
Security Update:
Imagemagick - Multiple Vulnerabilities
May 05, 2016 @ 11:07:35

Imagemagick, a well-used alternative by PHP developers for graphics manipulation (an alternative to GD) has had several new vulnerabilities announced. These vulnerabilities allow for everything from remote code execution to initiating network requests. The Imagetragick site has more information:

There are multiple vulnerabilities in ImageMagick, a package commonly used by web services to process images. One of the vulnerabilities can lead to remote code execution (RCE) if you process user submitted images. The exploit for this vulnerability is being used in the wild.

A number of image processing plugins depend on the ImageMagick library, including, but not limited to, PHP’s imagick, Ruby’s rmagick and paperclip, and nodejs’s imagemagick. If you use ImageMagick or an affected library, we recommend you mitigate the known vulnerabilities.

There are two mitigations listed to help with a more immediate fix: using a policy.xml file and verifying that image data starts with the right "magic bytes". The site also shares more information about the different vulnerabilities and what kind of attacks they could allow. It is highly recommended that you add the mitigations they show and update your installation to use the latest release (7.0.1-1) with fixes for these issues.
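As an added example (not code from the ImageTragick site or from the imagick extension), here is the "magic bytes" mitigation applied in PHP: the upload's leading bytes must match an allowed raster format before the data is handed to ImageMagick, and the coder ImageMagick actually used is checked afterwards. It assumes PHP 7.1+ with ext/imagick; the `MagicBytes` class and `loadTrustedImage()` are this example's own names. This complements, rather than replaces, the policy.xml mitigation the advisory describes.

```php
<?php
// Added example, not code from the ImageTragick advisory or the imagick
// extension. Assumes PHP 7.1+ with ext/imagick; class and function names
// below are this example's own.

final class MagicBytes
{
    /** Formats we accept and the byte prefixes each must begin with. */
    private const SIGNATURES = [
        'png'  => ["\x89PNG\r\n\x1a\n"],
        'jpeg' => ["\xFF\xD8\xFF"],
        'gif'  => ["GIF87a", "GIF89a"],
    ];

    /** Name of the matching format, or null when the data is not one of ours. */
    public static function detect(string $data): ?string
    {
        foreach (self::SIGNATURES as $format => $prefixes) {
            foreach ($prefixes as $prefix) {
                if (strncmp($data, $prefix, strlen($prefix)) === 0) {
                    return $format;
                }
            }
        }
        return null;
    }
}

/**
 * Load a file into Imagick only if its leading bytes identify an allowed
 * raster format. Text-based inputs (MVG, SVG and similar) never match the
 * signatures above, so they are rejected before any ImageMagick coder runs.
 */
function loadTrustedImage(string $path): Imagick
{
    $data = file_get_contents($path);
    if ($data === false) {
        throw new RuntimeException("cannot read $path");
    }
    $format = MagicBytes::detect($data);
    if ($format === null) {
        throw new RuntimeException("rejected: not a PNG, JPEG or GIF");
    }

    // Read from the blob rather than the path so the file name or extension
    // cannot steer ImageMagick towards a different coder.
    $image = new Imagick();
    $image->readImageBlob($data);

    // Defence in depth: the coder ImageMagick actually used must agree with
    // the signature we checked.
    if (strtoupper($image->getImageFormat()) !== strtoupper($format)) {
        $image->clear();
        throw new RuntimeException("rejected: coder mismatch");
    }
    return $image;
}

// Constructed inputs to exercise the signature check without touching disk.
$pngHeader = "\x89PNG\r\n\x1a\n" . str_repeat("\0", 8);
$mvgScript = "push graphic-context\nviewbox 0 0 640 480\n";
var_dump(MagicBytes::detect($pngHeader));
var_dump(MagicBytes::detect($mvgScript));
```

`MagicBytes::detect()` returns `"png"` for the constructed PNG header and `null` for the MVG-style text, so the second input never reaches `readImageBlob()`. The check is deliberately a whitelist: anything not explicitly allowed is refused, which is the behaviour you want from a mitigation that has to hold until the patched release is deployed.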

tagged: imagemagick vulnerabilities multiple upgrade mitigation

Link: https://imagetragick.com

Phillip Shipley:
Docker makes upgrading to PHP7 easy
Apr 25, 2016 @ 11:13:07

In this post to his site Phillip Shipley talks about Docker and how using it for your PHP deployments can make it much easier to upgrade to PHP 7.

Last year at php[tek] 2015 during the hack time I messed around and created a Docker image to run and test PHP7. It was surprisingly easy and I quickly learned that the app I was working on at the time ran fine in PHP7, good deal. So since then I’ve been awaiting the general availability release of PHP7 to move forward with upgrading my apps.

The main thing holding me back was I just didn’t want to maintain an image based on compiling from source. Not that it’s a problem, it just didn’t feel as clean and simple as using supported packages.

He points out that Ubuntu 16.04 was released and now has PHP 7 as a standard package, so he's happily upgrading. He gets into a bit of detail about the upgrade process and some of the smaller issues he faced along the way. He also includes the update he made to his Dockerfile (only a few characters) to rebuild with PHP 7.0.4.

tagged: upgrade php7 docker ubuntu package official release

Link: http://www.phillipshipley.com/2016/04/docker-makes-upgrading-to-php7-easy/

Laravel News:
Has your company upgraded to PHP7 yet?
Mar 31, 2016 @ 10:28:34

On the Laravel News site they share the results of a Twitter poll asking developers and companies if they'd switched to PHP 7 yet.

Yesterday I ran a Twitter poll to see how many have moved to PHP7. With 650 votes here are the results. [...]

tagged: upgrade php7 company twitter poll results

Link: https://laravel-news.com/2016/03/company-upgraded-php7-yet/

Full Stack Radio:
36: Jason McCreary - Building Laravel Shift
Feb 26, 2016 @ 09:34:43

The Full Stack Radio podcast has posted their latest episode, interviewing Jason McCreary about the Laravel Shift service, a tool that helps you upgrade your Laravel applications more automatically and keep them up to date. It's a commercial service rather than an open source tool, but there is a demo pull request you can look at to get an idea of how it all works.

In this episode, Adam talks to Jason McCreary about building Shift, a tool that automates upgrading your application between framework versions.

Other topics mentioned in the episode also include PocketBracket, Laravel Cashier and the abstract syntax tree functionality (added to PHP in PHP 7.0). You can listen to this latest episode either through the in-page audio player or by downloading the mp3 directly. Be sure to subscribe to their feed if you enjoy the show and want to catch future episodes as they're released.

tagged: fullstackradio jasonmccreary laravel shift upgrade framework automated

Link: http://www.fullstackradio.com/36

PHP.net:
PHP 5.6.18 & 5.5.32 Released
Feb 05, 2016 @ 09:49:31

On the main PHP.net site they've officially announced the release of the latest versions in the 5.6.x and 5.5.x series: PHP 5.6.18 and PHP 5.5.32.

The PHP development team announces the immediate availability of PHP [5.5.32 and 5.6.18]. This is a security release. Several security bugs were fixed in this release. All PHP [5.5 and 5.6] users are encouraged to upgrade to this version.

As always you can download this latest release from either the main downloads page or from windows.php.net for the Windows binaries. If you'd like to see exactly what was fixed in these releases, check out the full Changelog.

tagged: language version security bugfix upgrade

Link: http://php.net/archive/2016.php#id2016-02-04-3

Rasmus Lerdorf:
Upgrading PHP on the EdgeRouter Lite
Jan 26, 2016 @ 10:30:33

Rasmus Lerdorf has shared a post to his site detailing how he upgraded his EdgeRouter Lite router (hardware) to use PHP 7 for the UI handling and processing, upgrading it from the PHP 5.4 it came installed with.

After nearly 7 years of service I retired my Asus RT-16 router, which wasn't really a router, but a re-purposed wifi access point running AdvancedTomato. In its place I got a Ubiquiti EdgeRouter Lite. It is Debian-based and has a dual-core 500MHz 64-Bit MIPS CPU (Cavium Octeon+), 512M of ram and a 4G removable onboard USB stick for < $100. The router is completely open and, in fact, any advanced configuration has to be done from the command line. The Web UI has been improving, but there are still many things you can't do in it. In other words, exactly the type of device I prefer.

He made use of the open platform the router has to upgrade both the PHP installation and a bit of the web UI code to make things work happily with PHP 7. There's just three steps in his process:

  • Getting a Big-Endian MIPS64 build of PHP 7
  • Configuration (php.ini)
  • Fixing broken stuff

The "broken stuff" in this last item amounted to a few small changes to the web UI code for raw POST data fetching and session writes. He ends the post with a short summary of performance after the changes and some notes on opcode handling and memory use per request.

tagged: router edgerouter ui version language install upgrade configuration bigendian mips64 php7

Link: https://toys.lerdorf.com/archives/59-Upgrading-PHP-on-the-EdgeRouter-Lite.html

Lorna Mitchell:
Upgrade To Better Passwords in PHP
Jan 11, 2016 @ 09:44:55

In a new post to her site Lorna Mitchell encourages you to upgrade to better passwords by using either the built-in password hashing (since PHP 5.5) or by using the userland implementation (that works for >=PHP 5.3.7).

The password features in PHP aren't exactly new, but I see lots of applications from "before" which aren't being migrated to better practices. I have some strategies for doing these migrations so I thought I'd share my main approach, plus a similar-but-different one I saw in the wild (OK it was in CakePHP, so not too wild!).

She offers a few steps to follow to upgrade your application to use the bcrypt solution instead of your current format:

  • Update Login Code (change SQL to just fetch the password, not evaluate it)
  • Hash existing passwords
  • Update registration code (for new passwords to use the new method)
  • Migrate users with old password hashes once they've verified their current login

She also mentions alternatives to these approaches including forcing the user to change their password on login.
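The four steps above, carried through as an added example (not code from Lorna Mitchell's post). It assumes the legacy scheme is unsalted MD5 and uses an in-memory array in place of a database table with `hash` and `scheme` columns; the scheme constants and function names are this example's own. Step 2 wraps every existing MD5 value in bcrypt straight away, so stored values are protected before any user logs in; step 4 then replaces that interim record with a direct bcrypt hash the first time the user proves their password.

```php
<?php
// Added example, not code from Lorna Mitchell's post. Assumptions, labelled
// here: the legacy scheme is unsalted MD5, and $users is an in-memory array
// standing in for a table with columns (hash, scheme).

const SCHEME_MD5     = 'md5';          // legacy: stored value is md5($password)
const SCHEME_WRAPPED = 'bcrypt-md5';   // interim: bcrypt over the old md5 value
const SCHEME_BCRYPT  = 'bcrypt';       // target: bcrypt over the password itself

/** Step 2: wrap every legacy hash immediately, without the user present. */
function migrateLegacyHashes(array $users): array
{
    foreach ($users as $name => $record) {
        if ($record['scheme'] === SCHEME_MD5) {
            $users[$name] = [
                'hash'   => password_hash($record['hash'], PASSWORD_DEFAULT),
                'scheme' => SCHEME_WRAPPED,
            ];
        }
    }
    return $users;
}

/** Step 3: new accounts get the target scheme from the start. */
function registerUser(array &$users, string $name, string $password): void
{
    $users[$name] = [
        'hash'   => password_hash($password, PASSWORD_DEFAULT),
        'scheme' => SCHEME_BCRYPT,
    ];
}

/**
 * Steps 1 and 4: fetch the stored record and verify in PHP (no password
 * comparison in SQL), then upgrade the record once the password is proven.
 */
function login(array &$users, string $name, string $password): bool
{
    if (!isset($users[$name])) {
        return false;
    }
    $record = $users[$name];

    switch ($record['scheme']) {
        case SCHEME_MD5:
            // Constant-time comparison even for the legacy format.
            $ok = hash_equals($record['hash'], md5($password));
            break;
        case SCHEME_WRAPPED:
            $ok = password_verify(md5($password), $record['hash']);
            break;
        default:
            $ok = password_verify($password, $record['hash']);
    }
    if (!$ok) {
        return false;
    }

    // The plaintext is only available here, so this is the one place a
    // legacy or wrapped record can be replaced by a direct bcrypt hash.
    // password_needs_rehash() also catches a raised cost factor later on.
    if ($record['scheme'] !== SCHEME_BCRYPT
        || password_needs_rehash($record['hash'], PASSWORD_DEFAULT)) {
        $users[$name] = [
            'hash'   => password_hash($password, PASSWORD_DEFAULT),
            'scheme' => SCHEME_BCRYPT,
        ];
    }
    return true;
}

// Constructed sample data: one pre-migration account.
$users = ['alice' => ['hash' => md5('correct horse'), 'scheme' => SCHEME_MD5]];
$users = migrateLegacyHashes($users);          // alice is now bcrypt-md5
registerUser($users, 'bob', 'battery staple'); // bob is bcrypt from the start
login($users, 'alice', 'wrong password');      // leaves alice's record untouched
login($users, 'alice', 'correct horse');       // alice's record becomes bcrypt
echo $users['alice']['scheme'], PHP_EOL;
```

Run as-is, the final line prints `bcrypt`: the failed attempt does not change the stored record, and the successful one replaces the interim bcrypt-over-MD5 value with a hash of the password itself. Keeping the scheme alongside the hash is what lets the login code know which verification path to take without guessing from the hash's shape.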

tagged: password hash bcrypt userland passwordcompat upgrade rehash tutorial

Link: http://www.lornajane.net/posts/2016/upgrade-better-passwords-php

Laravel News:
Automatically upgrade your Laravel app with Shift
Jan 06, 2016 @ 10:24:52

On the Laravel News site they've posted an interview with Jason McCreary, the lead developer behind the Laravel Shift service, a product that helps you keep your Laravel applications up to date with the latest versions of the framework.

Laravel Shift is a new project aimed at automatically upgrading out of date Laravel apps up to the current version. The way it works is you sign-in with either Github or BitBucket, purchase a shift (an upgrade package), and then review the pull request it automatically creates.

I had a chance to speak with Jason, the lead developer on the project and what follows is a Q&A about Shift.

They talk about where the idea for Laravel Shift came from originally and how the upgrade process happens (hint: it's automated). Jason also answers questions about what kinds of applications it will work on and how it's handled if there's an application that can't be upgraded. He also mentions the process for upgrading from a very old version, noting that it would be required to "shift" multiple times to achieve the correct results.

tagged: laravel shift service upgrade automatic application laravelnews

Link: https://laravel-news.com/2016/01/automatically-upgrade-your-laravel-app-with-shift/

PHP.net:
PHP 7.0.1 Released
Dec 17, 2015 @ 09:21:50

The latest release in the PHP 7.0.x series has been released today, the first one following the major milestone of PHP 7: PHP 7.0.1.

The PHP development team announces the immediate availability of PHP 7.0.1. Several bugs have been fixed. All PHP 7.0 users are encouraged to upgrade to this version.

This is just a bugfix release with some smaller changes that were held off until after the main PHP 7.0 release came out. Bugs were fixed in the language core, the CLI server, OCI8 functionality and many others. PHP 7 users are encouraged to upgrade to this new release. You can download it as always from either the main php.net downloads page or windows.php.net for the Windows binaries.

tagged: php7 release language bugfix php701 upgrade download

Link: http://php.net/index.php#id2015-12-17-1

Davey Shafik:
PHP 7 ext/mysql Shim
Dec 07, 2015 @ 11:10:24

With the release of PHP 7 comes a major shift in how your programs may interact with databases - the removal of the mysql extension (in favor of mysqli or PDO). Depending on how your application is written, this can cause all sorts of headaches. Davey Shafik has offered a temporary solution in a post to his site today, a mysql shim library that can be used to mimic the older mysql functions until you can upgrade your application.

To help ease the transition from 5.6 to 7.0 I have created a simple package that acts as a shim between the newly removed ext/mysql and ext/mysqli. I was a little hesitant to even publish this as I don’t want to encourage the continued use of potentially insecure code, however, I want people to upgrade to 7.0 and don’t want this to be the blocker.

It does require 5.6 (though it would be possible to lower that) — however I suspect that most people who are upgrading to 7.0 are either coming from 5.6 or have the native ext/mysql. The primary reason for supporting 5.6 is to be able to compare the test suite results against native ext/mysql.

The library can be easily installed via Composer and, while useful in its current form, still needs some work to become fully compatible. If you'd like to help with the effort and make life a little easier for those upgrading older code to PHP 7, head over to the repository and consider contributing.

tagged: mysql extension php7 shim library backport upgrade

Link: https://daveyshafik.com/archives/69726-php-7-extmysql-shim.html