PHP & Web Development Blogs

A brief (by Mike's standards) note

As we express our gratitude, we must never forget that the highest appreciation is not to utter words, but to live by them. - John F. Kennedy

I wanted to take a brief moment to express my gratitude this holiday season. First and foremost, a huge thank you to the beautiful Tanja Hoefler who has put in countless hours behind the scenes of Nomad PHP, ranging from finding the best articles and tweeting them out, to tracking down great speakers, to countless hours of video editing (including fixing all my mistakes from the live broadcast).

Thank you to our Founders

I also need to thank Cal and Kathy Evans, an amazing husband and wife team who have done so much for the community over many, many years - including founding and being an invaluable source as Tanja and I took over Nomad PHP. They are truly an inspiration for Tanja and myself, and I hope some day we can do as much for the community as they have.

Thank you to our Speakers

And I need to express my gratitude to our amazing speakers who spend countless hours preparing their presentations, and even stay up all night practicing or get up at 5am to be ready to share their knowledge with the community.

Thank you to our Advisors

Another special shout out goes to Eric Poe, Eric Hogue, and Andrew Caya who have all been tremendous advocates of Nomad PHP, as well as the foundation of our meetings. Their feedback, along with our amazing Advisory Board has helped shake the direction of Nomad PHP, and the many great things we hope to do in the future.

Thank you to our Sponsors

Which brings me to our sponsors. As we try to grow and expand Nomad PHP, as well as bring in more resources and make it more valuable (and affordable), we have done so at a fairly significant loss. That's ok, as that was the plan for 2018, but companies likeRingCentral,Twilio,Auth0, andOSMI have played a critical role in letting us move forward and keeping that loss manageable. Without them, I'm not sure we would be able to be offering the service we do, or have the plans we do for 2019!

*On a side note, if you're not familiar with OSMI, they're a GREAT non-profit who has done so much good in the tech space raising awareness about mental health, and educating employers - I highly recommend supporting this great non-profit organization.*

Thank you to our Family and Friends

Of course, I need to thank my family, my friends, and all those who have supported myself, Tanja, and Nomad PHP over the years.

Thank YOU

Least, but certainly not last - in fact perhaps most important of all - I want to thank the tremendous Nomad PHP community - over 3,000 members strong - that make Nomad PHP what it is. Without you, Nomad PHP wouldn't exist - it wouldn't need to. Andwithout you, and the greater PHP community, I wouldn't be here today, doing what I love to do.

For those that do not know my story, I grew up in medicine - becoming a first responder and pursuing a career as a lifeflight paramedic (helicopter ambulance) before realizing two things... ok three: I had a tremedous fear of heights, I hated needles, and I loved programming.

Leaving the nursing program left me unsure of what to do next, so I did what I loved - programming - where the number of mistakes I made I'm sure outnumbered the lines of good code. If it wasn't for the community being so patient, so encouraging, and helping me grow - I'm not sure what I would be doing today, but it certainly wouldn't involve PHP, Developer Relations, Nomad PHP, or the community.

So for that I want to say one final thank you - a thank you for giving me the gift to do what I love, and the opportunity to hopefully pay this forward, and give back to the community, helping others do the same.

Next year will be an amazing one for Nomad PHP, but I can't thank you all for how incredible and amazing these few short months in 2018 have been - because without you, there would be no 2019.

Have a very wonderful Thanksgiving,

Mike

***PS - want to support our 2019 initiatives and be recognized on Nomad PHP in the process? Become a Supporter.***

In his talk, “Writing Viruses for Fun, Not Profit,”Ben Dechrai (after making the viewer take a pledge to only use this knowledge for good and not evil) walks through how many viruses operate, and just how easy it is to build your own self-replicating virus in PHP.

The danger of many of these viruses according to Ben is that the most dangerous viruses often escape detection by not looking like a virus. Instead they encrypt their code to hide their true intent, while also constantly adapting and evolving.

Perhaps even more dangerously, they act like they’re benign and don’t actually do anything - often times laying dormant until called upon by the malicious actor.

Creating the Virus

What’s scary is just how simple it was for Ben to create such a virus, one that mutated ever so slightly as it infected every other file on the server. Opening up unlimited possibilities from scraping customer data, to DDOS attacks, to simply hijacking your domain.



But those attacks are just the start as Ben demonstrated how easy it is to write new files, delete files, eval() and execute foreign code - which could even be extended to accessing the underlying server itself if shell_exec() is enabled.

To add to the problem, Ben shares how challenging it can be to identify malicious code on your server as many of these attacks are far more sophisticated than the the virus he created in a matter of minutes - hiding themselves and often appearing as if they are part of the original source code.

Deploying the Virus

To drive his point home, Ben demonstrates how even seemingly secure systems can be vulnerable - as all it takes is one tiny misstep within your application.

He highlights this by building what should be a secure photo gallery - one that checks the extension and mime-type of the image - and even stores it outside of the public directory. He goes even farther by adding additional sanity checks with a PHP script that then renders the image.

After walking through the code and it’s security features, he then downloads a simple image from the internet. Opening his editor he quickly injects the virus (written in PHP) into the image and uploads it, passing all of the server checks.

Surely, since it passed these checks the system is secure, right? Ben loads the gallery to proudly show off the image - which is just that… an image, with nothing special or out of the ordinary.
Except that when he opens the image gallery files, each has been infected with the malicious code.

The culprit that allowed for Ben to hijack an entire system and execute foreign code, create new files, and even hijack the entire site? When displaying the image the file was included using PHP’s include() function, instead of pulling in the data using file_get_contents() and echoing it out.

Such a simple mistake provided Ben, if he was a malicious hacker, complete access to all of the files on the system.

Protecting Yourself

Security always exists in layers - and this could have been prevented by including a few more layers, such as using an open source library to rewrite the image, reviewing the image source before pulling it in, or again not giving it executable access by using the PHP include() function.

But what’s terrifying is how simple it is to hijack a site, how easy it is to get access to your system and private data, and how easy it is to overlook security vulnerabilities - especially with open source tooling and those that take plugins.

As Ben explains, sometimes the core code itself is really secure, but then you get two different plugins that when used together accidentally create a security vulnerability. That by itself is one of the most challenging as you can audit each plugin individually, and still not know you’re opening up your system to malicious actors.

This is why it's not just important to stay up to date on the latest security measures and best practices, but to be constantly thinking like a hacker and testing your code for vulnerabilities.

Learn More

You can watch thefull video to learn more how viruses operate, how to quickly build your own PHP virus (but you must promise to use it for good), and what to watch for in order to protect yourself, your customers, and your architecture.

Hey there! This reading is not going to be a technical one. Instead, it's just a little portion of information that you might have not known before. I once worked for a project that did currency exchanges. As you probably know, currencies have 3-letter codes (ISO 4217), and I asked myself if there's a currency with code "PHP".

PHP: Philippine peso! In Philippines you can code PHP for PHP!


But there's more to it.. "PHP: Prvi Hrvatski Pištolj" stands for "first Croatian pistol". Next time someone tells me that it's too easy to shoot your own leg with PHP, I'll definitely agree.
If you don't believe me - checkout these 10 most common mistakes PHP programmers make from Toptal!

Or checkout Eric Wastl's list of things in PHP that make him sad. Or these three weird facts about PHP that you might not have known. The thing is PHP is a great programming language for building web applications, but... it's not without it's quirks.

___What else does PHP stand for???___

Project Honey Pot - system targeted at spammers and email harversters.

Pigeonhole principle - if n items are put into m containers, with n > m, then at least one container must contain more than one item. Mathematicians can be even more weird then programmers, can't they? And remember, programmers can right something like if (true == false)...

PHP has even more meanings, see this wikipedia page) for reference and havePHun!

It's 2018, and you're a top-notch modern web developer, with a load of knowledge and tools right there at your disposal: Google and StackOverflow, debugger with a GUI, IDE with autocomplete, you name it. Occasionally, though, you still find yourself in a plain old text console on a remote server, or you have to do something without IDE, or there is no network connection... In such cases it might be helpful to feel comfortable in a simple terminal. In this post I'm going to list some switches for the PHP command that you can use to get information and some utilities.

Getting basic information about PHP

$ php -i
phpinfo()
PHP Version => 7.2.10-0ubuntu1

System => Linux awesome 4.18.0-10-generic #11-Ubuntu SMP Thu Oct 11 15:13:55 UTC 2018 x86_64
Build Date => Sep 13 2018 13:38:55
Server API => Command Line Interface
Virtual Directory Support => disabled
...

Full information about your PHP interpreter. Pipe the output to the Unix less command in order to get pagination and search: php -i | less. Type Q to exit the less shell. Some distros might lack less, in that case you may try php -i | more, which doesn't give you search but still has pagination.

Want a short summary of which PHP extensions you have? Just ask:

$ php -m
[PHP Modules]
calendar
Core
ctype
date
dom
ds
exif
...

More specific info about core and extensions' functions and classes

Full information about functions and classes provided by an extension:

$ php --re ds
Extension [ <persistent> extension #46 ds version 1.2.6 ] {

 - Dependencies {
 Dependency [ json (Required) ]
 Dependency [ spl (Required) ]
 }

 - Classes [11] {
 Interface [ <internal:ds> interface Ds\Hashable ] {

 - Constants [0] {
 }

 - Static properties [0] {
 }
...

Information on a specific class:

$ php --rc Ds\Vector
Class [ <internal:ds> <iterateable> final class Ds\Vector implements Ds\Sequence, Traversable, Countable, JsonSerializable, Ds\Collection ] {

 - Constants [1] {
 Constant [ public integer MIN_CAPACITY ] { 8 }
 }

 - Static properties [0] {
 }
...

Same for a function:

$ php --rf fopen
Function [ <internal:standard> function fopen ] {

 - Parameters [4] {
 Parameter #0 [ <required> $filename ]
 Parameter #1 [ <required> $mode ]
 Parameter #2 [ <optional> $use_include_path ]
 Parameter #3 [ <optional> $context ]
 }
}

Utilities

Ever found yourself creating a dummy PHP file of just a few lines - only to be run once and then deleted? The -a switch might be what you're looking for:

$ php -a
Interactive mode enabled

php > var_dump(join(", ", [1, 2, 3]));
php shell code:1:
string(7) "1, 2, 3"
php > 

It starts an interactive shell so you can type any PHP code and execute it straight away. Requires PHP to be compiled with readline support (most distros have that anyway).

Want a quick check for any parse/syntax errors in a PHP file? Use linter:

$ php -l test.php 
PHP Parse error: syntax error, unexpected 'array_shift' (T_STRING) in test.php on line 4
Errors parsing test.php

It has a web-server!

Yes! Just in case you missed it, as of PHP 5.4.0, the CLI SAPI provides a built-in web server. Want a quick look at a web page generated by an app? Here you go:

$ cd /my_application/document_root
$ php -S localhost:8000

Then open http://localhost:8000/ in your browser of choice and enjoy!

Hope you also have enjoyed this reading. Your feedback and questions are always appreciated!

Ever wanted to publish your own extension for PHP but stopped by the lack of C language background? Well, maybe it's time for another take. Zephir language is targeted at people like you.

If you follow this link, you will find these words that say a lot about this project:

Zephir, an open source, high-level language designed to ease the creation and

maintainability of extensions for PHP with a focus on type and memory safety.

Its syntax highly resembles that of PHP, only there's no dollars scattered around your code. Dollar signs, I mean, the PHP $variables. You only can create object oriented extensions, and all the classes written in Zephir must be namespaced. A different and stricter type system exists in Zephir, which allows for transpiling the code you write, into a real C extension.

Why would you need it? This question is largely answered here: Why Zephir. I can only add that, from experience, if you expect a crazy performance boost, you probably won't get it. First, most of the time the bottleneck is not PHP but the IO: database interactions, network and filesystem interactions etc. You won't gain anything by switching to different programming language, in that regards. However, some CPU-intensive calculations may run a lot faster, and if you worry about someone stealing you intellectual property - it also might be worth checking out, because then you can ship your software in form of a binary.

Zephir is the language in which the fastest modern PHP framework is written - Phalcon. Whether or not to use it - decide for yourself, it obviously has its pros and cons. But it's certainly interesting to know that you have the ability to approach some of your tasks completely differently!

See you around, and feel free to comment!