Looking for more information on how to do PHP the right way? Check out PHP: The Right Way

Jelle Raaijmakers:
Dissecting a spammer’s spam script
Apr 19, 2016 @ 13:48:37

In this post to his site Jelle Raaijmakers dives into a script that's commonly injected into vulnerable sites and used by spammers to send messages without the knowledge of the site owner.

Let’s take a look at a PHP script used to send spam. These types of scripts run on servers all over the world and might give you some insight into a spammer’s dedication to annoy the hell out of you. Spammers abuse known flaws in unsecured websites and applications to break into a server and install scripts that are able to send loads of spam.

[...] Everyone running a mildly popular WordPress site knows that exploits can be really easily introduced by installing plugins from a less than reputable source – or by not keeping your plugins up to date. Sometimes, a zero-day exploit for a popular WordPress plugins becomes known and thousands of installations worldwide are infected at once.

He then goes through a script he found in an infected WordPress instance of his own on a shared hosting provider. He talks about what these kinds of scripts usually look like (an encoded eval injected into current scripts) and the process he followed to dissect it:

  • Step 1: determine method of obfuscation
  • Step 2: introduce newlines
  • Step 3: replace the $j10 values
  • Step 4: concatenate constant strings
  • Step 5: replace function invocations
  • Step 6: prettify the PHP code
  • Step 7: remove default $j10 argument
  • Step 8: decode the $pate payload
  • Step 9: replace $_POST references
  • Step 10: map function and variable names

It's not a super simple process, but in the end he's left with the complete PHP script that loads a remotely defined configuration, tries to send the emails and even retries if there's a failure. He includes a few noteworthy things about the script including STMP connection auto-detection and DNS lookups over UDP.

tagged: spammer script dissection reverse engineer email spam security

Link: https://jelleraaijmakers.nl/2016/04/dissecting-spammers-spam-script

Rob Allen:
Using Composer with shared hosting
Dec 28, 2015 @ 09:25:44

Rob Allen has a post to his site talking about using Composer with shared hosting, showing how to use this popular tool even if you're on a shared hosting environment and don't have direct SSH or shell access.

I've seen this sentiment a few times now, so this seems like a good time to point out that you do not need SSH access to your server in order to use Composer. In fact, I don't run Composer on a live server (regardless of whether it's using shared hosting) and it's not on my list of things to do in the near future.

What you do need is a process where you handle your Composer dependencies on your own computer where you have PHP running.

He gives two possible solutions to the problem: either commit your dependencies or create some kind of build script that can execute the Composer install for you on deploy. He gives details on both of these solutions including the process for installing the dependencies with an automated FTP script (run at deploy rather than committed).

tagged: composer shared hosting ftp deploy script commit dependency

Link: https://akrabat.com/using-composer-with-shared-hosting/

Michelangelo van Dam:
Installing PHP 7 on OS X Yosemite
Dec 07, 2015 @ 09:40:34

Michelangelo van Dam has a post to his site, now that PHP 7 is released, showing you how to get it installed on OSX (Yosemite) for your local development.

Yesterday was the release of PHP7.0.0 and I wanted to have it on my mac as fast as possible. Since I'm still using Mac OS X Yosemite I will post here the steps to upgrade my platform, it might be useful for you too.

He starts with the requirements needed for the installation including XCode to be able to compile the PHP from scratch and the latest download of PHP 7 from php.net. He then talks about the benefits of compiling your own installation and shares a script that he uses to compile the PHP version he wants (based on a command line option). Once this is run the typical make and make install are executed and, if all goes well, your output for a /opt/php7/bin/php -v will look the same as his.

tagged: install php7 osx yosemite script compile custom module

Link: http://www.dragonbe.com/2015/12/installing-php-7-on-os-x-yosemite.html

Freek Van der Herten:
Zero downtime deployments with Envoy
Nov 23, 2015 @ 10:52:36

In this post to his site Freek Van der Herten shares an Envoy script that can be used to deploy an application to a remote server with (or without I suppose) one key thing: downtime.

Envoy is Laravel’s official task runner. Using a Blade style syntax tasks can be defined that can be run both locally and remotely. At Spatie, we’ve been using Envoy for quite some time to deploy code on production servers. [...] [Our trusty Envoy scriot] had a big downside: the application would be down for close to a minute. This week I took the time to solve that issue.

He talks about the changes he made to their deployment process towards using a symlink-based system as suggested by this guide. The result is an updated script that follows the same flow. He steps through the changes he made to the script and tweaks used to get the best performance out of the deploy process.

tagged: downtime deployment laravel envoy automation symlink update script

Link: https://murze.be/2015/11/zero-downtime-deployments-with-envoy/

Alejandro Celaya:
Working with sub-namespaced modules in Zend Framework 2 the right way
Aug 20, 2015 @ 10:56:26

Alejandro Celaya has a post showing how he recommends working with sub-namespaced modules in a Zend Framework 2 application. It's based on a previous series of articles on the same topic but improves the methods for handling.

The solution provided in those articles was functional, but it introduced some new problems to deal with. It happens that after some time working with sub-namespaced modules I have found the best way to solve those new problems, and I wanted to write this new article explaining it.

He starts with the two main problems with the use of sub-namespaced modules: the autoloading of the module's files and how it resolves the locations of view scripts. Fortunately, the solution to both issues turns out to be "really easy". Composer's autoloading means that just changing the directory structure helps there and and update to the controller_map value helps with locating view files.

tagged: subnamespaced modules zendframework2 autoload view script location

Link: http://blog.alejandrocelaya.com/2015/08/14/working-with-sub-namespaced-modules-in-zend-framework-2-the-right-way/

Matthew Weier O'Phinney:
Deployment with Zend Server (Part 3 of 8)
Sep 03, 2014 @ 09:34:51

Matthew Weier O'Phinney has posted the third article in his "Deploying Zend Server Tips" series today. In this tip he talks about file permissions and execution of shell commands.

In the first tip, I detailed writing deployment scripts. One of the snippets I shared was a chmod routine. [...] The code is fine; what I did not share is where in the deployment script you should invoke it. As I discovered from experience, this is key.

He points out that the deployment is run under a different user than the web server user. Future writes to those files by the web server could fail because of it, so he recommends running the permission change as the last step of the deployment script. If this ti was interesting and you'd like to check out more, you can find them in the first and second parts of the series.

tagged: zendserver deployment tips series part3 chmod script

Link: https://mwop.net/blog/2014-09-02-zend-server-deployment-part-3.html

PHPBuilder.com:
Using PHP Configuration Patterns Properly
Apr 16, 2014 @ 11:52:11

On PHPBuilder.com today they have a new post showing different configuration patterns for getting localized settings into your applications. They show the use of INI files, PHP scripts, text files, XML data and a database call.

PHP is a cross platform language. It is a server based application so we must think about the configuration settings of the PHP software. There are various ways of creating configurable PHP applications. The configuration flexibility comes as a built in feature in PHP. But we must understand the requirement clearly before making an application configurable. This article explores different PHP configuration patterns and their implementation.

For each of the options mentioned, there's a brief description of what the method is, some of the common uses and a code example showing a basic implementation. The database pattern is the only one without a code example as the database interface varies widely from application to application.

tagged: configuration pattern ini script text xml database

Link: http://www.phpbuilder.com/articles/application-architecture/using-php-configuration-patterns-properly.html

Joshua Thijssen:
Realtime PHPUnit
Feb 05, 2014 @ 09:22:52

Joshua Thijssen has a new post to his site sharing an interesting tool for those using PHPUnit for testing. It's a real-time plugin that executes your tests as soon as something in your files change.

Not all IDEs (actually, i haven’t seen even one IDE that does this), can run your unit-tests as soon as something changes. Inspired by Greg Young’s Mighty Moose system, the following script runs inside a shell, will wait for changes in your PHP-files, and runs the corresponding unit-test as soon as something changes. It doesn’t run the WHOLE unit-tests suite, but merely the test that matches up the source file.

His tool, found here on Github and uses a simple bash script that uses the file name being saved to locate the matching test and execute it, reporting back any errors that might have popped up. This could easily be hooked into most IDEs out there and keep the developer in one place.

tagged: realtime phpunit bash script

Link: https://www.adayinthelifeof.nl/2014/02/02/realtime-phpunit/

Lorna Mitchell:
GitHub-Powered Changelog Scripts
Jan 28, 2014 @ 09:29:20

In her latest post Lorna Mitchell has shared some scripts she uses to automate the creation of a changelog based on the GitHub issue comments and fixes.

My current project does periodic releases, we build a few things, then we work on getting a bunch of user feedback and changing/fixing things before we actually release. [...] When a branch merges in to the main line, we use the "fixes #42" notation to simultaneously close off the issue that it relates to. This has been working pretty well, and today I got the question "what's new since I last saw this project?" - so I created a changelog. It's rather rough-and-ready but I had fun so I thought I'd share.

The script operates off of a local git cloned version of the repository and grabs all commit messages with the tern "fixes" in it. The script then takes the log file, matches the issue ID and then makes a cur call out to the GitHub API to get that issue's description. This is then taken, formatted and dropped into the output.

tagged: changelog script automate changelog generate issue

Link: http://www.lornajane.net/posts/2014/github-powered-changelog-scripts

Kevin van Zonneveld:
It's Almost 2014 and We Are Still Committing Broken Code
Dec 30, 2013 @ 09:19:28

Kevin van Zonneveld has a new post that, while not PHP specific, does have a handy script that will help you stop committing broken code.

Whatever the reason, it's almost 2014 and we are still committing broken code. This needs to stop because best case: Travis or Jenkins prevent those errors from hitting production and it's frustrating to go back and revert/redo that stuff. A waste of your time and state of mind, you were already working on other things. Worst case: your error goes unnoticed and hits production.

To help resolve the problem, he suggests using the "hook" system common to most version control software. In his specific example, he shows the use of a pre-commit hook that fires off a bash script on the files being committed. He includes the full code for this bash script that includes a check for PHP scripts using the built in PHP linter (the "-l" option on the command line). He also includes the commands and updates you'll need to make to get it installed on git.

tagged: git precommit hook syntax error bash script tutorial

Link: http://kvz.io/blog/2013/12/29/one-git-commit-hook-to-rule-them-all/