Matthias Noback:
There's no such thing as an optional dependency
April 11, 2014 @ 11:19:19

In his latest post, Matthias Noback argues that there is no such thing as an optional dependency when it comes to working with packages and Composer.

On several occasions I have tried to explain my opinion about "optional dependencies" (also known as "suggested dependencies" or "dev requirements") and I'm doing it again: "There's no such thing as an optional dependency." I'm talking about PHP packages here and specifically those defined by a composer.json file.

So that everyone's on the same page, he starts with an example of a true dependency in a sample adapter class. He asks the usual question - "what's needed to run this code?" - and looks a bit deeper at the "suggested" packages. As it turns out, some of these suggestions turn into actual requirements as soon as you need certain features of the tool. He points out that this is a problem with quite a few packages in the Composer ecosystem and proposes a solution: splitting packages along their requirements. He gives an example based on his adapter, with the Mongo-dependent part split off into a "knplabs/gaufrette-mongo-gridfs" package whose name is more descriptive of what it requires.

Link: http://php-and-symfony.matthiasnoback.nl/2014/04/theres-no-such-thing-as-an-optional-dependency/

PHPClasses.org:
Did You Mean Advanced Email Validation in PHP
April 09, 2014 @ 11:50:21

In this most recent post to the PHPClasses.org blog Manuel Lemos talks about invalid email addresses and shows the use of this package to evaluate them.

When you take users' email addresses, for instance in a site sign-up form, there are great chances that the addresses may be incorrect because of a typing mistake, or it is not possible to deliver the message to the specified address for some reason. This e-mail validation package can detect and prevent users from entering incorrect addresses even before you accept them.

He starts the post with a list of six types of invalid email addresses, covering everything from simple typing mistakes out to temporary rejection from "gray listing". He shows how to set up the class and briefly covers some of its methods and what they do. Also included is an example of it in use to validate an address. There's also a brief section at the end about using OAuth to work around users not wanting "yet another account" or not wanting to share their details with an untrusted application.

Link: http://www.phpclasses.org/blog/package/13/post/2-Did-You-Mean-Advanced-Email-Validation-in-PHP.html

ServerGrove Blog:
Composer 101
March 21, 2014 @ 12:14:12

You might have heard about Composer but aren't quite sure what all the fuss is about it. In this new tutorial on the ServerGrove blog, they introduce you to it, help you get it installed and show how it can help you make dependency management simpler.

Composer is a tool for dependency management in PHP. It allows us to declare the libraries (packages from now on) on which our project depends and downloads them for us. With many high quality packages available to us, they are redefining the way we are building PHP software. You can browse through the wide variety of packages at the composer main repository packagist.org. Composer is a simple tool to use and this tutorial will go over the installation and usage basics.

They walk you through the installation (on either *nix or Windows) and help you get started with your first "composer.json" configuration file. They explain "composer.lock", the role it plays and how Composer uses it (together with the json file) to pull in the dependencies you've declared. The article also briefly covers the "composer" command and the options it provides.

Link: http://blog.servergrove.com/2014/03/19/composer-tutorial/

Pádraic Brady:
PHP Package Signing My Current Thoughts
March 10, 2014 @ 11:57:49

Pádraic Brady has a new post sharing some of his ideas around PHP package signing and a few possible ways to approach (and possibly solve) the problem.

We figured out how to write good code. We figured out how to write good code in a reusable way...for the most part. We figured out how to distribute and mix all that good reusable code in a sensible fashion. Can we now figure out how to do it all securely? [...] The problem with package signing from my perspective is tied up in a phrase most of you would know: The needs of the many outweigh the needs of the few. Thank you, Spock.

He compares two different alternatives, public-key infrastructure (PKI) versus GPG (the GNU Privacy Guard implementation of PGP, Pretty Good Privacy), and how the idea of trust fits into the picture. He also points out an unfortunate fact when it comes to the initial adoption of any package signing method - people are lazy (and cheap). They want to get things done and not have extra steps, and signing their packages would be one of those steps. He suggests an alternative, though: using double signatures to verify both the integrity and the validity of a package's contents. He also talks about the role that metadata plays in the overall package ecosystem and how signing it as well could be part of the solution.

Link: http://blog.astrumfutura.com/2014/03/php-package-signing-my-current-thoughts

Pádraic Brady:
Thoughts on Composer's Future Security
March 06, 2014 @ 11:09:06

Pádraic Brady has a new "let's watch Paddy think aloud in a completely unstructured manner" blog post about the future of security in the popular PHP package manager Composer. It has recently come under criticism for its lack of package signing and TLS/SSL support.

The Composer issue, as initially reported by Kevin McArthur, was fairly simple. Since no download connection by Composer was properly secured using SSL/TLS then an attacker could, with the assistance of a Man-In-The-Middle (MITM) attack, substitute the package you wanted to download with a modified version that communicated with the attacker's server. They could, for example, plant a line of code which sends the contents of $_POST to the attacker's server.

He's been working on some updates to the project, one of which is TLS/SSL support as defined in a pull request that is currently pending. It enables peer verification by default, follows the PHP 5.6 TLS recommendations and uses the local system's certificate store for the connection. He talks about other TLS/SSL measures that could be added in the future and explains why, despite being safer than nothing, TLS/SSL is not the "cure all" for the problem.

He then moves on to package signing and suggests one method for implementing it: signing the "composer.phar" executable and separately signing "everything else" (the packages to be downloaded) so their validity can be verified.

The flaw in Composer's installer isn't that it's unsigned, it's that it doesn't afford the opportunity for the downloader to read it before it gets piped to PHP. It's a documentation issue. You can go down the route of using a CA, of course, but that's further down the rabbit hole than may be necessary. Signing the composer.phar file is another matter.

Link: http://blog.astrumfutura.com/2014/03/thoughts-on-composers-future-security

VG Tech:
Swagger Docs in ZF2 with Examples - Part 2 Swagger UI
March 06, 2014 @ 09:52:25

On the VG Tech blog, they've posted a follow-up to their previous post about using the Zend Framework 2 to generate Swagger documentation for an API. In this new post (part 2) they focus more on Swagger UI.

This blog post on Swagger UI is a follow-up on my recent post on Swagger annotation parsing in ZF2. If you're not already set up with Swagger annotation parsing in your ZF2 app I recommend that you read part 1 first. In the last post we got ZF2 set up with annotation parsing and everything, and the only thing missing was Swagger UI for the neat presentation. I skipped that previously but today we'll add the last piece.

This second part of the series uses a custom package to create a "SwaggerUI" module. There are a few updates to make to the configuration files, but the rest is handled for you. In the end, the result lists the API's endpoints and lets you interact with the API directly through forms and sample calls.

Link: http://tech.vg.no/2014/03/06/swagger-docs-in-zf2-with-examples-part-2-swagger-ui-2/

SitePoint PHP Blog:
Debugging with Xdebug and Sublime Text 3
February 28, 2014 @ 11:10:53

The latest post from the SitePoint PHP blog, a new tutorial by Peter Nijssen, shows you how to get started with Xdebug and Sublime Text 3 to debug your PHP applications.

Debugging - we all do it a lot. Writing code perfectly the first time around is hard and only a few (if any) succeed at it. More than a year ago, Shameer wrote an article on SitePoint about how you can debug your application using Xdebug and Netbeans. In this article, we are going to have a look at how we can debug using Xdebug in combination with Sublime Text.

He assumes you already have Xdebug installed (and links to the instructions for those who don't) and helps you configure it to connect to your listening editor. Back in Sublime, he shows you how to use the package manager to install the Xdebug client and configure the current project to use it. He shows how to set breakpoints and how to view the stack and watch data when a breakpoint is hit.

Link: http://www.sitepoint.com/debugging-xdebug-sublime-text-3/

Pádraic Brady:
Composer Downloading Random Code Is Not A Security Vulnerability?
February 21, 2014 @ 10:04:52

In his latest post Pádraic Brady responds to a recent post stating that an issue in Composer, where the wrong package could be installed, is not a security issue. Pádraic disagrees, and here's why:

The problem here is quite simple. A user defines a composer.json file that requires the package bloggs/framework. Someone else creates a package on Packagist.org called evil/framework whose own composer.json states that it replaces bloggs/framework. Next, a group of poor random victims, potentially thousands, use composer to install applications with a dependency on bloggs/framework. Composer does some internal wizardry and installs evil/framework when certain conditions are met. The victims didn't request evil/framework but they get it anyway.

He suggests that this is a kind of remote file inclusion and possibly a remote code execution vulnerability. He points out that the manual steps suggested in the other post aren't listed in the Composer documentation and that fixes for the issue are still pending.

Saying one thing, but acting like it's the other thing you don't want people to call it, makes me think it really is the other thing. Probably because it is. Users can fall victim to a replace and it's called "unintuitive", but if a package states that it replaces something that might lead to the unintuitive behaviour, it's an abuse.
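
The substitution Brady describes leaves a trace in the project's own files: a package listed under "require" in composer.json that is absent from composer.lock under its own name, while another lock entry declares it in its "replace" map. The following audit script is an added example, not code from Brady's post or from Composer; it assumes the standard lock layout (a "packages" list of entries with "name" and an optional "replace" object) and uses constructed sample files that mirror the bloggs/framework scenario.

```python
import json

# Constructed sample project files (not taken from the original post).
# The lock mirrors the scenario in the quote: the project requires
# bloggs/framework, but what got installed is evil/framework, which
# declares that it replaces bloggs/framework.
COMPOSER_JSON = json.dumps({
    "require": {"php": ">=5.3", "bloggs/framework": "^1.0", "monolog/monolog": "^1.7"}
})
COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "monolog/monolog", "version": "1.7.0"},
        {"name": "evil/framework", "version": "1.0.0",
         "replace": {"bloggs/framework": "self.version"}},
    ],
    "packages-dev": []
})


def find_replaced_requirements(composer_json: str, composer_lock: str) -> dict:
    """Map each directly required package that is NOT installed under its own
    name to the lock entry claiming to replace it. A non-empty result means the
    project is about to run code from a package it never asked for."""
    required = json.loads(composer_json).get("require", {})
    lock = json.loads(composer_lock)
    packages = lock.get("packages", []) + lock.get("packages-dev", [])
    installed = {pkg["name"] for pkg in packages}

    substitutions = {}
    for name in required:
        # Platform requirements (php, ext-*, lib-*) never appear in the lock file.
        if name == "php" or name.startswith(("ext-", "lib-")):
            continue
        if name in installed:
            continue  # installed under its own name: nothing to flag
        for pkg in packages:
            if name in pkg.get("replace", {}):
                substitutions[name] = pkg["name"]
    return substitutions


if __name__ == "__main__":
    for wanted, got in find_replaced_requirements(COMPOSER_JSON, COMPOSER_LOCK).items():
        print(f"WARNING: {wanted} is not installed; {got} claims to replace it")
```

Run it against a real project by loading composer.json and composer.lock from disk instead of the constructed strings; an empty result means every direct requirement resolved to the package you named.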

Link: http://blog.astrumfutura.com/2014/02/composer-downloading-random-code-is-not-a-security-vulnerability/

Matthias Noback:
The "dark" side of PHP
February 10, 2014 @ 12:58:14

In his latest post, Matthias Noback talks about the "dark" side of PHP and some of the common problems of working with and using packages. It is the introduction from his upcoming book on the same subject.

PHP is actually a very problematic language. It has somewhat of a bad reputation. This is no surprise to me, given the huge amounts of bad code written in PHP, produced by novice "developers", yet available for a large audience to copy into their projects. [...] PHP has become such a big player - I guess - because it is so easy to learn. Starting with a simple HTML page it does not take much effort to add some dynamic functionality to it. There is no need to go to school and learn about programming before you can use PHP on your web server.

For all of the good that PHP brings to the table, there are also the bad practices that can come with it. While PHP can be forgiving about bad practices, there's only so far it can go before it starts throwing errors. Since much of the checking happens late, at run time, bad code can sneak in and go unnoticed until it's actually executed.

Link: http://php-and-symfony.matthiasnoback.nl/2014/02/the-dark-side-of-php

Reddit.com:
Any ideas on what "MVC agnostic" PHP code is?
February 06, 2014 @ 10:43:59

On Reddit.com there's a recent post asking for a bit of clarification about the term "MVC agnostic" as used by a potential employer:

A potential employer wanted to see some of my code before an interview. They originally asked for MVC or OO PHP that I'd written in the last 30 days - fair enough. [...] They've come back to me (via the recruitment agent) asking for some "MVC agnostic code" as no one on staff has worked with CodeIgniter before. Any ideas what they mean by this, as I'm slightly stumped?

Most of the responses to the post point to something that's becoming more and more of a trend in PHP development lately: framework-agnostic development. Basically, this means creating functionality (usually in packages) that can be dropped into any application and used independently of a particular framework.

Other commenters offer different readings of the term, such as:

  • "This is the first time that I have heard someone mention "MVC agnostic" and on the face of it I would question their own understanding of the phrase."
  • "Yeah, the key bit in your question there was 'via a recruitment agency'. Half of the time, they haven't got a clue about the industry and so jargon gets tossed about something awful."
  • "I think it's more accurate to say that what they want to know is that you actually know PHP, and not merely a set of tools on top of PHP that make you productive in the way you prefer."

Link: http://www.reddit.com/r/PHP/comments/1x2xea/any_ideas_on_what_mvc_agnostic_php_code_is/

All content copyright, 2014 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework