Looking for more information on how to do PHP the right way? Check out PHP: The Right Way

How we broke PHP, hacked Pornhub and earned $20,000
Jul 25, 2016 @ 12:31:48

The PornHub.com site (definitely NSFW) is a high profile site that, as it turns out, uses PHP for a lot of its functionality. In this interesting article from the Evondie Security Research Group they show how they "broke PHP and hacked PornHub (and earned a $20k USD bug bounty in the process). Don't worry, the article itself is "safe for work" as it's only descriptions and code examples of how the hack was performed.

Pornhub’s bug bounty program and its relatively high rewards on Hackerone caught our attention. That’s why we have taken the perspective of an advanced attacker with the full intent to get as deep as possible into the system, focusing on one main goal: gaining remote code execution capabilities. Thus, we left no stone unturned and attacked what Pornhub is built upon: PHP.

The post then walks you, step-by-step, through the process they followed to discover the exploit. The main entry point was through PornHub's use of the unserialize function that included a flaw allowing for code execution when a specially crafted object was injected. With the help of this they were able to "leak" out of the PHP execution and inject custom C code to be executed in the local environment. This was, in turn, then used to execute a file_get_contents on the local /etc/password file and return its contents.

tagged: pornhub hack evonide serialize code injection security

Link: https://www.evonide.com/how-we-broke-php-hacked-pornhub-and-earned-20000-dollar/

Matt Allan:
Understanding Dependency Injection Containers
Jul 18, 2016 @ 11:54:54

In this recent post to his site Matt Allan introduces a concept that's become an integral part of most major PHP frameworks and applications recently: dependency injection containers.

If you are writing modern PHP, you will run across dependency injection a lot. Basically all dependency injection means is that if an object needs something, you pass it in. So if you have a class [...] you would pass in (inject) the object it needs (the dependency) instead of instantiating it in the class. Dependency injection makes your code more flexible and easier to test. If you want to learn more about dependency injection in general, check out this summary in the PHP The Right Way guide.

He then breaks down the main concept, the container, and how it is usually used to store instances of various objects and other functionality. He includes the code to create a simple container, allowing for closures to be set to "entries" values. He also shows how to update the simple container to allow for singleton handling, creating an object once and returning it over and over (useful in some cases).

tagged: dependency injection container tutorial introduction

Link: http://mattallan.org/2016/dependency-injection-containers/

SitePoint PHP Blog:
Disco with Design Patterns: A Fresh Look at Dependency Injection
Jul 01, 2016 @ 11:26:44

On the SitePoint PHP blog there's a tutorial posted giving you a "fresh look at dependency injection" using the Disco library from bitExpert.

Dependency Injection is all about code reusability. It’s a design pattern aiming to make high-level code reusable, by separating the object creation / configuration from usage.

[...] Our very own Alejandro Gervasio has explained the DI concept fantastically, and Fabien Potencier also covered it in a series. There’s one drawback to this pattern, though: when the number of dependencies grows, many objects need to be created/configured before being passed into the dependent objects. [...] In this article, we’ll demonstrate the concept [of a dependency injection container] further with a newcomer in this field: Disco.

He starts with the installation of the library via Composer and starting up the built-in PHP web server for testing. With that up and running he shows you how to create an instance of the container and set up a sample service with the configuration in the docblock comments. The tutorial then talks about the service scopes, container parameters and shows it in action to create a simple controller handling frontend. There's a bit more about configuration, the container builder functionality and the creation of a response listener when routes are requested.

tagged: tutorial disco designpattern dependency injection di library

Link: https://www.sitepoint.com/disco-with-frameworks-and-design-patterns-a-fresh-look-at-dependency-injection/

Vic Cherubini:
Writing Functional Tests for Services in Symfony
Jun 16, 2016 @ 12:35:07

Vic Cherubini has written up a tutorial on his site showing you how to write functional tests for Symfony services in your application. He provides a practical example of testing a basic Symfony service and the configuration/code to go with it.

The dependency injector is an amazingly simple and flexible addition to Symfony, and one you should be using to properly structure your application. But what happens when you want to write a functional (or integration) test for a service that depends on another service? This article will show you an easy way to test complex services.

He sets up a simple InvoiceGenerator service that takes in a Doctrine entity manager and a "payment processor" instance. He stubs out a simple PaymentProcessor class and shows the configuration needed to set it all up for correct injection. He then gets into the testing of this setup, creating a simple test case that requests the invoice generator from the service container. In this call the services_test definition overrides the default and injects the test payment processor instead of the actual one.

tagged: symfony functional test services example tutorial configuration container injection

Link: https://viccherubini.com/2016/06/writing-functional-tests-for-services-in-symfony

Zsolt Szend:
Dynamic dependency injection
May 18, 2016 @ 13:32:25

In this new tutorial Zsolt Szende talks about dependency injection and how to handle objects and related needs at runtime rather than the pre-configured method that some injection containers/systems have defined.

In this short article I would like to demonstrate a way to inject dependencies that are not known until runtime. There are many use cases for this and in essence it is about choosing between concrete implementations of some common interface. In object oriented design this is known at the Strategy pattern. The choice itself can be made in various ways, for example via a configuration option or a command line parameter in case of a console command, and I think the dynamic nature of the choice is the most interesting part of the pattern.

The article provides a practical example of an XML/JSON reader pulling information from an external source. A simple interface is defined and two implementation classes put it to use. Then the "command" pattern is used to apply it to an executable script and how injecting a reader type directly overrides the one from the provided option. This is taken a step further and refactored into a "resolver" to determine the best logic to apply based on the input argument.

tagged: dynamic dependency injection xml json reader tutorial resolver

Link: http://pwm.github.io/dynamic-dependency-injection/

Never Use null
May 03, 2016 @ 13:07:32

On the QaFoo.com blog they've made a recommendation in their latest post - they suggest that you never use null.

When doing code reviews together with our customers we see a pattern regularly which I consider problematic in multiple regards – the usage of null as a valid property or return value. We can do better than this.

Let's go into common use cases first and then discuss how we can improve the code to make it more resilient against errors and make it simpler to use. Most issues highlighted are especially problematic when others are using your source code. As long as you are the only user (which hopefully is not the case) those patterns might be fine.

They talk about some of the most common uses they see for using null in PHP applications including setters for class properties (injection). They point out that in PHP 7 a missing value on a property would result in a Fatal error and make the functionality harder to test overall. They suggest that all required dependencies be injected on object construction instead, making it easier to know the current state of the object on testing. They also talk some about using null as a return value, how it could make debugging difficult and a solution that could make more sense - throwing an exception instead.

tagged: never use null return value injection setter solution suggestion debugging

Link: https://qafoo.com/blog/083_never_use_null.html

Rob Allen:
DI Factories for Slim controllers
Apr 28, 2016 @ 10:38:10

In a recent post to his site Rob Allen shows you how to create dependency injection factories for Slim (v3) controllers.

When using classes for route actions in Slim 3, I recommend using a single class for each route. However you can use a single class for multiple routes. To register a class method to a route you pass a string as the route callable where the class name is separate from method by a colon. Slim will retrieve MyController from the DI container and then call the listAction method using the usual signature. f you don't specify a method, then Slim will see if it treat the class as a callable, so you can implement __invoke() and then register the route.

He shows how to create a factory method as a part of the Slim container for a constructor and inject the correct dependencies. He shows how to register these dependencies as other factory methods inside the DI container and how to pull them back out for injection. He prefers this method as it reduces "hidden dependency" issues and makes the controllers themselves easier to test.

tagged: slim3 slimframework dependency injection container tutorial factory

Link: https://akrabat.com/di-factories-for-slim-controllers/

Introducing the PHP-DI bridge for Slim
Mar 11, 2016 @ 10:15:24

In this new article on the PHP-DI project site they've shared one of the latest tools they've created to make it easier to integrate PHP-DI with the latest version of the Slim microframework (v3).

Slim 3 was released 3 months ago and it was significant. It is one of the first frameworks to integrate the latest standards and concepts in its core.

[...] While PSR-7 and middlewares are very interesting, what's more useful for us is the use of container-interop. That means Slim 3 can work with any dependency injection container. It is very easy to replace the default container (Pimple) with PHP-DI, but today we are releasing a "PHP-DI - Slim" bridge that goes a little further.

They then show how to use their new bridge to create controllers as services in the container and pass them parameters. The post ends with the instructions on getting the PHP-DI bridge installed and how to use it to replace the default AppSlim creation of your application.

tagged: phpdi dependency injection container slim microframework slimframework v3 bridge

Link: http://php-di.org/news/18-slim-bridge-released.html

Loïc Faugeron:
The Ultimate Developer Guide to Symfony - Dependency Injection
Feb 25, 2016 @ 10:43:57

Loïc Faugeron has posted another of his "Ultimate Developer Guide" series to his site, this time with a focus on the dependency injection component of the Symfony framework.

In this guide we explore the standalone libraries (also known as "Components") provided by Symfony to help us build applications. We've already seen: HTTP Kernel and HTTP Foundation, event dispatcher, routing and YAML. We're now about to check Dependency Injection, and finally in the next article we'll have a look at Console.

He starts with an introduction to the dependency injection pattern by refactoring a request to an API for its status out into classes with different responsibilities. He includes both the code he started with and what he's refactoring to. He thing brings in the Dependency Injection component, shows how to register the different classes and define a YAML configuration with their relationships. He also includes an examples of how to pass in parameters when injecting services, extending the functionality and compile the functionality into static values.

tagged: ultimate developer guide symfony dependency injection tutorial series

Link: https://gnugat.github.io/2016/02/24/ultimate-symfony-dependency-injection.html

SitePoint PHP Blog:
How to Build Your Own Dependency Injection Container
Feb 12, 2016 @ 12:22:12

The SitePoint PHP blog has posted a tutorial showing you how to build something that's become an integral part of most frameworks and applications practicing modern PHP development: a dependency injection container.

A search for “dependency injection container” on packagist currently provides over 95 pages of results. It is safe to say that this particular “wheel” has been invented.

However, no chef ever learned to cook using only ready meals. Likewise, no developer ever learned programming using only “ready code”. In this article, we are going to learn how to make a simple dependency injection container package.

He walks you through the entire process of creating the container and each of the pieces that make it up:

  • the overall interface for the container (with has/get methods)
  • having it cooperate with the "container interoperability" structure
  • reference handling
  • constructor injection functionality

Code is included the whole way showing you how to create the parts and fit them together to make more of a whole. He ends the post with a look at a few other dependency injection containers and a reference to the repository with the end result of the article.

tagged: dependency injection container tutorial introduction

Link: http://www.sitepoint.com/how-to-build-your-own-dependency-injection-container/