Exakat Blog:
Make everything private in your PHP classes
Oct 06, 2017 @ 14:25:25

In a new post to the Exakat blog they propose an interesting idea: making everything private in your PHP classes with the basic idea being that you can more easily move from a place with more control (private) to less control (protected/public).

It is a good recommendation to make everything private in a class: constants, methods, properties. With private, comes a tighter control on the element: no one from outside may use it, limiting the unwanted impact on the object. Of course, some of the class has to be accessible from the outside, or the object may only be manipulated as a token.

[...] Eventually, when the code matures, it becomes desirable to apply the above principle of encapsulation. This helps keep the code clean and made of independent components. This is the beginning of a long hunt.

They show how the results look for an Exakat scan of a class and go through each of the results, touching on class constants, methods and properties. The scan also catches when a class property is effectively a "constant": never modified, and not able to be modified, by any means. The post ends with a recommendation to "update your code with your brain" based on the interpretation of the results.

tagged: private visibility class exakat scan results recommendation

Link: https://www.exakat.io/make-everything-private-php-classes/

Ken Guest:
Scan your code for old-style constructors using PHPUnit
Nov 06, 2015 @ 17:53:26

Ken Guest has a quick post on his site with a helpful hint for those updating older codebases. You can use PHPUnit & PHP_CodeSniffer to locate old constructors in the PHP4 format (constructors named after the classes).

There are less than seven days left until PHP 7 is released, which drops support for old-style constructors – the ones where a method is a constructor if it shares the same name as the class. You don’t want to spend too much time scrolling through codebases for that though do you? Better things to do, like watch videos of conference talks you’ve missed and such. Well, you’re in luck. If you use php_codesniffer (and if you don’t, well shame on you), you’ll be able to get a report of old-style constructors fairly quickly.

He includes examples of the commands you'll need to use to sniff out these older constructors, making use of the built-in "Squiz" coding standard and the "Generic.NamingConventions.ConstructorName" sniff, restricted to PHP files. He also shows how to alias it to a bash command and export the results to a CSV file.

tagged: scan code legacy constructor php4 php7 phpunit phpcodesniffer

Link: https://kenguest.wordpress.com/2015/11/06/scan-your-code-for-old-style-constructors-using-phpunit/

SitePoint PHP Blog:
Check Your Code’s Quality with SensioLabs Insight
Aug 07, 2014 @ 17:25:20

On the SitePoint PHP blog today there's a new post by Peter Nijssen introducing you to the SensioLabs Insight service and how it can improve your code quality (including locating security concerns).

The quality of your code is as important as testing your application. Recently, we have seen multiple articles which hopefully helped you on your way to providing a more stable application. Today, we are going to have a closer look at SensioLabs Insight. If you used Symfony or Silex in the past, you are probably familiar with SensioLabs, since they are the main sponsor of the Symfony framework.

He quickly introduces the service, mentioning what it has to offer and how to get your account all set up (free for open source libraries but it requires the results to be public). He includes some screenshots showing what the setup and scan results of your project might look like. He shows how to get more detail on the findings and how they can easily be exported to your bug tracker for fixing. He also covers some of the configuration you can do (through a YAML file) to tell Insight things like: php.ini settings, directories to exclude and specific rules to run during the scans.

tagged: sensiolabs insight introduction service scan code quality

Link: http://www.sitepoint.com/check-codes-quality-sensiolabs-insight/

DeveloperTutorials.com:
Port Scanning and Service Status Checking in PHP
Apr 08, 2009 @ 13:49:21

On the DeveloperTutorials.com site today there's a new tutorial showing the creation of a port scanner with PHP - a tool that, given some of the familiar ports that services (like web or email servers) run on, can check to see if they're responding.

While building web applications, it's often important to keep an eye on the other services running on your server. Having access to the current status of public servers can empower your applications to make decisions and respond to problems automatically. Acknowledging a service is offline can also save endless support emails. In this tutorial, I'll show you how to keep track of your server status by scanning ports on your server with PHP.

Their example makes a socket connection to the remote port to see if a connection can be established. They wrap this inside a loop for ports 1 through 1000 to see which ports are open and responding on your local machine (doing this against a remote machine is just asking for trouble).

Their full example defines some of the common ports in an array and loops to check on their status. It sets out a base you can build on top of with things like their suggestions: logging scan results, reporting downtime and running a service-specific task.

tagged: port scan fsockopen socket http ftp pop3 check connection

Link:

NETTUTS.com:
Scanning Folders with PHP
Nov 13, 2008 @ 20:18:28

The NETTUTS.com site has posted a new PHP-related screencast that covers a simple script to scan over the contents of folders in PHP. To illustrate, they create an image gallery script that mirrors the filesystem structure.

Let's imagine that you want to build a page that will display snapshots of your latest work. [...] In such instances, the best solution is to make PHP scan your "portfolio" folder and dynamically create the code for you. If you want to update your page with a new snapshot, all that you need to do is drag the image, and its respective thumbnail, into the appropriate folders - and PHP will do the rest. Let's build it now!

The screencast comes complete with the entire source and a link to a demo to show the end result.

tagged: scan folder filesystem directory tutorial photo gallery screencast

Link:

Developer Tutorials Blog:
Port Scanning and Service Status Checking in PHP
Jun 10, 2008 @ 13:46:08

The Developer Tutorials blog has posted a new tutorial covering how to scan ports and check a remote service's status with PHP.

Having access to the current status of public servers can empower your applications to make decisions and respond to problems automatically. Acknowledging a service is offline can also save endless support emails. In this tutorial, I'll show you how to keep track of your server status by scanning ports on your server with PHP.

They show how to check a remote instance (a socket open with a timeout) and how to run through a list of ports, looping from one to one thousand and running an fsockopen on each. They make a sample script to show these two combined: a simple page that loops through the common protocols (HTTP, FTP, SSH, etc.) and checks to see if the remote machine is running something on that port.

tagged: port scan service status check fsockopen http ftp ssh

Link:

PHP Security Blog:
A Trio of Javascript Issues
Dec 01, 2006 @ 19:22:28

On the PHP Security Blog, there are three new posts that Stefan Esser has written up that demonstrate some of the more destructive uses of JavaScript that he's found:

While the first two are interesting, it's the last of these that most directly applies to PHP. He gives a simple "proof of concept" that checks whether the embedded image has the "size" expected from a web server running PHP with the expose_php setting set to "on".

tagged: javascript security issue portscan http auth firefox exposephp scan

Link:

David Coallier's Blog:
Free PHP Security Scan
Nov 15, 2006 @ 13:06:07

David Coallier has posted about his ideas for an Open Source, free PHP security scanner:

The idea of this project is quite simple, I was thinking that offering this service to anyone who requests it could be a very nice idea. Offering to run the scan is the only way I could ensure that people are not using this scanner against any website.

Basically, his idea is to offer this service free of charge, but still restrict it to avoid malicious use. It would involve validation via an md5 hash to ensure that the website owner has authorized the scan to run against it. Check out the blog entry for more details on how the scan would be run.

tagged: free security scan open source md5 validation authorized process

Link:
