Feed aggregator

PHP Package Signing: My Current Thoughts

Planet-PHP - Sun, 09/03/2014 - 15:57


We figured out how to write good code. We figured out how to write good code in a reusable way…for the most part. We figured out how to distribute and mix all that good reusable code in a sensible fashion. Can we now figure out how to do it all securely?

Package signing is a simple enough idea, and I’ve been spending time trying to fit it, Composer and Packagist together as a model in my head. The concept is to have parties create a cryptographic signature of the code to be distributed at a specific point in time using a private key. If anyone were to change that code or its metadata (think composer.json) with malevolent intent, the end user would then notice that the cryptographic signature cannot be verified using the package author’s known public key. It’s a familiar topic from all those cryptography books you’ve doubtlessly read ;) .

Alright, it’s actually a horrendously complicated topic that boggles the minds of many a programmer. We’re a practical bunch, and we just want the damn code. NOW!

Practical considerations and security are locked in a continuous battle for primacy. Look at SSL/TLS – it is a security nightmare but we keep it around because, until someone comes up with a decent replacement, the alternative is no encrypted HTTPS with a verifiable host for anyone. We continue to support old versions of SSL/TLS out of practical concerns despite knowing their weaknesses. They are old versions for a reason!

Those same concerns have been at war in my own head since last week, when I made the mistake of contemplating package signing. Eventually, my practical side won out and my security persona has been sulking in a corner ever since refusing to talk to me.

The problem with package signing from my perspective is tied up in a phrase most of you would know: The needs of the many outweigh the needs of the few. Thank you, Spock.

PKI vs GPG (Some Context!)

I won’t go into too much detail here…

Right off the bat, we have two contenders for signing packages: Public-key infrastructure (PKI) backed by a Certificate Authority (CA) and Pretty Good Privacy (PGP) also commonly referred to by its GNU implementation, GNU Privacy Guard (GPG). You’d be most familiar with PKI in the form of the SSL certificates used online. Both have the notion of private keys and public keys. Data encrypted by one key can only be decrypted by the other key. If you keep one private, then holders of the public key can always verify that data sent by you was really sent by you. If you lose the private key, you’ll need to revoke it and get a new one.

Assuming, they trust it is you to start with!

Trust is the core difference between PKI and GPG. How do you know, with certainty, that any given public key is firmly associated with the person you know it should be associated with? Maybe it’s a hacker posing as that person? Maybe it’s the local friendly NSA office masquerading as Google? Establishing trust takes diverging paths for PKI and GPG. PKI keys (in the form of certificates) are either self-signed or signed by a trusted Certificate Authority. Generally, we put zero faith in self-signed certificates because anyone can claim to be anyone else using them. We instead trust a select number of CAs to sign certs because they’ll hopefully do stuff like asking for passports, addresses, and other person- or company-specific information to verify any entity’s real identity before doing so. GPG avoids centralised authorities like the plague and instead uses a “web of trust” model where everyone can sign everyone else’s public key, i.e. the more of these endorsements a GPG private key gets,

Truncated by Planet PHP, read more at the original (another 11962 bytes)

Categories: Open Source, PHP Community

Some thoughts on recruiting

Planet-PHP - Sun, 09/03/2014 - 12:00

Recruiters. Many developers hate their guts, and (in most cases) rightfully so. They usually have no clue about technology or about how to communicate with developers. It is also pretty clear most of the times that they’re only out for quick wins. I’ve seen recruiters call a developer they’d placed in a company exactly 6 months after he started to see if he wanted to move on, because 6 months was the period in the contract between the employer and the recruiter. I’ve seen recruiters tell candidates that the employer wasn’t interested, just because the employer didn’t want to pay the extremely high recruiter-fee. Hell, my first professional PHP job was like that. I ended up having direct contact with the employer because I didn’t believe the story the recruiter was telling me, and landed a pretty cool project. Some of the people I worked with there are still friends.

There is a flipside though: There are recruiters out there that do understand how things work. They know how developers work, communicate, what they feel is important. They are rare, but they do exist. So it would be stupid to just say “don’t work with recruiters” to companies or to developers. The thing with working with recruiters is: It takes time. You can’t just give a recruiter a profile and wait until they get you developers, or tell them you’re looking for a job and wait for the interviews. You have to invest in the relationship with the recruiter, do some research, get to know them, and ensure you’ve found one of the good ones.

The role of a recruiter

Many companies I’ve worked at, with or been in touch with expect a recruiter to look at their huge list of available developers (here’s your first mistake, because how many developers are actually available?) and give you the best developers based on a (usually incomplete) profile. But what exactly is it that a recruiter does?

Most recruiters have very little technical knowledge. They’re networkers, they create a network amongst developers and companies and try to link one with the other when they get a request. So from the majority of the recruiters, you should not expect that they make a judgement on the seniority of the developer or his skillset.

In an ideal world, the recruiter you work with actually has a development background and keeps his/her development knowledge up to acceptable levels. Ideally, the recruiter should be able to judge the skills and level of any developer they send your way.

Think about your reasons for hiring a recruiter

Before even contacting a recruiter, you need to ensure you’re doing this for the right reasons. Many companies simply expect the wrong things from a recruiter. As I mentioned before, you can’t just give them a profile and wait for the developers to come in.

Simply outsourcing the sourcing of potential candidates should not be your only reason for hiring a recruiter, at least not if you want to save yourselves some time. The time you save by getting in the candidates, you will most probably spend doing interviews with candidates that do not actually fit your profile. The number of times I (specialized in PHP with very little experience with other languages) got approached by a recruiter for a Java or Python project is beyond belief. Getting 10 CVs from a recruiter is not a good thing. It’s a bad thing. Instead, you’d want to get one or two CVs of developers that actually are what you look for.

Even if you have a good recruiter, don’t expect to save much time on the recruitment process. Even if they immediately pass you the right CVs, you’ll still need to make the final judgement on whether the developers are good or not, and of course convince them to work for you. You’ll still need your own HR people to handle everything.

Take back your own recruitment

It may be worth your while to consider taking recruitment back into your own organization. The most important task for a recruiter is to find the right developers for your organization. This may seem like a task that takes a lot of time, but it is easily combined with other stuff you already do (or should do).

The best representatives of your company when it comes to finding developers are your developers. They can speak to potential developers on the same level, can explain what the challenges are and what the fun aspects are of working for your company. They are also the best people to try and find out if a potential developer would fit your company, both in skills and in personality.

So if you have a position for a new developer, send your existing developers to usergroup meetings and conferences. Let them get in touch with other developers, potential employees. Don’t tell them to go out and find people, but tell them to keep their

Truncated by Planet PHP, read more at the original (another 3249 bytes)

Categories: Open Source, PHP Community

Building Engaging Web Apps with Game Mechanics

Planet-PHP - Sat, 08/03/2014 - 21:00

When we speak of “games”, we imagine physical, sporting activities, or video and board games. Rest assured, I’m not talking about developing the next blockbuster FPS, 3rd-person slasher, MMORPG, or 2D-platformer. It’s about going beyond the simple visual appeal of JavaScript animations and CSS transforms, into game design and mechanics to create engaging websites and web applications.

What is Gamification?

“Gamification” is the use and application of game design techniques and game mechanics, in non-game contexts, to engage a target audience to change behaviours, learn new skills, or enable innovation. Game design can be applied to practically all facets of business from customer engagement, employee performance, training and education, innovation management, personal development, sustainability and health. Gartner predicts that by 2015, more than 50% of organizations that manage innovation processes will gamify those processes.

Continue reading: Building Engaging Web Apps with Game Mechanics

Categories: Open Source, PHP Community

Community News: Packagist Latest Releases for 03.08.2014

PHPDeveloper.org - Sat, 08/03/2014 - 16:07
Recent releases from the Packagist:

The early MySQL Fabric sharding support for PHP

Planet-PHP - Sat, 08/03/2014 - 01:08

The MySQL Fabric framework brings two major features: automatic client- and server-side failover and sharding. The manual hints that you need a “Fabric aware driver” for this but it does not list one for PHP. First, you don’t necessarily need new drivers! Second, the "driver" for PHP is the current development version of the PECL/mysqlnd_ms replication and load balancing plugin. The plugin covers the sharding but not the failover/HA part of Fabric. A quickstart example follows: how the plugin works and why you should not use the plugin – yet.

Partial replication: the unlimited mode

At some point divide-and-conquer is the only known strategy to scale database replication. A huge data set must be divided into smaller sets that are distributed over many servers. There are middleware, in-core and hybrid architectures for such a system. The Fabric approach could be described as a middleware approach: a middleware manages servers and data distribution, and clients talk to the middleware to learn about servers. Such an architecture minimizes the dependencies on the database. Power users can easily adapt the middleware to their needs.

PECL/mysqlnd_ms now also handles the "learn about servers/shards" part in the background. It talks to Fabric through XML RPC over HTTP.

Architecture overview (diagram in the original):

  • PHP application (mysqli/PDO_MySQL) <-> PECL/mysqlnd_ms: learn about servers/shards from MySQL Fabric
  • MySQL Fabric: provision masters and slaves; monitor load, health/failover; balance (clone, merge, split shards)
  • PECL/mysqlnd_ms -> MySQL servers: connect and query
  • The client view: all the standard MySQL APIs

PECL/mysqlnd_ms is a client-side proxy which tries to hide as much of the complexity of using any kind of MySQL cluster (MySQL Replication, MySQL Cluster, 3rd party, MySQL Fabric sharding/HA) from the developer. This includes tasks such as load balancing, read-write splitting, failover and so forth. In the most basic case it is entirely transparent on the API level (mysqli, PDO_MySQL). Given the appropriate configuration, this is a load balanced connection, the SELECT goes to the slaves, the DROP to the master…

// "myapp" is not a real host: it names an entry in the mysqlnd_ms config
$link = new mysqli("myapp", "user", "password", "db");
// read queries are routed to a slave
$link->query("SELECT 1");
$link->query("SELECT 2");
// a write goes to the master
$link->query("DROP TABLE IF EXISTS test");

What happens is that the mysqli and PDO_MySQL extensions call functions in the mysqlnd library. PECL/mysqlnd_ms plugs into the mysqlnd library to hook these calls. If, for example, mysqli_connect() tries to open a connection to the host myapp, PECL/mysqlnd_ms captures the call and checks its config for an entry named myapp. Let the entry be for a MySQL Replication cluster. Then, later when mysqli_query() is executed, the plugin inspects the query and picks a master or slave from the config to run the query on. Connecting to the actual servers is (mostly) transparent from an application user perspective, as you can see from the code example.

Call chain for a connect (diagram in the original):

  • userspace – *.php: mysqli_connect(…)
  • inside PHP – ext/mysqlnd/*.c: mysqlnd_connect(…)
  • inside PHP – ext/mysqlnd_ms/*.c: connect_hook(…) 1) read server list from file: fopen(file://…)

The PHP manual has all the details, including the pitfalls and why you can

Truncated by Planet PHP, read more at the original (another 8821 bytes)

Categories: Open Source, PHP Community

SitePoint PHP Blog: Simple Captchas with PHP and GD

PHPDeveloper.org - Fri, 07/03/2014 - 20:05

On the SitePoint PHP blog there's a new post by Mahul Jain looking at a simple way to create CAPTCHA images in PHP using the built-in GD libraries.

By now, we've all encountered captcha images in online forms. Captchas are a necessary evil, and this article will teach you how they're made. Please note that while there are better, automatic third party solutions for captchas out there such as ReCaptcha, this tutorial aims merely to explain and demonstrate how such technology actually works. We won't be explaining what captchas actually are, as it's assumed to be common knowledge and already covered in greater detail elsewhere.

He walks you through the whole process of making the sample CAPTCHA (like this one):

  • Display an empty image on the browser
  • Create a shape
  • Generate random lines
  • Generate random dots
  • Generate random text

There are screenshots all along the way too for reference as to what your result should look like. You can download the full code over on GitHub.

Link: http://www.sitepoint.com/simple-captchas-php-gd/

Master Zend Framework: Make Module Configs Cacheable with the ZF2 Factory Interface

PHPDeveloper.org - Fri, 07/03/2014 - 19:25

Matthew Setter has a new post today on the "Master Zend Framework" site looking at the use of caching for Zend Framework 2 module configurations.

For the longest time, I've been using closures in my Zend Framework 2 Modules Module class. I know they're not always the best approach, but they're not necessarily wrong either. But after reviewing Gary Hockin's recent talk at PHP Conference UK, I was reminded that outside of APC and OPCache, closures aren't cacheable. [...] So in today's tutorial, I'm going to show you a simple example of how to migrate from closures using [caching with Memcached, Redis and so on].

He starts with an example of the standard closure approach, returning an array from his "getServiceConfig" method with sub-array and object creation nested inside. He then refactors it to use the "FactoryInterface" to handle the configuration setup for the "delete form" handling.

Link: http://www.masterzendframework.com/tutorial/zf2-factory-interface-closure-migration

Building a Simple Blog App with MongoDB and PHP

Planet-PHP - Fri, 07/03/2014 - 19:00

If you want to create a blog using MongoDB and PHP, this article will teach you to:

  • Connect to a MongoDB database
  • Save documents in a collection
  • Query documents in a collection
  • Perform range queries
  • Sort documents, update a document, delete one or more documents from a collection

The reason I chose to build a blog application is because it is a basic CRUD application and it is very suitable for easing into PHP and MongoDB web development. We will build a plain user interface using Bootstrap with simple textboxes and buttons. A MongoDB database will store all the content. You can download full source from github, see a demo frontend here and try the demo app’s backend with the user name and password being duythien.

Continue reading: Building a Simple Blog App with MongoDB and PHP

Categories: Open Source, PHP Community

Dougal Campbell: mysql vs mysqli in WordPress

PHPDeveloper.org - Fri, 07/03/2014 - 18:59

In his latest post Dougal Campbell shares his findings from a bug he was having with a plugin in WordPress. It revolved around the use of mysql or mysqli and errors being thrown to his logs.

The plugin had previously worked fine (it generates a sidebar widget), and I wasn't actively working on my site, so I wasn't really sure when it had quit working. In the course of debugging the problem, I discovered that the plugin was throwing warnings in my PHP error log regarding the mysql_real_escape_string() function. As a quick fix, I simply replaced all of those calls with WordPress' esc_sql() function. Voila, problem fixed.

He was interested in why this worked, though, and went digging in the code. As it turns out, the WordPress code tries to determine which mysql extension you have support for. His installation fit the "mysqli profile", so "mysql_real_escape_string" wasn't available. To the WordPress users out there, he suggests esc_sql or $wpdb->prepare() instead.

Link: http://dougal.gunters.org/blog/2014/03/06/mysql-vs-mysqli-wordpress

PHP Town Hall: Episode 20: A Nice Friendly Chat About Sculpin, Guzzle and PSR-7

PHPDeveloper.org - Fri, 07/03/2014 - 17:03

The PHP Town Hall podcast has released their latest episode today, Episode 20: A Nice Friendly Chat About Sculpin, Guzzle and PSR-7 with guests Beau Simensen and Michael Dowling.

This show has a history of talking about FIG stuff as it is hard to avoid. The group is working on so much cool stuff and prominent figures of the community are involved. We got two more prominent figures, who also happen to be involved with FIG stuff: Beau Simensen lead developer of Sculpin and Michael Dowling lead developer of the wonderful HTTP library Guzzle, who also works at AWS on their PHP SDK.

They talk about each of the projects mentioned and what's coming up for each. There's also some discussion around the PSR-7 HTTP spec that's been proposed and is in the works. You can listen to this latest show in a few different ways - either through the in-page audio player, by downloading the mp3 or you can watch the video of the live recording via Google Hangouts.

Link: http://phptownhall.com/blog/2014/03/06/episode-20-a-nice-friendly-chat-about-sculpin-guzzle-and-psr-7/

Community News: Packagist Latest Releases for 03.07.2014

PHPDeveloper.org - Fri, 07/03/2014 - 16:04
Recent releases from the Packagist:

PHP 5.4.26 Released

php.announce - Fri, 07/03/2014 - 08:52
Categories: PHP Community, PHP.net

Pádraic Brady: Thoughts on Composer's Future Security

PHPDeveloper.org - Thu, 06/03/2014 - 19:09

Pádraic Brady has a new "let's watch Paddy think aloud in a completely unstructured manner blog post" about the future of security when it comes to the popular PHP package manager Composer. It's recently come under criticism around its lack of package signing and TLS/SSL support.

The Composer issue, as initially reported by Kevin McArthur, was fairly simple. Since no download connection by Composer was properly secured using SSL/TLS then an attacker could, with the assistance of a Man-In-The-Middle (MITM) attack, substitute the package you wanted to download with a modified version that communicated with the attacker's server. They could, for example, plant a line of code which sends the contents of $_POST to the attacker's server.

He's been working on some updates to the project, one of which is TLS/SSL support as defined in this pull request currently pending. It enables peer verification by default, follows PHP 5.6 TLS recommendations and uses local system certificates in the connection. He talks some about other additional TLS/SSL measures that could be added in the future and how, despite it being safer than nothing, TLS/SSL is not the "cure all" for the problem.

He then moves on to package signing and suggests one method for implementation - signing the "composer.phar" executable and signing "everything else" (packages to be downloaded) to verify their validity.

The flaw in Composer's installer isn't that it's unsigned, it's that it doesn't afford the opportunity for the downloader to read it before it gets piped to PHP. It's a documentation issue. You can go down the route of using a CA, of course, but that's further down the rabbit hole than may be necessary. Signing the composer.phar file is another matter.

Link: http://blog.astrumfutura.com/2014/03/thoughts-on-composers-future-security

PHP.net: PHP 5.5.10 released

PHPDeveloper.org - Thu, 06/03/2014 - 19:02

The PHP development group has announced the release of the latest version of the language in the PHP 5.5.x series today - PHP 5.5.10.

The PHP development team announces the immediate availability of PHP 5.5.10. Several bugs were fixed in this release, including security issues related to CVEs. CVE-2014-1943, CVE-2014-2270 and CVE-2013-7327 have been addressed in this release. We recommend all PHP 5.5 users to upgrade to this version.

Other changes include fixes to date/time handling, JSON serializing and an upgrade to PCRE 8.34 for regular expression handling. As this release has several security-related fixes, it's highly advised that 5.5.x users upgrade. As always, you can get the latest release from the downloads page or for Windows users, windows.php.net.

Link: http://php.net/index.php#id2014-03-06-1

Lorna Mitchell: Working with PHP and Beanstalkd

PHPDeveloper.org - Thu, 06/03/2014 - 18:36

Lorna Mitchell has posted a new tutorial to her site today walking you through using Beanstalkd with PHP for a simple queuing setup in your application. Beanstalkd is "a simple, fast work queue. Its interface is generic, but was originally designed for reducing the latency of page views in high-volume web applications by running time-consuming tasks asynchronously."

I have an API backend and a web frontend on this project (there may be apps later. It's a startup, there could be anything later). Both front and back ends are PHP Slim Framework applications, and there's a sort of JSON-RPC going on in between the two. The job queue will handle a few things we don't want to do in real time on the application, such as: updating counts of things like comments, [...] cleaning up, [...] other periodic things like updating incoming data/content feeds or talking to some of the 3rd party APIs we use like Mailchimp and Bit.ly.

She starts with a look at how to add jobs to the queue (she assumes that you've already set up the Beanstalkd instance at this point). She uses the Pheanstalk library for the job handling and includes a sample call to configure the connection and create an instance to make the connection. The sample job contains an array of data including an "action" and "data" for it to use when processing. She also includes an example of a basic PHP-based Beanstalkd worker that will go through currently pending jobs and execute them based on the action/data combination. In the sample worker script, she defines the action as a method in the class to be executed directly on the worker instance. She finishes off the post with a few "things to remember" about working with workers and long-running PHP scripts.

Link: http://www.lornajane.net/posts/2014/working-with-php-and-beanstalkd

VG Tech: Swagger Docs in ZF2 with Examples - Part 2: Swagger UI

PHPDeveloper.org - Thu, 06/03/2014 - 17:52

On the VG Tech blog, they've posted a follow-up to their previous post about using the Zend Framework 2 to generate Swagger documentation for an API. In this new post (part 2) they focus more on Swagger UI.

This blog post on Swagger UI is a follow-up on my recent post on Swagger annotation parsing in ZF2. If you're not already set up with Swagger annotation parsing in your ZF2 app I recommend that you read part 1 first. In the last post we got ZF2 set up with annotation parsing and everything, and the only thing missing was Swagger UI for the neat presentation. I skipped that previously but today we'll add the last piece.

This second part of the series uses a custom package to create a "SwaggerUI" module. There are a few file updates that need to be made to the configuration, but the rest is handled for you. In the end, the result will look something like this, showing endpoints and allowing you to interact with the API directly through forms and sample calls.

Link: http://tech.vg.no/2014/03/06/swagger-docs-in-zf2-with-examples-part-2-swagger-ui-2/

PHP 5.5.10 is released

php.announce - Thu, 06/03/2014 - 17:45
Categories: PHP Community, PHP.net

Community News: Packagist Latest Releases for 03.06.2014

PHPDeveloper.org - Thu, 06/03/2014 - 16:01
Recent releases from the Packagist: