
Johannes Schlüter:
Types in PHP and MySQL
Sep 05, 2016 @ 13:38:21

Johannes Schlüter has a post to his site detailing the handling of types in PHP and MySQL and how they might act differently than expected in some situations.

Since PHP 7.0 has been released there's more attention on scalar types. Keeping types for data from within your application is relatively simple. But when talking to external systems, like a database, things aren't always as one might initially expect.

He talks about MySQL types and how they relate to the "network protocol" being used, which converts everything to strings. He includes a few examples of type hinting on the results: one where an integer is expected but a string is provided, and another where a string was type hinted but an integer was returned. He points out that sometimes this is a limitation of what PHP can handle, not always what MySQL returns. He also includes other examples of returning decimals, sometimes as a number value and other times as a string.

This leaves the question whether you should disable the emulation in order to get the correct types. Doing this has some impact on performance characteristics: With native prepared statements there will be a client-server round-trip during the prepare and another round-trip for the execute.

tagged: types typehinting mysql database string integer decimal preparedstatement pdo

Link: http://schlueters.de/blog/archives/182-Types-in-PHP-and-MySQL.html

Zend Framework Blog:
End-to-end encryption with Zend Framework 3
Aug 22, 2016 @ 11:56:35

With the recent release of the latest version of the zend-crypt package, the Zend Framework has announced that it's possible to use it to create end-to-end encryption in your applications (Zend Framework based or not).

Recently, we released zend-crypt 3.1.0, the cryptographic component from Zend Framework. This last version includes a hybrid cryptosystem, a feature that can be used to implement end-to-end encryption schema in PHP.

A hybrid cryptosystem is a cryptographic mechanism that uses symmetric encryption (e.g. AES) to encrypt a message, and public-key cryptography (e.g. RSA) to protect the encryption key. This methodology guarantees two advantages: the speed of a symmetric algorithm and the security of public-key cryptography.

He starts with a brief overview of how the system works and the flow of the request/response messaging. With this base in place, he gets into the code required to perform the encryption, first generating the keys needed for the encryption (and why he chose the mode/cipher he did for each). Then, using these keys, he shows how to use zend-crypt and its "Hybrid" handling to encrypt and decrypt a simple message. He also shows how to encrypt the contents of a file using a password.
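To make the hybrid scheme concrete, here is an added example built on PHP's own openssl extension. It is not zend-crypt's code and not taken from the post; zend-crypt's Hybrid class wraps the same idea with its own key derivation and authentication. The class name HybridBox, the envelope layout (length-prefixed wrapped key, then IV, GCM tag and ciphertext) and the choice of AES-256-GCM with RSA-OAEP are my assumptions, and AES-GCM in openssl_encrypt() needs PHP 7.1 or later.

```php
<?php
declare(strict_types=1);

// Added example: a minimal hybrid cryptosystem with the openssl extension.
// AES-256-GCM encrypts the bulk data with a fresh session key; RSA-OAEP wraps
// that session key for the recipient. Envelope layout is an assumption of this
// example: [2-byte key length][wrapped key][12-byte IV][16-byte tag][ciphertext].
final class HybridBox
{
    public static function seal(string $plaintext, string $recipientPublicKeyPem): string
    {
        // 1. Symmetric part: new random key and nonce for every message.
        $sessionKey = random_bytes(32);
        $iv = random_bytes(12);   // 96-bit GCM nonce, never reused with the same key
        $tag = '';
        $ciphertext = openssl_encrypt(
            $plaintext, 'aes-256-gcm', $sessionKey, OPENSSL_RAW_DATA, $iv, $tag
        );
        if ($ciphertext === false) {
            throw new RuntimeException('symmetric encryption failed');
        }

        // 2. Public-key part: only the 32-byte session key goes through RSA.
        $wrappedKey = '';
        $ok = openssl_public_encrypt(
            $sessionKey, $wrappedKey, $recipientPublicKeyPem, OPENSSL_PKCS1_OAEP_PADDING
        );
        if (!$ok) {
            throw new RuntimeException('key wrapping failed: ' . openssl_error_string());
        }

        return pack('n', strlen($wrappedKey)) . $wrappedKey . $iv . $tag . $ciphertext;
    }

    public static function open(string $envelope, string $recipientPrivateKeyPem): string
    {
        $keyLen = unpack('n', substr($envelope, 0, 2))[1];
        $wrappedKey = substr($envelope, 2, $keyLen);
        $iv = substr($envelope, 2 + $keyLen, 12);
        $tag = substr($envelope, 2 + $keyLen + 12, 16);
        $ciphertext = substr($envelope, 2 + $keyLen + 28);

        $sessionKey = '';
        $ok = openssl_private_decrypt(
            $wrappedKey, $sessionKey, $recipientPrivateKeyPem, OPENSSL_PKCS1_OAEP_PADDING
        );
        if (!$ok) {
            throw new RuntimeException('key unwrapping failed');
        }

        // GCM checks the tag; any change to ciphertext, IV or tag makes this return false.
        $plaintext = openssl_decrypt(
            $ciphertext, 'aes-256-gcm', $sessionKey, OPENSSL_RAW_DATA, $iv, $tag
        );
        if ($plaintext === false) {
            throw new RuntimeException('authentication failed, message rejected');
        }
        return $plaintext;
    }
}

// Usage: the receiver generates a key pair once and publishes only the public half.
$keyPair = openssl_pkey_new([
    'private_key_bits' => 2048,
    'private_key_type' => OPENSSL_KEYTYPE_RSA,
]);
openssl_pkey_export($keyPair, $privatePem);
$publicPem = openssl_pkey_get_details($keyPair)['key'];

$envelope = HybridBox::seal('hello, end to end', $publicPem);
var_dump(HybridBox::open($envelope, $privatePem));

// Flipping one ciphertext bit is caught by the GCM tag instead of yielding garbage.
$tampered = $envelope;
$last = strlen($tampered) - 1;
$tampered[$last] = chr(ord($tampered[$last]) ^ 0x01);
try {
    HybridBox::open($tampered, $privatePem);
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The sender only ever needs the recipient's public key, which is what makes the scheme end-to-end: an intermediary that relays the envelope cannot recover the session key. Using an authenticated mode (GCM here; zend-crypt pairs AES with an HMAC for the same purpose) matters because a bare CBC ciphertext would decrypt silently after tampering.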

tagged: endtoend encryption zendcrypt zendframework encryption tutorial string file

Link: https://framework.zend.com/blog/2016-08-19-end-to-end-encryption.html

SitePoint PHP Blog:
PHP Macros for Fun and Profit!
Mar 21, 2016 @ 13:47:17

On the SitePoint PHP blog they've posted another tutorial from Christopher Pitt, this time about macros in PHP, and how you can use the Yay library to add in custom pre-processed macros to your code.

I get really excited when developers feel empowered to create new tools, and even new languages with which to solve their problems. You see, many developers come to PHP from other languages. And many PHP developers can code in more than one language. Often there are things in those languages — small syntax sugars — that we appreciate and even miss when we’re building PHP things.

Adding these to a language, at a compiler level, is hard (or is it?). That is unless you built the compiler and/or know how they work. We’re not going to do anything that technical, but we’re still going to be empowered.

He starts off by describing the goal: a simple "range" macro that creates an array and fills it with integers. He helps you get the library installed and shows how to use it to pre-process a file and output the plain PHP version. He shows how to write the macro's syntax in the format Yay is expecting, using it as a shortcut for array_slice. He also adds handling that lets you slice out a portion of an array using the same notation. Finally he shows the resulting code after the pre-processing has happened and the macros have been resolved.

tagged: macro library yay tutorial range integer string array

Link: http://www.sitepoint.com/php-macros-for-fun-and-profit/

Sebastian de Deyne:
Normalize Your Values on Input
Mar 11, 2016 @ 11:55:58

In a post to his site Sebastian de Deyne makes the suggestion that you should normalize your values (input) as soon as possible.

Dynamic languages allow us to pass anything as a parameter without requiring a specific type. In turn, this means we often need to handle some extra validation for the data that comes in to our objects.

This is a lightweight post on handling your incoming values effectively by normalizing them as soon as possible. It's a simple guideline worth keeping in mind which will help you keep your code easier to reason about.

He gives an example of an HtmlClass object instance that can take in either a single string or an array of strings. With this structure he shows the complexity it would add for methods like toArray and toString. Instead he recommends normalizing the value in the constructor, making it an array if it's not already. Then the code required in the rest of the class to use/translate it is much simpler.
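The pattern in code, as an added example that is not the post's own HtmlClass: the constructor accepts a string or an array, rejects anything else, and stores one canonical list, so toArray() and __toString() contain no branching at all. Splitting space-separated class strings and removing duplicates goes a little beyond the post; those two steps and the typed property (PHP 7.4+) are my additions.

```php
<?php
declare(strict_types=1);

// Added example of "normalize on input": every public method after the
// constructor can assume a de-duplicated list of non-empty strings.
final class HtmlClass
{
    /** @var string[] */
    private array $classes;

    /** @param string|string[] $classes */
    public function __construct($classes)
    {
        // Normalize the shape first: one string becomes a one-element list.
        if (is_string($classes)) {
            $classes = [$classes];
        }
        if (!is_array($classes)) {
            throw new InvalidArgumentException(
                'HtmlClass expects a string or an array of strings, got ' . gettype($classes)
            );
        }

        // Then normalize the content: split "btn btn-primary", trim, drop empties, dedupe.
        $seen = [];
        foreach ($classes as $class) {
            if (!is_string($class)) {
                throw new InvalidArgumentException('every class name must be a string');
            }
            foreach (preg_split('/\s+/', trim($class), -1, PREG_SPLIT_NO_EMPTY) as $name) {
                $seen[$name] = true;
            }
        }
        $this->classes = array_keys($seen);
    }

    /** @return string[] */
    public function toArray(): array
    {
        return $this->classes;   // no is_string()/is_array() checks needed here
    }

    public function __toString(): string
    {
        // Escaping stays at the output boundary, where the value meets HTML.
        return htmlspecialchars(implode(' ', $this->classes), ENT_QUOTES, 'UTF-8');
    }
}

var_dump((new HtmlClass('btn  btn-primary'))->toArray());
var_dump((string) new HtmlClass(['btn', 'btn-primary', 'btn']));
var_dump((new HtmlClass([]))->toArray());
```

Rejecting unexpected types in the constructor instead of coercing them means a bad caller fails at the point of construction, where the stack trace still shows who passed the value, rather than somewhere later in toArray().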

tagged: normalize values input array string example tutorial

Link: https://sebastiandedeyne.com/posts/2016/normalize-your-values-on-input

Joshua Thijssen:
Incrementing values in PHP
Oct 13, 2015 @ 10:50:01

Joshua Thijssen has a post to his site looking at a relatively common operation in PHP code, incrementing values, but gets a lot more in-depth than just a simple overview.

Take a variable, increment it with 1. That sounds like a simple enough job right? Well.. from a PHP developer point of view that might seem the case, but is it really? There are bound to be some catches to it (otherwise we wouldn’t write a blogpost about it). So, there are a few different ways to increment a value, and they MIGHT seem similar, they work and behave differently under the hood of PHP, which can lead to – let’s say – interesting results.

He starts with the most basic situations, updating known integer values, but shows the curious things that can happen when the same operations are done on strings. He digs down into the bytecode that's generated from these bits of code, showing the order of operations when the code is actually executed. He then gets into more detail on each kind of operator, starting with the unary increment operator then moving on to the add-assignment expression and the add operator. For each he describes the behind-the-scenes bytecode actions happening and where in the PHP source code it's being handled (and how).

tagged: increment value integer string bytecode indepth source

Link: https://www.adayinthelifeof.nl/2015/10/13/incrementing-values-in-php/

Amine Matmati:
Testing PDF content with PHP and Behat
Jul 31, 2015 @ 13:49:52

In this post to his site Amine Matmati shows you how to use Behat (with a bit of additional PHP) to test the contents of a rendered PDF file.

If you have a PDF generation functionality in your app, and since most of the libraries out there build the PDF content in an internal structure before outputting it to the file system (FPDF, TCPDF). A good way to write a test for it is to test the output just before the rendering process.

Recently however, and due to this process being a total pain in the ass, people switched to using tools like wkhtmltopdf or some of its PHP wrappers (phpwkhtmltopdf, snappy) that let you build your pages in html/css and use a browser engine to render the PDF for you, and while this technique is a lot more developer friendly, you lose control over the building process.

He shows how to get all of the required software installed including the smalot/pdfparser library used to read in the contents of the PDF file. He initializes a Behat test directory and writes a simple test, checking for a string of some "Lorem ipsum" text in the document's title and that it contains only one page. Some additional methods have to be created to integrate the PDF parsing and string location/page counting and code is included for each. When all the pieces are put in place, executing the test passes for both checks. You can find the code for the tutorial in this repository that also includes two sample PDFs to work with.

tagged: integration test behat contents string pages tutorial

Link: http://matmati.net/testing-pdf-with-behat-and-php

Davey Shafik:
Class Constants, How Do They Work? (Or: You Learn Something New Every Day...)
Jul 09, 2015 @ 08:24:43

Davey Shafik has posted a quick article to his site talking about class constants and something new he learned about them (and how it relates to the uniform variable syntax handling in PHP7).

Yesterday on Twitter there was a conversation started by Marco Pivetta regarding a particularly horrible bit of code he had spotted [that] creates a string using sprintf() by prefixing ::PARAMNAME with the result of calling get_class() on the $api variable, and then passes that string into constant() which will give you the value of a constant using its string name.

The conversation continued with comments from Elizabeth Smith about why this workaround was needed in the past. Davey also suggests that it won't work as expected if the input is an object and not a string but a test from Trevor Suarez proved that incorrect as well (it does work). He ends the post talking about PHP7 and showing how, thanks to the uniform variable syntax changes, this same kind of handling can be done in many other ways too.

tagged: class constant php7 uniform variable syntax getclass object string

Link: http://daveyshafik.com/archives/69193-class-constants-how-do-they-work-or-you-learn-something-new-every-day.html

Paragon Initiative:
How to Safely Generate Random Strings and Integers in PHP
Jul 08, 2015 @ 12:49:51

The Paragon Initiative blog has posted a guide to what they see as a way to safely generate random strings and integers in PHP applications.

Generating useful random data is a fairly common task for a developer to implement, but also one that developers rarely get right. [...] It's generally not okay to use a weak random number generator unless both of the following two conditions are met: the security of your application does not depend in any way on the value you generate being unpredictable or there is no requirement for each value to be unique (up to a reasonable probability).

He gives some examples of places where it's a must to use a "cryptographically secure pseudo-random number generator", including generating random passwords, encryption keys, or IVs for data in CBC mode. The article goes on to talk about some of the problems that could come from using weak generators. It then gets into the process for generating random values and the use of the random_* functions in PHP 7 (or this polyfill on earlier versions) to more safely generate the numbers. Included is code showing the process and some advice around converting random bytes to both strings and integers.
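An added example (my code, not Paragon's) showing the three cases the post names, tokens, alphabet-based strings and CBC IVs, built on PHP 7's random_bytes() and random_int(). On PHP 5 the paragonie/random_compat polyfill supplies the same two functions. The function names and the weak mt_rand() variant kept for contrast are mine.

```php
<?php
declare(strict_types=1);

// Added example: the CSPRNG functions in PHP 7 (or random_compat on PHP 5).

// An opaque token (reset link, session id, API key): raw CSPRNG bytes, encoded.
function secureToken(int $bytes = 32): string
{
    return bin2hex(random_bytes($bytes));   // two hex characters per byte
}

// A random string over a chosen alphabet, e.g. a generated password.
// random_int() is uniform on [0, $max], so there is no modulo bias, unlike
// ord(random_bytes(1)) % strlen($alphabet) when the alphabet size does not divide 256.
function secureRandomString(int $length, string $alphabet): string
{
    if ($length < 1 || strlen($alphabet) < 2) {
        throw new InvalidArgumentException('length must be >= 1 and the alphabet needs at least two characters');
    }
    $max = strlen($alphabet) - 1;
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $alphabet[random_int(0, $max)];
    }
    return $out;
}

// A fresh 128-bit IV for AES-CBC: exactly one block, new for every message.
function cbcIv(): string
{
    return random_bytes(16);
}

// A uniform integer in a range, e.g. for picking an item without bias.
function secureIndex(int $count): int
{
    if ($count < 1) {
        throw new InvalidArgumentException('count must be >= 1');
    }
    return random_int(0, $count - 1);
}

// Kept only for contrast: mt_rand() is not a CSPRNG and its output is predictable
// from its seed, so a token derived from it is not suitable for security purposes.
function weakToken(): string
{
    return md5((string) mt_rand());
}

$alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
echo secureToken(), PHP_EOL;
echo secureRandomString(20, $alphabet), PHP_EOL;
echo bin2hex(cbcIv()), PHP_EOL;
echo secureIndex(strlen($alphabet)), PHP_EOL;
```

random_bytes() throws an Exception if no secure source is available rather than silently falling back, so callers should let that propagate instead of catching it and substituting a weak value.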

tagged: safe generation random string integer php7 randomcompat security

Link: https://paragonie.com/blog/2015/07/how-safely-generate-random-strings-and-integers-in-php

Nikita Popov:
Internal value representation in PHP 7 - Part 2
Jun 22, 2015 @ 10:45:41

Nikita Popov has posted the second part of a series looking at how PHP 7 represents values internally. In the first part of the series the focus was on the major change from PHP 5: the zval updates and how they're allocated. This new post gets into more of the details on each of the types and how they're handled.

In the first part of this article, high level changes in the internal value representation between PHP 5 and PHP 7 were discussed. As a reminder, the main difference was that zvals are no longer individually allocated and don’t store a reference count themselves. Simple values like integers or floats can be stored directly in a zval, while complex values are represented using a pointer to a separate structure.

[...] In the following the details of the individual complex types will be discussed and compared to the previous implementation in PHP 5. One of the complex types are references, which were already covered in the previous part. Another type that will not be covered here are resources, because I don’t consider them to be interesting.

He goes through a few of the different types including strings and arrays and then gets into detail on how objects have changed from PHP 5 to PHP 7. He also talks about "indirect zvals" (the IS_INDIRECT handling) that point to another zval instance rather than embedding it. Finally, he talks about two other types, IS_CONSTANT and IS_CONSTANT_AST, and how they're used behind the scenes, with some example code to illustrate.

tagged: internal value variable representation php7 zval types string array object constant ast

Link: http://nikic.github.io/2015/06/19/Internal-value-representation-in-PHP-7-part-2.html

Derick Rethans:
Xdebug 2.3: Shared Secret to Enable Tracing or Profiling
Apr 07, 2015 @ 11:19:44

Derick Rethans has posted another in his series covering the latest release of the Xdebug debugging tool for PHP, version 2.3. In this new article Derick introduces the "shared secret" handling: a custom string value that the XDEBUG_PROFILE (or XDEBUG_TRACE) trigger must carry before the profiler or tracer will start.

Xdebug's profiling and trace file capabilities can both be triggered by a cookie, GET or POST variable, as long as you have enabled xdebug.profiler_enable_trigger and/or xdebug.trace_enable_trigger. With these triggers enabled, basically anybody could initiate a profile run, or trace file, by simply sending the XDEBUG_PROFILE or XDEBUG_TRACE cookies with an HTTP request. Although you should not really run Xdebug in production, you can see that this is not an optimal solution. Xdebug 2.3 adds support for shared secrets for the trace file and profiler triggers through the xdebug.trace_enable_trigger_value and xdebug.profiler_enable_trigger_value settings.

He points out a browser extension, The easiest Xdebug, that already has support for this new feature. He also mentions two other tools that have yet to integrate support for these shared secrets (but hopefully will soon): Xdebug helper and xdebug-helper-for-safari.
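The risk Derick describes is easy to check for from a deploy or health-check script. The following is an added example of mine, not code from the post: it reads the four Xdebug 2.3 setting names quoted above and reports any trigger that is enabled without a shared secret. The function name, the constructed ini arrays and the 16-character minimum for the secret are my assumptions.

```php
<?php
declare(strict_types=1);

// Added example: audit Xdebug 2.3 trigger settings for triggers anybody can fire.
// Setting names are from Derick's post; the check itself is mine.

/**
 * @param array<string,string|false> $ini  setting name => value (false when unset)
 * @return string[] findings; an empty array means both triggers are either off or protected
 */
function auditXdebugTriggers(array $ini): array
{
    $findings = [];
    foreach (['profiler' => 'XDEBUG_PROFILE', 'trace' => 'XDEBUG_TRACE'] as $feature => $cookie) {
        $trigger = $ini["xdebug.{$feature}_enable_trigger"] ?? false;
        $secret  = $ini["xdebug.{$feature}_enable_trigger_value"] ?? false;

        if ($trigger === false || $trigger === '' || $trigger === '0') {
            continue;   // trigger disabled: nothing to report for this feature
        }
        if ($secret === false || $secret === '') {
            $findings[] = "{$feature}: trigger enabled without xdebug.{$feature}_enable_trigger_value;"
                . " any request carrying {$cookie} starts a run";
        } elseif (strlen($secret) < 16) {   // threshold is this example's choice
            $findings[] = "{$feature}: shared secret is only " . strlen($secret)
                . " characters; use a long random value";
        }
    }
    return $findings;
}

// Constructed ini states, shaped like ini_get_all('xdebug') local values.
// Weak: both triggers on, no secret for the profiler, no secret for tracing.
$weak = [
    'xdebug.profiler_enable_trigger'       => '1',
    'xdebug.profiler_enable_trigger_value' => '',
    'xdebug.trace_enable_trigger'          => '1',
];
// Hardened: the profiler trigger keeps working, but only with the secret;
// tracing is switched off entirely.
$hardened = [
    'xdebug.profiler_enable_trigger'       => '1',
    'xdebug.profiler_enable_trigger_value' => bin2hex(random_bytes(16)),  // generated at deploy time
    'xdebug.trace_enable_trigger'          => '0',
];

print_r(auditXdebugTriggers($weak));
print_r(auditXdebugTriggers($hardened));

// On a live host, feed the real values instead (guarded, since ini_get_all()
// warns when the extension is not loaded):
if (extension_loaded('xdebug')) {
    $live = array_map(function (array $entry) {
        return $entry['local_value'];
    }, ini_get_all('xdebug'));
    print_r(auditXdebugTriggers($live));
}
```

The matching php.ini for the hardened state is simply the two lines `xdebug.profiler_enable_trigger = 1` and `xdebug.profiler_enable_trigger_value = <the generated secret>`; as Derick notes, the better answer for production is not to load Xdebug at all, and the extension_loaded() branch above doubles as that check.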

tagged: xdebug series release secret string tracking enable production extension

Link: http://derickrethans.nl/xdebug-2.3-tracing-profiling-shared-secret.html