PHP.net:
PHP 5.6.8, 5.5.24 & 5.4.40 Released (Security Fixes)
Apr 17, 2015 @ 09:38:18

The PHP development group has released several different versions of PHP for the 5.5.x, 5.6.x and 5.4.x series with a long list of security issues fixed in each one (fourteen in total):

The PHP development team announces the immediate availability of PHP [5.4.40, 5.6.8, 5.5.24]. 14 security-related bugs were fixed in this release, including CVE-2014-9709, CVE-2015-2301, CVE-2015-2783, CVE-2015-1352. All PHP 5.4 users are encouraged to upgrade to this version.

Other items were fixed besides the security issues, so check out the Changelog to see those few other fixes. It's highly recommended that you update your installations to these latest versions. You can grab the latest from the downloads page (source); Windows users can go to windows.php.net.

tagged: language release multiple security fix changelog upgrade

Link: http://php.net/archive/2015.php#id2015-04-16-3

Rob Allen:
SSL certificate verification on PHP 5.6
Dec 23, 2014 @ 12:15:41

Rob Allen has a quick tip posted today about SSL certificate verification in PHP 5.6 and things that need to be updated thanks to recent improvements in PHP's SSL handling.

I recently updated my local OS X Zend Server installation to PHP 5.6 and when I ran composer self-update, I got this error message: "The "https://getcomposer.org/version" file could not be downloaded: SSL operation failed" [...] Googling around, I finally worked out that there have been various SSL improvements in PHP 5.6 and that the problem was that it couldn't find any OpenSSL certificates on my system. This isn't a total surprise as OS X has been moving away from using OpenSSL internally in favour of its own libraries.

To resolve the issue, he found where PHP was looking for certificates (using openssl_get_cert_locations) and a quick "brew install" of OpenSSL supplied the missing certificate handling. Then a quick update to the "openssl.cafile" path in php.ini points PHP at the right certificate file.

tagged: certificate validation ssl openssl php56 tip fix

Link: http://akrabat.com/php/ssl-certificate-verification-on-php-5-6/

Squizlabs Blog:
PHP_CodeSniffer 2.0.0 released
Dec 05, 2014 @ 12:03:34

The Squizlabs blog has an announcement about the release of the latest major version of the popular PHP_CodeSniffer tool for PHP - CodeSniffer v2.0. Among the updates in this latest release is a major one - the automated fixing of issues the tool finds.

Nineteen months ago, I started work on a project to allow PHP_CodeSniffer to fix the problems that it finds. Doing this required a lot of changes to the core classes, a lot of iteration and refactoring of the fixing and testing code, and an enormous amount of time and testing across many PHP projects to ensure I am confident enough to release something that actually modifies code. I could keep writing unit tests forever, but I've finally got to a point where I am happy to release this first version of the PHP Code Beautifier and Fixer (PHPCBF), for when you just can't be bothered fixing coding standard errors yourself.

The fixes are made possible through the newly introduced "PHP Code Beautifier and Fixer" (PHPCBF) tool. When the CodeSniffer tool is run against your code, it also tells you which of the reported issues PHPCBF can fix automatically. Additionally, you can now add custom code to your custom sniffer rules to enable this auto-fix functionality yourself. He also includes a list of the other updates in the release, including:

  • a new information report to show you how your code is written rather than if it conforms to a standard
  • the ability to set command line arguments in ruleset.xml files
  • the ability to create your own custom reporting classes and use them with PHP_CodeSniffer
  • support for running on HHVM

You can find out more information about this release in the PEAR or GitHub changelogs.

tagged: phpcodesniffer v2 release automated fix phpcbf

Link: https://www.squizlabs.com/php-codesniffer/2.0.0-released

Dejan Angelov:
Experimental upgrading to Laravel 5: How I did it
Nov 24, 2014 @ 12:57:18

In a recent post Dejan Angelov shares the process he went through to upgrade an application to Laravel 5, yet to be released (at least at the time of this post).

Over the past weeks, Taylor introduced many great changes and new features that we’ll be able to use in the new version, firstly numbered 4.3 and later 5. According to the framework’s six month release cycle, it should have hit stable late this month or in early December. Because of that, I started to play with it and to apply the changes to make my application use it.

However, a couple of days ago, Taylor wrote a blog post on the Laravel’s blog saying that because of the importance of this release, the release date will be postponed to January. Considering this, everything you’ll read here MUST NOT be applied to applications that are currently in production.

He starts with some of the major differences, including changes in the required dependencies and the removal of the "start.php" file for bootstrapping the application. He talks about the changes in startup and shutdown as well as autoloading. He looks at directory structure changes and the addition of a base namespace. He then gets into how to fix these issues, one at a time, including the code and configuration changes that need to be made. This includes updates to the facades, changes for middleware, environment configuration, pagination and routing. There are lots of other changes happening with Laravel 5, so be sure to check out the full post if you're interested in the steps you might need to take when this latest version is released.

tagged: upgrade laravel5 framework change configuration code fix

Link: http://angelovdejan.me/2014/11/22/experimental-upgrading-to-laravel-5-how-i-did-it.html

Evert Pot:
Composer's bug now fixed
Feb 24, 2014 @ 12:38:06

Evert Pot has posted an update to a previous post about Composer's vulnerability, where the wrong package could be installed in the case of a conflict. In this latest post he points out, however, that the bug is now fixed.

As an update to my previous post, the composer security problem now appears fixed. Good to see that a quick response was possible after all.

The original issue was caused by the "replace" functionality, which allowed an incorrect package to be installed instead of the one requested. Other posts with more details include this one from Pádraic Brady and Nils Adermann. If you're a Composer user, it's highly suggested you update your currently installed version (run a "composer self-update").

tagged: composer bug security vulnerability fix selfupdate

Link: http://evertpot.com/composer-bug-fixed

PHP.net:
PHP 5.3.27 Released - PHP 5.3 Reaching End of Life
Jul 12, 2013 @ 09:17:15

The PHP development group has officially released the latest bugfix release in the PHP 5.3.x series - PHP 5.3.27:

The PHP development team announces the immediate availability of PHP 5.3.27. About 10 bugs were fixed, including a security fix in the XML parser (Bug #65236). Please Note: This will be the last regular release of the PHP 5.3 series. All users of PHP are encouraged to upgrade to PHP 5.4 or PHP 5.5. The PHP 5.3 series will receive only security fixes for the next year.

You can get this latest release from the downloads page (or here for Windows users). As the update fixes a security issue, it's recommended that you upgrade (see this bug).

tagged: release language endoflife security fix update

Link: http://php.net/index.php#id2013-07-11-1

PHPClasses.org:
10 Steps to properly do PHP Bug Tracking and Fixing as Fast as possible
May 30, 2013 @ 11:49:27

On the PHPClasses.org blog today Manuel Lemos has shared some advice on tracking and fixing bugs and some strategies to help prevent them in the future.

No matter how hard you try to test your PHP applications before putting them in production, you will always ship code to your server that has bugs. Some of those bugs will be very serious and need to be fixed before they cause greater damage to your application data that may be too hard to recover. Read this article to learn about several good practices that you can apply to track bugs in production code, so you can fix them before it is too late.

Suggestions included in his list are things like:

  • Test as Much as Possible Before in your Development Environment
  • Separate your Code from Environment Configuration files
  • Track PHP Errors with Assertion Condition Tests
  • Send PHP Errors to an Error Log File
  • Monitor the PHP Error Log File to Quickly Fix Serious Bugs
  • Fix Your Bugs but Never Edit Code on the Production Server

He also includes a brief look at some things to think about when considering "defensive coding practices" and links to other articles with more information.

tagged: bugs advice fix track testing logging context monitoring

Link: http://www.phpclasses.org/blog/package/1351/post/1-10-Steps-to-properly-do-PHP-Bug-Tracking-and-Fixing-as-Fast-as-possible.html

Greg Freeman:
Steps to Take When you Know your PHP Site has been Hacked
Mar 07, 2013 @ 09:53:02

Greg Freeman has posted the second part of his "hacked PHP application" series (part one is here). In this new post he looks at the aftermath - what to do and what to check in order to clean up, apply fixes and keep it from happening again.

This is a follow up post from my previous post “How to Tell if Your PHP Site has been Hacked or Compromised”. This post will discuss some of the first steps you should take when you have identified that your site has been compromised. The first sections discuss a few points that are not relevant to everyone, the later sections will discuss how to fix the exploits.

He includes a list of things to think about including:

  • What kind of hosting you use (and if that contributed)
  • The option to redirect all requests for your site to one page
  • Get a list of all PHP files to locate something malicious
  • Locating "non-PHP PHP files"
  • Finding files with possible malicious content

He also includes a few suggestions to help prevent issues in the future - update to the latest versions, patch your code, rethink your permissions and monitor for potential repeat attacks.

tagged: hack compromise steps correction fix upgrade exploit

Davey Shafik's Blog:
The Blowfish Debacle
Feb 13, 2012 @ 10:02:49

Davey Shafik has a recent post on his blog about what he calls "The Blowfish Debacle" - the issues that came up when the PHP 5.3.7 release upgraded the crypt_blowfish version, a change that ended up introducing a larger problem.

This was a great security fix, solving an issue with insecure passwords due to incorrect behavior. HOWEVER, what wasn’t made clear, is that this change was actually a backwards compatibility break. If you upgraded to 5.3.7+ data hashed pre-5.3.7 would no longer match data hashed post-5.3.7; this means if you use it for passwords, it will no longer match. So what’s the deal here?

He talks about the differences between the two hashing behaviours, the newer being the "more correct" way of doing things. If you need backwards compatibility because of previously hashed values, you can use the "$2x$" prefix instead of the usual "$2a$". He includes a snippet of code that can be used to upgrade all of your previously hashed blowfish passwords to the new format.

tagged: blowfish upgrade issue backwardscompatibility security fix

PHP.net:
PHP 5.3.10 Released (Security Fix - Recommended Upgrade)
Feb 03, 2012 @ 08:01:29

The PHP development team has officially announced the release of the latest version of PHP in the 5.3.x series - PHP 5.3.10:

The PHP development team would like to announce the immediate availability of PHP 5.3.10. This release delivers a critical security fix. [...] Fixed arbitrary remote code execution vulnerability reported by Stefan Esser, CVE-2012-0830.

It is highly recommended that users upgrade to this latest version to avoid falling victim to this recently introduced bug in the new "max_input_vars" setting, which was added to protect against the overflow issue recently brought up in the PHP community.

tagged: release security fix maxinputvars hashtable collision dos vulnerability