PHP.net

Dougal Campbell: mysql vs mysqli in WordPress

PHPDeveloper.org - Fri, 07/03/2014 - 18:59

In his latest post Dougal Campbell shares his findings from a bug he was having with a plugin in WordPress. It revolved around the use of mysql or mysqli and errors being thrown to his logs.

The plugin had previously worked fine (it generates a sidebar widget), and I wasn't actively working on my site, so I wasn't really sure when it had quit working. In the course of debugging the problem, I discovered that the plugin was throwing warnings in my PHP error log regarding the mysql_real_escape_string() function. As a quick fix, I simply replaced all of those calls with WordPress' esc_sql() function. Voila, problem fixed.

He was interested in why this worked, though, and went digging in the code. As it turns out, the WordPress code tries to determine which mysql extension you have support for. His installation fit the "mysqli profile", so "mysql_real_escape_string" wasn't available. To the WordPress users out there, he suggests esc_sql or $wpdb->prepare() instead.

Link: http://dougal.gunters.org/blog/2014/03/06/mysql-vs-mysqli-wordpress

PHP Town Hall: Episode 20: A Nice Friendly Chat About Sculpin, Guzzle and PSR-7

PHPDeveloper.org - Fri, 07/03/2014 - 17:03

The PHP Town Hall podcast has released their latest episode today, Episode 20: A Nice Friendly Chat About Sculpin, Guzzle and PSR-7 with guests Beau Simensen and Michael Dowling.

This show has a history of talking about FIG stuff as it is hard to avoid. The group is working on so much cool stuff and prominent figures of the community are involved. We got two more prominent figures, who also happen to be involved with FIG stuff: Beau Simensen lead developer of Sculpin and Michael Dowling lead developer of the wonderful HTTP library Guzzle, who also works at AWS on their PHP SDK.

They talk about each of the projects mentioned and what's coming up for each. There's also some discussion around the PSR-7 HTTP spec that's been proposed and is in the works. You can listen to this latest show in a few different ways - either through the in-page audio player, by downloading the mp3 or you can watch the video of the live recording via Google Hangouts.

Link: http://phptownhall.com/blog/2014/03/06/episode-20-a-nice-friendly-chat-about-sculpin-guzzle-and-psr-7/

Community News: Packagist Latest Releases for 03.07.2014

PHPDeveloper.org - Fri, 07/03/2014 - 16:04
Recent releases from the Packagist:

PHP 5.4.26 Released

php.announce - Fri, 07/03/2014 - 08:52
Categories: PHP Community, PHP.net

Pádraic Brady: Thoughts on Composer's Future Security

PHPDeveloper.org - Thu, 06/03/2014 - 19:09

Pádraic Brady has a new "let's watch Paddy think aloud in a completely unstructured manner blog post" about the future of security when it comes to the popular PHP package manager Composer. It's recently come under criticism around its lack of package signing and TLS/SSL support.

The Composer issue, as initially reported by Kevin McArthur, was fairly simple. Since no download connection by Composer was properly secured using SSL/TLS then an attacker could, with the assistance of a Man-In-The-Middle (MITM) attack, substitute the package you wanted to download with a modified version that communicated with the attacker's server. They could, for example, plant a line of code which sends the contents of $_POST to the attacker's server.

He's been working on some updates to the project, one of which is TLS/SSL support as defined in this pull request currently pending. It enables peer verification by default, follows PHP 5.6 TLS recommendations and uses local system certificates in the connection. He talks some about additional TLS/SSL measures that could be added in the future and how, despite it being safer than nothing, TLS/SSL is not the "cure all" for the problem.

He then moves on to package signing and suggests one method for implementation - signing the "composer.phar" executable and signing "everything else" (packages to be downloaded) to verify their validity.

The flaw in Composer's installer isn't that it's unsigned, it's that it doesn't afford the opportunity for the downloader to read it before it gets piped to PHP. It's a documentation issue. You can go down the route of using a CA, of course, but that's further down the rabbit hole than may be necessary. Signing the composer.phar file is another matter.

Link: http://blog.astrumfutura.com/2014/03/thoughts-on-composers-future-security

PHP.net: PHP 5.5.10 released

PHPDeveloper.org - Thu, 06/03/2014 - 19:02

The PHP development group has announced the release of the latest version of the language in the PHP 5.5.x series today - PHP 5.5.10.

The PHP development team announces the immediate availability of PHP 5.5.10. Several bugs were fixed in this release, including security issues related to CVEs. CVE-2014-1943, CVE-2014-2270 and CVE-2013-7327 have been addressed in this release. We recommend all PHP 5.5 users to upgrade to this version.

Other changes include fixes to date/time handling, JSON serializing and an upgrade to PCRE 8.34 for regular expression handling. As this release has several security-related fixes, it's highly advised that 5.5.x users upgrade. As always, you can get the latest release from the downloads page or for Windows users, windows.php.net.

Link: http://php.net/index.php#id2014-03-06-1

Lorna Mitchell: Working with PHP and Beanstalkd

PHPDeveloper.org - Thu, 06/03/2014 - 18:36

Lorna Mitchell has posted a new tutorial to her site today walking you through using Beanstalkd with PHP for a simple queuing setup in your application. Beanstalkd is "a simple, fast work queue. Its interface is generic, but was originally designed for reducing the latency of page views in high-volume web applications by running time-consuming tasks asynchronously."

I have an API backend and a web frontend on this project (there may be apps later. It's a startup, there could be anything later). Both front and back ends are PHP Slim Framework applications, and there's a sort of JSON-RPC going on in between the two. The job queue will handle a few things we don't want to do in real time on the application, such as: updating counts of things like comments, [...] cleaning up, [...] other periodic things like updating incoming data/content feeds or talking to some of the 3rd party APIs we use like Mailchimp and Bit.ly.

She starts with a look at how to add jobs to the queue (she assumes that you've already set up the Beanstalkd instance at this point). She uses the Pheanstalk library for the job handling and includes a sample call to configure the connection and create an instance to make the connection. The sample job contains an array of data including an "action" and "data" for it to use when processing. She also includes an example of a basic PHP-based Beanstalkd worker that will go through currently pending jobs and execute them based on the action/data combination. In the sample worker script, she defines the action as a method in the class to be executed directly on the worker instance. She finishes off the post with a few "things to remember" about working with workers and long-running PHP scripts.

Link: http://www.lornajane.net/posts/2014/working-with-php-and-beanstalkd

VG Tech: Swagger Docs in ZF2 with Examples - Part 2: Swagger UI

PHPDeveloper.org - Thu, 06/03/2014 - 17:52

On the VG Tech blog, they've posted a follow-up to their previous post about using the Zend Framework 2 to generate Swagger documentation for an API. In this new post (part 2) they focus more on Swagger UI.

This blog post on Swagger UI is a follow-up on my recent post on Swagger annotation parsing in ZF2. If you're not already set up with Swagger annotation parsing in your ZF2 app I recommend that you read part 1 first. In the last post we got ZF2 set up with annotation parsing and everything, and the only thing missing was Swagger UI for the neat presentation. I skipped that previously but today we'll add the last piece.

This second part of the series uses a custom package to create a "SwaggerUI" module. There are a few file updates that need to be made to the configuration, but the rest is handled for you. In the end, the result shows the endpoints and allows you to interact with the API directly through forms and sample calls.

Link: http://tech.vg.no/2014/03/06/swagger-docs-in-zf2-with-examples-part-2-swagger-ui-2/

PHP 5.5.10 is released

php.announce - Thu, 06/03/2014 - 17:45
Categories: PHP Community, PHP.net

Community News: Packagist Latest Releases for 03.06.2014

PHPDeveloper.org - Thu, 06/03/2014 - 16:01
Recent releases from the Packagist:

Coding the Architecture: Five things every developer should know about software architecture

PHPDeveloper.org - Wed, 05/03/2014 - 19:57

While not specific to PHP, this new article on the Coding the Architecture blog gives some good insights on what developers should know about software architecture.

Now I may be biased, but a quick look at my calendar hints to me that there's a renewed and growing interest in software architecture. Although I really like much of the improvement the agile movement has provided to the software development industry, I still can't help feeling that there are a large number of teams out there who struggle with a lack of process.

[...] Put very simply, software architecture plays a pivotal role in the delivery of successful software yet it's frustratingly neglected by many teams. Whether performed by one person or shared amongst the team, the architecture role exists on even the most agile of teams yet the balance of up front and evolutionary thinking often reflects aspiration rather than reality. The big problem is that software architecture has fallen out of favour over the past decade or so. Here are five things that every software developer should know about it.

Each of the five things comes with a paragraph of explanation (and some links to additional resources):

  • Software architecture isn't about big design up front
  • Every software team needs to consider software architecture
  • The software architecture role is about coding, coaching and collaboration
  • You don't need to use UML
  • A good software architecture enables agility

Link: http://www.codingthearchitecture.com/2014/03/05/five_things_every_developer_should_know_about_software_architecture.html

MakeUseOf: Create The Perfect PHP Development Environment In Android

PHPDeveloper.org - Wed, 05/03/2014 - 18:39

On the MakeUseOf site there's a recent post showing how you can create the "perfect PHP development environment" on your Android-based device. Obviously, it's much more useful on a tablet, but in theory it could be used on a smartphone.

It turns out you can actually code on Android productively. For the longest time, it has been accepted that whilst computers are for productivity and creativity, Tablets exist purely to allow the passive consumption of content. I believed that as well. I'm a software developer by trade, and I use a 13" Macbook Pro to write all my code. I wouldn't have it any other way. OS X comes with everything I need to be productive as a developer, and I've built my workflow around that. Android on the other hand? I've never really thought about writing code on Android. [...] But then I bought a decent Bluetooth keyboard, and everything changed. I've now built a PHP development environment around my 2012 Nexus 7 tablet, and I love it.

He breaks it down and shows some of the tools he uses for his development including the use of VIM Touch for editing and the Palapa Web Server for local hosting of his applications. Screenshots of the setup and configuration are also included.

Link: http://www.makeuseof.com/tag/create-perfect-php-development-environment-android/

Gonzalo Ayuso: Auto injecting dependencies in PHP objects

PHPDeveloper.org - Wed, 05/03/2014 - 17:19

In his latest post Gonzalo Ayuso shows how you can automatically inject dependencies into your PHP objects with the help of Pimple, a simple dependency injection container.

I must admit I don't really know what's the correct title for this post. Finally I use "Auto injecting dependencies in PHP objects". I know it isn't very descriptive. Let me explain it a little bit. This time I want to automate the Hollywood Principle ("Don't call us, we'll call you"). [...] We need to use Reflection to create our instance and to call our action. Sometimes I need to work with custom frameworks and legacy PHP applications. I've done it in a couple of projects, but now I want to create a library to automate this operation.

He includes a simple example of a "Controller" class that is injected with a "Request" via constructor injection. He refactors this to create the dependency injection container (with a "Builder" class) and shows how to fetch the instance of the "Bar" class from it. It's this Builder class he shares on GitHub.

Link: http://gonzalo123.com/2014/03/03/auto-injecting-dependencies-in-php-objects/

Community News: Packagist Latest Releases for 03.05.2014

PHPDeveloper.org - Wed, 05/03/2014 - 16:08
Recent releases from the Packagist:

ServerGrove Blog: Symfony2 components overview: Validator

PHPDeveloper.org - Tue, 04/03/2014 - 20:55

The ServerGrove blog has posted their latest in-depth look at one of the many components that make up the Symfony2 framework. In this latest post they cover the Validator component, another well-used part of the framework.

In the first five posts of this series we have been talking about key components for any PHP framework from the point of view of their internals, such as HttpFoundation to abstract the HTTP protocol, HttpKernel to convert a Request into a Response, Routing to map requests to controllers, EventDispatcher to add reusability and extensibility, and Config to load and validate configuration values. This time we'll delve deeper in the user space to describe a component that is for specific apps rather than just for frameworks. Today's topic will be the Validator component.

They start off talking about a common problem in web applications, running validation on incoming data, and how the component can help. The article then gets into the architecture of the component and provides a simple example of it in use (validating an integer range). They talk about some of the built-in validations, the internationalization support and validation on objects, not just simple values. Finally, there's a look at creating custom validations, their example being a simple check on a given "programming language" string.

Link: http://blog.servergrove.com/2014/03/03/symfony2-components-overview-validator

SitePoint PHP Blog: Functional Testing in Symfony2

PHPDeveloper.org - Tue, 04/03/2014 - 19:16

Taylor Ren has written up a new tutorial for the SitePoint PHP blog today walking you through a method for functional testing a Symfony application with the help of Symfony's own "WebTestCase" functionality.

In my previous article, we demonstrated how to load sample data into our Symfony development environment. The test data may not be useful as it stands on its own. When coupled with Functional Testing, however, it becomes a life saver. [...] Functional Testing is different. We don't look at the "correctness" of a single function, which should be verified by a Unit Test, but look at the bigger picture. The question answered by Functional Testing is: Is our app performing well in the sense that it displays the right content, corresponds to a user's interaction, etc?

He shows how to create a simple WebTestCase-based test to fetch the main page of a site, locate a few pieces of information and click on a certain link. Once this test passes, he adds a bit more to the test, checking the data in the page following the click.

Link: http://www.sitepoint.com/functional-testing-symfony2/

HHVM Blog: Tracking Parity

PHPDeveloper.org - Tue, 04/03/2014 - 18:43

On the HHVM blog today there's a new post showing how far along they are toward parity with the PHP language, based on the tests from a sampling of several large PHP-based projects.

HHVM has a large suite of unit tests that must pass in several build configurations before a commit reaches master. Unfortunately, this test suite passing doesn't tell you if HHVM can be used for anything useful - so we periodically run the test suites for popular, open source frameworks. [...] The frameworks test page is now public, as is the JSON data backing it (which you're welcome to use).

They look briefly at what exactly is tested (latest stable version, with exceptions) and how it all works. The tests are run once an hour and are based on a completely clean build of HHVM in "csv" mode. The results of the tests are automatically pushed into the MySQL+Memcached reporting system, accessible via the JSON API.

Link: http://www.hhvm.com/blog/3611/tracking-parity