Looking for more information on how to do PHP the right way? Check out PHP: The Right Way

SitePoint PHP Blog:
Quick Tip: Convenience Hacks for Passing Data to Views
Aug 16, 2016 @ 11:09:38

On the SitePoint PHP Blog Reza Lavaryan has shared a "quick tip" about making it easier to pass data out to the views in your MVC application. It relates more specifically to when you have a lot of values to pass out rather than just a few bits of data.

In MVC based architectures, working with template engines is an inevitable part of the development routine. It usually goes like this: we prepare and pass the data to the view. In the view, we print them based on our layout design.

[...] There are times, however, when the number of variables might be much higher than this: ten or more. In that case, we’ll have a tall list of variables (as an associative array), being passed to the respective template. It gets messy and unreadable quickly. If only there was a way to just list what we need by name, and have PHP take care of the rest for us. Well… there is!

The example shows how to use the compact function built into PHP to grab values from the current scope and return them as an array. Unfortunately it does loose the array keys with this method, so they propose an alternative with the get_defined_vars function and some simple key handling to return a more correct version of the array.

tagged: quicktip hack data view compact getdefinedvars tutorial

Link: https://www.sitepoint.com/quick-tip-convenience-hacks-for-passing-data-to-views/

Evonide.com:
How we broke PHP, hacked Pornhub and earned $20,000
Jul 25, 2016 @ 12:31:48

The PornHub.com site (definitely NSFW) is a high profile site that, as it turns out, uses PHP for a lot of its functionality. In this interesting article from the Evondie Security Research Group they show how they "broke PHP and hacked PornHub (and earned a $20k USD bug bounty in the process). Don't worry, the article itself is "safe for work" as it's only descriptions and code examples of how the hack was performed.

Pornhub’s bug bounty program and its relatively high rewards on Hackerone caught our attention. That’s why we have taken the perspective of an advanced attacker with the full intent to get as deep as possible into the system, focusing on one main goal: gaining remote code execution capabilities. Thus, we left no stone unturned and attacked what Pornhub is built upon: PHP.

The post then walks you, step-by-step, through the process they followed to discover the exploit. The main entry point was through PornHub's use of the unserialize function that included a flaw allowing for code execution when a specially crafted object was injected. With the help of this they were able to "leak" out of the PHP execution and inject custom C code to be executed in the local environment. This was, in turn, then used to execute a file_get_contents on the local /etc/password file and return its contents.

tagged: pornhub hack evonide serialize code injection security

Link: https://www.evonide.com/how-we-broke-php-hacked-pornhub-and-earned-20000-dollar/

Joe Watkins:
Hacking PHP 7
Mar 16, 2016 @ 10:16:38

In this post to his site PHP (core) developer Joe Watkins talks about "hacking PHP 7" based on two screencasts he's made on the subject.

Writing extensions is fun, but it's not as fun as hacking PHP. So, we're going to focus on hacking, we're going to imagine that we are introducing some new language feature, by RFC.

Without focusing on the RFC process itself, you need to know which are the relevant parts of PHP you need to change, in order to introduce new language features. You also need to know how PHP 7 works, about each stage of turning text into Zend opcodes.

After talking a bit about some of his thoughts and troubles with screencasting in general he looks at "The Beginning" of PHP's translation from text to functionality: the lexing. He introduces the basic concept around how a lexer works and how it migrates the pieces over to tokens. He then starts in on the parsing of these tokens and, finally, the AST (abstract syntax tree) resulting from the combination of these pieces, executed against a piece of code.

With that out of the way, he starts in about the "hack" - a hipster expression that only works with strings and throws an exception otherwise. He shows the pieces he had to edit to create this new expression and it's matching token/AST node.

tagged: php7 hack lexer parser ast tree hipster expression screencast

Link: http://blog.krakjoe.ninja/2016/03/hacking-php-7.html

HHVM Blog:
Improved User Documentation
Dec 15, 2015 @ 09:05:32

The HHVM blog has a post today announcing some updates they've made around the documentation for the project and the release of the "next generation" of their documentation at http://docs.hhvm.com/.

Back in August, we announced that we are going full force in revamping user documentation. We sent out a public survey to gauge the standing on the existing documentation at the time. We had 160 responses to the survey. Those results served as both validation and a guide to our approach with the new documentation.

The survey showed some interesting results including that the existing documentation could use improvement, better content in certain sections and poor examples in some places. In order to help this they worked hard to revamp the documentation and created a new GitHub repository for the docs and allows developers to pull it down locally and contribute back content/corrections as they might catch them. They also lay out the new documentation structure, breaking it up into Hack, API and HHVM sections. Finally, they talk about the technology behind the site including the runnable code examples, how they're generated and what the build process looks like.

tagged: improved documentation user hhvm hack facebook api survey results

Link: http://hhvm.com/blog/10925/improved-user-documentation

HHVM Blog:
PHP 7 Support
Dec 08, 2015 @ 09:16:48

On the HHVM blog (Facebook's HipHop Virtual Machine project) they've posted about support for PHP 7 features that they've been working into HHVM and Hack to support backwards compatibility with this latest major version of the PHP language.

For those that haven’t been following along, the next version of the PHP language, version 7.0.0, was very recently released. Those of us working on HHVM offer our congratulations to all the contributors to this latest release! We’re all really excited to see this release come out the door, and for what it means for the future of PHP.

The release has implications for HHVM as well. [...] The HHVM project is committed to continuing to support the evolving PHP language, and as such we are proud to announce that the current nightly releases have support for all major PHP 7 features, and the upcoming 3.11.0 stable release will be the first release of HHVM with support for the major PHP 7 features.

There are some backwards compatibility issues that PHP 7 introduced but the HHVM project has opted to support both the PHP 5 and 7 users simultaneously. This is made as low friction as possible either through silent compatibility or though a hhvm.php7.all ini configuration setting.

tagged: hhvm hiphop facebook hack php7 backwards compatibility

Link: http://hhvm.com/blog/10859/php-7-support

HHVM Blog:
Improving Arrays in Hack
Nov 03, 2015 @ 11:46:14

On the HHVM blog there's a post talking about some of the updates they've made with array handling in Hack to help make it more efficient and overcoming some of the challenges in how they're being used.

Arrays are the ubiquitous data structure in PHP, used to represent everything from lists, associated lists, sets, tuples, or even a bag of data. This flexibility itself makes it challenging for Hack to understand how an array will be used. [...] If this was the only problem with PHP arrays, then the solution would be “simple”; make the type checker smarter (something we are working on). However there are a number of other semantic details around arrays that are nearly impossible to analyze statically.

They talk about some of the issues a bit more specifically including:

  • indexing of non-existent keys
  • key coercion
  • arrays containing references

They also talk about some of the legitimate use cases for arrays over the collections Hack offers, mostly do to with the values they could contain. The post ends with links to some of the other future improvements to the array handling in Hack and a look further out and their vision of replacing PHP arrays with Hack arrays and moving collections to a runtime library.

tagged: hhvm hack array improvement problem values collections

Link: http://hhvm.com/blog/10649/improving-arrays-in-hack

HHVM Blog:
Trait and interface requirements in Hack
Jun 19, 2015 @ 09:56:23

On the HHVM blog there's a recent post looking at some of the requirements around traits and interfaces in the Hack language. More specifically, they talk about type checking with traits and how interfaces can be used to help provide extra structure.

In PHP, traits are a mechanism of code reuse that, while very powerful, are also difficult to type check both efficiently and exhaustively. In this post we’ll dive more deeply into the reasons for that and see how Hack solves those problems, allowing you to use traits in a safe way without limiting their expressiveness.

They start by talking about the main problem with PHP's handling of traits (essentially copy and paste into the current class) and how they felt Hack should "just work" in allowing type checking on these "pasted" methods too. Performance limitations prevented them from handling it how they do with other variable types, so they changed things up, using a "require extends" syntax to tell the Hack engine how to allow the checking based on an interface. There's a lot more to it than this, so be sure to read the rest of the post on how they came to that conclusion.

tagged: trait interface requirement hack require extends syntax

Link: http://hhvm.com/blog/9581/trait-and-interface-requirements-in-hack

Dan Miller:
Comparing the PHP 7 and Hack Type Systems
Apr 29, 2015 @ 08:31:43

Dan Miller, a core platform engineer at Etsy, has a new post on his personal site sharing his results from a comparison of the variable typing systems between the Hack language (created by Facebook) and what's coming in PHP7.

One of the exciting things about PHP 7, aside from the incredible performance improvements, is the introduction of scalar type hintingHack. I wanted to find out if you could execute the same code in PHP 7 and Hack, and what the differences in execution might be. Here's what I found out.

He starts by describing his setup (the versions of PHP7 and HHVM he's using) and shares a few simple examples. He uses the same(ish) code in both and points out some of the differences in what happens when each is executed. He also points out some of the differences in the features between the two (such as Hack not allowing for default arguments with a value of null). He tries a few more complicated things too, like mixing strict and non-strict files, and the findings. He ends the post with some of his overall thoughts of his results and his excitement about what the future holds for PHP7 and the hinting it will provide.

tagged: compare php7 hack type systems variable statictypehints hinting hhvm

Link: http://www.dmiller.io/blog/2015/4/26/comparing-the-php7-and-hack-type-systems

NetTuts.com:
When You're Hacked in WordPress: Staying Safe Later On
Feb 20, 2015 @ 14:19:00

NetTuts.com has posted the second part in their "When You're Hacked - WordPress" tutorial series today with this new article showing you how to stay safe once you've recovered from the initial attack.

n the first part of this series, we went through what to do when your website gets hacked. In this second part, we're going to learn about staying safe and being able to act quickly when another unpleasant incident happens.

They start by answering the overarching question everyone wants to know about WordPress (as it relates to security) - "is it safe?" They follow this with some recommendations to help keep your install safe including:

  • Staying Up to Date
  • Using Safe Plugins & Themes
  • Using a Security-Related WordPress Plugin

Check out the rest of the article for the full list and a quick summary of each, some with links to the actual tools and plugins to help you protect your installation.

tagged: wordpress hack stay safe tutorial series part2 recommendation

Link: http://code.tutsplus.com/tutorials/when-youre-hacked-in-wordpress-staying-safe-later-on--cms-22748

HHVM Blog:
Announcing a Specification for Hack
Feb 20, 2015 @ 13:51:15

Similar to how the language specification was released for PHP a little while back, the HHVM team has announced a new specification for Hack, the language they've created as a part of the HipHop VM project that's similar to PHP.

When we announced Hack, we were very excited for the community to get their hands on a programming language that has helped Facebook engineers become more productive in their day-to-day development and became, alongside PHP, the language used when developing applications running on HHVM. At the time of release, we had documentation geared for the programmer using Hack to develop applications. However, we did not have official documentation for those that might want to create a Hack implementation of their own or something like a Hack conformance test-suite. This specification fills that gap. It is the document for the Hack implementer, and an excellent supplemental document for the Hack user.

The remainder of the post talks about some of the reasoning behind creating the specification, pointing to resources where you can help contribute and a few thanks to some of the people that worked on it.

tagged: specification hack hhvm facebook hiphop language

Link: http://hhvm.com/blog/8537/announcing-a-specification-for-hack