
Pádraic Brady:
Securely Distributing PHARs: Pitfalls and Solutions
March 04, 2015 @ 11:46:10

Pádraic Brady has a new article on his site talking about the secure distribution of phars (PHP archive files) including some of the common pitfalls and potential solutions.

The PHAR ecosystem has become a separate distribution mechanism for PHP code, distinct from what we usually consider PHP packages via PEAR and Composer. However, they still suffer from all of the same problems, namely the persisting whiff of security weaknesses in how their distribution is designed. [...] Several security-related issues introduce an element of risk that the code you receive is not actually the code the author intended to distribute, i.e. it may decide to go do some crazy things that spell bad news when executed.

He shares some of the steps he's taken to secure his own phar for a CLI application with things like:

  • Distribute the PHAR over HTTPS
  • Enforce TLS verification
  • Sign your PHAR with a private key
  • Avoid PHAR Installer scripts
  • Manage Self-Updates securely

He finishes the post with one of the most important parts of the article - a reminder to do all of the things on the list above consistently.

This is not an outrageous outcome to introducing proper security on PHAR downloads. Go forth and do it for all PHARs. Help create an environment where distributing and installing code in secure ways is the normal expected thing to do.
secure distribution phar solution tls https privatekey installer selfupdates

Link: http://blog.astrumfutura.com/2015/03/securely-distributing-phars-pitfalls-and-solutions/

ThePHP.cc:
PHPUnit Migration from PEAR to PHAR
January 14, 2015 @ 13:48:34

On thePHP.cc's site today Sebastian Bergmann, the creator of the popular PHPUnit unit testing framework, shows you how to move to using the tool's phar file and away from the previously used PEAR install method.

In April 2014 I announced that I would shut down pear.phpunit.de on December 31, 2014. The motivation behind this move was to simplify the release process of PHPUnit by getting rid of an outdated distribution channel. I was afraid that I would leave users of my software behind by this move. [...] I am relieved that the shutdown of pear.phpunit.de went as smooth as it did. [...] In this article I show you how to make the transition from using PHPUnit from a PEAR package to using PHPUnit from a PHP Archive or using Composer as easy and convenient as possible.

There are three main steps in the migration from PEAR to the PHAR or Composer-based installation:

  • Uninstalling PEAR Packages
  • Using PHPUnit from a PHP Archive (PHAR)
  • Installing PHPUnit with Composer

He includes the commands and configuration files/settings you'll need to make the transition happen. He also mentions that older versions are still available if there's a need but only on GitHub/Packagist as phar packages, not via PEAR.

phpunit migration pear phar packagist composer tutorial

Link: http://thephp.cc/news/2015/01/phpunit-migration-from-pear-to-phar

Community News:
PHPUnit Announced End of Life on PEAR Installation Method
April 21, 2014 @ 10:29:53

There's a new addition to the GitHub wiki that's quite important for the PHPUnit users out there. Sebastian Bergmann has officially announced the end of life for the PEAR version of the installer for the popular PHPUnit tool.

Since PHPUnit 3.7, released in the fall of 2012, using the PEAR Installer was no longer the only installation method for PHPUnit. Today most users of PHPUnit prefer to use a PHP Archive (PHAR) of PHPUnit or Composer to download and install PHPUnit. Starting with PHPUnit 4.0 the PEAR package of PHPUnit was merely a distribution mechanism for the PHP Archive (PHAR) and many of PHPUnit's dependencies were no longer released as PEAR packages. Furthermore, the PEAR installation method has been removed from the documentation. We are taking the next step in retiring the PEAR installation method with today's release of PHPUnit 3.7.35 and PHPUnit 4.0.17.

As part of this end of life, pear.phpunit.de will also be decommissioned no later than the end of 2014.

pear phpunit install method composer phar download

Link: https://github.com/sebastianbergmann/phpunit/wiki/End-of-Life-for-PEAR-Installation-Method

Hasin Hayder:
Create personalized phar files in PHP
January 15, 2014 @ 09:32:42

Hasin Hayder has a quick post talking about the creation of personalized phar files (packaged up PHP applications) using the Box Project tool.

Created a screencast to show how you can create phar files, most importantly personalized phar files to store some information inside it and protect it using the user's password. That information is usable only when the user provides a correct password. For packaging, I have used http://box-project.org which is an excellent phar packager. I've also used two functions from Josh Hartman's blog to encrypt and decrypt data using Rijndael algorithm.

You can watch the full screencast over on YouTube. It walks you through the entire process of creating a simple script, using the two functions (mc_encrypt and mc_decrypt) to handle the encryption and defining the Box configuration JSON to create the package.

phar file tutorial screencast boxproject encryption password

Link: http://hasin.me/2014/01/14/create-personalized-phar-files-in-php

Sebastian Bergmann:
Using PHPUnit from a PHP Archive (PHAR)
October 08, 2012 @ 10:18:52

PHPUnit, the popular PHP unit testing tool, has undergone some changes in its methods of deployment. First it was integrated into the Composer/Packagist dependency management system and now it's been implemented as a phar archive. Sebastian Bergmann explains how to use it in his latest post.

Downloading a single file to use PHPUnit? Not an idea that is too phar out anymore! Starting with version 3.7.5, PHPUnit seems to finally work correctly when packaged as a PHP Archive (PHAR).

He includes a list of steps you can follow to pull down the latest code and use the phar branch that executes with the archive file instead of the local "phpunit" executable. Of course, you can still (as always) install PHPUnit via the PEAR process as well.

phpunit phar archive tutorial checkout execute


Project:
Box - Making Creating PHARs Easier
August 24, 2012 @ 10:33:52

There's a new project on GitHub that aims to help with building phar archives for your PHP applications. The process is a little obtuse right now and Box wants to simplify it.

Box is a library and command line application for simplifying the PHAR creation process. [Features include] creating new PHARs with a simple configuration file, add and replace files in existing PHARs, extract existing PHARs, with option to cherry pick files and verify PHAR signatures.

The project is still relatively young but it looks like it's off to a good start. Phar files are a powerful tool to have in a PHP developer's arsenal but developing them can be a pain. Hopefully something like this can make life easier.

project phar build manage creation github


PHPBuilder.com:
Two PHP 5 Security Flaws Found
July 04, 2012 @ 21:04:33

As reported in this new post on PHPBuilder.com, there are two new security issues that could allow an attacker to execute their own code (note: these are fixed by the latest releases, PHP 5.4.4 and PHP 5.3.14).

The flaws are related to each other, with the primary issue being an insecure implementation of the DES within the crypt() function. In his eSecurityPlanet article about recent PHP security updates, Sean Michael Kerner provides the details of these two security flaws.

The issues are a flaw in the DES implementation, where certain keys are truncated before the DES digestion, and a problem in the phar extension that could allow for arbitrary code execution. You can find more on these security issues here.

security issue des phar extension upgrade


7php.com:
Interview with Davey Shafik, The Original Author of Phar
April 23, 2012 @ 08:18:48

On the 7php.com blog today they've posted the latest in their series of PHP community interviews - a few questions with Davey Shafik, the original author of phar.

In this edition I talked with Davey Shafik (@dshafik), who is one of the Founding Contributors of PHP Zend Framework. He has been a co-author of several prominent books, namely: php|architect's PHP 5 Zend Certification Study Guide, PHP Master: Write Cutting Edge Code, The PHP Anthology: 101 Essential Tips, Tricks & Hacks. He is also a well-known speaker at several world-wide PHP Conferences - You can find his incoming conference schedules on his website.

In his answers we find out about:

  • Where he feels his place is in the PHP community
  • What he's excited about in PHP 5.4
  • Some advice to beginners about "scratching an itch"
  • Recommendations about profiling your code
  • Resources he suggests
  • His admiration of Sebastian Bergmann for the hard work he does

You can read more about these and the rest of his answers in the full interview.

interview community daveyshafik phar


Vance Lucas' Blog:
Nginx + PHP-FPM Blank Pages with Phar Packages
March 08, 2012 @ 12:18:02

Vance Lucas has a new post sharing his recent experience setting up nginx+PHP-FPM with phar packages on a new server instance for a company. The problem showed itself as blank pages, apparently due to a feature in the Suhosin security package.

Ran into this issue when setting up a new VPS for AutoRidge. This happens when using Nginx and PHP-FPM with PHP 5.3+ and the Suhosin patch when trying to run a PHP script using a PHAR package. From what I can gather, the Suhosin patch basically blocks PHP include/require functions from executing files ending with .phar, which results in a PHP segfault that leaves no trace of any error at all.

His solution is a pretty simple one - edit the "suhosin.ini" file to allow for the opening of includes in phar files (suhosin.executor.include.whitelist). You can find out more about the Suhosin security tool on the project's website.

nginx phpfpm problem phar package suhosin


PHPMaster.com:
Packaging Your Apps with Phar
February 16, 2012 @ 09:53:11

On PHPMaster.com today there's a new tutorial showing you how to package up your applications using the phar functionality that's bundled into recent PHP versions.

PHAR ("Php ARchive") is analogous to the JAR file concept but for PHP. If you have PHP 5.3 or greater, the Phar extension is built-in and enabled; you can start using it without any additional requirements. This article is intended to shed some light on this important feature for those who haven't used it before. Hopefully you'll find it a very helpful tool and have a better and faster deployment experience.

They show you how to create a sample project to build the phar from - a simple application that prints out a message and the contents of a configuration file. Code is included to help you build the phar file and define the stub file that pulls in your application's files and folders.

package application phar tutorial




All content copyright, 2015 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework