QaFoo Blog:
Common Bottlenecks in Performance Tests
Apr 22, 2016 @ 11:24:46

On the QaFoo blog there's a post sharing some of what they've learned about the common bottlenecks in performance testing and some things you can do to determine the issues in your own tests.

Most developers have by now internalized that we should not invest time in optimizations before we know what happens exactly. [...] This is true for optimizations in your PHP code but also for optimizations regarding your infrastructure. We should measure before we try to optimize and waste time. When it comes to the assumed performance problems in your system architecture most people guess the root cause will be the database. This might be true, but in most projects we put under load it proved to be false.

So, how can we figure out where the problems are located in our stack?

They talk about some common testing practices using basic tools (like ab and siege) and having them perform common operations on the application. They then talk about testing for high load, monitoring the stack for the impact, and a few tools you can use to gather statistics. They end the post with a quick mention that, despite popular opinion, the issue isn't always the database's fault. Sometimes it's other technology that's in play, like file locking issues or processing for server-side includes, or other things that may only show up under high load.

tagged: common bottleneck performance test advice server monitor tool

Link: https://qafoo.com/blog/082_common_bottlenecks_in_performance_tests.html

Full Stack Radio:
Episode #35 - Jonathan Reinink - Fixing Common API Design Mistakes
Feb 24, 2016 @ 10:19:20

In the latest episode of the Full Stack Radio podcast host Adam Wathan talks with Jonathan Reinink about common API design mistakes and some recommendations on how to fix them.

In this episode, Adam talks to Jonathan Reinink of Code Distillery about common API design challenges and how to fix them. Topics include: when to use nested resources and when to avoid them, strategies for dealing with actions that don't seem to fit into REST, and using singular sub-resources and optional fields to simplify your responses.

You can listen to this latest episode either through the in-page audio player or by downloading the mp3 directly. If you enjoy the show be sure to subscribe to their feed or follow them on Twitter for news on when the latest episodes are released.

tagged: jonathanreinink common api design mistake podcast ep35 fullstackradio

Link: http://www.fullstackradio.com/35

Paragon Blog:
Building Secure Web Applications in PHP
Sep 21, 2015 @ 16:15:56

The Paragon Initiative has posted an article to their blog talking about how to build secure applications in PHP. Rather than get into the details of particular vulnerabilities, they stay relatively high level and stick with concepts to keep in mind and steps you can follow to ensure your development practices are secure.

Whether you're planning the development of a brand new application or trying to prevent legacy code from causing a costly data breach, if you're going to be writing PHP, where should you begin? That is the question we will attempt to answer, in detail.

The article starts with an "easy way out" for those that don't feel like they know enough or just don't have the resources they need: hire consultants. With that out of the way, the article mentions two root causes for insecure apps: lack of knowledge about security and bad development habits. They then get into some suggestions about how you can learn to understand and prevent vulnerabilities in your own applications. They focus on a few key places for PHP developers to pay attention to, complete with some charts showing the parts of the flow. The post ends with some advice on what to do if your site is compromised anyway and how to move forward.

tagged: secure application advice common issues developer

Link: https://paragonie.com/blog/2015/09/building-secure-web-applications-in-php

Kevin Ennis:
On Unit Testing
Jul 27, 2015 @ 11:48:31

On Medium.com Kevin Ennis has shared some thoughts on unit testing and how he's "done a 180%" on what kind of value he feels they bring.

There are a lot of really easy ways to rationalize not testing your code, and I’m probably guilty of saying each of them at one point or another. For some engineers, I think the reluctance to embrace unit testing is basically just FUD. Like so many other things, testing seems scary if you haven’t done it before.

But it’s also really difficult to fully understand the benefits of testing unless you’ve worked on a project that has good tests. So it’s easy to see why, without fully understanding the upside, many developers regard unit testing as an unnecessary step.

He goes through several of the common excuses for not writing unit tests and debunks them one at a time. He also includes a brief section at the end of the post with a recommendation on how to get started testing... essentially "just do it".

tagged: unittest opinion common rationalization fud

Link: https://medium.com/@kevincennis/on-unit-testing-1cc6798f81ee

Blackfire.io Blog:
How Blackfire leverages Docker
May 01, 2015 @ 10:08:34

The Blackfire.io PHP profiling service (from SensioLabs) has a new post on their blog today talking about how the service makes use of Docker to build the environments for testing out their users' code.

As you may know, Blackfire was represented at the SymfonyLive conference in Paris. During this event, several people came to us and asked how we use Docker at Blackfire.io. One of our goals is to make profiling straightforward for anyone, and it means that we need to be able to easily test our product on a lot of different platforms. And Docker gives us the ability to spin up new containers in milliseconds.

Moreover, our website relies a lot on different tools, so containers can also help us reach an iso-production development environment. But Docker is only available on Linux and a big part of Blackfire's team is using MacOS X. So how can one using MacOS X use the best of both worlds?

The post goes on to talk about their use of the boot2docker tool and how they use it for the environment customization most developers want out of their testing. They show how it updates the network settings, works with file sharing, and allows for multiple domain names/containers, along with solutions to some other common issues, including no container access and no name resolution, and a "bonus" section with a Skydock plugin for custom DNS naming.

tagged: blackfireio docker example common issue boot2docker

Link: http://blog.blackfire.io/how-we-use-docker.html

Pádraic Brady:
TLS/SSL Security In PHP: Avoiding The Lowest Common Insecure Denominator Trap
Apr 24, 2015 @ 10:30:50

In his latest post Pádraic Brady shares his thoughts about the state of TLS/SSL functionality in PHP and why he thinks developers should avoid the trap of targeting the "lowest common denominator" by opting for insecurity.

A few weeks back I wrote a piece about updating PHARs in-situ, what we’ve taken to calling “self-updating”. In that article, I touched on making Transport Layer Security (TLS, formerly SSL) enforcement one of the central objectives of a self-updating process. In several other discussions, I started using the phrase “Lowest Common Insecure Denominator” as a label for when a process, which should be subject to TLS verification, has that verification omitted or disabled to serve a category of user with poorly configured PHP installations.

This is not a novel or even TLS-only concept. All that the phrase means is that, to maximise users and minimise friction, programmers will be forever motivated to do away with security features that a significant minority cannot support by default.

He goes on to talk about how, while in some places targeting the lowest common denominator is okay, security isn't one of them. He also includes four basic principles developers can adhere to in order to avoid this trap:

  • You should never knowingly distribute insecure code.
  • You should accept responsibility for reported vulnerabilities.
  • You should make every effort to fix vulnerabilities within a reasonable time.
  • You should responsibly disclose vulnerabilities and fixes to the public.

He follows these up with three steps you can follow to migrate an insecure architecture into something much more robust. This includes identifying the consequences of the update and documenting the solutions you've chosen, be those configuration updates or library changes.

tagged: tls ssl security lowest common insecure denominator trap avoid

Link: http://blog.astrumfutura.com/2015/04/tlsssl-security-in-php-avoiding-the-lowest-common-insecure-denominator-trap/

SitePoint PHP Blog:
7 More Mistakes Commonly Made by PHP Developers
Jul 25, 2014 @ 11:29:28

Following several other posts with the "common mistakes PHP developers make" theme, Bruno Skvorc has posted his own list of seven things he sees developers doing over and over.

Back at the end of June, TopTal, the freelance marketplace, published a post about 10 Most Common Mistakes PHP Programmers Make. The list wasn’t exhaustive, but it was well written and pointed out some very interesting pitfalls one should be wary of – even if I wouldn’t personally list the mistakes as very common. I encourage you to give it a thorough read – it has some truly valuable information you should be aware of – especially the first eight points.

His additions to the list of common mistakes include:

  • Using the mysql extension
  • Not rewriting URLs
  • Assigning in Conditions
  • Being Too Transparent

You can read the full list and summaries of each in the rest of the post.

tagged: common mistakes list more

Link: http://www.sitepoint.com/7-mistakes-commonly-made-php-developers/

Anna Filina:
Common PHP Mistakes
Jul 21, 2014 @ 13:53:31

Anna Filina has posted her own addendum to a top ten list of common PHP programmer mistakes, adding seven more of her own.

I was recently asked by one of my readers to give feedback on the following article he read: 10 Most Common PHP Mistakes. It is well written and very thorough. Most of the tips are specific to PHP, others are about web programming in general or database performance. It’s a very good read. I was also asked to contribute to this list, so here are 7 more tips.

Her list of seven touches on topics like caching, allowing SQL injection, disabling error reporting and ignoring accessibility. She also includes some configuration settings, code and links to other tools/resources to help provide information on preventing these other mistakes.

tagged: common programmer mistakes additional tips

Link: http://afilina.com/common-php-mistakes/

Toptal Blog:
10 Most Common PHP Mistakes
Jul 17, 2014 @ 12:52:40

On the Toptal blog Ilya Sanosyan has a post sharing what he sees as the top ten most common mistakes PHP developers make on a day-to-day basis. While most of the tips are code-specific, there are one or two that are a bit more abstract.

PHP makes it relatively easy to build a web-based system, which is much of the reason for its popularity. But its ease of use notwithstanding, PHP has evolved into quite a sophisticated language, with many nuances and subtleties that can bite developers, leading to hours of hair-pulling debugging. This article highlights ten of the more common mistakes that PHP developers need to beware of.

Among the items on his list are things like:

  • Leaving dangling array references after foreach loops
  • Confusion about returning by reference vs. by value
  • Memory usage headfakes and inefficiencies
  • Assuming $_POST will always contain your POST data
  • Thinking that PHP supports a character data type

Each of the items comes with a good description, some code and suggestions on how to avoid and/or fix it in your applications.

tagged: common language mistakes top10 list

Link: http://www.toptal.com/php/10-most-common-mistakes-php-programmers-make

Timoh's Blog:
PHP data encryption cheatsheet
Jun 17, 2014 @ 10:52:44

Timoh has published a data encryption cheatsheet to his blog today. It's "a short guide" to help you prevent some of the more common encryption-related problems in your application, specifically around symmetric data encryption.

This cheatsheet assumes a “client-server” situation, which is probably a typical case with PHP applications. Naturally the recommendations given here are not the “only possible way” to handle data encryption in PHP, but this cheatsheet aims to be straightforward and tries to leave less room for mistakes and (possibly confusing) choices.

The cheatsheet includes information on topics like:

  • Encryption algorithm / mode of operation / nonce (initialization vector)
  • Encryption and authentication keys
  • Key stretching
  • Key storage and management
  • Data compression

It's jam-packed full of great information, so definitely check it out if you're doing any kind of encryption in PHP.

tagged: data encryption cheatsheet common mistakes

Link: https://timoh6.github.io/2014/06/16/PHP-data-encryption-cheatsheet.html