Getting N Random Elements out of an Iterator – RandomIterator

Considering there is an Iterator or Traversable with an unknown number of elements, I wondered if it is possible to get one or more random iterations out of it.

Some nice line-up for the know your language department: PHP turtles – Turtles all the way down.

XPath Null Byte Injection in PHP

Back in July this year, in Mitigating XPath Injection Attacks in PHP, I wrote about how to properly quote a string for XPath 1.0 in PHP.

The code presented there was based on the assumption that the resulting expression is binary safe.

However, that was too short-sighted, because XPath in PHP can be attacked using null-byte injection: the PHP extension cuts the expression string off at the first null byte, which allows an attacker to truncate an expression early.

/*/user[name = 'Mirza']/secret<NUL>]/location

Technically, XML covers the full Unicode repertoire excluding the surrogate blocks FFFE and FFFF and excluding most US-ASCII control characters (those below space); of the latter, only Tab, Line-Feed (LF) and Carriage-Return (CR) are allowed in XML.

This is also the reason why binary data has to be encoded, for example in base64 (see the base64Binary primitive XML datatype), when it is transported within XML: otherwise the XML would be broken, resulting in data loss.

Back to the mentioned XPath injection attacks and how to mitigate them. If an injected string is able to cut the expression off at the first null-byte position, the quoting as described no longer works reliably: an attacker can break out of it by injecting a null byte. The impact is not very high, because with the quoting that xpath_string() applies, injecting a null byte results in an "Unfinished literal" warning.

However, when data is injected not as a string with the help of xpath_string(), null bytes still play against you in PHP XPath. As those are not valid in XML anyway, and therefore no text or identifier can contain them, you can safely reject or sanitize null bytes further up in the input processing, for example as Suhosin can do.

So better keep in mind to verify the incoming (Unicode) data your application accepts. Even if it is valid Unicode, it might not always be appropriate.
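
As an added example (not code from the original post), here is a quoting helper in the spirit of the xpath_string() described above that refuses null bytes before the expression is assembled, since a literal can never contain one in valid XML anyway. The function name xpath_quote() and the sample document are assumptions.

```php
<?php
// Added example: quote a string for an XPath 1.0 expression and reject
// null bytes up front. xpath_quote() and the sample document are assumed.

/**
 * Return an XPath 1.0 string literal for $value, or throw if the value
 * could never be valid XML text (null bytes are not allowed in XML at all).
 */
function xpath_quote(string $value): string
{
    // PHP's XPath truncates the expression at the first NUL, so refuse it.
    if (strpos($value, "\0") !== false) {
        throw new InvalidArgumentException('NUL byte in XPath string value');
    }
    // XPath 1.0 has no escape sequences: a value that contains only one
    // kind of quote is wrapped in the other kind ...
    if (strpos($value, "'") === false) {
        return "'" . $value . "'";
    }
    if (strpos($value, '"') === false) {
        return '"' . $value . '"';
    }
    // ... and a value with both kinds is assembled with concat().
    $parts = array();
    foreach (explode("'", $value) as $i => $part) {
        if ($i > 0) {
            $parts[] = '"\'"';
        }
        if ($part !== '') {
            $parts[] = "'" . $part . "'";
        }
    }
    return 'concat(' . implode(', ', $parts) . ')';
}

// Constructed sample document.
$xml = new SimpleXMLElement(
    '<users><user><name>Mirza</name><secret>s3</secret></user></users>'
);

// A quote in the value stays inside the literal and cannot end it early.
$name  = "Mirza' or '1'='1";
$nodes = $xml->xpath('/users/user[name = ' . xpath_quote($name) . ']/secret');
echo count($nodes), " secret node(s) matched\n";

// A NUL in the value is rejected instead of silently truncating the
// expression after the predicate.
try {
    $xml->xpath('/users/user[name = ' . xpath_quote("Mirza\0]/x") . ']');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```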

See Also:

Devil’s Dictionary of Programming

Professional Webdevelopers At Work – Yahoo Mail Endless Redirect Demonstration

So familiar with these 1996 web technologies, but not having the time to care in these rushing 201x days, as this two-minute documentary of an endless redirect chain shows. Thanks to random URL parameters used to prevent ancient caching woes in combination with cookies – but failing to test whether cookies actually work on the target domain. (Recorded 2013-10-26)

pluginmirror.com – GitHub mirrors of every plugin in the WordPress.org plugin repository

Just a little follow-up to Your Guide to Composer in WordPress, something I stumbled over while surfing (and equally short, just for the log):

Bryan Petty (tierra) was so kind as to mirror the WordPress source/development branch on GitHub; it is here: tierra/wordpress. While stumbling over it, I also discovered another project he is involved in: pluginmirror.com – GitHub mirrors of every plugin in the WordPress.org plugin repository.

The Plugin Developer Guide has some details on how it works. The full source is also available on GitHub: WordPress Plugins GitHub Mirror Application.

Interestingly, there is also WordPress Plugin Tests, but I haven't had the time to review it; it perhaps makes sense.

Ircmaxell’s Rambling On Internals

Ircmaxell’s Rambling On Internals raises a very important point about the use of RFCs in the PHP community and the problem that they have been introduced as a tool to only negotiate – not solve – the problems of the PHP Internals list.

His arguments are, as always, well weighted and need more voice, so read and spread the word. He has my support; his leaving is a loss for PHP, and Internals as a whole should stop sitting on their hands.

I’m not that good at arguing, so I prefer to simply share my opinion, because that is the least I can do so as not to let this pass unnoticed (which would be an even bigger mistake):

In my personal opinion Pierre and Stas suck most (now I’ve said it). And that is my personal opinion. Pierre weighs heavier because I’ve met him in person and he speaks with a forked tongue: all he feared in that discussion was totally untrue and never happened. All he promised to do otherwise didn’t happen either. So it was only hot air for nothing, just for the sake of influencing others with technical arguments – not reality. Ircmaxell, on the other hand, not only explains, he is also a doer.

Stas just makes me ill with the amount of text I have to read, only because he has the time to write so many emails all day long. I wish he would go down with us into the swamps of the PHP tag on Stackoverflow; perhaps that would give him some perspective. It would be a benefit for the PHP community as a whole, and he wouldn’t have so much time for writing emails on Internals. Now that’s a productive suggestion, I’d say.

I know it’s hard to run a project, especially for years and with a big user base. But that does not excuse seeing Ircmaxell leave with no further action from the Internals community itself.

Just my 2 cents, share yours.

See as well: I don’t understand PHP bureaucracy but I do understand Anthony Ferrara!

Free The Cuban Five! 12. September 2013

Especially for our German speaking visitors: Unterstützen und Verbreiten – spitzenaktion.de.

And for our US-visitors: Miami, FL, Sept. 8 | Washington, DC, Sept. 12 (White House) | Washington, DC, Sep 13 (University of the District of Columbia Law School) http://www.freethefive.org/calendar.htm

Greeting, Greetings and the GreetingFactory

Just stumbled over: if you ask Is this correct object oriented programming in php? and then get an answer from Gordon, well, see for yourself. (via)

The Sky. The Universe. The Missing Unit Tests

Out there in the Universe. Now comparisons get Epic Pictures when it comes to WordPress and Unit Tests: Beta Sagittae. via The Loop.

Reminded me of Development By The Numbers – Slides (May 2013; by ircmaxell), which also has nice comparisons by the numbers.

Your Guide to Composer in WordPress

Your Guide to Composer in WordPress and there is WordPress Packagist. I only knew about Composer Installers (incl. WordPress ones) so far.

The Negative Influence of WordPress on PHP

The current TIOBE Programming Community Index for July 2013 shows an increase for PHP, which is gaining ground fast as an ongoing trend over the last year:

If compared to January 2013, PHP is the fastest climber with an increase of +1.64% [...]. The major driver behind PHP’s popularity seems to be the new PHP Zend Framework that was released in September 2012.

It clearly shows the stamina and power PHP has as a programming language, with the two recent milestones of the popular PHP 5.4 and 5.5 releases. Those new releases are a key driver for next-generation frameworks like the aforementioned Zend Framework 2.

PHP is standing strong against the negative influences that popular but legacy PHP applications put onto it, first and foremost the most popular of them all: WordPress. WordPress has been continuously bringing down PHP for years, as Google Trends shows:

As this Google Trends graph reveals, WordPress popularity is constantly hurting PHP

So how long can PHP resist against this bad influence? What will happen when those two lines cross? Will the world as we know it fall apart?


You have probably come to the conclusion that comparing two independent statistics allows you to draw all kinds of crazy conclusions – so have I. What has been outlined above is pure irony, as you might have already noticed (but it’s said that irony does not work well on the internet, so you probably didn’t even notice).

Manuel Lemos (Google Profile) from phpclasses.org was spreading his opinion yesterday that WordPress has made PHP popular – not PHP itself and not any PHP framework.

Well, make up your own mind; what I just wanted to show is that running wild with assumptions normally works even worse than irony on the internet. And comparing two totally unrelated statistics (“small lies, big lies, …”) says more about your own opinion than anything else.

My 2 cents.

Atomic deploys at Etsy

Mitigating XPath Injection Attacks in PHP

PHP has two libxml-based extensions that allow executing XPath 1.0 expressions: DOM (via the DOMXPath class) and SimpleXML (with its xpath() method).

Both extensions are prone to XPath injection, a common form of attack. Despite this, and although information about the topic is available, concrete PHP code to deal with it seems harder to find.

SimpleXML and JSON Encode in PHP – Part III and End

The previous two parts (Part I; Part II) outlined PHP’s standard behaviour when JSON encoding a SimpleXMLElement with json_encode().

As outlined, this does not always fit the encoding needs, and for some potential problems workarounds have been shown. However, those worked by modifying the XML document instead of the JSON serialization.

By default, the data and structure that json_encode() emits follow exactly the rules of casting a SimpleXMLElement to an array. This is because internally (see json.c on lxr) json_encode() does this cast and then builds the JSON object output from that structure.

Luckily, since PHP 5.4 the JsonSerializable interface allows intervening exactly at that point. Instead of the standard array cast, a more tailored array or object – even a string or number – can be returned: anything that json_encode() would normally accept. This makes it easy to create your own JSON encoding by extending SimpleXMLElement and implementing the interface, as I will show now.
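
As an added example (not code from this series), the subclass below takes over the JSON encoding through JsonSerializable: attributes go under "@attributes", same-named children are always collected in a list, and a leaf element becomes its text. The class name JsonXmlElement and the sample XML are assumptions; the mixed return type assumes PHP 8.0 or later.

```php
<?php
// Added example: a SimpleXMLElement subclass whose jsonSerialize() replaces
// the default array cast. JsonXmlElement and the sample XML are assumed.
class JsonXmlElement extends SimpleXMLElement implements JsonSerializable
{
    /**
     * Return the structure json_encode() should use for this element.
     */
    public function jsonSerialize(): mixed
    {
        $out = array();
        foreach ($this->attributes() as $name => $value) {
            $out['@attributes'][$name] = (string) $value;
        }
        foreach ($this->children() as $name => $child) {
            // Same-named children always land in a list, so the JSON shape
            // does not flip between object and array depending on how many
            // <item> elements happen to be present. json_encode() calls
            // jsonSerialize() on each child, since it is of this class too.
            $out[$name][] = $child;
        }
        // (string) on an element yields only its direct text nodes.
        $text = trim((string) $this);
        if ($out === array()) {
            return $text;          // leaf element: just its text
        }
        if ($text !== '') {
            $out['#text'] = $text; // mixed content is kept, not dropped
        }
        return $out;
    }
}

// Constructed sample input, loaded with the subclass as element class.
$xml = '<list id="7"><item>one</item><item type="x">two</item><empty/></list>';
$doc = simplexml_load_string($xml, 'JsonXmlElement');

echo json_encode($doc, JSON_PRETTY_PRINT), "\n";
```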

SimpleXML and JSON Encode in PHP – Part II

In the previous post (Part I) I gave a little overview of common woes when turning a SimpleXMLElement into JSON, namely XML structural information that JSON is not capable of encoding easily. The explanations given there were intended for users new to the matter, to help them understand the general dilemma that kind of encoding/serialization is dealing with.

In this part I will point to some more detailed issues and show straightforward ways to deal with them, specific to encoding a SimpleXMLElement object as JSON.

As might be known, SimpleXML is simple, and like PHP, which wants to do things the simple way, it turns out that in the details these simple things are extremely nuanced and complicated. In short: next to what JSON can’t deal with in XML, covered in the last part, in this part I’m more concerned about what SimpleXMLElement can’t deal with in XML.

SimpleXML and JSON Encode in PHP – Part I

With SimpleXMLElement it often looks like a very quick and easy way to turn some XML into JSON. But not everything in PHP that has an easy interface works out of the box. In this three-part series I’ll cover the basics of using the json_encode() function on a SimpleXMLElement, make the problematic areas visible, explain them by the limitations of JSON and SimpleXML, show how it is possible to deal with them, and show how alternative JSON encoding can easily be done, even with advanced options.

PHP: XPath on HTML and XHTML

Christian Weiske has published a nice summary article with the same title. It contains some detailed information I haven’t found elsewhere on the web so far, so it is worth the link: PHP: XPath on HTML and XHTML.

It also reminds me of some of the inaccuracies I still have in my earlier post on converting CSS Selectors to XPath, namely that casing depends on whether you use HTML or XML with DOMDocument in PHP. Weiske also focuses on namespaces and suggests using the self:: axis instead of local-name() for matching the element(s), which I had not considered so far in the expressions.

PHP on Google App Engine – Quick First Review

This is fresh out of the news (Ars; Wired; WHIR; VB), and what Google wants to offer looks like a very cool package. So if you haven’t had the time to view the video, here is a quick summary and some first comments. Please bear in mind that this is really fresh.

It’s basically PHP 5.4 in a “hardened edition”[1]. I think starting with PHP 5.4 when going live is a great achievement here, so this gets my PHP Applicatoratores Badge.

Also, the extensions offered so far give a nice outlook; for example, you find zlib and GD in there, so you don’t hit a show stopper that fast. I name those two specifically because they became a burden when installing the CV-Backlog example application on Heroku.

However, this selection of extensions still needs some improvement. Default PHP extensions like iconv, which actually need to be active for other extensions to work properly, are not yet part of the Google PHP Runtime. To give a practical example with iconv: as the runtime has the DOM extension activated but not iconv, there is not much available to deal with character encodings for our beloved DOMDocument:

// Declare a Windows-1252 document, then add an element whose name and text
// contain non-ASCII characters (the DOM holds them internally as UTF-8).
$doc = new DOMDocument();
$doc->loadXML('<?xml version="1.0" encoding="Windows-1252"?><root />');
$doc->documentElement->appendChild($doc->createElement('füürüü', 'ärööö'));
// Serializing has to recode UTF-8 to Windows-1252; without the iconv
// extension libxml has no converter for that encoding and fails here.
echo $doc->saveXML();

This little example leaves you with a recoding-related error, and no, users don’t love these (and sadly many PHP developers won’t even understand it either):

DOMDocument::saveXML(): output conversion failed due to conv error, bytes 0xFC 0xFC 0x72 0xFC
<?xml version="1.0" encoding="Windows-1252"?>
<root><f

So I think this needs feedback from the community to get the rough edges out. This one here is the faux pas of not delivering PHP with iconv. But judging by the spirit of the video, these things are expected to be cleaned up after they get reported to the PHP Runtime Team @ Google (Ref: Issue 9340: ICONV PHP extension support).

For your encryption needs, this is not that harsh: even though mcrypt is missing, openssl is available.

However, extensions are not everything (and obviously something more easily fixed, I assume), and those other parts are quite well solved for the PHP world in the PHP Runtime for Google App Engine. I would say this is where it already shines with the now available preview.

That is: the MySQL client libraries work out of the box with Google Cloud SQL, a MySQL 5.5 compliant managed database server on the App Engine cloud.

/* FIXME this needs a PDO example */
// The host is the Cloud SQL socket path of the instance; $username and
// $password are assumed to be defined elsewhere in the application.
$connection = mysql_connect(
    $host = ":/cloudsql/project_name:instance_name", $username, $password
);

So it takes more or less zero code changes to get an existing application running that uses any of the three MySQL client libraries (mysql_*, mysqli_*, PDO).

The problems of file storage have been solved similarly easily. As with other cloud app-server platforms, in Google App Engine you can’t change application files (and yes, your live application deployment should not even expect to do so [yes, I am looking at you, WordPress]). However, you need a place to store files, for example for file uploads. Google offers something named Google Cloud Storage here, and it is easily integrated with PHP via stream wrappers. This should equally allow porting a PHP app with no or very few code changes, and especially with changes that are easy to make:

// Reads an object from a Cloud Storage bucket through the gs:// stream wrapper.
$text = file_get_contents("gs://my_bucket/shakespeare.txt");

So this is really nifty, because it comes out of the box. And by the way, both these features work with the development server for App Engine, so you can develop and test your apps.

Another goodie App Engine comes with is Memcached (the video has a WordPress demo that runs Batcache, and this worked out of the box, for example; WordPressians know what this means). And there’s Task Queue, a goodie (now fully integrated for PHP tasks) that allows you to schedule long-running actions inside App Engine. And there are more services in App Engine.

Summary

This post is just a little summary of the video and some little tests I could run so far, so it really is a quick review. I think the package Google offers here is heading in the right direction for today’s PHP developers who are looking for a cloud platform serving PHP needs. It’s good to see more alternatives here, and if you’re interested in more, starting from 27:30 Jason Cartwright shows step by step what they did to put a Drupal-based real-life site on it, which I think shows pretty well the pros and cons such a deployment has, but also how it’s done.

Compared with Heroku for PHP, I’d say Google stands out because they really put some love into getting PHP as a runtime there – for the out-of-the-box experience. So I can only give them my best wishes for their launch with this quick review and hope for good cooperation with the PHP community. Compared with Heroku again, this is necessary because, unlike Heroku, where you can actually compile what you need, this is not possible with Google App Engine. You’re bound to the runtime they “allow you to use”. As you know, vendor lock-in can have multiple angles, so take care about the directions you want to head in, and try before you buy.

I will for sure give this a test drive and let you know how it works out. Maybe the CV-Backlog sample application with memcached temp storage?

Resources

JetBrains also fired up some support for it close to the launch, a plugin for PhpStorm:


[1] Google did not specify what “hardened” actually means. I would say it translates to the codebase having been slightly changed with the intention of improving it, so you *might* find some differences in behaviour at some edges, but I have no further information about this so far.

Update: There is a list of disabled PHP functions, and the /e modifier (eval) of preg_replace has been removed.

Event-driven PHP – Igor Wiedler

Nice talk by Igor at TakeOff 2013: Event-driven PHP – Igor Wiedler.

The Greatest PHP Value

Just two days ago I asked a PHP quiz question in the chatroom on Stackoverflow, something along the lines of:

PHP: Which one is greatest?

PHP has a comparison operator to compare if one value is greater than the other (>). Which one of the three values INF, array() and (object) array() is the greatest?

  1. Infinity – INF
  2. Array – array()
  3. Object – (object) array()
  4. undefined

and it really is a PHP quiz. Undefined means that you cannot determine a single one to be the largest. If you want to take your own guess, don’t read further yet.


Even though the Array is greater than Infinity in PHP, the Array is less than an Object. Now you could say that the Object then must be the greatest; however, the Object is less than Infinity.

So between these three values you cannot formulate any expression in PHP that describes the greatest one; therefore the answer is undefined.

// http://eval.in/15219
$inf    = INF;
$array  = array();
$object = (object) $array;

var_dump($object > $array  and $object > $inf  ); # bool(false)
var_dump($array  > $object and $array  > $inf  ); # bool(false)
var_dump($inf    > $object and $inf    > $array); # bool(false)

So maybe one of them is equal to another? No, not that either ;).

So what are the practical implications of this? A simple example impacted by this is the sort() function. When a sorting behaviour that does not do any type conversion is used (the default), the result depends on the order of the elements in the array and not on their values. That might be unexpected.

As always when I’m puzzled by PHP, I write a more or less well formulated question about it on Stackoverflow and ping NikiC, because he not only answers the question but also teaches me a lot of new terms and is so well versed in PHP internals. See for yourself: PHP Type-Juggling and (strict) Greater/Lesser Than Comparisons, which has got quite some traction already.

And if you’re using an older PHP version, the answer might not be undefined. Until PHP 5.1.6, Objects were greater than Infinity, like Arrays are, but less than Arrays, allowing a clear winner: Array is greatest! :)

Read On: Comparison operators – PHP Sadness #52 – a very detailed and impressive description and visualization of comparisons in PHP.