Project:
RIPS - Static Source Code Analyzer for Vulnerabilities in PHP Scripts
Mar 20, 2012 @ 10:34:35

Gareth Heyes has pointed out an interesting tool today for analyzing the source of your application and trying to discover security-related issues: RIPS

RIPS is a tool written in PHP to find vulnerabilities in PHP applications using static code analysis. By tokenizing and parsing all source code files, RIPS is able to transform PHP source code into a program model and to detect sensitive sinks (potentially vulnerable functions) that can be tainted by user input (influenced by a malicious user) during the program flow. Besides the structured output of found vulnerabilities, RIPS also offers an integrated code audit framework for further manual analysis.

The project site lists out the features that come with the tool, what it searches for (including command execution issues, header injection, file manipulation and SQL injection) and some example screenshots of its interface. You can download the latest version and try it out for yourself.

tagged: rips security analyze code tool project

Sebastian Bergmann's Blog:
Using CLANG/scan-build for Static Analysis of the PHP Interpreter
Dec 16, 2011 @ 09:48:07

In a new post to his blog Sebastian Bergmann takes a quick look at using a static analyzer, clang and scan-build, to analyze the PHP interpreter (specifically during the compile process).

I have been tinkering with CLANG's static analyzer lately. This post summarizes how I installed LLVM and CLANG and performed the analysis of a build of the PHP interpreter.

He includes all the commands (unix-based) to get the clang tools/libraries installed in the correct places as well as what to add to your $PATH to get the "scan-build" command to work with the make and make install parts of the PHP compile process.

tagged: clang analyze build compile static install

Johannes Schlüter's Blog:
MySQL Query Analyzer and PHP
Sep 30, 2011 @ 12:56:54

Johannes Schlüter has a new post to his blog today mentioning the beta release of the mysqlnd_ms plugin (previously mentioned by Ulf Wendel) and a new feature that can be plugged into the MySQL Enterprise Monitor so that the Query Analyzer gets its data directly from PHP instead.

When running a PHP-based application with MySQL it is often quite interesting to see what actually happens on the database server. Besides monitoring of the system load etc., it is often interesting to see what queries are actually executed and which of them are expensive. A part of MySQL Enterprise Monitor is the MySQL Query Analyzer, which helps answering these questions.

Previously this was handled via a proxy that sat between the database and the application server and ran through the queries looking for improvements. The new plugin keeps the collection closer to PHP itself, without having to go through the proxy. You can see the result in the two screenshots from inside the Manager application. You also get the side benefit of a stack trace for each query as it runs through the app, which helps you identify the spots in the code most in need of improvement.

tagged: mysql query analyze mysqlndms plugin enterprise monitor

Sebastian Bergmann's Blog:
Towards Better Code Coverage Metrics in the PHP World
Jun 20, 2011 @ 08:10:57

Sebastian Bergmann has a new post to his blog talking about some of the future plans for better code coverage metrics for PHP applications (not just the statistics that we have now as generated from PHPUnit runs combined with Code_Coverage PEAR package and Xdebug).

Xdebug currently only supports what is usually referred to as Line Coverage. This software metric measures whether each executable line was executed. Based on the line coverage information provided by Xdebug, PHP_CodeCoverage also calculates the Function / Method Coverage software metric that measures whether each function or method has been invoked.

The various kinds of coverage they're planning for the future include statement coverage, branch coverage (boolean evaluation), call coverage, path coverage, and an alternative to it, linear code sequence and jump (LCSAJ) coverage.

tagged: codecoverage metrics analyze code xdebug phpunit phpcodecoverage pear

Web Development Blog:
404 Errors: Report, monetize and analyse
Jun 14, 2010 @ 12:55:05

On the Web Development Blog today there's a new post about 404 pages and some of the things you can do to make them a bit more useful than just a "not found" message.

As your website gets more pages and links, there is a chance that a visitor will follow a dead link to your site. If a visitor is trying to access a page that doesn't exist on your site, the server will (normally) report a 404 error. The response is by default an unfriendly page with sparse information about the error, which leads most visitors to stop visiting your site. But by using the 404 error the right way, you, the site owner, can collect important information.

He talks about some of the data that could be collected - what page they were requesting, where they came from, access statistics and more. The tutorial shows you how to harvest some of this information and how to put Google's Search and Adsense tools on the page as well as Google Analytics for tracking.

tagged: error page monetize analyze

Ibuildings techPortal:
phploc: PHP Lines of Code
Jan 28, 2010 @ 08:59:36

On the Ibuildings techPortal today there's a new article from Lorna Mitchell looking at the phploc tool as a way to analyze your code and pick out a whole selection of statistics.

This has been a feature of PHPUnit for some time but has been released as a separate project in the phpunit pear channel. The nature of PHPUnit means that many of these statistics can be collected while the tests are running, which is why it was added to that tool in the first instance.

Stats gathered include the number of directories, files, interfaces, methods, functions and constants, with more details for each (like visibility, actual lines of code contained in them and the cyclomatic complexity). The tool is very simple to use - just call it from the command line and give it a path to your codebase. It does the rest and spits out a text-based report.

tagged: phploc lines code analyze phpunit

Blue Parabola Blog:
Coding Standard Analysis using PHP_CodeSniffer
Mar 17, 2009 @ 07:57:47

Over on the Blue Parabola blog Matthew Turland recently posted a new tutorial on using the PHP_CodeSniffer PEAR package to check out how well your code adheres to the coding standard of your choice.

For the sake of consistency [on a client project], the development team had stuck with the coding standard used by the framework itself. However, evaluating the code manually is tedious and time-consuming. There's a solution to this type of problem: the PHP_CodeSniffer package from PEAR, which builds an infrastructure around tokenizers for PHP, CSS, and JavaScript and utilities to detect coding standard violations within code in any of those languages.

He includes example token output (the CodeSniffer package is based on the PHP Tokenizer extension) from a script and walks you through the initial setup of the package, how to create "sniffs" for the code you want to analyze and how to run them using the popular unit testing tool PHPUnit.

tagged: phpcodesniffer sniff coding standard kohana analyze pear phpunit

Christian Stocker's Blog:
Upload Progress Meter extension 0.9.2 released
Jan 22, 2009 @ 09:36:38

Christian Stocker has released the latest version of the uploadprogress extension to the PECL repository (0.9.2). The package allows the code to track the progress of an upload automatically.

The main new function since 0.9.1 is uploadprogress_get_contents($id), which allows you to analyse the content of an uploading file during the upload and take appropriate measures (for example, warn the user that he isn't uploading a supported video format). You have to enable this feature in php.ini to make it work. This feature was provided by Ben Ramsey, so you have to poke him if something's wrong with it.

A simple example of it in action is also included (in the /examples subdirectory of the PECL package) showing how to upload a file, get the progress and - most importantly - how to get useful error messages out of it.

tagged: upload progress pecl extension example contents analyze

Matthew Turland's Blog:
Log Analysis and PHP
Sep 03, 2007 @ 21:41:28

In a new post, Matthew Turland looks at one thing that he feels is missing from a lot of the PHP functionality currently available in the community today - log analysis features.

Log analysis is a fairly common task in the field of web development, most often analysis of web server traffic logs or what Wikipedia refers to as web analytics. PHP has no officially supported extensions designed specifically for log analysis. There are no related extensions in PECL. The only remotely related package in PEAR is PEAR_Log, which is for generating logs rather than parsing or analyzing them. In short, there is no common solution here.

He looks at the options that developers do have - build their own solution or go with a third-party option. He believes, though, that a PECL extension would be the better way to go, integrating more closely with PHP and allowing for easier parsing and manipulation of the data in their own log files.

tagged: log analyze pecl extension thirdparty
