News Feed

Squizlabs Blog:
PHP_CodeSniffer 2.0.0 released
December 05, 2014 @ 12:03:34

The Squizlabs blog has an announcement about the release of the latest major version of the popular PHP_CodeSniffer tool for PHP - CodeSniffer v2.0. Among the updates in this latest release is a major one - the automated fixing of issues the tool finds.

Nineteen months ago, I started work on a project to allow PHP_CodeSniffer to fix the problems that it finds. Doing this required a lot of changes to the core classes, a lot of iteration and refactoring of the fixing and testing code, and an enormous amount of time and testing across many PHP projects to ensure I am confident enough to release something that actually modifies code. I could keep writing unit tests forever, but I've finally got to a point where I am happy to release this first version of the PHP Code Beautifier and Fixer (PHPCBF), for when you just can't be bothered fixing coding standard errors yourself.

The fixes are made possible through the newly introduced "PHP Code Beautifier and Fixer" (PHPCBF) tool. When the CodeSniffer tool is run against your code, PHPCBF kicks in too and tells you which of the reported issues can be fixed automatically. Additionally, you can now add fixing code to your own custom sniffs to enable this auto-fix functionality for them as well. He also includes a list of the other updates in the release, including:

  • a new information report to show you how your code is written rather than if it conforms to a standard
  • the ability to set command line arguments in ruleset.xml files
  • the ability to create your own custom reporting classes and use them with PHP_CodeSniffer
  • support for running on HHVM

You can find out more information about this release in the PEAR or GitHub changelogs.


Link: https://www.squizlabs.com/php-codesniffer/2.0.0-released

Dejan Angelov:
Experimental upgrading to Laravel 5 How I did it
November 24, 2014 @ 12:57:18

In a recent post Dejan Angelov shares the process he went through to upgrade an application to Laravel 5, which had not yet been released (at least at the time of this post).

Over the past weeks, Taylor introduced many great changes and new features that we'll be able to use in the new version, firstly numbered 4.3 and later 5. According to the framework's six month release cycle, it should have hit stable late this month or in early December. Because of that, I started to play with it and to apply the changes to make my application use it.

However, a couple of days ago, Taylor wrote a blog post on the Laravel blog saying that because of the importance of this release, the release date will be postponed to January. Considering this, everything you'll read here MUST NOT be applied to applications that are currently in production.

He starts with some of the major differences, including changes in the required dependencies and the removal of the "start.php" file for bootstrapping the application. He talks about the changes in startup and shutdown as well as autoloading. He looks at directory structure changes and the addition of a base namespace. He then gets into how to fix these issues, one at a time, including the code and configuration changes that need to be made. This includes updates to the facades and changes for middleware, environment configuration, pagination and routing. There are lots of other changes happening with Laravel 5, so be sure to check out the full post if you're interested in the steps you might need to take when this latest version is released.


Link: http://angelovdejan.me/2014/11/22/experimental-upgrading-to-laravel-5-how-i-did-it.html

Evert Pot:
Composer's bug now fixed
February 24, 2014 @ 12:38:06

Evert Pot has posted an update to a previous post about a Composer vulnerability that could cause the wrong package to be installed when packages conflict. In this latest post he points out that the bug is now fixed.

As an update to my previous post, the composer security problem now appears fixed. Good to see that a quick response was possible after all.

The original issue was caused by the "replace" functionality, which allowed an incorrect package to be installed instead of the one requested. Other posts with more details include this one from Pádraic Brady and Nils Adermann. If you're a Composer user, it's highly suggested you update your currently installed version (run "composer self-update").


Link: http://evertpot.com/composer-bug-fixed

PHP.net:
PHP 5.3.27 Released - PHP 5.3 Reaching End of Life
July 12, 2013 @ 09:17:15

The PHP development group has officially released the latest bugfix release in the PHP 5.3.x series - PHP 5.3.27:

The PHP development team announces the immediate availability of PHP 5.3.27. About 10 bugs were fixed, including a security fix in the XML parser (Bug #65236). Please Note: This will be the last regular release of the PHP 5.3 series. All users of PHP are encouraged to upgrade to PHP 5.4 or PHP 5.5. The PHP 5.3 series will receive only security fixes for the next year.

You can get this latest release from the downloads page (or here for Windows users). As the update fixes a security issue, it's recommended that you upgrade (see this bug).


Link: http://php.net/index.php#id2013-07-11-1

PHPClasses.org:
10 Steps to properly do PHP Bug Tracking and Fixing as Fast as possible
May 30, 2013 @ 11:49:27

On the PHPClasses.org blog today Manuel Lemos has shared some advice on tracking and fixing bugs and some strategies to help prevent them in the future.

No matter how hard you try to test your PHP applications before putting them in production, you will always ship code to your server that has bugs. Some of those bugs will be very serious and need to be fixed before they cause greater damage to your application data that may be too hard to recover. Read this article to learn about several good practices that you can apply to track bugs in production code, so you can fix them before it is too late.

Suggestions included in his list are things like:

  • Test as Much as Possible Before in your Development Environment
  • Separate your Code from Environment Configuration files
  • Track PHP Errors with Assertion Condition Tests
  • Send PHP Errors to an Error Log File
  • Monitor the PHP Error Log File to Quickly Fix Serious Bugs
  • Fix Your Bugs but Never Edit Code on the Production Server

He also includes a brief look at some things to think about when considering "defensive coding practices" and links to other articles with more information.


Link: http://www.phpclasses.org/blog/package/1351/post/1-10-Steps-to-properly-do-PHP-Bug-Tracking-and-Fixing-as-Fast-as-possible.html

Greg Freeman:
Steps to Take When you Know your PHP Site has been Hacked
March 07, 2013 @ 09:53:02

Greg Freeman has posted the second part of his "hacked PHP application" series (part one is here). In this new post he looks at the aftermath: what to do and what to check in order to clean up, apply fixes and keep it from happening again.

This is a follow up post from my previous post "How to Tell if Your PHP Site has been Hacked or Compromised". This post will discuss some of the first steps you should take when you have identified that your site has been compromised. The first sections discuss a few points that are not relevant to everyone; the later sections will discuss how to fix the exploits.

He includes a list of things to think about including:

  • What kind of hosting you use (and if that contributed)
  • The option to redirect all requests for your site to one page
  • Get a list of all PHP files to locate something malicious
  • Locating "non-PHP PHP files"
  • Finding files with possible malicious content

He also includes a few suggestions to help prevent issues in the future: update to the latest versions, patch your code, rethink your permissions and monitor for potential repeat attacks.



Davey Shafik's Blog:
The Blowfish Debacle
February 13, 2012 @ 10:02:49

Davey Shafik has a recent post on his blog about what he calls "The Blowfish Debacle": the change in the PHP 5.3.7 release that upgraded the bundled crypt_blowfish version to fix one bug and, in doing so, introduced a larger problem.

This was a great security fix, solving an issue with insecure passwords due to incorrect behavior. HOWEVER, what wasn't made clear is that this change was actually a backwards compatibility break. If you upgraded to 5.3.7+, data hashed pre-5.3.7 would no longer match data hashed post-5.3.7; this means if you use it for passwords, it will no longer match. So what's the deal here?

He talks about the differences between the old and new crypt_blowfish behavior, the newer being the "more correct" way of doing things. If you need backwards compatibility with previously hashed values, you can use the "$2x$" prefix instead of the usual "$2a$". He includes a snippet of code that can be used to upgrade all of your previously hashed blowfish passwords to the new format.
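As an added example (not the snippet from Davey Shafik's post), here is a verify-then-rehash routine of the kind the post describes: it checks a login password against a pre-5.3.7 "$2a$" hash by re-running crypt() with the "$2x$" prefix and, on a match, stores a fresh hash under the corrected "$2y$" prefix. It assumes PHP 5.3.7 or later; the function names and the `$saveHash` callback are hypothetical.

```php
<?php
// Added example, not code from the original post. Assumes PHP >= 5.3.7, where
// crypt() accepts the "$2x$" (pre-5.3.7 behaviour) and "$2y$" (corrected) prefixes.

// Constant-time string comparison; hash_equals() only exists from PHP 5.6.
function bcrypt_equals($a, $b)
{
    if (function_exists('hash_equals')) {
        return hash_equals($a, $b);
    }
    $diff = strlen($a) ^ strlen($b);
    for ($i = 0, $n = min(strlen($a), strlen($b)); $i < $n; $i++) {
        $diff |= ord($a[$i]) ^ ord($b[$i]);
    }
    return $diff === 0;
}

// Verify $password against a "$2a$" hash produced before PHP 5.3.7. Swapping the
// prefix for "$2x$" makes crypt() reproduce the old behaviour, so the old hash
// still matches; crypt() echoes the prefix it was given, so compare against $legacy.
function verify_legacy_blowfish($password, $storedHash)
{
    if (strlen($storedHash) !== 60 || substr($storedHash, 0, 4) !== '$2a$') {
        return false;
    }
    $legacy = '$2x$' . substr($storedHash, 4);
    return bcrypt_equals($legacy, crypt($password, $legacy));
}

// Produce a new hash with the corrected "$2y$" algorithm and a random 22-char salt
// drawn from the bcrypt alphabet [./A-Za-z0-9].
function hash_blowfish_2y($password, $cost = 10)
{
    $salt = substr(strtr(base64_encode(openssl_random_pseudo_bytes(16)), '+', '.'), 0, 22);
    return crypt($password, sprintf('$2y$%02d$', $cost) . $salt);
}

// Run at login: accept already-migrated "$2y$" hashes directly; for a legacy
// "$2a$" hash, verify via "$2x$" and then persist a "$2y$" replacement through
// the hypothetical $saveHash callback. Returns true when the password is valid.
function migrate_on_login($password, $storedHash, $saveHash)
{
    if (substr($storedHash, 0, 4) === '$2y$') {
        return bcrypt_equals($storedHash, crypt($password, $storedHash));
    }
    if (!verify_legacy_blowfish($password, $storedHash)) {
        return false;
    }
    $saveHash(hash_blowfish_2y($password));
    return true;
}
```

The rehash can only happen when the plaintext is available, which is why the migration is tied to a successful login rather than run as a batch over stored hashes.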



PHP.net:
PHP 5.3.10 Released (Security Fix - Recommended Upgrade)
February 03, 2012 @ 08:01:29

The PHP development team has officially announced the release of the latest version of PHP in the 5.3.x series - PHP 5.3.10:

The PHP development team would like to announce the immediate availability of PHP 5.3.10. This release delivers a critical security fix. [...] Fixed arbitrary remote code execution vulnerability reported by Stefan Esser, CVE-2012-0830.

It is highly recommended that users upgrade to this latest version to avoid falling victim to this recently introduced bug, which relates to the new "max_input_vars" setting that was added to protect against the overflow issue recently brought up in the PHP community.



Chris Hartjes' Blog:
PHPUnit Aborted Fix
January 19, 2012 @ 11:16:53

Chris Hartjes ran into an issue with his unit tests where PHPUnit was throwing an "aborted" error no matter which tests were run. Thankfully, in this new post, he shares a solution.

That was a pretty annoying bug. I never did find out what the problem was as I moved onto other problems and chalked that error up to some undiagnosed weirdness on that particular server. From time to time I would get asked on Twitter if I had ever solved the problem. My answer was always "no, and if you do solve it please let me know how you fixed it." Today, my friends, was the day.

Based on a response from Demian Katz, he was able to get around the issue with a flag set on the PHPUnit command line: "-dzend.enable_gc=0". Apparently the issue has to do with garbage collection and has been a known issue since the beginning of 2011.



Symfony Blog:
Symfony2 Security Audit
October 07, 2011 @ 09:04:19

Fabien Potencier (of the Symfony framework project) has posted the results of a security audit that was performed on the framework by SektionEins.

The Symfony2 core team takes security issues very seriously; we have a dedicated procedure to report such issues, and the framework itself tries to give the developer all the features needed to secure his code easily. Thanks to our successful community donation drive, SektionEins performed a security audit on the Symfony2 code earlier this year. The audit is now over and the good news is that the Symfony2 code is pretty solid; only minor problems have been found. They have all been addressed now.

Their findings included things like the Request component trusting certain headers, bad regex validation on datetimes, password encoding issues, and cookie handling and exception handling issues. Links to the fixes for each are included in the post.

All content copyright, 2014 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework