
Openwall.com:
php_mt_seed went beyond PoC (mt_rand seed cracker)
Nov 05, 2013 @ 18:49:12

As Openwall.com has reported, a flaw has been found in PHP's mt_rand functionality that allows its output to be predicted from just a few of the other values it produced.

With the functionality added in October, our php_mt_seed PHP mt_rand() seed cracker is no longer just a proof-of-concept, but is a tool that may actually be useful, such as for penetration testing. It is now a maintained project with its own homepage: http://www.openwall.com/php_mt_seed/.

They include a bit of illustration code showing how the seed cracker works - generating 10 "random" numbers between 0 and 9. An example of running the "php_mt_seed" command against these values is shown along with the time to crack (just under 20 seconds). There's also an example of cracking when you don't know all 10 numbers in the sequence. This further reinforces the best practice of not using mt_rand when you need strong random numbers for the security-related functionality of your application (something like openssl_random_pseudo_bytes is a much better option).
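The point behind the cracker is that mt_rand() is a pure function of a 32-bit seed: whoever knows the seed knows every value drawn from it. The following added example (not code from the Openwall post; the seed value is a constructed sample) reproduces the "10 numbers between 0 and 9" sequence from a seed to show that determinism, then shows the openssl_random_pseudo_bytes alternative with its strength flag checked.

```php
<?php
// Added example, not from the Openwall post. mt_rand() output is fully
// determined by the seed passed to mt_srand(), so a recovered seed yields
// every past and future value. openssl_random_pseudo_bytes() has no such seed.

// Draw $count values in [0, 9] after seeding, like the Openwall illustration.
function draw_sequence(int $seed, int $count = 10): array {
    mt_srand($seed);
    $out = [];
    for ($i = 0; $i < $count; $i++) {
        $out[] = mt_rand(0, 9);
    }
    return $out;
}

$seed   = 1383594552;             // constructed sample seed, not from the page
$first  = draw_sequence($seed);
$second = draw_sequence($seed);   // same seed -> identical "random" numbers
echo implode(' ', $first), PHP_EOL;
var_dump($first === $second);     // bool(true): the sequence is the seed

// Defensive alternative for tokens, session ids, reset codes and the like:
// take bytes from the CSPRNG and refuse to continue if OpenSSL reports that
// it could not use a cryptographically strong source.
function secure_token(int $bytes = 16): string {
    $strong = false;
    $raw = openssl_random_pseudo_bytes($bytes, $strong);
    if ($raw === false || $strong !== true) {
        throw new RuntimeException('No cryptographically strong random source available');
    }
    return bin2hex($raw);
}

echo secure_token(), PHP_EOL;     // 32 hex chars, different on every run
```

Running it twice prints the same ten mt_rand digits both times but a different token each time, which is exactly the property the cracker exploits and the CSPRNG denies.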

tagged: mtrand seed cracker proofofconcept poc openwall

Link: http://www.openwall.com/lists/announce/2013/11/04/1

David Adams:
Is ORM abstraction a pipe dream?
Oct 23, 2013 @ 14:59:21

David Adams has published a recent post that wonders if full ORM abstraction is a "pipe dream". ORM stands for "object relational mapper" and is commonly used as a layer between the application and a data source so that the data is worked with as objects rather than directly. He instead investigates replacing the ORM layer with multiple instances of repository pattern-structured code to abstract things even more.

I was recently introduced to the repository pattern, a type of abstraction and organizational technique. The idea being, create a repository for each of your models to retrieve and persist to and from. A supposed benefit of the repository pattern is the ability to abstract your ORM and create different implementations for Eloquent, Doctrine, Propel, etc. This abstraction intrigued me. I set off to put this idea into practice and see what it took. Here are my findings.

He looks into how Doctrine handles its entities and tries to mimic some of the logic, including the calls to "save" and "flush". He also looks at how to handle a few other common ORM-ish topics like relationships, validation and observers. Unfortunately, he hit a wall with his solution and wasn't able to figure out a good Repository-based solution.

tagged: repository designpattern proofofconcept orm object mapper doctrine entity

Link: http://programmingarehard.com/2013/10/21/is-orm-abstraction-a-pipe-dream.html

Gonzalo Ayuso:
Building a BDD framework with PHP
Aug 19, 2013 @ 14:49:57

Gonzalo Ayuso wanted to look into BDD (behavior driven development) in PHP and was looking around for a tool to fit his needs. He didn't find one right away and so decided to create a simple one as a proof of concept to try out the method for himself.

I want to write as little code as I can (it’s only a proof of concept), so I will reuse the assertion framework of PHPUnit. As I’ve seen when studying Behat, we can use the assertion part as standalone functions. We only need to include the vendor/phpunit/phpunit/PHPUnit/Framework/Assert/Functions.php file.

He includes the sample code showing his basic interface - a string calculation object being passed into a closure for evaluation by the PHPUnit assertion methods. He also includes an example of using it along with Mockery for creating a mock object and testing based on that.

tagged: bdd behaviordriven development framework proofofconcept poc mockery

Link: http://gonzalo123.com/2013/08/19/building-a-bdd-framework-with-php

Anthony Ferrara:
Taking Monads to OOP PHP
Jul 15, 2013 @ 16:21:42

Anthony Ferrara has a new post to his site about a concept from functional programming - monads - and how he's tried to bring them to PHP with a bit of proof of concept code.

Lately I've been playing around with some functional languages and concepts. I have found that some of these concepts are directly applicable in the OOP code that I've been writing. One of those concepts that I think is worth talking about is the Monad. This is something that every functional developer tries to write a tutorial on, because it's such a cool but hard to grasp concept. This post is not really going to be a Monad tutorial per se, but more of a post about bringing the general concept to OOP, and what that looks like.

He starts off with a brief definition of what a "monad" is, defining it as a sort of "state container." He then gets into the examples (using this code) showing how to create a Monad and bind functionality to it. He walks through some examples of the transformations you can do with it and introduces the ListMonad as an alternative for looping.

tagged: monads functional programming proofofconcept maybemonad listmonad

Link: http://blog.ircmaxell.com/2013/07/taking-monads-to-oop-php.html

Gareth Heyes:
Bypassing XSS Auditor
Feb 20, 2013 @ 17:21:29

Gareth Heyes has posted about some bypasses that he's found for getting around the XSS Auditor functionality in some browsers:

I had a look at XSS Auditor for a bit of fun because Mario said it’s getting harder to bypass. Hmmm I don’t agree. I seem to remember the same flaws are present from the last time I checked it with a little variation. It is also a very limited XSS filter not supporting detection of script based attacks (very common).

He includes three of his own bypasses - using a "formaction" on the submit input in a form, using "target" to override the iframe external resource restriction and the injection of a specially placed anchor tag. Each of these comes with a proof-of-concept example and another is also included courtesy of Mario Heiderich.

tagged: bypass xssauditor browser xss protection proofofconcept poc

Link:

Benjamin Eberlei's Blog:
Test your Legacy PHP Application with Function Mocks!
Mar 31, 2009 @ 16:18:31

Benjamin Eberlei has a suggestion for testing your application without having to mess around with creating new resources just for testing - use mocks.

Much talking is going on about Unit testing, Mocks and TDD in the PHP world. For the most part these discussions surround object-oriented PHP code, frameworks and applications. Yet I would assert that the reality for PHP developers (me included) is dealing with PHP 4, PHP 5 migrated, or non-object oriented legacy applications which are near to impossible to bring under test.

He includes a "proof of concept" for a replacement mysql_query function (created with Runkit) that sets up a "mocker" object which returns a "hello world" message when the mysql_query function is called.

tagged: mock function runkit proofofconcept mysqlquery resource

Link:
