QaFoo Blog:
Testing the Untestable
May 02, 2017 @ 12:32:55

On the QaFoo blog there's a new post sharing a method for testing the untestable - file upload handling in your application.

A long time ago I wrote a blog post about Testing file uploads with PHP where I have used a CGI PHP binary and the PHP Testing Framework (short PHPT), which is still used to test PHP itself and PHP extensions.

Since the whole topic appears to be still up-to-date, I would like to show a different approach how to test a fileupload in PHP in this post. This time we will use PHP's namespaces instead of a special PHP version to test code that utilizes internal functions like is_uploaded_file() or move_uploaded_file().

They update the previous method to use the namespacing built in to PHP to "trick" the test into using a function from a local namespace first. They provide the code they'll be testing and a unit test that evaluates its result. The tutorial then shows how to use namespaces to define is_uploaded_file and move_uploaded_file functions that override the defaults. These are used instead of the global PHP ones, making it easier to test the results of the mocked functions rather than the originals.

tagged: testing untestable fileupload unittest namespace tutorial

Link: https://qafoo.com/blog/102_testing_the_untestable.html

Alejandro Celaya:
Managing PUT requests with file uploads in psr-7 and middleware PHP applications
Mar 07, 2017 @ 13:17:01

Alejandro Celaya has posted a new tutorial to his site covering the handling of PUT requests in PSR-7 applications for file uploads via middleware.

It has been a long time since I first realized that handling file uploads in non-POST requests (like PUT) wasn't an easy task. One could assume the $_FILES array should be populated regardless of the HTTP verb, but actually, PHP doesn't do it on its own.

After a long time wanting to find a solution to this problem, I've finally dedicated the time to get something functional, that allows file uploads to be transparently handled regardless of the HTTP verb (it works the same way in POST, PUT and PATCH requests).

Since nowadays I try to work with psr-7/middleware based applications, I have created a Zend Expressive app that registers a middleware capable of parsing a multipart/form-data request body, populating the request's uploaded files array and parsed body array. This way, you can call $request->getUploadedFiles() or $request->getParsedBody() in any PUT or PATCH action, the same way you would do in a POST action.

His example application shows a simple HTML form that, when submitted, changes the HTTP request type based on a radio option selected at the bottom. He walks through the steps that the application takes to handle the upload via this middleware that makes it possible to work with the body of the PUT the same way as other requests. He goes through each part of the code that's required to make the middleware flow work and finishes up the post looking at a few other things to consider (like opting for POST over PUT for file uploads).

tagged: zendexpressive application tutorial psr7 middleware put request fileupload upload

Link: https://blog.alejandrocelaya.com/2017/03/06/managing-put-requests-with-file-uploads-in-psr-7-and-middleware-php-applications/

IBM developerWorks:
What's new in PHP V5.2, Part 5: Tracking file upload progress
May 18, 2007 @ 09:38:00

In a continuation of their series looking at what's new in PHP5, the IBM developerWorks site has posted part five, a look at the handy addition of the file upload progress functionality.

Given that uploading huge files can be tedious for impatient users, it is important to provide them positive feedback to keep them from giving up and going away.

Fortunately, PHP V5.2's new hooks into the file upload process allow us to show users in real time what is happening with their uploads. In this article, we will create a progress bar using PHP V5.2 for our users (see Download for source code).

They talk about what "hooks" are to explain how things work together before getting into the setup of the sample app. They chose to go with WAMP for their examples, but it can be easily adapted to any other flavor of *AMP setup of your choosing.

They set up a default upload box inside of a normal form the user can upload a file with. The real magic happens on the backend when the "Upload" button is hit. Via a handy call to the apc_fetch function, we can determine how far along the file is in the upload. This is relayed back to the script when their "Start me up!" link is clicked and a progress bar is advanced as the file is uploaded.

tagged: php5 feature fileupload progress meter hook apcfetch

Ed Finkler's Blog:
PHPSecInfo v0.2.1 now available
Apr 09, 2007 @ 07:36:00

Ed Finkler has an announcement about the latest release of the PHP security audit tool, PHPSecInfo, for version 0.2.1 today.

PhpSecInfo v0.2.1 is now available. It’s primarily a bugfix release, but a fairly significant one.

Updates include:

  • uid and gid tests now correctly test the user and group that PHP is executing as
  • Changed upload_max_filesize and post_max_size return “OK” if current value is equal to recommended value
  • fixed nonstandard naming on some constants
  • fixed XHTML validation issue

tagged: phpdecinfo release changelog test user constants xhtml fileupload

PHP Security Blog:
The Suhosin Patch, File Uploads, and Stealth Mode
Dec 05, 2006 @ 10:02:00

On the PHP Security Blog, there are two new posts concerning their Suhosin patch for PHP - one talking about a remote code execution vulnerability found in the uploadprogressmeter extension (which has already been corrected) and the other dealing with the "stealth mode" of the patch to find compatibility problems.

As mentioned, the issue with the uploadprogress extension has been fixed and the fix has been introduced into the PECL repository. The other post just mentions what the patch is doing to try to keep compatibility problems from happening due to back extensions and/or modules being loaded in an application.

More details about the Suhosin patch can be found here.

tagged: stealth mode suhosin patch fileupload pecl extension module
