PHP & Web Development Blogs

In his talk, “Writing Viruses for Fun, Not Profit,”Ben Dechrai (after making the viewer take a pledge to only use this knowledge for good and not evil) walks through how many viruses operate, and just how easy it is to build your own self-replicating virus in PHP.

The danger of many of these viruses according to Ben is that the most dangerous viruses often escape detection by not looking like a virus. Instead they encrypt their code to hide their true intent, while also constantly adapting and evolving.

Perhaps even more dangerously, they act like they’re benign and don’t actually do anything - often times laying dormant until called upon by the malicious actor.

Creating the Virus

What’s scary is just how simple it was for Ben to create such a virus, one that mutated ever so slightly as it infected every other file on the server. Opening up unlimited possibilities from scraping customer data, to DDOS attacks, to simply hijacking your domain.



But those attacks are just the start as Ben demonstrated how easy it is to write new files, delete files, eval() and execute foreign code - which could even be extended to accessing the underlying server itself if shell_exec() is enabled.

To add to the problem, Ben shares how challenging it can be to identify malicious code on your server as many of these attacks are far more sophisticated than the the virus he created in a matter of minutes - hiding themselves and often appearing as if they are part of the original source code.

Deploying the Virus

To drive his point home, Ben demonstrates how even seemingly secure systems can be vulnerable - as all it takes is one tiny misstep within your application.

He highlights this by building what should be a secure photo gallery - one that checks the extension and mime-type of the image - and even stores it outside of the public directory. He goes even farther by adding additional sanity checks with a PHP script that then renders the image.

After walking through the code and it’s security features, he then downloads a simple image from the internet. Opening his editor he quickly injects the virus (written in PHP) into the image and uploads it, passing all of the server checks.

Surely, since it passed these checks the system is secure, right? Ben loads the gallery to proudly show off the image - which is just that… an image, with nothing special or out of the ordinary.
Except that when he opens the image gallery files, each has been infected with the malicious code.

The culprit that allowed for Ben to hijack an entire system and execute foreign code, create new files, and even hijack the entire site? When displaying the image the file was included using PHP’s include() function, instead of pulling in the data using file_get_contents() and echoing it out.

Such a simple mistake provided Ben, if he was a malicious hacker, complete access to all of the files on the system.

Protecting Yourself

Security always exists in layers - and this could have been prevented by including a few more layers, such as using an open source library to rewrite the image, reviewing the image source before pulling it in, or again not giving it executable access by using the PHP include() function.

But what’s terrifying is how simple it is to hijack a site, how easy it is to get access to your system and private data, and how easy it is to overlook security vulnerabilities - especially with open source tooling and those that take plugins.

As Ben explains, sometimes the core code itself is really secure, but then you get two different plugins that when used together accidentally create a security vulnerability. That by itself is one of the most challenging as you can audit each plugin individually, and still not know you’re opening up your system to malicious actors.

This is why it's not just important to stay up to date on the latest security measures and best practices, but to be constantly thinking like a hacker and testing your code for vulnerabilities.

Learn More

You can watch thefull video to learn more how viruses operate, how to quickly build your own PHP virus (but you must promise to use it for good), and what to watch for in order to protect yourself, your customers, and your architecture.

In modern software architecture, developers are constantly exploring new paradigms to enhance the performance, scalability, and maintainability of their applications. One such architectural pattern gaining popularity is Command Query Responsibility Segregation (CQRS). CQRS separates the responsibility of handling read and write operations, offering numerous benefits in complex systems. In this article, we'll delve into CQRS and explore its implementation in PHP.

What is CQRS?

CQRS, coined by Greg Young, is an architectural pattern that segregates the responsibility for handling read and write operations in a system. In traditional CRUD-based architectures, the same model is often used for both reading and writing data. However, CQRS advocates for a clear distinction between commands (write operations that modify state) and queries (read operations that retrieve data).

Key Concepts of CQRS:
   

. Command: Commands represent actions that modify the state of the system. They encapsulate the intent to perform an operation, such as creating, updating, or deleting data.
   
. Query: Queries retrieve data from the system without modifying its state. They are read-only operations used to fetch information for presentation or analysis.
   
. Command Handler: Responsible for processing commands by executing the necessary business logic and updating the system's state accordingly.
   
. Query Handler: Handles queries by retrieving data from the appropriate data source and returning the results to the caller.
   
. Separate Models: CQRS often involves maintaining separate models for commands and queries. This allows each model to be optimized for its specific use case, leading to improved performance and scalability.

Implementing CQRS in PHP:

Implementing CQRS in PHP involves structuring your application to separate command and query responsibilities effectively. Here's a high-level overview of how to implement CQRS in PHP:

1. Define Commands and Queries:

Start by defining the commands and queries your application will support. Commands should encapsulate actions that modify state, while queries should retrieve data.

class CreateProductCommand {
 public $name;
 public $price;
}

class GetProductQuery {
 public $productId;
}

2. Create Command and Query Handlers:

Next, implement handlers for processing commands and queries. Command handlers execute the necessary business logic to fulfill the command, while query handlers retrieve data based on the query criteria.

class CreateProductCommandHandler {
 public function handle(CreateProductCommand $command) {
 }
}

class GetProductQueryHandler {
 public function handle(GetProductQuery $query) {
 }
}

3. Use Separate Models:

Maintain separate models for commands and queries to optimize each for its specific purpose. This separation allows you to design models tailored to the needs of write and read operations.

class Product {
 public $name;
 public $price;
}

class ProductView {
 public $name;
 public $price;
}

4. Wiring Everything Together:

Finally, wire up your command and query handlers to the appropriate endpoints or controllers in your application. Dispatch commands to their respective handlers and invoke query handlers to retrieve data.

$command = new CreateProductCommand();
$command->name = "Example Product";
$command->price = 99.99;

$handler = new CreateProductCommandHandler();
$handler->handle($command);

$query = new GetProductQuery();
$query->productId = 123;

$handler = new GetProductQueryHandler();
$product = $handler->handle($query);

Benefits of CQRS in PHP:

-Improved Scalability: Separating read and write operations allows you to scale each independently based on demand.

-Enhanced Performance: Optimizing models and handlers for specific tasks can lead to improved performance and responsiveness.

-Simplified Maintenance: Clear separation of concerns makes the codebase easier to understand, maintain, and extend over time.

-Flexibility: CQRS enables flexibility in choosing the most suitable data storage and retrieval mechanisms for different use cases.

Conclusion:

CQRS is a powerful architectural pattern that offers numerous advantages for building complex and scalable PHP applications. By segregating command and query responsibilities, developers can achieve better performance, scalability, and maintainability in their systems. While implementing CQRS in PHP requires careful planning and design, the benefits it provides make it a compelling choice for projects requiring high performance and flexibility.

It's 2018, and you're a top-notch modern web developer, with a load of knowledge and tools right there at your disposal: Google and StackOverflow, debugger with a GUI, IDE with autocomplete, you name it. Occasionally, though, you still find yourself in a plain old text console on a remote server, or you have to do something without IDE, or there is no network connection... In such cases it might be helpful to feel comfortable in a simple terminal. In this post I'm going to list some switches for the PHP command that you can use to get information and some utilities.

Getting basic information about PHP

$ php -i
phpinfo()
PHP Version => 7.2.10-0ubuntu1

System => Linux awesome 4.18.0-10-generic #11-Ubuntu SMP Thu Oct 11 15:13:55 UTC 2018 x86_64
Build Date => Sep 13 2018 13:38:55
Server API => Command Line Interface
Virtual Directory Support => disabled
...

Full information about your PHP interpreter. Pipe the output to the Unix less command in order to get pagination and search: php -i | less. Type Q to exit the less shell. Some distros might lack less, in that case you may try php -i | more, which doesn't give you search but still has pagination.

Want a short summary of which PHP extensions you have? Just ask:

$ php -m
[PHP Modules]
calendar
Core
ctype
date
dom
ds
exif
...

More specific info about core and extensions' functions and classes

Full information about functions and classes provided by an extension:

$ php --re ds
Extension [ <persistent> extension #46 ds version 1.2.6 ] {

 - Dependencies {
 Dependency [ json (Required) ]
 Dependency [ spl (Required) ]
 }

 - Classes [11] {
 Interface [ <internal:ds> interface Ds\Hashable ] {

 - Constants [0] {
 }

 - Static properties [0] {
 }
...

Information on a specific class:

$ php --rc Ds\Vector
Class [ <internal:ds> <iterateable> final class Ds\Vector implements Ds\Sequence, Traversable, Countable, JsonSerializable, Ds\Collection ] {

 - Constants [1] {
 Constant [ public integer MIN_CAPACITY ] { 8 }
 }

 - Static properties [0] {
 }
...

Same for a function:

$ php --rf fopen
Function [ <internal:standard> function fopen ] {

 - Parameters [4] {
 Parameter #0 [ <required> $filename ]
 Parameter #1 [ <required> $mode ]
 Parameter #2 [ <optional> $use_include_path ]
 Parameter #3 [ <optional> $context ]
 }
}

Utilities

Ever found yourself creating a dummy PHP file of just a few lines - only to be run once and then deleted? The -a switch might be what you're looking for:

$ php -a
Interactive mode enabled

php > var_dump(join(", ", [1, 2, 3]));
php shell code:1:
string(7) "1, 2, 3"
php > 

It starts an interactive shell so you can type any PHP code and execute it straight away. Requires PHP to be compiled with readline support (most distros have that anyway).

Want a quick check for any parse/syntax errors in a PHP file? Use linter:

$ php -l test.php 
PHP Parse error: syntax error, unexpected 'array_shift' (T_STRING) in test.php on line 4
Errors parsing test.php

It has a web-server!

Yes! Just in case you missed it, as of PHP 5.4.0, the CLI SAPI provides a built-in web server. Want a quick look at a web page generated by an app? Here you go:

$ cd /my_application/document_root
$ php -S localhost:8000

Then open http://localhost:8000/ in your browser of choice and enjoy!

Hope you also have enjoyed this reading. Your feedback and questions are always appreciated!

Unit testing is a crucial aspect of modern software development, ensuring that individual units of code function correctly in isolation. In PHP, unit testing helps developers identify bugs early in the development cycle, improve code quality, and facilitate code maintenance. In this comprehensive guide, we'll walk you through the process of creating unit tests in PHP, using popular testing frameworks like PHPUnit.

Why Unit Testing?

Unit testing involves testing individual components or units of code in isolation from the rest of the application. Here are some reasons why unit testing is essential:
   
. Bug Detection: Unit tests help identify bugs and regressions early in the development process, making them easier and cheaper to fix.
   
. Code Quality: Writing unit tests encourages developers to write modular, well-structured, and maintainable code.
   
. Improved Documentation: Unit tests serve as executable documentation, providing clear examples of how individual components of your code should behave.

Getting Started with PHPUnit:

PHPUnit is the most widely used testing framework for PHP. It provides a robust set of features for writing and executing unit tests. Let's dive into how you can get started with PHPUnit:

Installation:

You can install PHPUnit using Composer, the PHP package manager. Simply navigate to your project directory and run the following command:

composer require --dev phpunit/phpunit

This command installs PHPUnit as a development dependency in your project.

Writing Your First Test:

Now that PHPUnit is installed, let's create a simple test case. Create a new directory named tests in your project root, and within that directory, create a file named ExampleTest.php. Here's an example of what your test file might look like:

<?php

use PHPUnit\Framework\TestCase;

class ExampleTest extends TestCase
{
 public function testTrueAssertsToTrue()
 {
 $this->assertTrue(true);
 }
}

This test case contains a single test method named testTrueAssertsToTrue, which asserts that true is indeed true.

Running Tests:

To run your tests, simply execute PHPUnit from the command line, pointing it to your test directory. Run the following command in your project root:

vendor/bin/phpunit tests

PHPUnit will discover and execute all test cases within the specified directory, providing detailed feedback on the results.

Writing Testable Code:

Writing testable code is essential for effective unit testing. Here are some best practices to follow:
   
. Separation of Concerns: Ensure that your code follows the principle of separation of concerns, with clear boundaries between different components.
   
. Dependency Injection: Use dependency injection to inject dependencies into your classes, making it easier to replace them with mock objects during testing.
   
. Mocking and Stubbing: Use PHPUnit's mocking and stubbing features to simulate the behavior of dependencies and isolate the code under test.

Advanced Features:

PHPUnit provides a wide range of advanced features for writing comprehensive unit tests. Some notable features include:

-Data Providers: Use data providers to run a test method with multiple sets of data.

-Annotations: PHPUnit supports annotations for marking test methods, setting up fixtures, and configuring test execution.

-Code Coverage: PHPUnit can generate code coverage reports, showing which parts of your codebase are covered by your tests.

Conclusion:

Unit testing is an indispensable practice in modern PHP development, and PHPUnit makes it easy to write and execute unit tests for your codebase. In this guide, we've covered the basics of getting started with PHPUnit, writing testable code, and leveraging advanced features to write comprehensive unit tests. By incorporating unit testing into your development workflow, you can improve code quality, reduce bugs, and build more robust and maintainable PHP applications.

Are you looking to dive into the world of relational databases but feeling overwhelmed by the options available? MariaDB might just be the perfect starting point for you. In this beginner's guide, we'll introduce you to MariaDB, an open-source relational database management system (RDBMS) that's renowned for its ease of use, scalability, and robust performance. Whether you're a budding developer, a small business owner, or just curious about databases, this guide will walk you through the basics of MariaDB and get you started on your database journey.

What is MariaDB?

MariaDB is a community-developed, open-source RDBMS that was forked from MySQL in 2009. It's designed to be a drop-in replacement for MySQL, meaning that most MySQL features and commands work seamlessly with MariaDB. This makes it an attractive option for those already familiar with MySQL or looking to migrate from it.

Features of MariaDB:
   

. Open-Source: MariaDB is distributed under the GNU General Public License (GPL), making it freely available for anyone to use, modify, and distribute.
   
. High Performance: MariaDB is optimized for high performance, thanks to its efficient storage engines, query optimizer, and multi-threaded architecture.
   
. Scalability: Whether you're running a small-scale application or managing large-scale deployments, MariaDB can scale to meet your needs.
   
. Security: MariaDB takes security seriously, offering features such as encryption, role-based access control, and secure connections to ensure your data remains safe.
   
. Compatibility: As mentioned earlier, MariaDB strives to maintain compatibility with MySQL, which means you can easily migrate existing MySQL databases to MariaDB with minimal hassle.

Getting Started:

Installation:

Getting started with MariaDB is straightforward. You can install it on various operating systems, including Linux, Windows, and macOS. Here's a basic overview of the installation process:

-Linux: Most Linux distributions offer MariaDB in their official repositories. You can install it using your package manager. For example, on Ubuntu, you can run sudo apt-get install mariadb-server.

-Windows/macOS: MariaDB provides installers for Windows and macOS on their official website. Simply download the installer and follow the on-screen instructions to complete the installation.

Configuration:

Once MariaDB is installed, you'll need to perform some initial configuration steps, such as setting up a root password and securing the installation. This typically involves running a configuration script or accessing the MariaDB command-line interface (CLI).

Creating Databases and Tables:

With MariaDB installed and configured, you can start creating databases and tables to store your data. You can do this using SQL commands or a graphical interface such as phpMyAdmin.

Here's a simple example of creating a database and a table:

CREATE DATABASE my_database;
USE my_database;

CREATE TABLE users (
 id INT AUTO_INCREMENT PRIMARY KEY,
 username VARCHAR(50) NOT NULL,
 email VARCHAR(100) NOT NULL
);

This creates a database named my_database and a table named users with columns for id, username, and email.

Performing Basic Queries:

Once you have your database and tables set up, you can start querying your data using SQL. Here are some basic examples of SQL queries:

-Inserting Data:

INSERT INTO users (username, email) VALUES ('john_doe', '[email protected]');

-Selecting Data:

SELECT * FROM users;

-Updating Data:

UPDATE users SET email = '[email protected]' WHERE username = 'john_doe';

-Deleting Data:

DELETE FROM users WHERE username = 'john_doe';

Conclusion:

MariaDB is an excellent choice for beginners and experienced developers alike who are looking for a powerful, open-source relational database solution. In this guide, we've covered the basics of MariaDB, from installation to performing basic database operations. As you continue to explore MariaDB, you'll discover a wealth of features and capabilities that can help you build robust and scalable applications. So why wait? Dive into MariaDB today and unlock the full potential of relational databases.