
Aaron Saray:
Anatomy of a PHP Hack
Nov 27, 2017 @ 16:09:55

Aaron Saray has a post on his site sharing the "anatomy of a PHP hack": the evidence he found and pulled apart after a recent compromise he cleaned up.

It’s hard to come up with a title for this - but - basically I found some rogue code the other day that I thought was pretty interesting. I was fixing a “hacked” website when I came across the source of the symptoms of the hack.

He starts with the obfuscated code he found on the hacked website and walks through the method he used to reverse it, layer by layer, ultimately ending up with a simple call to base64_decode on a value that comes in from a $_POST request.

tagged: hack decode reverse base64 post input

Link: https://aaronsaray.com/2017/anatomy-of-a-php-hack.html

HHVM Blog:
The Future of HHVM
Sep 19, 2017 @ 14:45:03

The HHVM project (an alternative PHP runtime from Facebook) has made a major announcement on their blog: beginning with version 3.24 they will no longer try to keep parity with the PHP language now that it has moved on to PHP 7.

The HHVM team is happy about the direction PHP has taken with PHP7, and we’re proud of the role we’ve played in pushing the language and runtime to where they are today. Since the PHP community is finally saying goodbye to PHP5, we’ve decided to do so as well.

Our next LTS release, 3.24, will be cut about four months from now and will receive support for one year thereafter. It will also be the last HHVM release that commits to PHP5 support. This aligns with PHP’s own timeline of sunsetting PHP5 at the end of 2018.

[...] PHP7 is charting a new course away from PHP5, and we want to do the same, via a renewed focus on Hack. Consequently, HHVM will not aim to target PHP7. The HHVM team believes that we have a clear path toward making Hack a fantastic language for web development, untethered from its PHP origins. We’d do ourselves and our users a disservice by positioning HHVM as an uncommon, less well-documented, less compatible PHP7 runtime.

The post then lists out some of their goals for the HHVM/Hack projects moving forward including reinvesting in open source and staying focused on their needs for the platform and language. It then talks about some of the upcoming changes you can expect around support of current versions of popular PHP tools and work on tools created specifically for Hack.

tagged: hhvm facebook platform hack language project goals php5 php7

Link: http://hhvm.com/blog/2017/09/18/the-future-of-hhvm.html

PHPUgly Podcast:
Episode 54 - Tractor Hacking
Mar 27, 2017 @ 16:33:35

The PHPUgly podcast, hosted by Eric Van Johnson, Tom Rideout and John Congdon, has posted their latest episode: Episode #54: Tractor Hacking.

Topics mentioned in this episode include:

You can listen to this latest episode either using the in-page audio player, directly on SoundCloud or you can watch the video of the live recording over on YouTube. If you enjoy the show, be sure to subscribe to their feed and follow them on Twitter to get updates when new shows are released.

tagged: phpugly podcast ep54 tractor hack ericvanjohnson tomrideout johncongdon

Link: https://phpugly.com/blog/54tractor-hacking

Fred Emmott:
Greenfield Projects with Hack
Nov 03, 2016 @ 17:14:06

Fred Emmott has a new post on his site sharing some of his experience creating a "greenfield" project in Hack, the language Facebook developed to run on its HHVM runtime for PHP.

Until late 2015, the Hack and HHVM documentation site was a fork of PHP's own documentation site. This had many shortcomings, and ultimately we decided that the best approach would be something custom. As most of the public Hack code at that point was toy examples, we decided to also make the site itself open, and start investigating the greenfield problems.

There are 3 basic approaches to 'library code' in Hack if there isn't already a Hack version:

  • Use a PHP library, without typechecker support
  • Use a PHP library, and add HHI files so that Hack understands it
  • Write something new

The Hack/HHVM site uses a mix of all three, though mostly #2 and #3.

He talks about using plain PHP libraries in Hack projects and how you won't get the full benefit of Hack's features without the type checker enforcing types (and some libraries need extra work just to function). Following this he covers the integration of three projects, each adapted a bit to support Hack: FastRoute, PHPUnit and code built on the PSR-7 request/response structure. He wraps up the post talking about writing "something new" and what to consider to make its APIs more "Hack-like".

tagged: hack greenfield project new facebook hhvm fastroute phpunit psr7

Link: https://fredemmott.co.uk/blog/posts/greenfield-projects-with-hack

Slack Engineering Blog:
Taking PHP Seriously
Oct 14, 2016 @ 14:16:45

On the Slack Engineering blog there's a new post from one of their engineers about a choice the company made for its platform: they decided to take PHP seriously. In this post author Keith Adams talks about why they chose PHP and what kind of experience they've had with it in their own environment.

Slack uses PHP for most of its server-side application logic, which is an unusual choice these days. Why did we choose to build a new project in this language? Should you?

PHP-the-language has many flaws, which undoubtedly have slowed these efforts down, but PHP-the-environment has virtues which more than compensate for those flaws. And the options for improving on PHP’s language-level flaws are pretty impressive. On the balance, PHP provides better support for building, changing, and operating a successful project than competing environments. I would start a new project in PHP today, with a reservation or two, but zero apologies.

He starts with some background on the history of PHP itself, where the language came from and what kinds of problems it mainly tries to solve. He then gets into what he sees as the "virtues of PHP", including the blank slate at the start of every request, one-request-one-process concurrency and the fast programmer workflow. He then gets into the "bad stuff" they've found when working with PHP, things like surprise type conversions, a "failure-oblivious philosophy" and inconsistencies in the standard library. Finally he looks at two options (created by Facebook to improve its own use of PHP), HHVM and the Hack language, and how they were integrated into Slack's environment.

tagged: language slack serverside hhvm hack usage experience

Link: https://slack.engineering/taking-php-seriously-cf7a60065329#.pdj63el96

SitePoint PHP Blog:
Quick Tip: Convenience Hacks for Passing Data to Views
Aug 16, 2016 @ 16:09:38

On the SitePoint PHP Blog Reza Lavaryan has shared a "quick tip" about making it easier to pass data out to the views in your MVC application. It applies most when you have a lot of values to pass out rather than just a few bits of data.

In MVC based architectures, working with template engines is an inevitable part of the development routine. It usually goes like this: we prepare and pass the data to the view. In the view, we print them based on our layout design.

[...] There are times, however, when the number of variables might be much higher than this: ten or more. In that case, we’ll have a tall list of variables (as an associative array), being passed to the respective template. It gets messy and unreadable quickly. If only there was a way to just list what we need by name, and have PHP take care of the rest for us. Well… there is!

The example shows how to use the compact function built into PHP to grab values from the current scope and return them as an array. Unfortunately it does lose the array keys with this method, so the post proposes an alternative using the get_defined_vars function and some simple key handling to return a more correct version of the array.

tagged: quicktip hack data view compact getdefinedvars tutorial

Link: https://www.sitepoint.com/quick-tip-convenience-hacks-for-passing-data-to-views/

Evonide.com:
How we broke PHP, hacked Pornhub and earned $20,000
Jul 25, 2016 @ 17:31:48

The PornHub.com site (definitely NSFW) is a high-profile site that, as it turns out, uses PHP for a lot of its functionality. In this interesting article from the Evonide Security Research Group they show how they "broke PHP and hacked PornHub" (and earned a $20k USD bug bounty in the process). Don't worry, the article itself is "safe for work" as it contains only descriptions and code examples of how the hack was performed.

Pornhub’s bug bounty program and its relatively high rewards on Hackerone caught our attention. That’s why we have taken the perspective of an advanced attacker with the full intent to get as deep as possible into the system, focusing on one main goal: gaining remote code execution capabilities. Thus, we left no stone unturned and attacked what Pornhub is built upon: PHP.

The post then walks you, step by step, through the process they followed to discover the exploit. The main entry point was PornHub's use of PHP's unserialize function, which contained a flaw allowing code execution when a specially crafted object was injected. With the help of this they were able to "leak" out of the PHP execution and inject custom C code to be executed in the local environment. This was, in turn, used to execute a file_get_contents on the local /etc/password file and return its contents.

tagged: pornhub hack evonide serialize code injection security

Link: https://www.evonide.com/how-we-broke-php-hacked-pornhub-and-earned-20000-dollar/

Joe Watkins:
Hacking PHP 7
Mar 16, 2016 @ 15:16:38

In this post on his site, PHP (core) developer Joe Watkins talks about "hacking PHP 7", based on two screencasts he has made on the subject.

Writing extensions is fun, but it's not as fun as hacking PHP. So, we're going to focus on hacking, we're going to imagine that we are introducing some new language feature, by RFC.

Without focusing on the RFC process itself, you need to know which are the relevant parts of PHP you need to change, in order to introduce new language features. You also need to know how PHP 7 works, about each stage of turning text into Zend opcodes.

After talking a bit about his thoughts and troubles with screencasting in general, he looks at "The Beginning" of PHP's translation from text to functionality: the lexing. He introduces the basic concept of how a lexer works and how it turns pieces of the source text into tokens. He then moves on to the parsing of these tokens and, finally, the AST (abstract syntax tree) that results from combining these pieces, shown against a piece of example code.

With that out of the way, he starts in on the "hack" itself: a hipster expression that only works with strings and throws an exception otherwise. He shows the pieces he had to edit to create this new expression and its matching token and AST node.

tagged: php7 hack lexer parser ast tree hipster expression screencast

Link: http://blog.krakjoe.ninja/2016/03/hacking-php-7.html

HHVM Blog:
Improved User Documentation
Dec 15, 2015 @ 15:05:32

The HHVM blog has a post today announcing some updates they've made to the documentation for the project and the release of the "next generation" of their documentation at http://docs.hhvm.com/.

Back in August, we announced that we are going full force in revamping user documentation. We sent out a public survey to gauge the standing on the existing documentation at the time. We had 160 responses to the survey. Those results served as both validation and a guide to our approach with the new documentation.

The survey showed some interesting results, including that the existing documentation could use improvement, that certain sections needed better content and that some places had poor examples. To address this they worked hard to revamp the documentation and created a new GitHub repository for the docs, which lets developers pull it down locally and contribute content and corrections as they catch them. They also lay out the new documentation structure, breaking it up into Hack, API and HHVM sections. Finally, they talk about the technology behind the site, including the runnable code examples, how they're generated and what the build process looks like.

tagged: improved documentation user hhvm hack facebook api survey results

Link: http://hhvm.com/blog/10925/improved-user-documentation

HHVM Blog:
PHP 7 Support
Dec 08, 2015 @ 15:16:48

On the HHVM blog (Facebook's HipHop Virtual Machine project) they've posted about the PHP 7 features they've been working into HHVM and Hack, while keeping backwards compatibility with earlier PHP versions alongside this latest major version of the PHP language.

For those that haven’t been following along, the next version of the PHP language, version 7.0.0, was very recently released. Those of us working on HHVM offer our congratulations to all the contributors to this latest release! We’re all really excited to see this release come out the door, and for what it means for the future of PHP.

The release has implications for HHVM as well. [...] The HHVM project is committed to continuing to support the evolving PHP language, and as such we are proud to announce that the current nightly releases have support for all major PHP 7 features, and the upcoming 3.11.0 stable release will be the first release of HHVM with support for the major PHP 7 features.

There are some backwards compatibility issues that PHP 7 introduced, but the HHVM project has opted to support both PHP 5 and PHP 7 users simultaneously. This is made as low-friction as possible, either through silent compatibility or through the hhvm.php7.all ini configuration setting.

tagged: hhvm hiphop facebook hack php7 backwards compatibility

Link: http://hhvm.com/blog/10859/php-7-support
