Looking for more information on how to do PHP the right way? Check out PHP: The Right Way

Paragon Initiative:
Everything [About] Preventing Cross-Site Scripting Vulnerabilities in PHP
Jun 17, 2015 @ 12:19:29

The Paragon Initiative has posted a new tutorial that wants to provide you with everything you need to know about preventing cross-site scripting in PHP applications.

Cross-Site Scripting (abbreviated as XSS) is a class of security vulnerability whereby an attacker manages to use a website to deliver a potentially malicious JavaScript payload to an end user. XSS vulnerabilities are very common in web applications. They're a special case of code injection attack; except where SQL injection, local/remote file inclusion, and OS command injection target the server, XSS exclusively targets the users of a website.

[...] Cross-Site Scripting represents an asymmetric in the security landscape. They're incredibly easy for attackers to exploit, but XSS mitigation can become a rabbit hole of complexity depending on your project's requirements.

He introduces the concept of cross-site scripting (XSS) for those new to the term and provides a brief "mitigation guide" for those wanting to jump to the end. He then gets into some examples of what a XSS vulnerability could look like, both stored and reflected and provides the "quick and dirty" method for preventing them. He also mentions some tips in implementing your solution including avoiding HTML in your data if at all possible. He goes on to talk about the use of HTMLPurifier to prevent attacks, context-sensitive escaping (HTML vs JS vs CSS) and some of the browser-level features that help prevent XSS for the user.

tagged: prevent xss crosssitescripting security prevent vulnerability context browser

Link: https://paragonie.com/blog/2015/06/preventing-xss-vulnerabilities-in-php-everything-you-need-know

ServerGrove Blog:
Useful Linux command-line tools to work with PHP projects
Apr 24, 2015 @ 11:16:20

The ServerGrove blog has posted a new tutorial with a selection of useful command line tools to help you in working with your PHP applications. None of them are PHP specific but are Unix-based commands that can help in every day development.

Linux provides a lot of interesting command-line tools that we can use when working with PHP projects. In this post we give you some useful commands.

They include examples of commands that can help with:

  • Find all PHP files in the current directory
  • Check the syntax of all PHP files in the current directory
  • Get the size of each Composer dependency
  • Find suspicious PHP files
  • Find files with abstract classes
  • List PHP settings for the xdebug extension
  • Find empty files and/or directories
  • List files currently open by a PHP process

As mentioned, most of the tools themselves are not PHP specific but these example commands do relate to things that are more in a PHP context.

tagged: useful linux commandline tool context example list

Link: http://blog.servergrove.com/2015/04/23/useful-linux-command-line-tools-work-php-projects/

Matthew Setter:
Can VIM Ever Replace PHPStorm?
Mar 02, 2015 @ 10:54:13

In an interesting new post to his site Matthew Setter wonders if an IDE like PHPStorm can be replaced by VIM, a standard in the editor community for decades.

Is it reasonable, even practical, to expect that a 30 year old application can match a modern one? Is it conceivable to be able to code as well using VIM, said 30 year old application, as I can in PhpStorm, with all the IntelliSense-lead functionality PhpStorm offers?

He starts with some of his recent experience with the editor and some of the things he's (happily) found it can do he didn't know before. He includes a screenshot of a multi-pane view, explains what each is and what he can do with them. He points out that this example is Markdown documents but it can just as easily be used for code too. Finally he talks about the subject any PHPStorm user wants to know about, the IntelliSense functionality. Unfortunately, while there are some tools he mentions that can do similar things, they don't provide the context PHPStorm can deliver.

He ends the post with an interesting question: is IntelliSense the right approach? He wonders if having more context is a better answer rather than just the auto-complete handling IntelliSense offers.

tagged: vim editor replacement phpstorm opinion autcomplete context screenshot

Link: http://www.matthewsetter.com/can-vim-ever-replace-phpstorm/

Paul Jones:
Action-Domain-Responder and the “Domain Payload” Pattern
Oct 01, 2014 @ 10:16:11

Paul Jones has a new post with more information about his proposed "Action-Domain-Responder" design pattern (a replacement for the typical MVC) and suggests a new piece, the Domain Payload pattern. This pattern would use a domain payload object to wrap the data and provide the responder with additional handling and context.

In Action-Domain-Responder the Action passes input to the Domain layer, which then returns some data for the Action to pass to the Responder. In simple scenarios, it might be enough for the Responder to inspect the data to determine how it should present that data. In more complex scenarios, though, it would make more sense for the Domain to pass back the data in a way that indicates the status of the data. Instead of the Responder inspecting the Domain results, the Domain should tell us what kind of results they are.

He shows a code example of this Domain Payload object in action, starting with some typical MVC code and refactoring it along the way into an ADR structure. He shifts from a typical model into a more domain-driven approach and describes the wrapping of the data in the payload, context for the contents (even just a class name helps) and how those relate to the actual output. You can find the resulting code in this example over on Paul's GitHub account.

tagged: action domain responder mvc adr payload wrapper context data

Link: http://paul-m-jones.com/archives/6043

Paul Jones:
Some Rules For Good Naming
Apr 30, 2014 @ 09:29:42

Paul Jones has a new post to his site today talking about the importance of naming when it comes to the use of different patterns in development. He also makes some recommendations to help clear up some of the confusion around different names for the same things.

[Thoughts in a] Grumpy Programmer mailing-list essay got me thinking. [...] I completely agree with the emphasis on using a common vocabulary. One issue here is that naming things properly is very, very hard. It is one of the only two hard problems in programming. Are there any rules (even rules-of-thumb) that can we use to make it easier to pick good names for the classes and concepts in our projects?

He reminds readers that code is no place for a "novel context", that is that it's not meant to be instructions for humans, but instructions for computers. He points out that patterns are more about behavior than the name you give them and that picking a name that's "close enough" isn't a good idea. He also recommends that you avoid picking a name for a special context the code might be involved in.

tagged: naming rules opinion designpattern behavior context

Link: http://paul-m-jones.com/archives/5952

Reddit.com:
Attempting to understand Namespacing, and its benefits
Jan 02, 2014 @ 11:54:23

If you're relatively new to PHP, you may have read about something called "namespacing" but not fully understood it or the benefits it provides. Over on Reddit, there's a recent discussion where the poster asks about just that:

As I understand it, Namespacing provides a lot of useful context for developers, as well as making the autoloading of classes much easier (though I've never personally tried this). I can also see it being used in a large enough application where it might help keep things in scope, but this seems like a bit of a stretch to me. Apart from that, I'm not too clear on what namespacing actually does.

The comments to the thread including things like links to other resources and other suggestions like:

  • tools to try out
  • places to start using it in your own code
  • the difference between underscores and real namespacing
  • how they help avoid conflicts in naming and functionality
tagged: namespace benefit context autoload opinion discussion

Link: http://www.reddit.com/r/PHP/comments/1u1ztr/attempting_to_understand_namespacing_and_its

Hannes Magnusson:
Query logging and profiling in MongoDB
Sep 18, 2013 @ 10:25:49

in a previous post Hannes Magnusson introduced the new stream handling notification feature in the MongoDB PHP extension. In his most recent post he elaborates on a subject mentioned in the previous post - query logging and profiling.

In my previous blog post I mentioned that the 1.5.0 release of the MongoDB driver for PHP has improved notification support using the PHP Notification API, and showed off a fairly useless (but fun) progress bar. Now its time for a little bit more practical examples using this system: Query logging and profiling.

He talks about some of the features in his pull request, including the new constants added to help make working with the logging on streams easier. He includes some sample code that handles the logging via an "update" callback function, parsing the log message type and save the related data to a class variable. An instance of this class is then assigned to the "notification" stream and passed in as an additional option when creating the MongoClient connection. He includes an example of querying a basic collection and how to extract the request information from the logging object instance.

tagged: mongodb stream context tutorial log query profile notification api

Link: http://bjori.blogspot.com/2013/09/query-logging-and-profiling-in-mongodb.html

PHPClasses.org:
10 Steps to properly do PHP Bug Tracking and Fixing as Fast as possible
May 30, 2013 @ 11:49:27

On the PHPClasses.org blog today Manuel Lemos has shared some advice on tracking and fixing bugs and some strategies to help prevent them in the future.

No matter how hard you try to test your PHP applications before putting them in production, you will always ship code to your server that has bugs. Some of those bugs will be very serious and need to be fixed before they cause greater damages to your application data that may be too hard to recover. Read this article to learn about a several good practices that you can apply to track bugs in production code, so you can fix them before it is too late.

Suggestions included in his list are things like:

  • Test as Much as Possible Before in your Development Environment
  • Separate your Code from Environment Configuration files
  • Track PHP Errors with Assertion Condition Tests
  • Send PHP Errors to an Error Log File
  • Monitor the PHP Error Log File to Quickly Fix Serious Bugs
  • Fix Your Bugs but Never Edit Code on the Production Server

He also includes a brief look at some things to think about when considering "defensive coding practices" and links to other articles with more information.

tagged: bugs advice fix track testing logging context monitoring

Link: http://www.phpclasses.org/blog/package/1351/post/1-10-Steps-to-properly-do-PHP-Bug-Tracking-and-Fixing-as-Fast-as-possible.html

Dzone.com:
Diving into Behat
Apr 09, 2013 @ 09:50:34

Giorgio Sironi has a new post to DZone.com today about some of his experiences with Behat, a behavior-driven development testing tool written in PHP. It uses the Gherkin language syntax to define its tests.

I had the occasion to try out and adopt Behat for a particular need in our projects at Onebip. Here is my recount of the experience from a PHPUnit contributor and invested person.

He starts off with a list of situations where he doesn't think that Behat is a good fit for testing including testing of a single object and acceptance tests where comparing the response from more than one test is needed. He suggests that it's more useful for verifying high level business rules than anything. He talks some about the shift they made to using Behat and some of the benefits they found in its use. He finishes up the post by looking at the technical side and includes a warning about letting the size of the FeatureContext file get too large.

tagged: behat introduction context technical impact overview benefits

Link: http://css.dzone.com/articles/diving-behat

Web & PHP Magazine:
Issue #8 - The Power of Design
Nov 15, 2012 @ 13:55:06

The latest issue of the Web & PHP Magazine has been released - Issue 8 - The Power of Design. Articles in this latest issue include:

  • Todd Lombardo on user context
  • Stefan Priebsch on data and persistence
  • Patrick Allaert about data structures
  • June Henriksen on the human side of programming

You can find out more about this issue (and go download your free copy) on the Web & PHP site. There's also seven previous issues, all free for download (PDF format)!

tagged: webandphpmagazine issue publish design context structure human pdf

Link: