Remi Collet: New "remi-php70" repository

Fri, 07/24/2015 - 18:09

Remi has announced the release of the remi-php7 repo, available for Fedora ≥ 21 and Enterprise Linux ≥ 6.

Current version is PHP 7.0.0beta2 with about 25 extensions which are already compatible. This repository provides development versions which are not suitable for production usage. [...] As for Remi's other repositories, it is disabled by default, so the update is an administrator choice.

This repository can be installed just like the other remi repos: one "yum" command adds the repository to the list of available ones, then another upgrades the PHP installation.

Link: Understand Overriding in Magento: Controllers

Fri, 07/24/2015 - 17:19

The site has posted a tutorial (the third and last in their series) showing how to override controller handling in Magento. In the previous posts they showed how to override functionality related to the models and blocks (frontend layout elements).

In Magento, the controller is responsible for handling incoming requests, and it's a backbone of the Magento routing implementation. [...] As I said in the previous tutorial, it's never recommended to change core files directly, as it makes upgrading Magento really difficult. To avoid this, we should follow the standard way of making desired changes to core files: we should either use event observers or override core files with our custom module files. We'll discuss the overriding feature today.

You'll need to be familiar with custom module creation to be able to follow along (see here if not) but other than that they provide everything you'll need. They start by creating the files and folders needed for the custom module including:

  • Module XML definition (Envato_All.xml)
  • Module XML configuration
  • the Envato_Catalog_ProductController controller file (PHP)

The controller extends the pre-existing Product controller, but the configuration definitions tell Magento to use the "Envato" version instead.


BitExpert Blog: Think About It: PHP/PostgreSQL Bulk Performance (Part 3)

Fri, 07/24/2015 - 16:46

On the bitExpert blog they've continued their "Think About It" series of posts looking at optimizations that can be made to different technologies in their stack to increase performance. In this third part of the series they focus in on the changes made to help speed things up with the PostgreSQL database backend.

This article is the last of a three-part series and describes how we optimized the persistence process of bulk data in our code in combination with PostgreSQL. Make sure you covered the first article about how we tweaked PHPExcel to run faster while reading Excel and CSV files and the second article about how we optimized our data processing and reached performance improvements tweaking our code.

They work from the example code provided at the end of part two and update the "update" handling to optimize it a bit. By default it executes an update query for each record so, instead, they modified it to perform a bulk update with an "update from values" format. They could then migrate to a "save all" handler with the complete set of records to save.
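The "update from values" pattern summarized above, as an added PHP/PDO example that is not code from the bitExpert post: it builds one parameterised PostgreSQL statement for a whole batch of rows, binds the row values as parameters, and allowlists the table and column names (which cannot be bound). The table, column and type names are assumed to come from application code, not from request data.

```php
<?php
// Added example, not the bitExpert post's code: one parameterised
// "UPDATE ... FROM (VALUES ...)" statement for a batch of rows instead of
// one UPDATE per record.

function assertIdentifier(string $name): string
{
    // Identifiers cannot be bound, so they are checked against a strict pattern.
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $name)) {
        throw new InvalidArgumentException("unsafe identifier: $name");
    }
    return '"' . $name . '"';
}

/**
 * @param string $table   target table (from code, never from request data)
 * @param array  $columns column => PostgreSQL type; the first entry is the match key
 * @param array  $rows    list of rows, each in the same order as $columns
 * @return array [sql, params]
 */
function buildBulkUpdate(string $table, array $columns, array $rows): array
{
    if ($rows === [] || count($columns) < 2) {
        throw new InvalidArgumentException('need rows, a key column and at least one value column');
    }
    $names = array_map('assertIdentifier', array_keys($columns));
    // Every value gets an explicit cast: without it PostgreSQL treats the bound
    // parameters as text and the join on the key column fails with a type mismatch.
    $casts = array_map(fn (string $t) => 'CAST(? AS ' . $t . ')', array_values($columns));
    $rowSql = '(' . implode(', ', $casts) . ')';

    $params = [];
    $valueRows = [];
    foreach ($rows as $i => $row) {
        if (count($row) !== count($names)) {
            throw new InvalidArgumentException("row $i does not match the column list");
        }
        $valueRows[] = $rowSql;
        array_push($params, ...array_values($row));
    }

    $key = $names[0];
    $set = [];
    foreach (array_slice($names, 1) as $col) {
        $set[] = "$col = v.$col";
    }
    $sql = sprintf(
        'UPDATE %s AS t SET %s FROM (VALUES %s) AS v(%s) WHERE t.%s = v.%s',
        assertIdentifier($table), implode(', ', $set), implode(', ', $valueRows),
        implode(', ', $names), $key, $key
    );
    return [$sql, $params];
}

// Constructed batch: three product rows keyed by id.
[$sql, $params] = buildBulkUpdate(
    'products',
    ['id' => 'integer', 'price' => 'numeric', 'stock' => 'integer'],
    [[1, '9.99', 40], [2, '14.50', 0], [3, '3.25', 7]]
);
// $pdo = new PDO('pgsql:host=DB_HOST;dbname=DB_NAME', 'DB_USER', 'DB_PASS'); // placeholder credentials
// $pdo->prepare($sql)->execute($params);
```

The VALUES list grows with the batch, so very large batches are best chunked to stay under the database's parameter limit.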


Lorna Mitchell: Test Your PHP Application on PHP 7

Fri, 07/24/2015 - 15:06

Lorna Mitchell has a post to her site showing you how to get a PHP7 setup and working so you can test out your current application, preparing it for this next major version's release.

PHP 7 is coming, which is nice, but what does it mean for the majority of PHP developers? PHP as a community is notoriously slow in adoption, some of us are still waiting for 2012's new shiny to be available as standard on our hosting platforms. However with the performance benefits and a few really nice new features, PHP 7 is well worth everyone's attention, and it's actually quite easy to get started so here's my quick howto.

The large part of the post is the steps you'll need to get the php7dev box (from Rasmus Lerdorf) up and running, complete with a shared folder mounted from your local machine and a custom Nginx configuration. She also mentions the "Go PHP7" initiative that's aiming to help make the transition to PHP7 as easy as possible for everyone (including various extensions).


Easy Laravel Book: How Laravel 5 Prevents SQL Injection, CSRF, and XSS

Thu, 07/23/2015 - 22:05

Jason Gilmore has posted an article to the Easy Laravel Book site with a bit more detail about how the framework prevents some common security issues including SQL injection and cross-site request forgery.

A reader recently e-mailed me and asked about Laravel 5's native security features. While I talk about various security-related matters throughout the book, this information isn't consolidated into any particular chapter and so I thought it would be useful to do so in a single blog post. Laravel helps to secure your web application by protecting against three serious security risks: SQL injection, cross-site request forgery, and cross-site scripting.

He goes through each of the types and talks about the built-in functionality Laravel includes to protect against each one. A bit of code is tossed in when needed to help clarify the point too. Fortunately for the user, a good bit of the technical pieces of these protections are behind the scenes and don't need much effort to use.


Paragon Initiative: Implementing Secure User Auth in PHP Applications with Long-Term Persistence

Thu, 07/23/2015 - 16:14

On the Paragon Initiative blog there's a post showing you how to implement secure authentication with long-term persistence (essentially a secure "remember me") in a PHP application.

A common problem in web development is to implement user authentication and access controls, typically accomplished through sign-up and log-in forms. Though these systems are simple enough in theory, engineering one that lives up to application security standards is a daunting undertaking.

Without a great deal of care and sophistication, authentication systems can be as fragile as a cardboard lemonade stand in a category five hurricane. However, for everything that can go wrong, there is an effective (and often simple) way to achieve a higher level of security and resilience.

He starts with a look at passwords - how to correctly hash them, how salts play into it and some suggestions about password policies. From there he gets into the "remember me" handling, giving two common problems with most systems: insufficient randomness and timing leaks (timing attack issues). He then proposes a different kind of solution: storing some additional information in the database record, a "selector" that is not secret and can be used to look up the record without timing concerns, then comparing the hashed "validator" with a timing-safe comparison. He ends the post with a brief look at account recovery and some things to watch out for if you plan to implement it.
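The selector/validator scheme described above, as an added PHP example that is not code from the Paragon Initiative post. The in-memory `$store` array, the 30-day lifetime and the cookie layout are assumptions standing in for the database table and policy a real application would use.

```php
<?php
// Added example, not the Paragon Initiative post's code: a "remember me" token split
// into a public selector (database lookup key) and a secret validator that is stored
// only as a hash and compared in constant time.

const SELECTOR_BYTES  = 12;
const VALIDATOR_BYTES = 32;
const TOKEN_LIFETIME  = 30 * 24 * 3600; // assumed policy: 30 days

/** Issue a token: returns the cookie value and the row to persist. */
function issueRememberToken(int $userId, int $now): array
{
    $selector  = bin2hex(random_bytes(SELECTOR_BYTES));  // CSPRNG, never rand()/uniqid()
    $validator = bin2hex(random_bytes(VALIDATOR_BYTES));
    $row = [
        'selector'         => $selector,
        // The validator is high-entropy random data, so a fast hash is enough here;
        // a slow password hash is only needed for low-entropy secrets like passwords.
        'hashed_validator' => hash('sha256', $validator),
        'user_id'          => $userId,
        'expires'          => $now + TOKEN_LIFETIME,
    ];
    return ['cookie' => $selector . ':' . $validator, 'row' => $row];
}

/**
 * Resolve a cookie to a user id, or null. The selector lookup is a plain equality
 * match (the selector is not secret, so its timing does not matter); the validator
 * is compared with hash_equals() so a wrong guess leaks nothing through timing.
 */
function checkRememberToken(string $cookie, array $store, int $now): ?int
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || !ctype_xdigit($parts[0]) || !ctype_xdigit($parts[1])) {
        return null;
    }
    [$selector, $validator] = $parts;
    $row = $store[$selector] ?? null; // stands in for SELECT ... WHERE selector = ?
    if ($row === null || $row['expires'] < $now) {
        return null;
    }
    if (!hash_equals($row['hashed_validator'], hash('sha256', $validator))) {
        // A known selector with a wrong validator is a strong sign the cookie was
        // stolen or forged; a real system should also invalidate the row here.
        return null;
    }
    return $row['user_id'];
}

// Constructed walk-through with an in-memory store.
$store = [];
$now   = time();
$issued = issueRememberToken(42, $now);
$store[$issued['row']['selector']] = $issued['row'];

var_dump(checkRememberToken($issued['cookie'], $store, $now));                  // valid token
var_dump(checkRememberToken($issued['cookie'] . 'ff', $store, $now));           // tampered validator
var_dump(checkRememberToken($issued['cookie'], $store, $now + TOKEN_LIFETIME)); // expired
```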


Matthew Setter: PHP South Coast 2015

Thu, 07/23/2015 - 15:55

For those that weren't able to attend this year's PHP South Coast conference (in Portsmouth, UK) Matthew Setter has posted a wrap up of some of his experiences there and what the conference was like.

I'm on the train heading to Stansted airport, after what I can only describe as a brilliant weekend in Portsmouth, attending the inaugural PHP South Coast conference. I've not been to Portsmouth for 10 years, but the wait was well worth it.

He talks about the venue where the conference was held and some of the talks that were given during the day long event. There were two tracks so, unfortunately, he wasn't able to attend all of the talks but he does provide summaries for those he was able to attend. He also spotlights the opening keynote from Cal Evans about the importance of community and how it relates to your career. He ends the post talking about something he found quite valuable: meeting people, both those he knew from online and others just attending the event.


Community News: PHP 7.0.0 Beta 2 Tagged

Thu, 07/23/2015 - 14:45

According to this post on (and this NEWS file update) the latest beta of PHP 7.0.0, beta 2, has officially been tagged.

Fixes include updates in several different areas of the codebase:

  • Curl
  • GD (graphics handling)
  • Opcache
  • SOAP
  • the SPL (Standard PHP Library, with MultipleIterator)

You can find out more about all of the bugs that were fixed (including a sneak peek at what's coming in beta 3) in the NEWS file.


Simon Holywell: International PHP dates with intl

Wed, 07/22/2015 - 18:55

Following up on his previous post about date/time handling and localization, Simon Holywell has posted an update with information about using the "Intl" extension for PHP to get it working with the more powerful PHP DateTime handling.

I wrote about localising dates (and other data) in a recent blog post, but unfortunately there were some shortcomings where time zones were concerned. As I alluded to in that post, there is a way around this via the Intl extension, which exposes a simple API to format DateTime instances. Thankfully this follow-up post will be quite short, as the setup is very simple; for those of you on Ubuntu/Debian, you can use the repositories.

He includes the commands you'll need to install the extension (via apt-get), compile it via the "pecl" command and update your php.ini file to enable it. He also includes some code examples showing how to use the IntlDateFormatter handling to work with dates, formats and calendars.


Andrew Embler: Creating a Z-Ray Plugin for Zend Server 8.5

Wed, 07/22/2015 - 17:37

In this post to his site Andrew Embler shows you how to create a custom Z-Ray plugin for the Zend Server (v8.5) to show some statistics about requests made to the application.

Zend just released version 8.5 of their Zend Server application server. A major part of this release is the plugin gallery, which provides an App store for Zend Server extensions. These extensions can add application-specific debugging features to the Z-Ray Debugger. We've built one such extension specifically for Concrete5. It didn't take long - just a day or two. That said, there were some bumps in the process, as you're working on a platform for which the documentation hasn't quite caught up yet. With that in mind, I'm going to share my process for building the Concrete5 Z-Ray plugin, in the hopes that it might help someone who is building their own Z-Ray plugin for Zend Server.

The post is pretty comprehensive, sharing all the code you'll need to implement the extension along the way. He's broken it up into sections to help make it a bit more manageable:

  • Create Your Directory
  • Place the deployment.json file in the directory
  • Add Additional Items specified by deployment.json
  • Add the Z-Ray specific Directory
  • Create the Z-Ray PHP Class
  • [Adding] The Logo
  • Basic Panel Details: The Pages Panel
  • Advanced Panel Details: The Blocks Panel

Screenshots also accompany some of the steps showing you what the page output should look like once the files and functionality are in place.


MyBuilder Tech Blog: Insertion, Removal and Inversion Operations on Binary (Search) Trees in PHP

Wed, 07/22/2015 - 16:08

The Tech blog has a tutorial posted showing you how to work with binary trees in PHP, specifically how to perform insertion, removal and inversion operations on their data.

Recently Max Howell (creator of Homebrew) posted an interesting tweet in regard to Google's interview process. In this tweet he mentioned how one of the proposed questions was to white-board a solution to invert a binary tree. Over the past couple of years I have been interested in exploring fundamental Computer Science data-structures and algorithms. As a result, I thought it would be interesting to explore this structure and associated operations in more depth - using immutable and mutable PHP implementations to clearly highlight the benefits garnered from each approach.

He starts with a brief definition of what a binary search tree is, just to be sure everyone is on the same page. He then gets into the code to represent a Node: a simple class that has a value and "left" and "right" properties to hold each of the two possible child nodes. He then goes through each of the operations (insertion, removal and inversion), showing code examples for both mutable and immutable approaches.
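The mutable-versus-immutable contrast described above, as an added PHP 8 example that is not the MyBuilder post's code: a minimal Node class, insertion, and inversion implemented both in place and as a copy, with an in-order traversal to observe the difference.

```php
<?php
// Added example, not the MyBuilder post's code: binary search tree insertion and
// inversion in PHP, done once by mutating the tree and once by building a new one.

final class Node
{
    public function __construct(
        public int $value,
        public ?Node $left = null,
        public ?Node $right = null,
    ) {}
}

/** Mutable insertion: walks down and attaches a new leaf; duplicates are ignored. */
function insert(?Node $root, int $value): Node
{
    if ($root === null) {
        return new Node($value);
    }
    if ($value < $root->value) {
        $root->left = insert($root->left, $value);
    } elseif ($value > $root->value) {
        $root->right = insert($root->right, $value);
    }
    return $root;
}

/** Mutable inversion: swaps children in place, so every holder of the old root sees the change. */
function invertInPlace(?Node $node): ?Node
{
    if ($node === null) {
        return null;
    }
    [$node->left, $node->right] = [invertInPlace($node->right), invertInPlace($node->left)];
    return $node;
}

/** Immutable inversion: returns a fresh mirrored tree and never touches the input. */
function invertCopy(?Node $node): ?Node
{
    if ($node === null) {
        return null;
    }
    return new Node($node->value, invertCopy($node->right), invertCopy($node->left));
}

/** In-order traversal: ascending for a BST, descending for its mirror image. */
function inOrder(?Node $node): array
{
    if ($node === null) {
        return [];
    }
    return [...inOrder($node->left), $node->value, ...inOrder($node->right)];
}

// Constructed input tree.
$root = null;
foreach ([8, 3, 10, 1, 6, 14] as $v) {
    $root = insert($root, $v);
}
$mirror = invertCopy($root);
echo implode(' ', inOrder($root)), "\n";   // original after invertCopy(): unchanged
echo implode(' ', inOrder($mirror)), "\n"; // the mirrored copy
invertInPlace($root);
echo implode(' ', inOrder($root)), "\n";   // original after invertInPlace(): now mirrored
```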


Barry vd. Heuvel: OAuth in Javascript Apps with Angular and Lumen, using Satellizer and Laravel Soci

Wed, 07/22/2015 - 15:51

Barry vd. Heuvel has a post to his site sharing a step by step guide to setting up OAuth in a Lumen+AngularJS application via Socialite and Satellizer (an AngularJS library for OAuth and token based authentication).

In the last few weeks, Socialite was a popular topic to blog/tweet about. Coincidentally, I also needed Socialite for a project. But in my case, I wanted to use it in an Angular app, distributed using Cordova (Phonegap) as hybrid app on Android/iOS. There were some examples, but I couldn't find much about it at the time. A few people asked to share my experience about it, so here it is!

He starts by linking to all of the tools you'll need to help get some background on them, including a helpful guide to installing Satellizer. He then goes over the flow of the entire process, from the initial call from the AngularJS side to authenticate, through the backend Lumen/Socialite/Satellizer handling and then back out to the Javascript where the token is stored. With this established, he gets into the implementation details, starting with the Lumen code to make the API request to GitHub, then working with the JWT tokens and responding back to the AngularJS frontend with the result.


AppDynamics PHP Blog: Introduction to PHP Security - Part 2

Wed, 07/22/2015 - 14:33

AppDynamics PHP blog has posted the second part of their series looking at some of the basics of PHP security. In part one they talked about some of the most common attacks and how to remediate them. In this latest part they "dive deeper" and get into some of the more advanced issues.

Truth be told, there are potentially an infinite number of ways in which a software product can be compromised and have its security breached. [...] New security flaws are regularly found, and routine patches are immediately released for most of the major software applications you utilize in your application stack. No matter whether your web or database server, your operating system, your PHP runtime, or even the MVC framework that your team adopted, your point(s) of exposure may exist anywhere within the various components that make up your application ecosystem.

They start with a few more advanced best practices including using SSL and keeping error messages away from the public eye. They briefly discuss other kinds of injection types (besides just SQL) and offer some tips about securing the data that lives in the application as well.


Community News: Recent posts from PHP Quickfix

Wed, 07/22/2015 - 13:00
Recent posts from the PHP Quickfix site:

Simon Holywell: PHP date localisation with setlocale

Tue, 07/21/2015 - 18:57

Simon Holywell has written up a tutorial for his site showing you how to use setlocale to do PHP date localization.

Localising sites can be a chore, but PHP has the venerable setlocale() to use system locales. These are like templates or profiles that describe how various types of data should be displayed. Should a price have a comma or point to indicate the decimals? When printing a date should PHP output Monday or Montag?

All of these considerations are locale specific and they map to a geographical area. Various cultures have their own standards for displaying this kind of information not to mention different languages to accommodate.

He shows how to find the locales your system supports and how to install them if the one(s) you need are missing. With it correctly installed, the system knows how to use it, but PHP needs a little extra help. With a call to setlocale() and the use of a special date format modifier (in this case "%B" for the month name), PHP knows to use the locale-aware version of the data...but only with strftime(), not the normal date() handling.


SitePoint PHP Blog: Defensive Programming in PHP

Tue, 07/21/2015 - 17:49

In an article from the SitePoint PHP blog author Jeff Smith walks us through some advice he has about defensive programming in PHP, that is good practices for writing code that more gracefully handles potential error points.

Defensive programming, simply put, is programming with the intent to anticipate likely failure points. The goal is to circumvent those likely problems before they occur. You see the problem, right? There's something inherently difficult with the advice "expect the unexpected" and it's made many times worse when one alters it to "expect the unexpected and try to prevent it". Let's look at some practical examples.

He touches on a few of the most common places where errors could be introduced with unexpected input or functionality:

  • Conditional Statements
  • User Input (and trusting it....hint: never)
  • Assumptions [Made] About Your Code
  • Tunnel Vision (or not using good development practices)
  • Consistency in Syntax and Naming

Each point in the list includes a brief summary of what to look out for and things you can do to prevent the problem. It's by no means an exhaustive list, but it is a good place to start.


Sameer Borate: Cron Expression Parser in PHP

Tue, 07/21/2015 - 16:15

If you've ever worked with the "cron" tool on a unix-based system, you know that there's a special syntax that comes along with defining when the commands should run. It can be difficult to get this timing exactly right, especially if you're very picky about the execution time. In this post from Sameer Borate he shows you a PHP library that can help not only parse current cron configurations but also provides shortcuts for common timings (ex: "daily" or "weekly").

Working with cron scheduling can many times be a frustrating affair. Although setting a few cron jobs at one time can be easy, calculating cron dates in the future in code can get time consuming quickly. The PHP cron expression parser described here can parse a CRON expression, determine if it is due to run, calculate the next run date of the expression or calculate the previous run date of the expression. You can calculate dates far into the future or past by skipping n number of matching dates.

He includes some examples of putting the library to use to define a cron object based on an expression (either via a shortcut or an actual cron time expression). You can then check to see if the cron is "due" or perform some various operations about its run dates. This includes a formatted output of the previous run time, the next run time and the calculation of the next/previous run time based on a relative timestamp.


Rob Allen: Custom OAuth2 authentication in Apigility

Tue, 07/21/2015 - 15:05

In an article posted to his site Rob Allen shows you how to hook in the OAuth2 authentication for an Apigility-based application with a pre-existing database table structure that may not match the defaults Apigility is looking for.

I have a client that's writing an Apigility API that needs to talk to a database that's already in place. This also includes the users table that is to be used with Apigility's OAuth2 authentication. Getting Apigility's OAuth2 integration to talk to a specific table name is quite easy. [...] However, if you want to use different column names, that's a bit trickier as they are hardcoded in the OAuth2\Storage\Pdo class. To get Apigility's OAuth2 components to look at the correct columns, you create your own OAuth2 Adapter. I chose to extend ZF\OAuth2\Adapter\PdoAdapter which extends OAuth2\Storage\Pdo and go from there.

He includes the code for this extension of the PdoAdapter (a "OAuth2Adapter" class) in the post showing the definitions of the get user, set user and check password methods the OAuth2 flow needs to match users to OAuth sessions. He also includes the code for the "OAuth2AdapterFactory" class that's used to pull the custom PDO adapter class into Apigility and, along with some configuration changes, make it available for use. Then it's just a simple matter of changing the authentication type in the Apigility UI.