Looking for more information on how to do PHP the right way? Check out PHP: The Right Way

Paragon Initiative:
A Gentle Introduction to Application Security
Aug 17, 2015 @ 10:51:56

The Paragon Initiative blog has posted a gentle introduction to application security for those new to some of the ideas of secure code and wanting to learn more.

If you are a web developer (or are thinking about teaching yourself web programming), you probably don't think of yourself as a security engineer, or a white-hat/blue-team member of an information security assurance team. You might have considered security threats in the context of quality assurance before (e.g. validating input), but perhaps you're no expert on the subject. But the second your code is deployed in production, your code is the front line of defense for that entire system and quite possibly the entire network. Logically, that means the software you produce must be made reasonably secure.

[...] This might seem like a lot of pressure. [...] I'm not going to say you need to become an application security expert. That very notion betrays the (largely untapped) potential for rich diversity in the technology communities. But I will say this: Application Security is Every Developer's Responsibility

They remind developers that there's a lot more than just 10 types of vulnerabilities (or even 25) and proposes a new model for thinking of security weaknesses in your applications. He outlines five points for assessing the security of your apps, not just common vulnerabilities to fix:

  • Failure to Separate Data from Instructions
  • Unsound Application Logic
  • Your Application's Operating Environment
  • Cryptographic Weaknesses

The fifth is a catch-all "miscellaneous" category that would contain things that are either crossing the boundaries of the other categories or are just each in their own category. He suggests we move on to a "more secure tomorrow", evaluate our applications along these criteria.

tagged: gentle introduction security application paragon initiative taxonomy

Link: https://paragonie.com/blog/2015/08/gentle-introduction-application-security

UserSnap Blog:
A Practical Guide to Building Fast Web Applications in the Cloud
Aug 14, 2015 @ 10:44:58

On the UserSnap blog Luciano Mammino has provided a guide to building fast applications in the cloud using PHP and several tools and techniques. He offers a list of six rules to follow to make building the applications fast (and fast applications).

In this post Luciano highlighted some of the most common principles you should consider while building high performing web applications (specifically on the backend part). The following concepts discussed here can be applied to any language and framework. Though this post will cover some concrete examples, design patterns and tools that are mostly used in the PHP ecosystem.

His list of rules includes tips like:

  • Avoid premature optimization
  • Defer the work you don’t need to do immediately
  • Use cache when you can
  • Prepare your app for horizontal scalability when possible

Each point comes with a paragraph or two of explanation as to why it's an issue to watch out for and some tips to help prevent it as well as tools that can help.

tagged: guide practical fast application top6 tips tools

Link: http://usersnap.com/blog/building-web-applications-cloud/

Community News:
PHP Mentoring Application Launched
Aug 13, 2015 @ 11:53:30

The PHP Mentoring organization has officially updated to an application rather than the GitHub wiki page for matching up mentors with potential apprentices. What is PHP Mentoring? Glad you asked...

We are a formal, personal, long term, peer to peer mentorship organization focused on creating networks of skilled developers from all walks of life. We are PHP developers first and foremost but that is not all we do, nor is it the only skill we intend to pass on to others.

We are mentors and apprentices, teachers and students, coaches, counselors and friends. We're not in this for profit but for the end result, a strong community of talented developers doing some fabulous work. We give back to the community as much as we take, we build up not tear down, and above all we believe in "play nice" and "code well".

The group looks to connect developers, matching those more experienced with ones maybe just starting out or wanting to learn more about a specific topic. They have some guidelines to follow if you're interested in becoming a mentor/apprentice. The application has just been launched and the mentor list is still being repopulated, but in the meantime you can check out the wiki page for more information on current mentors.

tagged: phpmentoring organization application mentor apprentice

Link: http://app.phpmentoring.org

Philip Brown:
Dealing with Exceptions in a Laravel API application
Aug 10, 2015 @ 11:57:43

In a post to his site Philip Brown shows a helpful way to manage API exceptions in a Laravel-based API application. In an API, exceptions are particularly important as they can be a hint to what the problem is and make it easier to return the correct error code to the client.

Exceptions are a very important method for controlling the execution flow of an application. When an application request diverges from the happy path, it’s often important that you halt execution immediately and take another course of action.

In today’s tutorial I’m going to show you how I structure my Laravel API applications to use Exceptions. This structure will make it very easy to return detailed and descriptive error responses from your API, as well as make testing your code a lot easier.

He starts with a brief introduction to HTTP status codes and their role in the interaction between client and server. He then gets into the "exception foundation" and how it will work, providing some basic common functionality (like throwing a 404 when a record isn't found, regardless of the type). He creates a configuration file to define the default error messages, an abstract Exception the custom instances can extend. He creates several of these as an example, such as a "UserNotFound" exception that extends the base "NotFound" exception class. He works with Laravel's own exception handlers and includes the code to catch a few different types inside.

tagged: exception laravel api application custom base handler tutorial

Link: http://culttt.com/2015/08/10/dealing-with-exceptions-in-a-laravel-api-application/

SitePoint PHP Blog:
Appserver – a Production-ready PHP-based Server
Aug 06, 2015 @ 08:57:44

The SitePoint PHP blog has posted a new review of Appserver, a "production-ready PHP application server" that includes a web server written in PHP. Appserver is a downloadable project that can be run on any server that already has PHP installed.

You’re probably asking, “Why is appserver paradigm changing?” The answer is, because it tackles the last frontier of PHP application development: high performance for large applications from a server resource optimization and collaboration perspective. This is the realm of PHP development which a good number of professional PHP developers have been calling for, like Manuel Lemos in his “PHP7 Features and Release Date” blog (see the section about a “Standalone Multi-threading Web Server”) and Fabien Potencier, father of Symfony, in his presentation “My Take on PHP”, where he notes he is also working on such an application server solution himself. Well, look no longer Fabien, we already have a really good solution with appsever.io.

In this first part of a new series author Scott Molinari introduces some of the basic concepts behind an appserver in general and helps you get the software installed. He talks about threading and compares the typical PHP server stack against the appserver approach. The main difference is that, with the appserver, there's more control over what's destroyed for each request, allowing more control over the execution and reuse of components. He points out that it does require a bit of different kind of thinking to write code that works with an appserver. He finishes off the post with a few quick steps to getting the latest version of the Appserver build into a local VM via the apt-get package manager and starting it up.

tagged: appserver appserverio application server introduction part1 series concept installation

Link: http://www.sitepoint.com/appserver-a-production-ready-php-based-server

Paragon Initiative:
Secure Data Encryption in Web Applications with PHP
Aug 03, 2015 @ 10:58:47

The Paragon Initiative has posted a new white paper to their site covering secure data encryption in web applications written in PHP. The paper covers high level topics and offers some more practical suggestions about tools and guides to use in protecting your applications.

Encrypting network communications is absolutely essential to the security of anyone who wishes to use your website or application. The standard and most reliable form of network encryption is called Transport Layer Security (TLS), which was preceded by and older standard called Secure Socket Layer (SSL).

Websites that use SSL or TLS are accessible by typing https://domain.com into your browser instead of just http://domain.com. Consequently, the shorthand way to refer to HTTP over TLS is simply HTTPS. Contrasted with network cryptography, storing sensitive information is a much more challenging and interesting problem to solve, and is the focus of this paper.

Among the topics covered in the white paper are things like:

  • The flow of a HTTPS request (and if it's "fast" or not)
  • Secure password storage and handling
  • On-demand encryption/decryption
  • Cryptography library recommendations
  • Using asymmetric cryptography with public and private keys

They also point to this curated list of resources to help you learn more about general web application security including cryptography.

tagged: secure application cryptography https password library libsodium resources

Link: https://paragonie.com/white-paper/2015-secure-php-data-encryption

Luciano Mammino:
6 Rules of thumb to build blazing fast web server applications
Jul 28, 2015 @ 09:48:33

Luciano Mammino has posted six tips for blazing fast web applications to his site. These tips aren't as much specific to the code (though they're related) as they are general good practices around architecture, development work and common issues.

In this post I will try to highlight some of the most common principles that you have to take under consideration when you want to achieve a great level of performance while building a web application (specifically on the backend part). I believe the concepts discussed here can be applied to any language and framework even if, due to my specific experience, I will mention some examples, design patterns, conventions and tools that are mostly used in the PHP world.

His post lists out six main rules along with some description and links to other tools for each:

  • Avoid premature optimization
  • Do the minimum amount of work to solve the problem
  • Defer the work you don't need to do immediately
  • Use cache when you can
  • Understand and avoid the N+1 query problem with relational databases
  • Prepare your app for horizontal scalability when possible

There's lots of good tools mentioned here so find one that fits your needs and helps solve the issue. There's also some good articles mentioned, giving more information about a particular topic or other perspectives on how to solve it a different way.

tagged: tips rulesofthumb fast web application optimize work cache nplusone scale horizontal

Link: http://loige.co/6-rules-of-thumb-to-build-blazing-fast-web-applications

Symfony Blog:
The Symfony Demo application, three months later
Jul 27, 2015 @ 10:27:02

The Symfony blog has a post that talks about the state of the Symfony "Demo" application three months after its release. The "Demo" application is a simpler way to get an entire Symfony 2 application up and running, giving you a good foundation for either your own development or quick testing.

The [Symfony Demo application](https://github.com/symfony/symfony-demo) was publicly introduced three months ago. In addition to being a learning resource, it's considered the reference implementation of the [Symfony Best Practices](http://symfony.com/doc/current/best_practices/index.html). During the past weeks, we've been busy adding new features to showcase Symfony functionalities. This article is a quick recap of the most important new features.

They talk about four different improvements to the demo setup and configuration process:

  • Full internationalization
  • New console commands
  • New technical requirements checker
  • New JavaScript and Sass/CSS management

They also briefly mention a few other miscellaneous changes at the end of the application around security, debugging helpers and more functional testing.

tagged: symfony demo application improvements symfony2

Link: http://symfony.com/blog/the-symfony-demo-application-three-months-later

Lorna Mitchell:
Test Your PHP Application on PHP 7
Jul 24, 2015 @ 09:06:53

Lorna Mitchell has a post to her site showing you how to get a PHP7 setup and working so you can test out your current application, preparing it for this next major version's release.

PHP 7 is coming, which is nice, but what does it mean for the majority of PHP developers? PHP as a community is notoriously slow in adoption, some of us are still waiting for 2012's new shiny to be available as standard on our hosting platforms. However with the performance benefits and a few really nice new features, PHP 7 is well worth everyone's attention, and it's actually quite easy to get started so here's my quick howto.

The large part of the post is the steps you'll need to get the php7dev box (from Rasmus Lerdorf) up and running, complete with a shared folder mounted from your local machine and a custom Nginx configuration. She also mentions the "Go PHP7" initiative that's aiming to help make the transition to PHP7 as easy as possible for everyone (including various extensions).

tagged: test application php7 php7dev vm virtualmachine setup configure

Link: http://www.lornajane.net/posts/2015/test-your-php-application-on-php-7

Paragon Initiative:
Implementing Secure User Auth in PHP Applications with Long-Term Persistence
Jul 23, 2015 @ 10:14:23

On the Paragon Initiative blog there's a post showing you how to implement secure authentication with long term persistence (a secure "remember me" essentially) in a PHP application

A common problem in web development is to implement user authentication and access controls, typically accomplished through sign-up and log-in forms. Though these systems are simple enough in theory, engineering one that lives up to application security standards is a daunting undertaking.

Without a great deal of care and sophistication, authentication systems can be as fragile as a cardboard lemonade stand in a category five hurricane. However, for everything that can go wrong, there is an effective (and often simple) way to achieve a higher level of security and resilience.

He starts with a look at passwords - how to correctly hash them, how salts play into it and some suggestions about password policies. From there he gets into the "remember me" handling, giving two common problems with most systems: insufficient randomness and timing leaks (timing attack issues). He then proposes a different kind of solution, storing some additional information in the database record, a "selector" that's not timing dependent to find the record then use a timing attack safe method to compare the hashes. He ends the post with a brief look at account recovery and some things to watch out for if you plan to implement it.

tagged: secure authentication application longterm persistence

Link: https://paragonie.com/blog/2015/04/secure-authentication-php-with-long-term-persistence