
PHPUgly Podcast:
Episode 54 - Tractor Hacking
Mar 27, 2017 @ 11:33:35

The PHPUgly podcast, hosted by Eric Van Johnson, Tom Rideout and John Congdon, has posted their latest episode: Episode #54: Tractor Hacking.

Topics mentioned in this episode include:

You can listen to this latest episode either using the in-page audio player, directly on SoundCloud or you can watch the video of the live recording over on YouTube. If you enjoy the show, be sure to subscribe to their feed and follow them on Twitter to get updates when new shows are released.

tagged: phpugly podcast ep54 tractor hack ericvanjohnson tomrideout johncongdon

Link: https://phpugly.com/blog/54tractor-hacking

Fred Emmott:
Greenfield Projects with Hack
Nov 03, 2016 @ 12:14:06

Fred Emmott has a new post to his site sharing some of his experience with creating a "greenfield" project in Hack, the language Facebook developed to work with its HHVM runtime for PHP.

Until late 2015, the Hack and HHVM documentation site was a fork of PHP's own documentation site. This had many shortcomings, and ultimately we decided that the best approach would be something custom. As most of the public Hack code at that point was toy examples, we decided to also make the site itself open, and start investigating the greenfield problems.

There are 3 basic approaches to 'library code' in Hack if there isn't already a Hack version:

  • Use a PHP library, without typechecker support
  • Use a PHP library, and add HHI files so that Hack understands it
  • Write something new

The Hack/HHVM site uses a mix of all three, though mostly #2 and #3.

He talks about using plain PHP libraries in Hack projects and how you won't get the full benefit of Hack's features without some of the type checking being enforced (which is sometimes required to get a library working at all). He then covers the integration of three projects/structures, each adapted a bit to support Hack: FastRoute, PHPUnit and the components built on the PSR-7 request/response structure. He wraps up the post by talking about writing "something new" and what to consider to make its APIs more "Hack-like".

tagged: hack greenfield project new facebook hhvm fastroute phpunit psr7

Link: https://fredemmott.co.uk/blog/posts/greenfield-projects-with-hack

Slack Engineering Blog:
Taking PHP Seriously
Oct 14, 2016 @ 09:16:45

On the Slack Engineering blog there's a new post from one of their engineers talking about a choice the company made about their platform - they decided to take PHP seriously. In this post author Keith Adams talks about why they chose PHP and what kind of experiences they've had with it in their own environment.

Slack uses PHP for most of its server-side application logic, which is an unusual choice these days. Why did we choose to build a new project in this language? Should you?

PHP-the-language has many flaws, which undoubtedly have slowed these efforts down, but PHP-the-environment has virtues which more than compensate for those flaws. And the options for improving on PHP’s language-level flaws are pretty impressive. On the balance, PHP provides better support for building, changing, and operating a successful project than competing environments. I would start a new project in PHP today, with a reservation or two, but zero apologies.

He starts with some background on the history of PHP itself, where the language came from and what kinds of problems it mainly tries to solve. He then gets into what he sees as the "virtues of PHP", including the blank slate at the start of every request, one-request-one-process concurrency and the fast programmer workflow. He then gets into the "bad stuff" they've found when working with PHP, things like surprise type conversions, a "failure-oblivious philosophy" and inconsistencies in the standard library. Finally he looks at two options (created by Facebook to improve its own use of PHP), HHVM and the Hack language, and how they were integrated into Slack's environment.

tagged: language slack serverside hhvm hack usage experience

Link: https://slack.engineering/taking-php-seriously-cf7a60065329#.pdj63el96

SitePoint PHP Blog:
Quick Tip: Convenience Hacks for Passing Data to Views
Aug 16, 2016 @ 11:09:38

On the SitePoint PHP Blog Reza Lavaryan has shared a "quick tip" about making it easier to pass data out to the views in your MVC application. It relates more specifically to when you have a lot of values to pass out rather than just a few bits of data.

In MVC based architectures, working with template engines is an inevitable part of the development routine. It usually goes like this: we prepare and pass the data to the view. In the view, we print them based on our layout design.

[...] There are times, however, when the number of variables might be much higher than this: ten or more. In that case, we’ll have a tall list of variables (as an associative array), being passed to the respective template. It gets messy and unreadable quickly. If only there was a way to just list what we need by name, and have PHP take care of the rest for us. Well… there is!

The example shows how to use the compact function built into PHP to grab values from the current scope and return them as an array. Unfortunately this method does lose the array keys, so they propose an alternative using the get_defined_vars function and some simple key handling to return a more correct version of the array.
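The following is an added example, not code from the SitePoint post, showing the two approaches side by side in plain PHP: compact() with an explicit list of names, and get_defined_vars() with a filter applied before the result is handed to a template. The helper name viewData(), the controller action showProfile() and the deny-listed variable names are assumptions for this example. The filter is the security-relevant part: get_defined_vars() returns every local in the action, so without it a database handle or a secret sitting in a local variable is exposed to whatever the template engine lets a template touch.

```php
<?php
declare(strict_types=1);

// Hypothetical view-data helper (added example, not from the SitePoint post).
// Call it with get_defined_vars() from inside the action so it sees that
// scope's locals; it then drops entries that must not reach a template.
function viewData(array $scope, array $exclude = []): array
{
    // Locals that are never template data: the request, service handles,
    // secrets. The names here are assumptions for this example.
    $deny = array_merge(['request', 'db', 'secret', 'this'], $exclude);

    $data = [];
    foreach ($scope as $name => $value) {
        if (in_array($name, $deny, true)) {
            continue;
        }
        // Resources and closures are handles, not data; never pass them on.
        if (is_resource($value) || $value instanceof Closure) {
            continue;
        }
        $data[$name] = $value;
    }
    return $data;
}

// A minimal controller action standing in for a real one (constructed).
function showProfile(array $request, ?object $db = null): array
{
    $secret    = 'db-password-placeholder'; // must never reach the view
    $title     = 'Profile';
    $userName  = $request['user'] ?? 'anonymous';
    $posts     = ['first', 'second'];
    $postCount = count($posts);

    // With compact() every name is listed explicitly.
    $explicit = compact('title', 'userName', 'posts', 'postCount');

    // With get_defined_vars() everything is taken, then filtered; the
    // compact() result itself is excluded so it is not passed twice.
    $filtered = viewData(get_defined_vars(), ['explicit']);

    return ['explicit' => $explicit, 'filtered' => $filtered];
}

$result = showProfile(['user' => 'alice']);
print_r($result['explicit']);   // title, userName, posts, postCount
print_r($result['filtered']);   // the same four keys; request, db, secret dropped
```

Both arrays end up with the same four keys, but only the compact() form is safe by construction: adding a new local to the action later cannot silently widen what the template sees. If the get_defined_vars() shortcut is used, the deny list has to be maintained alongside the action, which is easy to forget.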

tagged: quicktip hack data view compact getdefinedvars tutorial

Link: https://www.sitepoint.com/quick-tip-convenience-hacks-for-passing-data-to-views/

How we broke PHP, hacked Pornhub and earned $20,000
Jul 25, 2016 @ 12:31:48

The PornHub.com site (definitely NSFW) is a high profile site that, as it turns out, uses PHP for a lot of its functionality. In this interesting article from the Evonide Security Research Group they show how they "broke PHP and hacked PornHub" (and earned a $20k USD bug bounty in the process). Don't worry, the article itself is "safe for work" as it's only descriptions and code examples of how the hack was performed.

Pornhub’s bug bounty program and its relatively high rewards on Hackerone caught our attention. That’s why we have taken the perspective of an advanced attacker with the full intent to get as deep as possible into the system, focusing on one main goal: gaining remote code execution capabilities. Thus, we left no stone unturned and attacked what Pornhub is built upon: PHP.

The post then walks you, step by step, through the process they followed to discover the exploit. The main entry point was PornHub's use of the unserialize function, which included a flaw allowing for code execution when a specially crafted object was injected. With the help of this they were able to "leak" out of the PHP execution and inject custom C code to be executed in the local environment. This was then used to execute a file_get_contents on the local /etc/password file and return its contents.
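As an added example (not code from the Evonide write-up), this PHP script shows the defender's side of the entry point described above: unserialize() instantiates whichever class a payload names and runs its magic methods before the application sees the result, and the allowed_classes option (PHP 7.0 and later) switches that off. The SessionState class and the serialized payload are constructed for the example.

```php
<?php
declare(strict_types=1);

// Constructed class standing in for any application class with magic methods.
// __wakeup() only counts how often it ran, which is enough to show whether
// unserialize() instantiated the class.
final class SessionState
{
    public string $user = '';
    public static int $wakeups = 0;

    public function __wakeup(): void
    {
        self::$wakeups++;
    }
}

// Constructed input built from a legitimate object. In a real application
// this string arrives from a cookie or request body, i.e. it is
// controlled by the client, not by the code that defined the class.
$payload = serialize(new SessionState());

// 1. Default call: the class named in the payload is instantiated and its
//    __wakeup() runs before the caller gets the object back.
$obj = unserialize($payload);
printf("default:  %s, wakeups=%d\n", get_class($obj), SessionState::$wakeups);

// 2. Hardened call: no class is instantiated; the data comes back as
//    __PHP_Incomplete_Class and no magic method runs (counter unchanged).
$safe = unserialize($payload, ['allowed_classes' => false]);
printf("hardened: %s, wakeups=%d\n", get_class($safe), SessionState::$wakeups);

// 3. Preferred for client-supplied data: a data-only format that cannot
//    name classes at all.
$json = json_encode(['user' => 'alice']);
$data = json_decode($json, true, 512, JSON_THROW_ON_ERROR);
printf("json:     %s\n", gettype($data));
```

Note the limit of step 2: allowed_classes stops object injection into application classes, but the article is about a flaw in PHP's unserializer itself, and a bug at that level is reached before any class filter applies. The only mitigation that covers both is step 3, never passing untrusted input to unserialize() at all.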

tagged: pornhub hack evonide serialize code injection security

Link: https://www.evonide.com/how-we-broke-php-hacked-pornhub-and-earned-20000-dollar/

Joe Watkins:
Hacking PHP 7
Mar 16, 2016 @ 10:16:38

In this post to his site PHP (core) developer Joe Watkins talks about "hacking PHP 7" based on two screencasts he's made on the subject.

Writing extensions is fun, but it's not as fun as hacking PHP. So, we're going to focus on hacking, we're going to imagine that we are introducing some new language feature, by RFC.

Without focusing on the RFC process itself, you need to know which are the relevant parts of PHP you need to change, in order to introduce new language features. You also need to know how PHP 7 works, about each stage of turning text into Zend opcodes.

After talking a bit about some of his thoughts and troubles with screencasting in general he looks at "The Beginning" of PHP's translation from text to functionality: the lexing. He introduces the basic concept around how a lexer works and how it migrates the pieces over to tokens. He then starts in on the parsing of these tokens and, finally, the AST (abstract syntax tree) resulting from the combination of these pieces, executed against a piece of code.

With that out of the way, he starts in on the "hack": a hipster expression that only works with strings and throws an exception otherwise. He shows the pieces he had to edit to create this new expression and its matching token/AST node.

tagged: php7 hack lexer parser ast tree hipster expression screencast

Link: http://blog.krakjoe.ninja/2016/03/hacking-php-7.html

HHVM Blog:
Improved User Documentation
Dec 15, 2015 @ 09:05:32

The HHVM blog has a post today announcing some updates they've made around the documentation for the project and the release of the "next generation" of their documentation at http://docs.hhvm.com/.

Back in August, we announced that we are going full force in revamping user documentation. We sent out a public survey to gauge the standing on the existing documentation at the time. We had 160 responses to the survey. Those results served as both validation and a guide to our approach with the new documentation.

The survey showed some interesting results, including that the existing documentation could use improvement, needed better content in certain sections and had poor examples in some places. To address this they worked hard to revamp the documentation and created a new GitHub repository for the docs, which allows developers to pull it down locally and contribute content/corrections back as they catch them. They also lay out the new documentation structure, breaking it up into Hack, API and HHVM sections. Finally, they talk about the technology behind the site, including the runnable code examples, how they're generated and what the build process looks like.

tagged: improved documentation user hhvm hack facebook api survey results

Link: http://hhvm.com/blog/10925/improved-user-documentation

HHVM Blog:
PHP 7 Support
Dec 08, 2015 @ 09:16:48

On the HHVM blog (Facebook's HipHop Virtual Machine project) they've posted about support for PHP 7 features that they've been working into HHVM and Hack to support backwards compatibility with this latest major version of the PHP language.

For those that haven’t been following along, the next version of the PHP language, version 7.0.0, was very recently released. Those of us working on HHVM offer our congratulations to all the contributors to this latest release! We’re all really excited to see this release come out the door, and for what it means for the future of PHP.

The release has implications for HHVM as well. [...] The HHVM project is committed to continuing to support the evolving PHP language, and as such we are proud to announce that the current nightly releases have support for all major PHP 7 features, and the upcoming 3.11.0 stable release will be the first release of HHVM with support for the major PHP 7 features.

There are some backwards compatibility issues that PHP 7 introduced, but the HHVM project has opted to support both PHP 5 and PHP 7 users simultaneously. This is made as low friction as possible either through silent compatibility or through an hhvm.php7.all ini configuration setting.

tagged: hhvm hiphop facebook hack php7 backwards compatibility

Link: http://hhvm.com/blog/10859/php-7-support

HHVM Blog:
Improving Arrays in Hack
Nov 03, 2015 @ 11:46:14

On the HHVM blog there's a post talking about some of the updates they've made with array handling in Hack to help make it more efficient and overcoming some of the challenges in how they're being used.

Arrays are the ubiquitous data structure in PHP, used to represent everything from lists, associated lists, sets, tuples, or even a bag of data. This flexibility itself makes it challenging for Hack to understand how an array will be used. [...] If this was the only problem with PHP arrays, then the solution would be “simple”; make the type checker smarter (something we are working on). However there are a number of other semantic details around arrays that are nearly impossible to analyze statically.

They talk about some of the issues a bit more specifically including:

  • indexing of non-existent keys
  • key coercion
  • arrays containing references

They also talk about some of the legitimate use cases for arrays over the collections Hack offers, mostly to do with the values they can contain. The post ends with links to some of the other future improvements to array handling in Hack and a look further out at their vision of replacing PHP arrays with Hack arrays and moving collections to a runtime library.

tagged: hhvm hack array improvement problem values collections

Link: http://hhvm.com/blog/10649/improving-arrays-in-hack

HHVM Blog:
Trait and interface requirements in Hack
Jun 19, 2015 @ 09:56:23

On the HHVM blog there's a recent post looking at some of the requirements around traits and interfaces in the Hack language. More specifically, they talk about type checking with traits and how interfaces can be used to help provide extra structure.

In PHP, traits are a mechanism of code reuse that, while very powerful, are also difficult to type check both efficiently and exhaustively. In this post we’ll dive more deeply into the reasons for that and see how Hack solves those problems, allowing you to use traits in a safe way without limiting their expressiveness.

They start by talking about the main problem with PHP's handling of traits (essentially copy and paste into the current class) and how they felt Hack should "just work" in allowing type checking on these "pasted" methods too. Performance limitations prevented them from handling it how they do with other variable types, so they changed things up, using a "require extends" syntax to tell the Hack engine how to allow the checking based on an interface. There's a lot more to it than this, so be sure to read the rest of the post on how they came to that conclusion.

tagged: trait interface requirement hack require extends syntax

Link: http://hhvm.com/blog/9581/trait-and-interface-requirements-in-hack