Aaron Saray:
Two Quick Tips for Securing PHP Sessions
Feb 15, 2016 @ 09:41:47

In a new post to his site Aaron Saray has shared two tips that can help you protect the information in your PHP sessions: two configuration options to enable that enforce stricter handling of the session identifier and improve overall session security.

Let’s talk a little bit about session fixation in PHP. Such a fun topic, right? Tons to get into here. But, let’s just touch the surface on two VERY SIMPLE things you can be doing now to make sure that your website is safe.

The two configuration options he mentions are ones that:

  • force the session identifier to use cookies (versus also allowing it from the URL)
  • enforce "strict mode" on the sessions

Each comes with a short description of what the setting does and the recommended value for the most protection. One note, though: strict mode is only available in PHP 5.5.2 or greater.

tagged: session security tip strict mode cookies useonly phpini configuration setting

Link: http://aaronsaray.com/2016/two-quick-tips-for-securing-php-sessions

Zend Developer Zone:
Z-Ray Tip #4: Getting Rid of It!
Jan 29, 2016 @ 10:44:14

On the Zend Developer Zone they've posted the fourth part in their series of tips around using the Z-Ray profiling tool in your PHP applications. In this fourth tip they show you how to "get rid of it" in certain parts of your application.

Well, while Z-Ray is a great friend to have when developing your apps, there are just some parties you don’t want it to show up at. You might be using PHP scripts for accessing static pages. Or, you might not want Z-Ray to be displayed for one specific request. In production, you most definitely don’t want Z-Ray popping up for users using your app!

There are numerous ways to disable Z-Ray both in development and in production to make sure your development workflow is not interrupted and your live apps are not affected. Here are a few of them.

They include a few different ways to disable the tool, including a function call in the code (zray_disable), a header in the HTTP request and, naturally, the Z-Ray toolbar itself. They also talk about setting it up for production in one of two modes: selective (only showing for certain requests) or completely disabled.

tagged: zray tip disable development production api get header selective

Link: http://devzone.zend.com/7149/z-ray-tip-4-getting-rid-of-it/

Lorna Mitchell:
Generating a File List for Phan
Nov 27, 2015 @ 10:38:33

Lorna Mitchell has shared a tip she's found helpful when using the phan static analysis tool: generating the list of PHP files to analyze with a simple grep.

Phan is the PHP Analyzer for PHP 7 code. I've been using it, partly out of curiosity, and partly to look at what the implications of upgrading my various projects will be. [...] I generated my filelist.txt files with a little help from grep - by looking for all files with opening PHP tags in, and putting that list of filenames into a file.

The phan tool is still pretty young but it provides a good example of how to use the new php-ast handling to parse and analyze PHP code.

tagged: phan file list generate quick tip grep static analysis tool

Link: http://www.lornajane.net/posts/2015/generating-a-file-list-for-phan

Scott Keck-Warren:
Making dataProviders More Maintainable
Sep 30, 2015 @ 09:44:18

Scott Keck-Warren has a quick post to his site sharing a method for keeping data providers maintainable in your unit tests. Data providers are a quick way to retest the same logic with several different types of data and not have an individual test for each.

I’m a big fan of using PHPUnit’s data providers feature because it allows you to easily run a lot of data through the same kinds of tests over and over again without having a bunch of duplicate code sitting around. But they aren’t always the easiest thing to come back to and understand.

He briefly introduces how data providers are used in PHPUnit testing, including a brief code example. The errors that come up with this common setup can be cryptic to debug. He recommends a slight alteration to the data provider's return structure: use an associative array instead of a single-level array. This way, if a test fails, the resulting message refers to the named key rather than a bare number, which makes more sense and aids debugging.

tagged: dataprovider maintainable phpunit tip associative array

Link: http://www.thisprogrammingthing.com/2015/making-dataproviders-more-maintainable/

Joshua Thijssen:
Debugging Symfony components
Jan 02, 2015 @ 09:44:53

Joshua Thijssen has a quick new post today talking about debugging Symfony components, sharing a simple but useful hint.

Don’t you hate it when you are stepping through your debugger during a Symfony application debug session, and all of a sudden it cannot find files anymore as Symfony uses code located in the bootstrap.php.cache instead of the actual Symfony component. Symfony creates these cache-classes in order to speed up execution, but it means that xdebug cannot find the correct code to step through anymore.

He found a solution in a few changes to his "app_dev.php" bootstrap file that alter the location of the autoloader and disable cache loading. This stops Symfony from loading the cached versions and makes it use the actual files and locations, which keeps the debugger much happier.

tagged: debug symfony component tip cache disable dev

Link: https://www.adayinthelifeof.nl/2014/12/31/debugging-symfony-components/

Rob Allen:
SSL certificate verification on PHP 5.6
Dec 23, 2014 @ 12:15:41

Rob Allen has a quick tip posted today about SSL certificate verification in PHP 5.6 and things that need to be updated thanks to recent improvements in PHP's SSL handling.

I recently updated my local OS X Zend Server installation to PHP 5.6 and when I ran composer self-update, I got this error message: "The "https://getcomposer.org/version" file could not be downloaded: SSL operation failed" [...] Googling around, I finally worked out that there have been various SSL improvements in PHP 5.6 and that the problem was that it couldn't find any OpenSSL certificates on my system. This isn't a total surprise as OS X has been moving away from using OpenSSL internally in favour of its own libraries.

To resolve the issue he found where PHP was looking for certificates (using openssl_get_cert_locations) and how a quick "brew install" of OpenSSL resolved it. Then, a quick update to the "openssl.cafile" path in the php.ini file points PHP at the right CA certificate file.

tagged: certificate validation ssl openssl php56 tip fix

Link: http://akrabat.com/php/ssl-certificate-verification-on-php-5-6/

Matthew Weier O'Phinney:
Deployment with Zend Server (Part 8 of 8)
Sep 18, 2014 @ 11:20:04

Matthew Weier O'Phinney has posted the last part of his "Deployment with Zend Server" series with part eight. This part focuses on some hints around the actual deployment and automation.

This is the final in a series of eight posts detailing tips on deploying to Zend Server. Zend Server SDK to deploy your Zend Server deployment packages (ZPKs) from the command line. Today, I'll detail how I automate deployment with zf-deploy and zs-client (the Zend Server SDK), and wrap up the series with some closing thoughts.

He quickly summarizes the previous parts of the series as individual steps and wonders if there's a better way than doing each of them manually. He shows exactly this with the automation handling that zf-deploy and zs-client offer combined with a make script defining steps for the deploy, ZPK update and a cleanup/Composer update task.

tagged: deployment zendserver tip series part8 automation make command zfdeploy zsclient

Link: https://mwop.net/blog/2014-09-18-zend-server-deployment-part-8.html

Matthew Weier O'Phinney:
Deployment with Zend Server (Part 2 of 8)
Aug 29, 2014 @ 11:55:04

Matthew Weier O'Phinney has posted the second part of his series with some tips around application deployment with Zend Server. In this latest post he shares his second tip related to recurring jobs.

This is the second in a series of eight posts detailing tips on deploying to Zend Server. The previous post in the series detailed getting started with zf-deploy to create ZPK packages to deploy to Zend Server. Today, I'm looking at how to create scheduled/recurring jobs using Zend Server's Job Queue; think of this as application-level cronjobs.

Instead of running the jobs as cron tasks (which may or may not be installed consistently when there are multiple servers), he opts for a software-based approach. He walks you through the use of the Zend Server Job Queue to create a simple recurring execution that runs a PHP script at a certain time. He includes some code examples, one showing just the scheduling of a job and the other showing how to detach previous jobs and add only the new ones that weren't scheduled before.

tagged: deployment zendserver tip series part2 cron recurring jobs

Link: http://mwop.net/blog/2014-08-28-zend-server-deployment-part-2.html

Paul Jones' Blog:
Interview Tip: Avoid Mentioning PHP Frameworks
Mar 20, 2012 @ 09:26:19

Paul Jones has offered a tip he thinks will help you in future interviews for a software development position - don't mention frameworks.

If the job description does not mention “Framework X,” you should probably avoid answering that you use “Framework X” to solve the problem presented to you by the interviewer. If I ask you to perform a simple task, such as parsing a string in a well-known format, saying “Framework X does that for me” is likely to be seen as a negative. You should be able to do the simple things in PHP itself (e.g. parsing strings).

He points out that, as someone currently in the interview process, he is frustrated by the fact that some developers rely so heavily on the functionality that frameworks give them that they don't know how to do some of the most basic tasks outside of them.

Saying that you use a feature of "Framework X" for simple things is a negative. It sounds like you’re dependent on that framework for basic tasks. That means we (the employers) will need to train you how to do it without that framework, and that’s a hassle for us.

tagged: interview tip developer framework avoid knowledge

Anson Cheung's Blog:
Top 10 PHP Best Security Practices for Sys Admins
Jan 30, 2012 @ 14:52:26

In this recent post to his blog Anson Cheung provides a set of helpful hints for sysadmins to follow when installing (or just securing) the PHP installations on their systems.

PHP is widely used for various kinds of web development. However, misconfigured server-side scripting can create all sorts of problems. Here are the PHP security best practices that you should be aware of when configuring PHP securely. Nowadays most web servers are operated under a Linux environment (like Ubuntu, Debian, etc.). Hence, in the following article, I am going to list the top 10 ways to enhance PHP security under a Linux environment.

His tips include:

  • Reducing the built-in PHP modules
  • Logging all PHP errors
  • Disabling remote code execution
  • Disabling dangerous PHP functions
  • Write protection on Apache, PHP & MySQL configuration files

tagged: sysadmin security install tip bestpractices configuration