for PHP, and are attempting to integrate pthreads into their code. First thing to say is, I don't know where that will lead him. But it does give him the problem that a lot of environments don't have pthreads available, and or they aren't using a thread safe interpreter.

In the issue, he made the suggestion that we have a compatibility layer, a polyfill. I confess, this had never occurred to me before. Not only does it solve his problem but it actually serves as a useful tool ... I shall explain.

He starts by answering a question he's gotten a lot during his work on pthreads: "what's a good use case for threading?" Instead he answers a question that follows the intent a bit more: "What kind of code lends itself to threading?" He talks about units of work and separation of responsibility and how it "avoids synchronization" that could be caused by unforeseen circumstances. He instead recommends that, for most applications, true multi-threading probably isn't needed and a polyfill that simulates the functionality is probably good enough.

tagged: polyfill pthreads thread multithread synchronization

Link: http://blog.krakjoe.ninja/2015/09/what-polly-really-wants.html