
Brandon Savage:
What's in your Composer file?
August 14, 2014 @ 10:36:24

In his latest post Brandon Savage asks you, the Composer users out there, if you know exactly what's in your "composer.json" file. If you're not a Composer user already, he also introduces you to the tool and what it can do for you and your applications.

During the recent Crafting Code Tour, Paul Jones would ask people who was currently using Composer. It was a rare night that more than half an audience raised their hands, meaning that the best invention in the PHP world in the last three years is still not being widely used by everybody. I want to share a bit about how to get started with Composer, and why you should care in the first place.

He starts with a brief overview of what Composer is and how it works with the configuration file to pull in packages and make them available via autoloading. He shows how to download and install the tool and includes a simple "composer.json" file that installs the Monolog package. He also includes his own answer to the "what's in your file" question, showing a more advanced configuration requiring several packages and defining custom autoloading and executable directories.


Link: http://www.brandonsavage.net/whats-in-your-composer-file/

SitePoint PHP Blog:
Fractal: a Practical Walkthrough
August 06, 2014 @ 13:07:49

The SitePoint PHP blog has a new tutorial posted by Alexander Cogneau that gives you an introductory walkthrough of Fractal, a PHP-based library that provides a translation and presentation layer for the output of your APIs.

If you ever developed for an API, you might have had troubles with changes of your database schema. If you didn't happen to have a good implementation, you had to rework your whole model when changing some column names. In this article I will demonstrate how you can use Fractal as a layer between your models and JSON output. This post will show you how this package will make API development easier.

He walks you through getting the library installed (via Composer) along with Silex for the application handling and the Illuminate/database package from the Laravel framework. He also provides a SQL file to create the database for the application. The sample app handles music information, providing a simple song and artist list. It uses the Fractal package to transform the data using Transformer objects for each data type.


Link: http://www.sitepoint.com/fractal-practical-walkthrough/

PEAR Blog:
PEAR 1.9.5 is out
July 14, 2014 @ 11:09:24

The PEAR blog has posted a new announcement about the latest release of the PEAR PHP package manager, version 1.9.5.

The PEAR installer version 1.9.5 has been released today. The new version - three years after the last stable 1.9.4 and 2 weeks after the preview - is a bugfix only release. 13 bugs have been fixed.

Fixes include things dealing with broken Windows pathing and a change to report the correct php.ini setting for the installed XDebug.


Link: http://blog.pear.php.net/2014/07/12/pear-1-9-5/

Hannes Magnusson:
I have a dream
May 26, 2014 @ 09:23:54

In his latest post Hannes Magnusson describes his "dream" about a future for PHP where things like upgrading and working with extensions would be simpler, faster and more manageable.

Today we will revolutionize PHP. We will make it easier to upgrade the things you care about. We will make it easier to not upgrade things you don't want to upgrade. We will make it easier to distribute your extensions. We will make it easier to release according to your own schedule. We will make it easier to add functionality. We will make it easier to work. Ok, today is a white lie here maybe... I haven't actually implemented this, but bear with me here for a second.

With the introduction and huge growth of Composer, the PEAR package manager is fading in popularity and is slowly being abandoned. Unfortunately, it's still the primary mechanism for deploying and installing PHP extensions (PECL packages). He talks about some of his recent experience reviving a package and issues he had around the use of the packaging manager. He proposes the creation of a new "pecl install" tool - a package manager dedicated to PHP extensions, decoupled from PEAR.

The manager would just install basic PHP, then leave it up to you to pick which features you need from there. The idea is still in its early stages, but it has taken root and plans are being worked through to see if it will work for the future of the language.


Link: http://bjori.blogspot.com/2014/05/i-have-dream.html

Fabien Potencier:
The rise of Composer and the fall of PEAR
May 05, 2014 @ 09:17:32

Fabien Potencier has a new post to his site today talking about a recent trend in the PHP community around dependency and package management, the rise of Composer and the fall of PEAR.

As a good package manager to let users easily install plugin/bundles/MODs was probably also a big concern for phpBB, I talked to Nils about this topic during this 2011 hackday in San Francisco. After sharing my thoughts about libzypp, "..., I [Nils] wrote the first lines of what should become Composer a few months later". [...] So, what about PEAR? PEAR served the PHP community for many years, and I think it's time now to make it die.

He goes on to talk about how he personally has used PEAR in the past and when he stopped work on Phirum, a simplified PEAR channel manager. Based on some logging results, he found that most dependencies on his channels were related to PHPUnit's needs. When Sebastian Bergmann announced the move of PHPUnit away from PEAR, Fabien decided to make his own move to deprecate and eventually remove new releases from the PEAR sources.


Link: http://fabien.potencier.org/article/72/the-rise-of-composer-and-the-fall-of-pear

Matthias Noback:
There's no such thing as an optional dependency
April 11, 2014 @ 11:19:19

In his latest post Matthias Noback suggests the idea that there's no such thing as an optional dependency when it comes to working with packages and Composer.

On several occasions I have tried to explain my opinion about "optional dependencies" (also known as "suggested dependencies" or "dev requirements") and I'm doing it again: "There's no such thing as an optional dependency." I'm talking about PHP packages here and specifically those defined by a composer.json file.

So that everyone's on the same page, he starts with an example of a true dependency in a sample adapter class. He asks the usual question - "what's needed to run this code?" - and looks a bit deeper at the "suggested" packages. As it turns out, some of these dependencies turn into actual requirements when you need certain features of the tool. He points out that this is a problem with quite a few packages in the Composer ecosystem and proposes a solution - splitting packages based on requirements. He gives an example based on his adapter with a Mongo requirement split off into a "knplabs/gaufrette-mongo-gridfs" package that's more descriptive of the requirements.


Link: http://php-and-symfony.matthiasnoback.nl/2014/04/theres-no-such-thing-as-an-optional-dependency/

PHPClasses.org:
Did You Mean Advanced Email Validation in PHP
April 09, 2014 @ 11:50:21

In this most recent post to the PHPClasses.org blog Manuel Lemos talks about invalid email addresses and shows the use of this package to evaluate them.

When you take users' email addresses, for instance in a site sign-up form, there are great chances that the addresses may be incorrect because of a typing mistake or it is not possible to deliver the message to the specified address for some reason. This e-mail validation package can detect and prevent that users enter incorrect addresses even before you accept them.

He starts the post with a list of six types of invalid email addresses, including everything from simple typing mistakes to temporary rejection from "gray listing". He shows how to set up the class and briefly covers some of its methods and what they do. Also included is an example of it in use to validate an address. There's also a brief section at the end talking about using OAuth to work around users not wanting "yet another account" or to share their details with an untrusted application.


Link: http://www.phpclasses.org/blog/package/13/post/2-Did-You-Mean-Advanced-Email-Validation-in-PHP.html

ServerGrove Blog:
Composer 101
March 21, 2014 @ 12:14:12

You might have heard about Composer but aren't quite sure what all the fuss is about it. In this new tutorial on the ServerGrove blog, they introduce you to it, help you get it installed and show how it can help you make dependency management simpler.

Composer is a tool for dependency management in PHP. It allows us to declare the libraries (packages from now on) on which our project depends and downloads them for us. With many high quality packages available to us, they are redefining the way we are building PHP software. You can browse through the wide variety of packages at the composer main repository packagist.org. Composer is a simple tool to use and this tutorial will go over the installation and usage basics.

They walk you through the installation (on either *nix or Windows) and help you get started with your first "composer.json" configuration file. They talk about "composer.lock" and the role it plays and how Composer uses it (and the json version) to pull in dependencies for your libraries of choice. The article also briefly covers the "composer" command and the options it provides.


Link: http://blog.servergrove.com/2014/03/19/composer-tutorial/

Pádraic Brady:
PHP Package Signing: My Current Thoughts
March 10, 2014 @ 11:57:49

Pádraic Brady has a new post sharing some of his ideas around PHP package signing and a few possible ways to approach (and possibly solve) the problem.

We figured out how to write good code. We figured out how to write good code in a reusable way...for the most part. We figured out how to distribute and mix all that good reusable code in a sensible fashion. Can we now figure out how to do it all securely? [...] The problem with package signing from my perspective is tied up in a phrase most of you would know: The needs of the many outweigh the needs of the few. Thank you, Spock.

He compares two alternatives, public-key infrastructure (PKI) and Pretty Good Privacy (PGP/GPG), and how the idea of trust fits into the picture. He also points out an unfortunate fact when it comes to the initial adoption of package signing methods - people are lazy (and cheap). They want to get things done without extra steps, and signing their packages would be one of those steps. He suggests an alternative, though, using double signatures to verify the integrity and validity of a package's contents. He also talks about the role that metadata plays in the overall package ecosystem and how signing it as well could be part of the solution.


Link: http://blog.astrumfutura.com/2014/03/php-package-signing-my-current-thoughts

Pádraic Brady:
Thoughts on Composer's Future Security
March 06, 2014 @ 11:09:06

Pádraic Brady has a new "let's watch Paddy think aloud in a completely unstructured manner blog post" about the future of security when it comes to the popular PHP package manager Composer. It's recently come under criticism around its lack of package signing and TLS/SSL support.

The Composer issue, as initially reported by Kevin McArthur, was fairly simple. Since no download connection by Composer was properly secured using SSL/TLS then an attacker could, with the assistance of a Man-In-The-Middle (MITM) attack, substitute the package you wanted to download with a modified version that communicated with the attacker's server. They could, for example, plant a line of code which sends the contents of $_POST to the attacker's server.

He's been working on some updates to the project, one of which is TLS/SSL support as defined in this pull request, currently pending. It enables peer verification by default, follows PHP 5.6 TLS recommendations and uses local system certificates in the connection. He talks about other TLS/SSL measures that could be added in the future and how, despite it being safer than nothing, TLS/SSL is not the "cure all" for the problem.

He then moves on to package signing and suggests one method for implementation - signing the "composer.phar" executable and signing "everything else" (packages to be downloaded) to verify their validity.

The flaw in Composer's installer isn't that it's unsigned, it's that it doesn't afford the opportunity for the downloader to read it before it gets piped to PHP. It's a documentation issue. You can go down the route of using a CA, of course, but that's further down the rabbit hole than may be necessary. Signing the composer.phar file is another matter.

Link: http://blog.astrumfutura.com/2014/03/thoughts-on-composers-future-security



All content copyright, 2014 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework