
Davey Shafik:
Class Constants, How Do They Work? (Or: You Learn Something New Every Day...)
Jul 09, 2015 @ 08:24:43

Davey Shafik has posted a quick article to his site talking about class constants and something new he learned about them (and how it relates to the uniform variable syntax handling in PHP7).

Yesterday on Twitter there was a conversation started by Marco Pivetta regarding a particularly horrible bit of code he had spotted [that] creates a string using sprintf() by prefixing ::PARAMNAME with the result of calling get_class() on the $api variable, and then passes that string into constant(), which will give you the value of a constant using its string name.

The conversation continued with comments from Elizabeth Smith about why this workaround was needed in the past. Davey also suggested that it wouldn't work as expected if the input is an object rather than a string, but a test from Trevor Suarez showed that it does work. He ends the post talking about PHP 7 and showing how, thanks to the uniform variable syntax changes, this same kind of handling can be done in many other ways too.

tagged: class constant php7 uniform variable syntax getclass object string

Link: http://daveyshafik.com/archives/69193-class-constants-how-do-they-work-or-you-learn-something-new-every-day.html

Paragon Initiative:
How to Safely Generate Random Strings and Integers in PHP
Jul 08, 2015 @ 12:49:51

The Paragon Initiative blog has posted a guide to what they see as a way to safely generate random strings and integers in PHP applications.

Generating useful random data is a fairly common task for a developer to implement, but also one that developers rarely get right. [...] It's generally not okay to use a weak random number generator unless both of the following two conditions are met: the security of your application does not depend in any way on the value you generate being unpredictable or there is no requirement for each value to be unique (up to a reasonable probability).

He gives some examples of places where it's a must to use a "cryptographically secure pseudo-random number generator" including generating random passwords, encryption keys or IVs for data in CBC mode. The article goes on to talk about some of the problems that could come from using weak generators. It then gets into the process for generating random values and the use of the random_* functions in PHP (or using this polyfill) to more safely generate the numbers. Included is code showing the process and some advice around converting random bytes to both strings and integers.
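As an added example (not code from the Paragon post), here is the "pick each character with a CSPRNG" approach the article recommends, placed beside the byte-plus-modulo shortcut it warns against; it assumes PHP 7's random_int()/random_bytes() or the random_compat polyfill the post mentions.

```php
<?php
// Uniform random string: each character index comes from random_int(), which
// does its own rejection sampling over the alphabet range and throws an
// exception (rather than falling back to rand()) if no secure source exists.
function secureRandomString(int $length, string $alphabet): string
{
    if ($length < 1 || strlen($alphabet) < 2) {
        throw new InvalidArgumentException('need length >= 1 and an alphabet of 2+ characters');
    }
    $max = strlen($alphabet) - 1;
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $alphabet[random_int(0, $max)];
    }
    return $out;
}

// The tempting shortcut: secure bytes reduced with "%". The bytes are fine, but
// for a 62-character alphabet 256 % 62 = 8, so the first 8 characters of the
// alphabet are selected 5 times out of 256 and the rest only 4 times (modulo
// bias). That is why the article converts bytes to integers with care instead.
function biasedRandomString(int $length, string $alphabet): string
{
    $n = strlen($alphabet);
    $bytes = random_bytes($length);
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $alphabet[ord($bytes[$i]) % $n];   // biased whenever 256 % $n != 0
    }
    return $out;
}

$alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
echo secureRandomString(32, $alphabet), PHP_EOL;   // e.g. a password reset token
echo biasedRandomString(32, $alphabet), PHP_EOL;   // looks the same, slightly skewed

// Secure integer in a range: random_int() already handles the conversion from
// bytes to an unbiased integer, so no manual arithmetic is needed.
echo random_int(100000, 999999), PHP_EOL;          // e.g. a one-time code
```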

tagged: safe generation random string integer php7 randomcompat security

Link: https://paragonie.com/blog/2015/07/how-safely-generate-random-strings-and-integers-in-php

Nikita Popov:
Internal value representation in PHP 7 - Part 2
Jun 22, 2015 @ 10:45:41

Nikita Popov has posted the second part of a series looking at how PHP 7 represents values internally. In the first part of the series the focus was on the major change from PHP 5: the zval updates and how they're allocated. This new post gets into more of the details on each of the types and how they're handled.

In the first part of this article, high level changes in the internal value representation between PHP 5 and PHP 7 were discussed. As a reminder, the main difference was that zvals are no longer individually allocated and don’t store a reference count themselves. Simple values like integers or floats can be stored directly in a zval, while complex values are represented using a pointer to a separate structure.

[...] In the following the details of the individual complex types will be discussed and compared to the previous implementation in PHP 5. One of the complex types is references, which were already covered in the previous part. Another type that will not be covered here is resources, because I don’t consider them to be interesting.

He goes through a few of the different types, including strings and arrays, and then gets into detail on how objects have changed from PHP 5 to PHP 7. He also talks about "indirect zvals" (the IS_INDIRECT handling), a zval that points to another zval instance rather than embedding it. Finally, he talks about two other type tags, IS_CONSTANT and IS_CONSTANT_AST, and how they're used behind the scenes, with some example code to illustrate.

tagged: internal value variable representation php7 zval types string array object constant ast

Link: http://nikic.github.io/2015/06/19/Internal-value-representation-in-PHP-7-part-2.html

Derick Rethans:
Xdebug 2.3: Shared Secret to Enable Tracing or Profiling
Apr 07, 2015 @ 11:19:44

Derick Rethans has posted another in his series covering the latest release of the Xdebug debugging tool for PHP, version 2.3. In this new article Derick introduces the "shared secret" handling: a custom string that the XDEBUG_PROFILE (or XDEBUG_TRACE) trigger must carry before the profiler or tracer will start.

Xdebug's profiling and trace file capabilities can both be triggered by a cookie, GET or POST variable, as long as you have enabled xdebug.profiler_enable_trigger and/or xdebug.trace_enable_trigger. With these triggers enabled, basically anybody could initiate a profile run, or trace file, by simply sending the XDEBUG_PROFILE or XDEBUG_TRACE cookies with an HTTP request. Although you should not really run Xdebug in production, you can see that this is not an optimal solution. Xdebug 2.3 adds support for shared secrets for the trace file and profiler triggers through the xdebug.trace_enable_trigger_value and xdebug.profiler_enable_trigger_value settings.

He points out a browser extension, The easiest Xdebug, that already has support for this new feature. He also mentions two other tools that have yet to integrate support for these shared secrets (but hopefully will soon): Xdebug helper and xdebug-helper-for-safari.
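The difference between the two configurations the post describes, as an added php.ini example (not taken from Derick's article); the secret value is a placeholder.

```ini
; Xdebug 2.3 settings discussed in the post.

; Weak: with only the triggers enabled, any request that carries an
; XDEBUG_PROFILE / XDEBUG_TRACE cookie, GET or POST parameter starts a profile
; run or trace file, so anyone who can reach the server can fill its disk.
xdebug.profiler_enable_trigger = 1
xdebug.trace_enable_trigger = 1

; Corrected: the trigger only fires when its value matches the shared secret,
; e.g. ?XDEBUG_PROFILE=REPLACE-WITH-A-LONG-RANDOM-SECRET (placeholder value).
xdebug.profiler_enable_trigger_value = "REPLACE-WITH-A-LONG-RANDOM-SECRET"
xdebug.trace_enable_trigger_value = "REPLACE-WITH-A-LONG-RANDOM-SECRET"
```

Note that Xdebug 3 renamed these options (xdebug.mode, xdebug.start_with_request=trigger and a single xdebug.trigger_value), so this fragment applies to the 2.x line the post covers.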

tagged: xdebug series release secret string tracing enable production extension

Link: http://derickrethans.nl/xdebug-2.3-tracing-profiling-shared-secret.html

Rob Allen:
Throw an exception when simplexml_load_string fails
Sep 09, 2014 @ 09:27:13

In a quick post to his site Rob Allen shares a small class he's created that throws an exception, rather than emitting a warning, whenever SimpleXML fails to parse its input.

I keep having to look up how to stop the warnings that are emitted when simplexml_load_string & simplexml_load_file fail, so this time I've written the world's simplest little class to take care of it for me from now on.

His "Xml" class wraps around the SimpleXML functionality and checks to see if the resulting object is false. If it is, it uses some internal error handling to fetch the error message result and throws it as a "RuntimeException". This error string comes from a "getXMLErrorString" function that uses the libxml_get_errors function to get the resulting error list.
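A wrapper in the same spirit, as an added example rather than Rob's own class: it collects libxml errors instead of letting warnings through, throws a RuntimeException on failure, and (an addition not in the original) passes LIBXML_NONET so the parser never fetches external resources over the network.

```php
<?php
final class Xml
{
    public static function loadString(string $xml): SimpleXMLElement
    {
        // Collect errors internally instead of emitting PHP warnings.
        $previous = libxml_use_internal_errors(true);
        libxml_clear_errors();
        try {
            // LIBXML_NONET: no network access while parsing (DTDs, external entities).
            $result = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET);
            if ($result === false) {
                throw new RuntimeException(self::errorString());
            }
            return $result;
        } finally {
            libxml_use_internal_errors($previous);   // restore the caller's setting
        }
    }

    // Flatten libxml_get_errors() into one message, as the post's getXMLErrorString does.
    private static function errorString(): string
    {
        $messages = [];
        foreach (libxml_get_errors() as $error) {
            $messages[] = sprintf('line %d col %d: %s',
                $error->line, $error->column, trim($error->message));
        }
        libxml_clear_errors();
        return 'XML parse error: ' . implode('; ', $messages);
    }
}

// Constructed inputs: the first is well-formed, the second has an unclosed <item>.
$doc = Xml::loadString('<root><item id="1">a</item></root>');
echo (string) $doc->item['id'], PHP_EOL;

try {
    Xml::loadString('<root><item>a</root>');
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

On PHP versions before 8.0, also call libxml_disable_entity_loader(true) before parsing untrusted XML, since external entity loading was still enabled by default there.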

tagged: simplexml load string file fail exception error handling

Link: http://akrabat.com/php/throw-an-exception-when-simplexml_load_string-fails/

SitePoint PHP Blog:
How to Create a Unique 64bit Integer from String
Aug 14, 2014 @ 12:55:33

In the latest post to the SitePoint PHP blog Vova Feldman shows how to derive a 64-bit integer fingerprint from a string's hash, one that is unique for each input up to a very low collision probability.

PHP provides the popular md5() hash function out of the box, which returns a 32 hex character string. It’s a great way to generate a fingerprint for any arbitrary length string. But what if you need to generate an integer fingerprint out of a URL?

He describes the real-world situation he was facing - a rating widget that needed a randomized integer based on the page using it - and the two "sub-challenges" that make it up: URL canonicalization and the string-to-unique-64-bit-integer problem. He tackles each problem and shares code snippets showing the process and how it can be put to use. He also includes some interesting metrics at the end of the post showing the level of hash collisions (hint: it's a very low number).

tagged: unique integer string 64bit tutorial md5 hash

Link: http://www.sitepoint.com/create-unique-64bit-integer-string/

Edd Mann:
Reversing a Unicode String in PHP using UTF-16BE/LE
May 12, 2014 @ 10:55:00

Edd Mann looks at an issue in his latest post that caused him problems in a recent project, reversing a Unicode string with UTF-16BE/LE.

Last week I was bit by the Unicode encoding issue when trying to naively manipulate a user's input using PHP's built-in string functions. PHP simply assumes that all characters are a single byte (octet) and the provided functions use this assumption when processing a string. [...] You should be aware that in 'Western Europe' we commonly only use the basic ASCII character-set (consisting of 7 bytes). This makes the transition to the popular 'UTF-8' Unicode representation almost seamless, as the two map one-to-one. I wish, however, to discuss how to reverse a Unicode string (UTF-8) using a combination of endianness magic and the 'strrev' function.

He provides two different approaches to the problem. The first he calls the "naive" approach because it corrupts any character that needs more than a two-byte representation. His second solution, the "endianness" method, converts the string to big-endian UTF-16 first, reverses it, and then converts it back to UTF-8 for more correct handling.
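The endianness trick as an added example (not Edd's code), together with the case it still gets wrong: converting to UTF-16BE, reversing the bytes and decoding as UTF-16LE reverses the 16-bit code units, but a character outside the Basic Multilingual Plane occupies two code units (a surrogate pair) whose order is swapped too. The second function, a code-point based reversal using preg_split with the /u modifier, handles that case.

```php
<?php
// Reverse via UTF-16: strrev() on the UTF-16BE bytes reverses the code units
// and also swaps the two bytes inside each unit, which is exactly the
// big-endian -> little-endian change, so the result decodes as UTF-16LE.
function reverseUtf16(string $utf8): string
{
    $be = mb_convert_encoding($utf8, 'UTF-16BE', 'UTF-8');
    return mb_convert_encoding(strrev($be), 'UTF-8', 'UTF-16LE');
}

// Reverse by Unicode code point: /u makes the empty pattern split between
// code points rather than bytes, so multi-byte and astral characters survive.
function reverseCodePoints(string $utf8): string
{
    $chars = preg_split('//u', $utf8, -1, PREG_SPLIT_NO_EMPTY);
    if ($chars === false) {
        throw new InvalidArgumentException('input is not valid UTF-8');
    }
    return implode('', array_reverse($chars));
}

// Constructed samples. All characters in $bmp fit in one UTF-16 code unit, so
// both functions agree; U+1F600 in $astral needs a surrogate pair, which the
// UTF-16 trick reverses unit by unit and therefore mangles.
$bmp    = 'héllo wörld';
$astral = 'ab😀';

echo reverseUtf16($bmp), PHP_EOL;
echo reverseCodePoints($bmp), PHP_EOL;
echo reverseCodePoints($astral), PHP_EOL;
var_dump(reverseUtf16($astral) === reverseCodePoints($astral));   // false: surrogate pair mangled
```

Code-point reversal still splits combining sequences (a base letter followed by a combining accent), so for user-visible text a grapheme-aware split (e.g. the intl extension's grapheme functions) is the safer choice.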

tagged: unicode string utf8 utf16 bigendian endian convert reverse string

Link: http://eddmann.com/posts/reversing-a-unicode-string-in-php-using-utf-16-be-le


NetTuts.com:
Refactoring Legacy Code: Part 2 - Magic Strings & Constants
Apr 03, 2014 @ 12:47:46

NetTuts.com has posted the second part of their "Refactoring Legacy Code" series today, picking up where the first part left off. They continue the refactor of their "trivia" application.

Old code. Ugly code. Complicated code. Spaghetti code. Gibberish nonsense. In two words, Legacy Code. This is a series that will help you work and deal with it. We first met our legacy source code in our previous lesson. [...] The time for the first changes has come, and what better way to understand a difficult code base than to start extracting magic constants and strings into variables? These seemingly simple tasks will give us greater and sometimes unexpected insights into the inner workings of legacy code. We will need to figure out the intentions of the original code author and find the proper names for the pieces of code that we've never seen before.

They talk about refactoring out things like "magic strings" and other hard-coded return values and checks. They mention updating the tests to reflect these changes while keeping an eye out for "magic constants" as well.

tagged: refactoring unittest magic string constant trivia

Link: http://code.tutsplus.com/tutorials/refactoring-legacy-code-part-2-magic-strings-constants--cms-20527

Dougal Campbell:
mysql vs mysqli in WordPress
Mar 07, 2014 @ 10:59:52

In his latest post Dougal Campbell shares his findings from a bug he was having with a plugin in WordPress. It revolved around whether the mysql or mysqli extension was in use, and the warnings that were being written to his logs as a result.

The plugin had previously worked fine (it generates a sidebar widget), and I wasn’t actively working on my site, so I wasn’t really sure when it had quit working. In the course of debugging the problem, I discovered that the plugin was throwing warnings in my PHP error log regarding the mysql_real_escape_string() function. As a quick fix, I simply replaced all of those calls with WordPress’ esc_sql() function. Voila, problem fixed.

He was interested in why this worked, though, and went digging in the code. As it turns out, the WordPress code tries to determine which mysql extension you have support for; his installation fit the "mysqli profile", so the mysql_real_escape_string function wasn't available. To the WordPress users out there, he suggests esc_sql or $wpdb->prepare() instead.

tagged: mysql mysqli wordpress escape string extmysql

Link: http://dougal.gunters.org/blog/2014/03/06/mysql-vs-mysqli-wordpress