Jordi Boggiano:
PHP Versions Stats - 2015 Edition
Nov 23, 2015 @ 13:17:54

It's come to "that time of year" again and Jordi Boggiano has posted the latest update in his series of PHP usage statistics. In this summary he looks at the PHP versions installed based on the packagist.org logs for developers using Composer.

It's that time of the year again, where I figure it's time to update my yearly data on PHP version usage. Last year's post showed 5.5 as the main winner and 5.3 declining rapidly. Let's see what 2015 brought.

[...] A quick note on methodology, because all these stats are imperfect as they just sample some subset of the PHP user base. [...] Composer sends the PHP version it is running with in its User-Agent header, so I can use that to see which PHP versions people are using Composer with. Of course this data set is probably biased towards development machines and CI servers and as such it should also be taken with a grain of salt.

He first compares the statistics for 2015 against the 2014 stats and shows the differences in usage for PHP versions 5.3.3 up to 5.6.0. Fortunately, the results show a rise in the usage of PHP 5.5 and a decline in all others, but it's not too much of a difference (in the 2-3% range). Pie graphs are also included to help visualize these differences. He also includes some statistics on which PHP versions are required by the packages listed on Packagist, with increases starting at 5.4 and the largest advance for 5.5.

tagged: usage statistics version comparison yearly packagist composer required

Link: http://seld.be/notes/php-versions-stats-2015-edition

SitePoint PHP Blog:
PHP vs Ruby – Let’s All Just Get Along
Nov 23, 2015 @ 09:36:09

On the SitePoint PHP blog Phil Sturgeon has written up a comparison of PHP versus Ruby, suggesting that we all just get along, from the perspective of a developer who works happily with both.

Quite often you see developers who have a lot of experience in one language try to play with another, then make a rather quick comparison between the two. This comparison is usually quite worthless, but the clickbait titles get them a lot of traffic.

Instead of doing that, I thought it would be interesting to have a slightly more fair comparison, from the perspective of someone who really enjoys writing both PHP and Ruby, and has done so for years. The aim here is not to find out which is “better”, but to point out a few key things I like about Ruby and its ecosystem.

He starts with some of the basic conceptual differences between the two languages, including the differences in methods/variables/properties and type hinting versus duck typing. He also covers some "fun features" of each language, including:

  • Nested classes
  • Using debuggers (and the tools offered)
  • "Unless" handling
  • Predicate methods
  • Shorter array syntax (in Ruby)

Many more are mentioned through the end of the post too, so be sure to check out the remainder of the article. Each point comes with some brief code examples showing how the feature is implemented in whichever language is being discussed.

tagged: ruby language comparison features differences

Link: http://www.sitepoint.com/php-vs-ruby-lets-all-just-get-along/

Paragon Initiative:
Preventing Timing Attacks on String Comparison with a Double HMAC Strategy
Nov 09, 2015 @ 12:07:19

The Paragon Initiative has a post showing you how to prevent timing attacks when comparing strings using a double HMAC method. Essentially this method replaces (non-native) timing-safe comparison functions by running both inputs through an HMAC with the same key before comparing them.

One of the common cryptographic side-channels that developers should be aware of is how long a specific operation, such as a string comparison, takes to complete. Thus, they are called timing attacks. [...] Timing attacks are possible because string comparison (usually implemented internally via memcmp()) is optimized. [...] These concerns have led many security to propose a Double HMAC strategy instead of writing a constant time comparison loop where one is not already provided (e.g. PHP before 5.6.0).

He points out that while the hash_equals approach can be effective in preventing this kind of issue, if you're not running PHP 5.6 you're a bit out of luck. There are polyfill functions that mimic it, but he suggests another option: the double HMAC. He includes an example of the code to perform this kind of evaluation, using the same constant key value in the HMAC generation for both input strings. He then refactors this and shows how to use a random key instead, making use of the native CSPRNG functions coming in PHP 7 (a polyfill is available for this too).
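As an added illustration of the double-HMAC idea summarized above (this is not Paragon's own code): both inputs are passed through an HMAC under one key generated fresh for the call, so any timing leak from the ordinary comparison reveals positions in unpredictable HMAC outputs rather than in the secret. It assumes random_bytes() is available (PHP 7, or the polyfill mentioned in the post) and falls back to the native hash_equals() where PHP ships one.

```php
<?php
/**
 * Timing-safe string comparison via double HMAC (added example, not Paragon's code).
 *
 * Both strings are HMACed under a key that is generated fresh for this call.
 * The === that follows may still leak at which byte the two HMAC outputs first
 * differ, but those outputs are unpredictable to an attacker, so the leak says
 * nothing about where $user differs from $known.
 *
 * No scalar type hints so it also parses on the PHP 5.x versions it targets.
 *
 * @param string $known the secret value (e.g. a stored token)
 * @param string $user  the value supplied by the caller
 * @return bool
 */
function double_hmac_equals($known, $user)
{
    if (function_exists('hash_equals')) {
        // PHP >= 5.6 ships a native constant-time comparison; prefer it.
        return hash_equals((string) $known, (string) $user);
    }

    // Assumption: random_bytes() exists (PHP 7+, or the random_compat polyfill).
    $key = random_bytes(32);

    // Raw binary output: both MACs are exactly 32 bytes, so === never
    // short-circuits on a length difference between the original strings.
    $knownMac = hash_hmac('sha256', (string) $known, $key, true);
    $userMac  = hash_hmac('sha256', (string) $user, $key, true);

    return $knownMac === $userMac;
}

// Constructed sample values for a local run.
$storedToken = 'b7d1c3e0f9a2'; // pretend this came from the database
var_dump(double_hmac_equals($storedToken, 'b7d1c3e0f9a2')); // identical input
var_dump(double_hmac_equals($storedToken, 'b7d1c3e0f9a3')); // differs in the last byte
var_dump(double_hmac_equals($storedToken, 'b7d1'));         // shorter input
```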

tagged: prevent timing attack double hmac comparison hashequals polyfill

Link: https://paragonie.com/blog/2015/11/preventing-timing-attacks-on-string-comparison-with-double-hmac-strategy

Alejandro Celaya:
My first approach to Zend Expressive
Sep 14, 2015 @ 10:50:40

The team behind the Zend Framework recently released a microframework of sorts that makes use of middleware as its primary location for processing: Zend Expressive. In this post to his site Alejandro Celaya takes a "first approach" to this new framework and shares some of what he's discovered.

One of the trending topics in the PHP world nowadays is the one about microframeworks. It started some years ago with Slim and Silex, but recently there has been an explosion of new microframeworks. First, Slim's team announced the third version of its own framework, which implemented the psr-7 HTTP standard by taking advantage of the middleware concept. [...] Then, Laravel launched the Lumen project, which is another microframework based on Laravel components [and] Zend framework's team launched Zend Expressive, which is similar to Slim 3 in the fact that it works with middleware and psr-7, built on top of zend-stratigility and zend-diactoros.

He starts the post off answering two "why" questions: "why microframeworks" and "why Zend Expressive". He then gets into the technical details, comparing some of the basic route handling across the different microframework projects (with code examples). He shows how Expressive allows the use of a service container as the main object instead of just defining routes (and which routers it's compatible with). He briefly covers some of the other pieces of the Expressive puzzle: template library support, the service container, error management and some other considerations to think about when evaluating the tool.

tagged: zendexpressive expressive microframework introduction overview comparison

Link: http://blog.alejandrocelaya.com/2015/09/12/my-first-approach-to-zend-expressive/

SitePoint PHP Blog:
The State of Accessibility in PHP Tools
Aug 03, 2015 @ 11:19:21

On the SitePoint PHP blog Parham Doustdar has posted a look at accessibility in PHP tools or how easy they make it for those with disabilities (such as his own blindness) to do their development work.

Usually when I tell people that I’m blind, many people ask me how I can use the computer. “Is someone reading you my messages?” I remember someone asking. Many people imagine that I have this super-nifty speech recognition software that I can just talk to, and it would do anything, even write code. Imagine dictating code to a speech recognition system! [...] I gave an answer on Quora, to someone who had asked How does a visually impaired computer programmer do programming? I recommend you go through that answer to have a better context on what I’ll be talking about in this post.

He starts with a look at how visually impaired people could normally use a computer using screen readers, interaction with the software (all through the keyboard) and some things that just can't be done with this setup. He covers some of the issues screen readers have when parsing web applications and links to the WebAIM articles page for more information there. He then gets into the IDE comparison covering essential, assistance and supplementary features as well as community engagement around accessibility issues. He compares:

  • PHPStorm
  • SublimeText
  • NetBeans
  • Eclipse-based IDEs (Zend Studio, Eclipse PDT)
  • Notepad++

Unfortunately, most of the software on his list received a rating of "zero" on the scale with the exception of Notepad++, though it still has places it falls flat.

tagged: accessibility tools blind programming ide comparison screenreader

Link: http://www.sitepoint.com/the-state-of-accessibility-in-php-tools/

SitePoint Web Blog:
PHP vs Node.js Smackdown: Right of Reply
Jul 09, 2015 @ 09:53:22

In response to the previously posted Node.js vs PHP "Smackdown" article on the SitePoint Web blog, PHP blog editor Bruno Skvorc and an author from the SitePoint JavaScript channel, James Hibbard, come back with their own rebuttal to some of the points made in the previous article from a more "PHP perspective."

In SitePoint's recent PHP vs Node.js Smackdown, Craig Buckler pitted these development disciplines against each other over a series of ten challenges, to determine which is the overall winner. As Craig notes in the article, these comparisons are always somewhat controversial. As a fun followup, we asked Bruno Skvorc (SitePoint's PHP editor) and James Hibbard (one of SitePoint's JavaScript editors) to provide a commentary on each of the rounds.

For each of the rounds, they start with a summary of Craig's related findings in the first article and share comments from both Bruno and James. With his slant towards JavaScript, James often agrees with what the original article stated, but Bruno usually disagrees or adds comments to clarify the PHP side of the situation (from more of an insider's perspective).

tagged: smackdown nodejs language comparison reply brunoskvorc jameshibbard

Link: http://www.sitepoint.com/php-vs-node-js-smackdown-right-of-reply/

SitePoint Web Blog:
SitePoint Smackdown: PHP vs Node.js
Jul 08, 2015 @ 11:09:25

The SitePoint Web blog has posted a "smackdown" comparing two popular languages, PHP and Node.js, based on several different points.

The web is an ever-changing technology landscape. Server-side developers have a bewildering choice of long-standing heavy-weights such as Java, C, and Perl to newer, web-focused languages such as Ruby, Clojure and Go. It rarely matters what you choose, presuming your application works.

But how do those new to web development make an informed choice? I hope not to start a holy war, but I’m pitting two development disciplines against each other: PHP and Node.js.

He goes through ten "rounds" of evaluations on various points including how easy it is to get started, help & support options, development tools available and hosting & deployment options. In the end, it's his opinion that the winner overall (it was close) is Node.js. However, he does end with one word of advice:

My advice: assess the options and pick a language based on your requirements. That’s far more practical than relying on ‘vs’ articles like this!

tagged: smackdown nodejs language features comparison winner

Link: http://www.sitepoint.com/sitepoint-smackdown-php-vs-node-js/

Security Affairs:
PHP hash comparison flaw is a risk for million users
May 12, 2015 @ 09:15:10

A recent issue has come (back) to light in the security community around how PHP compares hashes. In this post to the Security Affairs site they talk about the problem of hash comparison and how to prevent the issue in your own PHP code.

Because of a security flaw according to which PHP tackles ‘hashed’ strings in specific situation attackers are given the opportunity to try and breach passwords, authentication systems and other functions being run on PHP hash comparisons, WhiteHat security researcher says. VP of WhiteHat, Robert Hansen, declared that any website is vulnerable to the flaw – the only thing is, two specific kinds of PHP hashes the vulnerable site uses for comparing ‘hashes’ in PHP language.

The problem comes mostly from how PHP handles typing behind the scenes. When a string starts with "0e..." PHP interprets it as scientific notation and sees it as a value equal to zero. As a result, two strings that start with "0e..." will evaluate as equal under == even if they don't match. Fortunately, the answer is relatively simple (though it could be time consuming to apply): change == (double equals) to === (triple equals). This stops PHP from doing type juggling and compares the values as the types they are when presented (string to string in the case of hashes).
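An added example (not from the Security Affairs post) showing the flaw and the == to === fix side by side. The two digests are constructed, not real hashes of anything: each is 32 characters beginning with "0e" followed only by digits, the shape PHP's loose comparison parses as a number. The last helper is an audit check you can run over stored digests to find ones of that shape.

```php
<?php
// Constructed sample digests: "0e" + 30 digits, so loose == reads both as
// the float 0 * 10^n. Neither is the real md5/sha1 of any input.
$storedDigest    = '0e111111111111111111111111111111';
$submittedDigest = '0e999999999999999999999999999999';

/** Vulnerable: loose comparison lets two different "0e..." digests match. */
function verifyLoose($stored, $submitted)
{
    return $stored == $submitted;
}

/** Fixed as the post recommends: strict, byte-for-byte, no type juggling. */
function verifyStrict($stored, $submitted)
{
    return $stored === $submitted;
}

/** Also strict, and constant-time as well (PHP >= 5.6). */
function verifyHashEquals($stored, $submitted)
{
    return hash_equals($stored, $submitted);
}

/**
 * Audit helper: does a stored hex digest have the shape that == juggles?
 * Only "0e" followed entirely by digits is a numeric string; "0e1a..." is
 * not, so it is compared as an ordinary string even under ==.
 */
function looksLikeMagicHash($digest)
{
    return preg_match('/^0e[0-9]+$/i', $digest) === 1;
}

var_dump(verifyLoose($storedDigest, $submittedDigest));      // the flaw
var_dump(verifyStrict($storedDigest, $submittedDigest));     // the fix
var_dump(verifyHashEquals($storedDigest, $submittedDigest)); // the fix, timing-safe
var_dump(looksLikeMagicHash($storedDigest));
var_dump(looksLikeMagicHash('0e1a' . str_repeat('f', 28))); // not numeric
```

The == result does not change on PHP 7 or 8: comparing two numeric strings is still done numerically there, so === or hash_equals() remains the fix.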

tagged: hash comparison flaw doubleequals tripleequals

Link: http://securityaffairs.co/wordpress/36732/hacking/php-hash-comparison-flaw.html

Anthony Ferrara:
It's All About Time
Dec 01, 2014 @ 10:46:15

In his latest post Anthony Ferrara talks about a tricky subject in PHP: timing attacks. A timing attack exploits differences in how long an operation takes to perform, including cryptographic operations like hashing or encrypting.

An interesting pull request has been opened against PHP to make bin2hex() constant time. This has lead to some interesting discussion on the mailing list (which even got me to reply :-X). There has been pretty good coverage over remote timing attacks in PHP, but they talk about string comparison. I'd like to talk about other types of timing attacks.

He starts with a definition of what a remote timing attack is and provides a simple example script showing the delay that's key to the attack. His script deals with string location, but it gives you an idea of how the attack works and where the danger lies. He points out that even remote attackers can measure how long operations take (down to the nanosecond) and use this to their advantage. He also points out that both == and === are vulnerable to this type of attack because of how the comparison happens. He gives two options (one an internal function) to help protect your application and briefly covers a few other types of timing attacks: index lookup, cache-timing and branch-based timing attacks.

tagged: timing attack comparison time example tutorial introduction prevent

Link: http://blog.ircmaxell.com/2014/11/its-all-about-time.html

VG Tech:
Comparing Your Privates in PHP
Mar 19, 2014 @ 09:56:33

In a new post to their blog, the VG Tech folks talk about "comparing your privates" with a "hidden" feature of PHP. Don't worry, they're referring to private class properties on object instances here...

I was going to compare several private properties between two objects and started making a piece of code to perform the actual comparison using getters for the properties. I felt the approach sucked, and started looking into alternative ways to do this.

He shares what the current PHP documentation says about comparing objects, but neither approach takes private properties into account. He recalls, however, that visibility in PHP is at the class level, not the instance level, allowing two instances of the same class to access all of each other's properties regardless of visibility. He includes a code snippet showing how to use this to compare those private properties.
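An added example of the class-level visibility trick described above (not the VG Tech snippet): an equals() method on the class reads the private properties of the other instance directly, with no getters. The class, property names and sample values are constructed for the illustration; hash_equals() (PHP >= 5.6) is used for the secret so that the comparison is both strict and not timing-dependent.

```php
<?php
/**
 * Visibility in PHP is enforced per class, not per object, so code inside
 * ApiCredential may read $other->secret even though $other is a different
 * instance. Outside the class the same access is a fatal error.
 */
class ApiCredential
{
    private $clientId;
    private $secret;

    public function __construct($clientId, $secret)
    {
        $this->clientId = (string) $clientId;
        $this->secret   = (string) $secret;
    }

    /**
     * Compare private state of two instances without exposing it via getters.
     * clientId is public-ish metadata, so === is enough; the secret gets a
     * constant-time comparison.
     */
    public function equals(ApiCredential $other)
    {
        return $this->clientId === $other->clientId
            && hash_equals($this->secret, $other->secret);
    }
}

// Constructed sample values.
$a = new ApiCredential('client-1', 'sekrit-value');
$b = new ApiCredential('client-1', 'sekrit-value');
$c = new ApiCredential('client-1', 'other-value');

var_dump($a->equals($b)); // same client, same secret
var_dump($a->equals($c)); // same client, different secret
// Uncommenting the next line fails: "Cannot access private property ApiCredential::$secret".
// var_dump($a->secret);
```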

tagged: private comparison object instance class

Link: http://tech.vg.no/2014/03/14/comparing-your-privates-in-php/