Mattias Geniar:
Mitigating PHP’s long standing issue with OPCache leaking sensitive data
Feb 28, 2017 @ 11:39:33

In a new post to his site Mattias Geniar looks at an old security issue in PHP, OPcache information leakage, and how to mitigate it.

A very old security vulnerability has been fixed in PHP regarding the way it handles its OPCaches in environments where a single master process shares multiple PHP-FPM pools. This is the most common way to run PHP nowadays and might affect you, too.

He starts by describing the vulnerability itself: the PHP process doesn't validate the user id when fetching cached bytecode. This can result in information from one script being exposed to other processes in a PHP-FPM pool. His solution? Upgrade PHP (the bug was fixed back in PHP 5.6.5) and set a few additional opcache ini settings to enforce the validation. Besides 5.6.29, it was also corrected in the PHP 7 releases (7.0.14 and 7.1.0). The post then talks about the potential exploit - an indirect local privilege escalation to root where the shared memory is read and access to outside information is possible.

tagged: opcache bytecode security issue leak sensitive information mitigation

Link: https://ma.ttias.be/mitigating-phps-long-standing-issue-opcache-leaking-sensitive-data/

Laravel News:
Laravel Cheat Sheet
Apr 07, 2016 @ 11:20:09

As is mentioned in this new post to the Laravel News site, there's a handy Laravel Cheat Sheet that's been published to help keep relevant Laravel information at your fingertips.

The Laravel Cheat Sheet is a new project from the EST Group that shows you many of the Laravel features from a filterable web app. For those that have used Laravel for a few years, you may notice the similarities to Jesse O’Brien’s.

Jesse hasn’t had time to keep his version up to date which left an opening for this new one. However, I’m disappointed in the similarities. Even though both are open source it just feels odd to me that this one looks so much like Jesse’s.

You can view the project directly (via GitHub pages) or grab the source if you'd like to check it out.

tagged: laravel cheatsheet project github information quick reference

Link: https://laravel-news.com/2016/04/laravel-cheat-sheet/

Damien Seguy:
Prepare for PHP 7 error messages (Series)
May 26, 2015 @ 09:35:11

For those looking forward to PHP 7, there's a new series of posts from Damien Seguy that can help you with some of the newer error messages and what might be causing them.

The first step to prepare for PHP 7 is to lint it: using the command line instruction ‘php -l script.php’, one can easily check that every file in a current application compiles with PHP 7. The second step is to run the application and the unit tests: in short, execute it with PHP 7. And this is where we’ll learn about the new errors that PHP has prepared for us. In order to be one step ahead of the migration, this article will help you prepare: here is a panorama of PHP error messages.

In part one he looks at some of the most often raised errors including the incorrect use of "$this" and undefined offsets. Part two gets into a few more complex messages about return type hinting, the constant scalar expression and using temporary expressions in a write context. Finally, part three looks at messaging around redefinition of identical parameters, bit shifting by a negative number, named constructor deprecation and strict typing. Each part of the series covers a few more than just the ones listed here too, so be sure to check each for more helpful error messages and solutions.

tagged: php7 error message help series part1 part2 part3 resolve information

Link: http://www.exakat.io/php-7-error-messages-part-1/

Derick Rethans:
Xdebug 2.3: Moar var_dump()
Feb 27, 2015 @ 09:58:40

Derick Rethans has a new post to his site starting a series of posts about the new features of Xdebug 2.3. In this new post he talks about an improvement that's been made to the output provided by var_dump with more information than before.

One of the new features relates to one of the first things that I added in the original Xdebug: making the var_dump() output "pretty". Xdebug replaces PHP's standard var_dump() function with its own version, as long as the xdebug.overload_var_dump setting is not set to 0. [...] Xdebug 2.3 enhances the overloading of var_dump() with the inclusion of the file name and line number where var_dump() is called at. This has been a long standing feature request.

He provides a few sample screenshots comparing the old and new output formats and mentions another handy setting, xdebug.file_link_format, that makes the resulting filename a link in a browser and lets you customize the format.

tagged: xdebug vardump overload file path information output improvement release

Link: http://derickrethans.nl/xdebug-2.3-overload-vardump.html

A Practical Use of WordPress Global Variables
Sep 23, 2014 @ 11:54:09

On the NetTuts.com site there's a new post (a part of a series) that introduces you to the global variables available in WordPress and provides a practical use for them.

In the first article in this series, we reviewed an introduction to WordPress global variables. Specifically, we said that they are variables that hold a variety of information that can be accessed from anywhere in the WordPress page lifecycle. We learned how to access a global variable and display various details about the latest post using the $post global variable. In today’s article, we will dive further into global variables by learning how to access them to display the author information.

In this post the author focuses on extracting user (author) data from the system via the "authordata" global variable. He shows an example of the print_r output of the data it contains and uses this to filter posts, showing only three per author.

tagged: wordpress global variable author information authordata

Link: http://code.tutsplus.com/tutorials/a-practical-use-of-wordpress-global-variables--cms-20854

SitePoint PHP Blog:
PHP and WMI – Dig deep into Windows with PHP
Dec 24, 2013 @ 12:30:25

On the SitePoint PHP blog they've posted a new tutorial that "digs deep" into PHP on Windows with WMI, the Windows Management Instrumentation functionality - a web-based architecture information gathering system.

There are many devices (servers, desktops, laptops, tablets, phones, etc) running a Windows operating system. Many of us who live in the nix based world have to work in this OS, or if we don't, we will, sooner or later. Besides the regular tools we can expect from a *nix system (say Apache, PHP, MySQL, C/C++ compilers, etc), Windows offers a set of unique features not present in any other OS, and WMI is one of them. In this article, we will address the questions like: What is WMI? How to use WMI with PHP? We will have some minimal sample codes to go through the basic programming techniques.

He starts off the post briefly explaining what WMI is and what kinds of problems it solves. He shows you how to check if it's installed (it probably is on most recent Windows machines) and that it's enabled. He also shows how to configure the firewall to allow WMI connections and the library you'll need to get the PHP support functional (php_com_dotnet.dll). He then gets into what kind of information you can get from WMI including local hardware information, BIOS details and memory usage. Some simple code is included using the COM functionality to connect to the server and run a query.

tagged: windows wmi information tutorial introduction com

Link: http://www.sitepoint.com/php-wmi-dig-deep-windows-php

Liip Blog:
How to preload ACL in order to get good performances
Oct 09, 2013 @ 10:40:34

On the Liip blog today Jean-Christophe Zulian shares an idea about gaining performance in your access controlled section of your application. He suggests preloading ACL information in Symfony2-based applications.

Symfony2 comes with an ACL mechanism that can help you whenever you need to add some permissions in your system. [...] Unfortunately we came across a situation where we had to do this kind of permission check on a very long list of items. [...] Performance will go bad (or very bad in our case) and as the system keeps storing more and more of the same kind of data it becomes slower and slower. [...] Luckily for us the Sf2 ACL system provides a way out of this. You can, in a small number of queries, load all the ACLs that are related to some given objects.

He includes a small snippet of code that takes in a set of blog posts (as an example) and calls a "findAcls" method to pre-fetch the information. That information is then available for the rest of the request. The fetch is done in batches instead of via one large query, making it a bit more performant.

tagged: symfony2 preload acl information performance

Link: http://blog.liip.ch/archive/2013/10/09/how-to-preload-acl-in-order-to-get-good-performances.html

6 Things to Consider when Choosing a Framework
Apr 08, 2013 @ 11:29:07

PHPMaster.com has posted a list of six things they think you should think about as you're selecting the framework for your next application.

You've decided that it makes sense to use a framework when writing your next new application, and chances are that if you're already familiar with a specific framework, then you'll probably be leaning towards using that one when you start. But are you sure it's really the most appropriate for the task at hand? In the name of due diligence, here are some of the questions that you should ask yourself before settling on a particular framework to make sure you're not programming "against the grain" and also to make sure it will be able to meet your needs now and in the long term.

He doesn't get into any specifics of any PHP frameworks out there, but suggests general questions to ask even before getting too deep into the technology:

  • What do I need from the framework?
  • Do I expect the framework to help manage consistency?
  • Is good documentation available?
  • Is the framework actively developed, and does it have an active user base?
  • Does the framework work in what I run in production?
  • What business factors are influencing my decision?

Not every application needs to be written using a framework. But if you've decided that yours does, then it's beneficial to compare your needs against the features and benefits of the various framework offerings.

tagged: framework choice advice questions information

Link: http://phpmaster.com/6-things-to-consider-when-choosing-a-framework

Talking to Facebook's Social Graph with PHP
Nov 21, 2011 @ 11:26:54

On PHPBuilder.com there's a recent post showing you how to connect your application to Facebook's Graph API and grab the current user's public profile information.

In recent years, [Facebook's] influence has dramatically grown thanks to the Facebook Platform, a set of APIs which third-parties can use to create or extend applications which tightly integrate with Facebook.com's features and users. [...] PHP-minded developers are particularly fortunate, as the Facebook PHP SDK doesn't only provide users a powerful solution for interacting with the social graph, but because it's actively maintained by the Facebook development team is often the first of several available APIs to offer the latest features and bug fixes.

He points out the GitHub repository for grabbing the Facebook SDK, the information you'd get (at a minimum) from the API and the sort of detail you can expect from a user logged into your application. Sample code is included for this last example.

tagged: facebook social graph api tutorial public information
Community News:
Debug Bar for Zend Framework - Scienta
Mar 30, 2009 @ 10:21:48

Joakim Nygard has come up with a debug bar for the Zend Framework, similar to those found in other frameworks - the Scienta ZF Debug Bar.

The Scienta ZF Debug Bar is a plugin for the Zend Framework for PHP5. It provides useful debug information displayed in a small bar at the bottom of every page. Time spent, memory usage and number of database queries are presented at a glance. Additionally, included files, a listing of available view variables and the complete SQL command of all queries are shown in separate panels (shown configured with 2 database adapters):

You can check out an example setup here [png] and get the full installation instructions and latest downloads from the project's page.

tagged: debug bar status information example install download project