
Michelangelo van Dam:
A word about my Have I Been Pwned package
Jan 03, 2019 @ 14:44:12

Based on the responses to a tweet he posted about the Have I Been Pwned package he created for PHP (found here), Michelangelo van Dam attempts to clear up how the package works in order to help calm some fears about how it handles passwords.

Yesterday evening I posted a Tweet about improving user-entered passwords using Troy Hunt's service Have I Been Pwned. [...] It went viral overnight with many likes and retweets. But I also got a ton of questions regarding the usage and the security of this package. It turns out many people are scared to send passwords over the internet and are afraid to just use a package (like mine) for password checking.

In his post he explains how the password lookup works, sending only the first five characters of the hashed version of the password to the HIBP server (not the plain-text password). He includes a helpful graphic to illustrate the process and includes an example - not directly from the package - of how the request might work. His package makes it much simpler to perform this validation in your application.

tagged: haveibeenpwned package password clarification password

Link: https://www.dragonbe.com/2018/12/a-word-about-my-have-i-been-pwned.html

Christian Weiske:
PHP: Allowed memory size exhausted
Jul 12, 2016 @ 17:17:20

Christian Weiske has a post to his site with a reminder about a common misconception that can happen because of the wording in a standard PHP message about memory exhaustion.

The indieweb.org wiki has a page about WordPress with a Criticism section.

One of those "issues" listed is Fatal Error memory exhausted [...but] I removed that section because it's nonsense to list a server configuration issue as Criticism.

While the admins reverted the change to put the message back, Christian explained the meaning of the error message to help clarify the situation. In the case of the example message, the "32 bytes" it mentions is not the total amount of memory it's trying to allocate; it's the amount it last tried and failed at. Christian also points out the role that PHP's own memory_limit setting plays in when this message might pop up.

tagged: allowed memory size exhausted error message clarification

Link: http://cweiske.de/tagebuch/php-memory-exhausted.htm

Stefan Koopmanschap:
Command or Controller
Jun 20, 2016 @ 17:04:18

In a post to his site Stefan Koopmanschap takes a look at the technical term "command" and tries to clear up some of the confusion around its use and how it differs from the idea of a "controller".

A couple of weeks ago while walking towards lunch with Jelrik we were having a bit of a discussion about the use of the term Command. Not long before that, Jelrik had asked a question about naming of Commands in our Slack channel, which led to some confusion.

He starts off by defining what a command is and why it's called a "command" instead of a controller (hint: it "just works" with the Symfony Console). He then gives an example of a command in a Symfony bundle structure and how a CLI "controller" can extend the Command and automatically be integrated into the command structure.

tagged: command controller clarification example difference symfony bundle

Link: http://leftontheweb.com/blog/2016/06/18/Command-or-Controller/

Matthew Weier O'Phinney:
PSR-7 is in Voting Stage!
Mar 20, 2015 @ 16:19:03

As Matthew Weier O'Phinney has posted, the PSR-7 PHP-FIG proposal is in the voting stages. The PSR-7 standard defines a unified interface for working with HTTP requests and responses.

As of a short bit ago, PSR-7 (meta) — HTTP Message Interfaces — is now in the voting phase! If you are a voting member of PHP-FIG, I urge you to read the specification and meta document now, and cast your vote accordingly.

I have written previously on the need for HTTP message abstractions, and also detailed how PSR-7 works. Those posts are still valid (I've kept the latter updated with all changes!). Since the review period, my sponsors and I have been looking over feedback and comments to see if any changes were needed. Fortunately, we've not found any substantive changes were really necessary; we have, however, made a few clarifications.

He clarifies some things around:

  • why base path concerns are not represented in the ServerRequestInterface or UriInterface
  • a note that UriInterface::getPath() MUST return the string "/" if the path is empty
  • that UriInterface implementations MUST percent-encode reserved characters in paths and query strings, per RFC 3986
  • why StreamableInterface is mutable, and provided guidelines to implementors and consumers regarding how and when to use writable streams
  • the addition of several sections to the meta documentation detailing solutions to common stream-based concerns

He also gets into a bit more detail about streams, base paths and some of the overall outcomes if the PSR-7 proposal passes (which it looks like it will so far).

If you adopt PSR-7, will you need to change your code? Almost certainly. The goal of PHP-FIG is to improve interoperability between projects, and PSRs typically attempt this via codification of what member projects are already doing.

tagged: psr7 voting stage clarification basepath stream outcome

Link: https://mwop.net/blog/2015-03-19-psr-7-ready-for-vote.html

