
Checkpoint Research Blog:
Uncovering Drupalgeddon 2
Apr 13, 2018 @ 10:22:46

On the Check Point Research blog there's a recent post covering the critical Drupal bug known as Drupalgeddon 2 (SA-CORE-2018-002 / CVE-2018-7600), giving a deeper look into the bug itself and how the exploit works.

Two weeks ago, a highly critical (21/25 NIST rank) vulnerability, nicknamed Drupalgeddon 2 (SA-CORE-2018-002 / CVE-2018-7600), was disclosed by the Drupal security team. This vulnerability allowed an unauthenticated attacker to perform remote code execution on default or common Drupal installations.

[...] Until now details of the vulnerability were not available to the public, however, Check Point Research can now expand upon this vulnerability and reveal exactly how it works.

The post covers the basic issue, a lack of input sanitization on Form API requests, and which versions are affected. It then dives into the technical details, showing a proof of concept for the exploit and how an attacker might locate a place in the application to use it. It also looks behind the scenes at the code that handles the request and shows where the issue lies. The post ends with a look at "weaponizing" the exploit to execute arbitrary code on the server.
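As an added example (not code from the Check Point post, nor Drupal's own code): the defensive side of the issue described above, written as a stand-alone PHP function. Drupal core's fix for this advisory strips '#'-prefixed keys out of request input before the Form API can interpret them as render-array properties; that detail of the patch is a fact about the fix, not something the summary above states. The function name, the returned "dropped keys" list and the sample payload are constructed for this example.

```php
<?php
declare(strict_types=1);

/**
 * Recursively drop request keys that begin with '#'.
 *
 * Returns [cleaned array, list of removed key paths] so the caller can log
 * attempted injections instead of silently discarding them. This mirrors the
 * approach of the core fix but is this example's own code, not Drupal's.
 */
function stripHashKeys(array $input, string $path = ''): array
{
    $clean = [];
    $dropped = [];
    foreach ($input as $key => $value) {
        $here = $path === '' ? (string) $key : $path . '[' . $key . ']';
        // Integer keys can never start with '#'; only string keys are checked.
        if (is_string($key) && $key !== '' && $key[0] === '#') {
            $dropped[] = $here;
            continue;
        }
        if (is_array($value)) {
            [$value, $nested] = stripHashKeys($value, $here);
            $dropped = array_merge($dropped, $nested);
        }
        $clean[$key] = $value;
    }
    return [$clean, $dropped];
}

// Constructed sample: a form submission in which one field has been replaced
// by a nested array carrying render-array style '#' properties.
$post = [
    'name' => 'alice',
    'mail' => [
        '#type'   => 'markup',
        '#markup' => 'injected',
    ],
    'timezone' => 'UTC',
];

[$safePost, $dropped] = stripHashKeys($post);

foreach ($dropped as $key) {
    error_log("stripped suspicious request key: $key");
}
// Hand $safePost, not $post, to whatever builds the form.
```

Applied to the sample above, the two '#' keys under `mail` are reported by path and removed, leaving `mail` as an empty array; the plain `name` and `timezone` fields pass through untouched. Running this over `$_GET`, `$_POST` and `$_COOKIE` early in the request is the shape of the mitigation; it does not replace upgrading, because the same input can reach the Form API through other paths.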

tagged: drupal security issue drupalgeddon2 indepth technical detail

Link: https://research.checkpoint.com/uncovering-drupalgeddon-2/

php[architect]:
PHP Sessions in Depth
Jan 23, 2018 @ 11:16:33

php[architect] magazine has republished an article from their January 2018 issue by Jeremy Dorn that covers PHP sessions in-depth.

PHP Sessions are often taken for granted. A session is a magic array which persists across page loads and holds user-specific data. It’s a fantastic and integral part of most web applications. But when misused, sessions can cause substantial security holes, performance and scalability problems, and data corruption. A deep understanding of sessions is vital to production web development in PHP.

The article covers various topics around PHP sessions and their use, including security, performance and scalability. It also covers a few additional topics like serialization of data, session locking and intelligent auto-merging of sessions on the backend. Check out the full article for descriptions of each and some code examples showing them in action.
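An added example, not code from the php[architect] article, of a session bootstrap that closes the security holes the article warns about: fixation via a forged or URL-borne ID, cookie theft over plain HTTP or from script, and sessions that never expire. It assumes PHP 7.3 or later for the array form of `session_set_cookie_params()`; the function names `startSecureSession()`, `loginUser()` and `logoutUser()` are this example's own.

```php
<?php
declare(strict_types=1);

function startSecureSession(): void
{
    // Reject IDs the server never issued (blocks fixation via a planted cookie)
    // and never accept an ID from the URL.
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');

    // HttpOnly keeps JavaScript away from the ID, Secure keeps it off plain
    // HTTP, SameSite=Lax blunts cross-site request forgery.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'domain'   => '',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);

    session_start();

    // Absolute lifetime independent of activity (8 hours, an assumed policy):
    // an old session is emptied and given a fresh ID rather than kept alive.
    $now = time();
    if (isset($_SESSION['created_at']) && $now - $_SESSION['created_at'] > 8 * 3600) {
        $_SESSION = [];
        session_regenerate_id(true);
    }
    $_SESSION['created_at'] = $_SESSION['created_at'] ?? $now;
}

/**
 * Call only after credentials have been verified. Regenerating the ID on a
 * privilege change is what actually defeats session fixation; passing true
 * deletes the old record so a captured pre-login ID is worthless.
 */
function loginUser(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION = ['created_at' => time(), 'user_id' => $userId];
}

function logoutUser(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        // Expire the client's cookie as well as destroying the server record.
        setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Usage sketch:
// startSecureSession();
// if ($credentialsVerified) { loginUser($userId); }
// session_write_close();   // release the session lock as soon as writes are done
```

The `session_write_close()` call at the end is the answer to the locking problem the article discusses: the default file handler holds an exclusive lock for the whole request, so a page that makes several concurrent AJAX calls serializes them until the session is closed.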

tagged: sessions detail security performance scalability additional tutorial

Link: https://www.phparch.com/2018/01/php-sessions-in-depth/

Paragon Initiative:
Libsodium Quick Reference: Similarly-Named Functions and Their Use-Cases
Jun 13, 2017 @ 12:17:55

In a new post to the Paragon Initiative blog Scott Arciszewski has shared a helpful reference for those who might be a little confused by the naming of the functions involved in using libsodium from PHP. In this quick reference he lists each of the functions, what type of primitive it is and an example use case.

Last Friday at Day Camp 4 Developers, I presented a talk titled Cooking with Sodium in PHP 7.2, which was largely live-demoing the various cryptography features provided by libsodium. One of the questions I was asked by attendees was about knowing which feature to use to solve specific problems. This is the sort of problem that I suspect many people run into, so here's a quick reference table followed by a detailed explanation.

In the table below, all encryption modes utilize authenticated encryption.

Following the quick reference table he then gets into more detail on each of the functions, describing in depth what they're for and examples of how to most effectively use them.
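An added example, not code from the Paragon post: one small helper per use case that the quick reference tells apart, so the similarly named functions can be seen side by side. `secretbox` is for two parties sharing one key, `box` is for public-key encryption between a sender and a recipient, and `sign` proves origin without hiding the message. It requires the sodium extension bundled with PHP 7.2+; the helper names are this example's own and the messages are constructed.

```php
<?php
declare(strict_types=1);

// Secret-key authenticated encryption: both sides hold the same key.
function sealWithSharedKey(string $plaintext, string $key): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    // The nonce is public, but it must never repeat under the same key.
    return $nonce . sodium_crypto_secretbox($plaintext, $nonce, $key);
}

function openWithSharedKey(string $sealed, string $key): ?string
{
    $n = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES;
    if (strlen($sealed) < $n + SODIUM_CRYPTO_SECRETBOX_MACBYTES) {
        return null;
    }
    $plain = sodium_crypto_secretbox_open(substr($sealed, $n), substr($sealed, 0, $n), $key);
    return $plain === false ? null : $plain; // false means the MAC failed: tampered or wrong key
}

// Public-key authenticated encryption: sender's secret key + recipient's public key.
function sealForRecipient(string $plaintext, string $senderSecret, string $recipientPublic): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_BOX_NONCEBYTES);
    $kp = sodium_crypto_box_keypair_from_secretkey_and_publickey($senderSecret, $recipientPublic);
    return $nonce . sodium_crypto_box($plaintext, $nonce, $kp);
}

function openFromSender(string $sealed, string $recipientSecret, string $senderPublic): ?string
{
    $n = SODIUM_CRYPTO_BOX_NONCEBYTES;
    if (strlen($sealed) < $n + SODIUM_CRYPTO_BOX_MACBYTES) {
        return null;
    }
    $kp = sodium_crypto_box_keypair_from_secretkey_and_publickey($recipientSecret, $senderPublic);
    $plain = sodium_crypto_box_open(substr($sealed, $n), substr($sealed, 0, $n), $kp);
    return $plain === false ? null : $plain;
}

// Detached signature: the message stays readable, the signature travels beside it.
function signDetached(string $message, string $signSecret): string
{
    return sodium_crypto_sign_detached($message, $signSecret);
}

function verifyDetached(string $signature, string $message, string $signPublic): bool
{
    return sodium_crypto_sign_verify_detached($signature, $message, $signPublic);
}

// Demonstration with freshly generated keys.
$key = sodium_crypto_secretbox_keygen();
$sealed = sealWithSharedKey('attack at dawn', $key);
var_dump(openWithSharedKey($sealed, $key) === 'attack at dawn');

// Flip one ciphertext bit: authentication fails and null comes back.
$tampered = $sealed;
$last = strlen($tampered) - 1;
$tampered[$last] = chr(ord($tampered[$last]) ^ 0x01);
var_dump(openWithSharedKey($tampered, $key) === null);

$alice = sodium_crypto_box_keypair();
$bob   = sodium_crypto_box_keypair();
$box = sealForRecipient('hello bob', sodium_crypto_box_secretkey($alice), sodium_crypto_box_publickey($bob));
var_dump(openFromSender($box, sodium_crypto_box_secretkey($bob), sodium_crypto_box_publickey($alice)) === 'hello bob');

$signer = sodium_crypto_sign_keypair();
$sig = signDetached('release-1.0.tar.gz', sodium_crypto_sign_secretkey($signer));
var_dump(verifyDetached($sig, 'release-1.0.tar.gz', sodium_crypto_sign_publickey($signer)));

// Wipe key material once it is no longer needed.
sodium_memzero($key);
```

Every decrypt helper returns `null` rather than throwing, so a caller cannot accidentally treat a failed authentication as a zero-length plaintext, and the length check in front of each `_open` call keeps `substr()` from handing a truncated nonce to libsodium.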

tagged: quickreference libsodium function guide usecase detail

Link: https://paragonie.com/blog/2017/06/libsodium-quick-reference-quick-comparison-similar-functions-and-which-one-use

Nikita Popov:
PHP 7 Virtual Machine
Apr 17, 2017 @ 17:42:47

Nikita Popov has a new post on his site sharing a look behind the curtain at how the PHP 7 virtual machine works, the latest version of the Zend Virtual Machine that powers the language.

This article aims to provide an overview of the Zend Virtual Machine, as it is found in PHP 7. This is not a comprehensive description, but I try to cover most of the important parts, as well as some of the finer details.

This description targets PHP version 7.2 (currently in development), but nearly everything also applies to PHP 7.0/7.1. However, the differences to the PHP 5.x series VM are significant and I will generally not bother to draw parallels.

Most of this post will consider things at the level of instruction listings and only a few sections at the end deal with the actual C level implementation of the VM.

He then goes through many different pieces of functionality in the VM and how they work, including:

  • variable types
  • the stack frame layout
  • fetch modes
  • exception handling
  • finally handling
  • generators

There's a lot of information here and it's definitely interesting to see what happens inside the engine to make PHP 7 applications as fast as they are now.

tagged: virtualmachine php7 zend detail behindthescenes example

Link: http://nikic.github.io/2017/04/14/PHP-7-Virtual-machine.html

TutsPlus.com:
Programming With Yii2: Using the Debugger
Jan 03, 2017 @ 11:52:29

The TutsPlus.com site continues their "Programming with Yii2" series of tutorials with the latest edition in the series, a look at using the Yii2 debugger to help track down issues in your code.

In today's tutorial, I'll show you how to install the Yii2 Debugger, and we'll explore its capabilities in detail. It's a powerful programming assistant which is often underutilized.

As you code and test your application, the debugger can show you your application path, queries and query variables, performance characteristics, server and framework settings, and much more.

The article starts off by showing you how to install the "yiisoft/yii2-debug" library (via Composer) and enable the "debug" module in your configuration. With it correctly installed you'll then be able to access it at the bottom of your pages. The debug console provides plenty of helpful information related to:

  • the route matched
  • a log of actions and events
  • load time
  • memory used
  • database queries performed

...among others. The tutorial walks you through these and other pieces of information the tool provides with screenshots of example output for each.
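An added example of the configuration step, not the tutorial's own code: the debug module is registered only when the application runs in the development environment and only for listed client addresses. The module class and the `allowedIPs` option are those of yiisoft/yii2-debug; the `YII_ENV_DEV` constant is the one the Yii2 application templates define in their entry script. The application id and base path are placeholders.

```php
<?php
// config/web.php (assumed location; the template returns an array from here)

$config = [
    'id'       => 'app',
    'basePath' => dirname(__DIR__),
];

if (YII_ENV_DEV) {
    // Load the module at bootstrap so the toolbar is injected into every page.
    $config['bootstrap'][] = 'debug';
    $config['modules']['debug'] = [
        'class' => 'yii\debug\Module',
        // The panels expose SQL, request variables and framework settings,
        // so restrict who can open them even in a development environment.
        'allowedIPs' => ['127.0.0.1', '::1'],
    ];
}

return $config;
```

The point of the `YII_ENV_DEV` guard is that the toolbar is a disclosure channel: everything it shows to you it would show to anyone who can reach the page, so it must never be enabled in a production configuration.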

tagged: programming yii2 debugger tutorial series toolbar screenshot detail

Link: https://code.tutsplus.com/tutorials/programming-with-yii2-using-the-debugger--cms-26910

Kinsta.com Blog:
What’s New in PHP 7.1.0
Nov 25, 2016 @ 13:32:29

On the Kinsta blog there's a post detailing some of the new features coming in the next release of the PHP 7 series, PHP 7.1.0.

The newest version of PHP – 7.1.0 – is already at RC6 (Release Candidate 6) status, which means it will be out soon. After a huge update that took PHP from 5.6 straight to 7.0 increasing speeds considerably, PHP is now focusing on core language features that will help all of us write better code. In this article I’ll take a look at the major additions and features of PHP 7.1.0 which is just around the bend.

Their list of items includes:

  • nullable types
  • iterable and void returns
  • the use of keys in lists
  • number operators and malformed numbers

Each item in the list includes a brief description and, where it makes sense, some example code showing the feature in use. If you're not overly familiar with what's coming in PHP 7.1, this is a great guide.
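An added example, not from the Kinsta post, that puts the four features listed above to work together in one small record loader rather than one at a time: an `iterable` parameter fed by a generator, keyed `list()` destructuring, a nullable return type for "not found", a `void` reporter, and an explicit check in place of the arithmetic on malformed numeric strings that 7.1 starts warning about. The `Account` class, the function names and the sample rows are constructed for this example.

```php
<?php
declare(strict_types=1);

final class Account
{
    /** @var int */
    private $id;
    /** @var string */
    private $owner;

    public function __construct(int $id, string $owner)
    {
        $this->id = $id;
        $this->owner = $owner;
    }

    public function id(): int { return $this->id; }
    public function owner(): string { return $this->owner; }
}

// iterable accepts arrays and Traversable objects alike.
function loadAccounts(iterable $rows, array &$errors): array
{
    $accounts = [];
    foreach ($rows as $row) {
        // Keyed list(): pick named fields regardless of column order.
        ['id' => $id, 'owner' => $owner] = $row;
        // "12abc" + 1 is no longer silently 13 in 7.1 (it raises a notice);
        // validate the string instead of relying on coercion.
        if (!is_int($id) && !(is_string($id) && ctype_digit($id))) {
            $errors[] = 'bad id: ' . var_export($id, true);
            continue;
        }
        $accounts[(int) $id] = new Account((int) $id, $owner);
    }
    return $accounts;
}

// Nullable return type: null is an explicit "not found", not an error.
function findAccount(array $accounts, int $id): ?Account
{
    return $accounts[$id] ?? null;
}

// void: the function promises not to return a value at all.
function reportMissing(?Account $account, int $id): void
{
    if ($account === null) {
        fwrite(STDERR, "account $id not found\n");
    }
}

// Constructed sample input as a generator, to exercise iterable.
function sampleRows(): Generator
{
    yield ['owner' => 'alice', 'id' => 7];
    yield ['id' => '12abc', 'owner' => 'mallory'];
    yield ['id' => '9', 'owner' => 'bob'];
}

$errors = [];
$accounts = loadAccounts(sampleRows(), $errors);
reportMissing(findAccount($accounts, 7), 7);
reportMissing(findAccount($accounts, 12), 12);
print_r($errors);
```

The second sample row is the one worth watching: its id is a malformed numeric string, so it lands in `$errors` instead of being coerced to `12` and stored under a key the caller never intended.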

tagged: kinsta php71 upcoming version feature php71rc6 release detail

Link: https://kinsta.com/blog/php-7-1-0/

Kyle Mitchell:
The MIT License, Line by Line
Sep 27, 2016 @ 09:53:11

If you've been working with open source software for any amount of time, chances are you've seen licenses attached to the projects you've used (or even contributed to). There are quite a few of them out there and it can be confusing as to what's actually covered by them and how it affects you directly. In this recent post to Kyle E. Mitchell's site he explains, line by line, one of the most common open source licenses: the MIT license.

The MIT License is the most popular open-source software license. Here’s one read of it, line by line.

If you’re involved in open-source software and haven’t taken the time to read the license from top to bottom—it’s only 171 words—you need to do so now. Especially if licenses aren’t your day-to-day. Make a mental note of anything that seems off or unclear, and keep trucking. I’ll repeat every word again, in chunks and in order, with context and commentary. But it’s important to have the whole in mind.

He then walks you through the different sections of the license, explaining what it all means:

  • License title (header)
  • Copyright notice (header)
  • Grant scope (license grant)
  • Conditions (license grant)
  • Attribution notice, warranty disclaimer and limitation of liability

There's a lot of detail here but in the end you'll understand the license inside and out. He ends the post with links to a few other resources that have helped him better understand open source licenses.

tagged: mit license opensource detail linebyline explanation

Link: https://writing.kemitchell.com/2016/09/21/MIT-License-Line-by-Line.html

Ibuildings Blog:
Programming Guidelines - Part 3: The Life and Death of Objects
Feb 02, 2016 @ 11:42:05

The Ibuildings blog has posted the latest part of their series looking at some general programming guidelines and principles that can help you in your own development work. In this latest article Matthias Noback talks about the "life and death of objects" in more detail, including how they are created, how they are updated and how they "die".

In the first part of this series we looked at ways to reduce the complexity of function bodies. The second part covered several strategies for reducing complexity even more, by getting rid of null in our code. In this article we'll zoom out a bit and look at how to properly organize the lifecycle of our objects, from creating them to changing them, letting them pass away and bringing them back from the dead.

He starts with a brief list of things that are true about objects (they live in memory, they hide their implementation, etc.) and some of the issues caused by poor object handling. He then gets into the basics: creating objects (in meaningful and varied ways), validating the input to constructors and methods, and changing objects to update their properties and related objects. He also suggests preferring immutable objects and talks about value objects as a way towards this goal. Finally he talks about the death of objects and some of the ways you can "bring them back to life".
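An added example, not code from the Ibuildings article, of the lifecycle it describes: an immutable value object that validates once in its constructor, offers a named constructor as a second meaningful way to create it, "changes" only by returning a new instance, and can die to a plain array and be revived through the same validating constructor. The `Money` class and its method names are this example's own.

```php
<?php
declare(strict_types=1);

final class Money
{
    /** @var int amount in minor units (cents), avoiding float rounding */
    private $amount;
    /** @var string ISO 4217 code */
    private $currency;

    public function __construct(int $amount, string $currency)
    {
        // Validate once, here; every later method can trust the state.
        if ($amount < 0) {
            throw new InvalidArgumentException("amount must be >= 0, got $amount");
        }
        if (!preg_match('/^[A-Z]{3}$/', $currency)) {
            throw new InvalidArgumentException("invalid currency code: $currency");
        }
        $this->amount = $amount;
        $this->currency = $currency;
    }

    // Named constructor: a second, meaningful way to create the object.
    public static function fromDecimalString(string $value, string $currency): self
    {
        if (!preg_match('/^(\d+)\.(\d{2})$/', $value, $m)) {
            throw new InvalidArgumentException("expected digits.dd, got $value");
        }
        return new self((int) $m[1] * 100 + (int) $m[2], $currency);
    }

    // No setters: "changing" yields a fresh object, the original is untouched.
    public function add(Money $other): self
    {
        $this->assertSameCurrency($other);
        return new self($this->amount + $other->amount, $this->currency);
    }

    public function subtract(Money $other): self
    {
        $this->assertSameCurrency($other);
        // The constructor rejects a negative result, so an overdraft cannot exist.
        return new self($this->amount - $other->amount, $this->currency);
    }

    public function equals(Money $other): bool
    {
        return $this->amount === $other->amount && $this->currency === $other->currency;
    }

    public function amount(): int { return $this->amount; }
    public function currency(): string { return $this->currency; }

    private function assertSameCurrency(Money $other): void
    {
        if ($this->currency !== $other->currency) {
            throw new LogicException("currency mismatch: {$this->currency} vs {$other->currency}");
        }
    }

    // Death and revival: export only primitives, and rebuild through the
    // validating constructor so a tampered payload cannot resurrect bad state.
    public function toArray(): array
    {
        return ['amount' => $this->amount, 'currency' => $this->currency];
    }

    public static function fromArray(array $data): self
    {
        return new self((int) ($data['amount'] ?? -1), (string) ($data['currency'] ?? ''));
    }
}

$price = Money::fromDecimalString('19.99', 'EUR');
$total = $price->add(new Money(1, 'EUR'));    // $price itself is unchanged
$again = Money::fromArray($total->toArray()); // revived through validation
var_dump($total->equals($again));

try {
    Money::fromArray(['amount' => -5, 'currency' => 'EUR']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Routing revival through `fromArray()` instead of PHP's `unserialize()` is deliberate: a stored or user-supplied payload is re-validated on the way back in, and no `__wakeup()` magic runs on attacker-controlled bytes.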

tagged: oop object detail introduction validate immutable valueobject revive lifecycle tutorial

Link: https://www.ibuildings.nl/blog/2016/02/programming-guidelines-part-3-the-life-and-death-objects

Julien Pauli:
Zoom on PHP objects and classes
Mar 26, 2015 @ 12:50:49

Julien Pauli has a recent post to his site that "zooms in" on objects and classes with a look behind the scenes at how they're handled in the PHP source (at the C level) with plenty of code examples and explanations as to how they work.

Everybody uses objects nowadays. Something that was not that easy to bet on when PHP5 got released 10 years ago (2005). I still remember this day, I wasn't involved in internals code yet, so I didn't know many things about how all this big machine could work. But I had to note at this time, when using this new release of the language, that jumps had been made compared to old PHP4. The major point advanced for PHP5 adoption was: "it has a new very powerful object model". That wasn't a lie. [...] Here, I will show you as usual how all this stuff works internally. The goal is always the same: you understand and master what happens at the low level, to make a better usage of the language every day.

The article does a great (if lengthy) job of covering everything that happens with PHP's objects and class system, including stats about memory consumption. He includes both the PHP code and the C code to illustrate what's happening with classes, interfaces, traits and object methods/attributes (including object references). He also talks about what "$this" is and how class destructors are handled.

tagged: object class behindthescenes detail c code memory usage

Link: http://jpauli.github.io/2015/03/24/zoom-on-php-objects.html

Anthony Ferrara:
What About Garbage?
Dec 03, 2014 @ 13:33:44

In his latest post Anthony Ferrara looks at a recent change in the Composer dependency management tool that produced a major speed boost just by disabling garbage collection.

If you've been following the news, you'll have noticed that yesterday Composer got a bit of a speed boost. And by "bit of a speed boost", we're talking between 50% and 90% speed increase depending on the complexity of the dependencies. But how did the fix work? And should you make the same sort of change to your projects? For those of you who want the TL/DR answer: the answer is no you shouldn't.

He talks about what the actual (one line) change was that sped things up, but goes on to explain why doing this isn't necessarily a good thing. He covers how PHP handles variables internally, how that relates to "pointers" and the copy-on-write behaviour. He includes code snippets and gives an overview of how each would be handled by the interpreter. Unsetting a variable only removes that one reference to the value, decrementing the value's reference count; the value itself is freed when that count reaches zero. Values that can take part in reference cycles are what the separate garbage collector (the cycle collector) has to deal with.

He talks about a few other kinds of garbage collection (the reference count method is just one of them) and circles back around to how this relates to Composer's functionality. He points out the number of objects created during the dependency resolution process and what can happen when the root buffer, populated with all of these objects, gets too full (hint: garbage collection). He finishes the post talking about how, in Composer's case, the garbage collection change yielded the performance impact it did, but doesn't suggest it for every project. He also makes a few suggestions as to things that could be done to improve PHP's garbage collection handling.
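An added example, not code from Anthony Ferrara's post, that makes the two mechanisms the post contrasts visible in a running script: reference counting, which frees a value the moment its last reference goes, and the cycle collector, which only reclaims reference cycles when the root buffer fills or `gc_collect_cycles()` is called. The `Node` class, the function names and the object counts are this example's own; the byte figures printed depend on the PHP build and allocator, the shape of the result does not. The counts are kept well below the default root-buffer size so no automatic collection run interferes with the measurement.

```php
<?php
declare(strict_types=1);

final class Node
{
    /** @var Node|null */
    public $peer;
    /** @var string */
    public $payload;

    public function __construct()
    {
        $this->payload = str_repeat('x', 4096); // make each object visibly heavy
    }
}

// Plain objects held by one array: refcounting alone reclaims them.
function bytesFreedByRefcount(int $count): int
{
    $nodes = [];
    for ($i = 0; $i < $count; $i++) {
        $nodes[] = new Node();   // refcount 1, held only by the array
    }
    $peak = memory_get_usage();
    unset($nodes);               // last reference gone: freed immediately, no GC run involved
    return $peak - memory_get_usage();
}

// Pairs of objects pointing at each other: refcounts never reach zero.
function bytesFreedByCycleCollector(int $count): array
{
    $before = memory_get_usage();
    for ($i = 0; $i < $count; $i++) {
        $a = new Node();
        $b = new Node();
        $a->peer = $b;
        $b->peer = $a;           // cycle: each keeps the other's refcount at 1
    }
    unset($a, $b);               // nothing is freed here; the cycles sit in the root buffer
    $afterUnset = memory_get_usage();
    $collected = gc_collect_cycles();   // the cycle collector walks the root buffer
    $afterGc = memory_get_usage();
    return [
        'held_until_gc'    => $afterUnset - $before,
        'freed_by_gc'      => $afterUnset - $afterGc,
        'cycles_collected' => $collected,
    ];
}

echo 'refcount freed: ', bytesFreedByRefcount(500), " bytes\n";
print_r(bytesFreedByCycleCollector(500));
```

The second function is the Composer situation in miniature: a resolver that builds many mutually referencing objects fills the root buffer, and each time it fills the collector walks every root. Disabling collection with `gc_disable()` removes those walks, which is why it paid off there, but it also means cyclic garbage is held until the script ends, so for a long-running process it trades CPU for unbounded memory.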

tagged: garbage collection handling composer disable detail

Link: http://blog.ircmaxell.com/2014/12/what-about-garbage.html