Hide Folders in PhpStorm Project Pane

How can I hide a directory in a PHPStorm project, for example .sass-cache I just asked myself this morning.

Searching online didn’t reveal it to me and there are numerious options that were close but not about hiding the directory from the project panel.

Finally a co-worker pointed me into the right direction, there are two things to do under circumstances:

1. Exclude the directory: Mark the directory itself as excluded (Right-Click -> Mark Directory As -> Excluded). It might then already disappear
2. Hide excluded files: Tick the project pane option (under the Gear-Wheel symbol) and un-tick Show Excluded Files to hide excluded directories

and that’s it.

However: Showing the .idea folder doesn’t work this way (WI-26391).

Learning OOP in PHP

Just linked: Learning OOP in PHP

Download NextGen Gallery WordPress Gallery with Wget

For a gallery download with Wget made by NextGen Gallery (at least this is what I read from then nggpage=2 query string), I had success with:

wget -nc -nd -A '*.jpg' -R 'thumbs_*,index.html*' \
    -I /wp-content/gallery/ -r -l 1 \
    http://www.example.com/category/2014/04/08/slug/

My example gallery with with all jpeg files. The switches are documented in the GNU Wget Manual.

Commandline Source Fixes Foo

From time to time I need to cleanup source trees. Today I needed to do that again, here are some command liners to get some work done.

If you’re on Windows, all you need to do to get these running is to install git for windows which has git bash and all the commands used in these examples.

Convert Line Endings / Line Separators

First of all it’s good to review if the find command-line actually finds the file looking for. E.g. to exclude some directories (here exemplary .git for git version control and .idea for Phpstorm and other Idea IDEs) and then list the file extensions that would be find:

find . \( -name '.git' -o -name '.idea' \) -prune -o \
    -type f -printf '%f\n' | awk -F . '{print $NF}' | sort -u

Example: List of file extensions

$ find . \( -name '.git' -o -name '.idea' \) -prune -o \
>     -type f -printf '%f\n' | awk -F . '{print $NF}' | sort -u
gitattributes
gitignore
json
md
php
xml
yml

This shows it’s save to operate on these. Lets ensure all line-endings are unix and not dos:

find . \( -name '.git' -o -name '.idea' \) -prune -o \
    -type f -exec dos2unix -bUvt {} \; 2>&1

This executes dos2unix (here in test-mode, remove -t switch to apply changes) on each file (redirecting stderr to stdout so it’s easier to grep or less). Dos2unix allows more conversions, use dos2unix --help more more info.

Something new I tried today was to apply such a command only onto files that have been touched by the last commit. In a clean staging area after that commit, I could apply dos2unix with the help of git diff-tree and a Bash loop:

git diff-tree --no-commit-id --name-only -r HEAD \
    | while read line ; do dos2unix -bUvt "$line" ; done

So instead of the find operation, I create a list of files to operate on with git and then a while read line ; do ; done loop invokes the command.

\ No newline at end of file

Another common change to apply is to add newlines at the end of files. Some background information about why a newline at the end of file is useful is given in Sanitizing files with no trailing newline (May 2010; by waldner). This one was not so easy for me to find as I wanted to invoke it again via find, but I finally made it working like a charm with the help of sed and the nice Gnu extension of -i (edit file in place) it has – to great extend because of How to add a newline to the end of a file? (Unix & Linux SE):

find . \( -name '.git' -o -name '.idea' -o -name 'vendor' \) -prune -o \
    -type f -exec grep -Iq . {} \; -exec sed -i -e '$a\' {} \;

this does not produce any output, but you can review the changes then with git diff. All those \ No newline at end of file should be gone then.

As usual, keep a backup before running modifications over a whole directory tree automated. Take care to not traverse into directories where you don’t want to.

Composer Clear Cache

It’s one of the best kept secrets of popular PHP dependency manager Composer: How to flush composers cache.

You normally don’t need it, however if you create some composer.json and you want to put it to a test, this can be useful to know. Or let’s imagine your composer cache grows some gigabytes large. Here are two ways:

First, you can just nuke it from above:

$ rm -rf "`composer config cache-dir`"

(if you’re using Windows, use git-bash.)

The second way is to tell Composer where to find the cache via environment variables:

$ COMPOSER_CACHE_DIR=/dev/null composer install

This second method is perhaps better if in your tests you don’t want to influence the whole system.

The third but not yet available method is to make use of a composer command. This is discussed in the feature request Add command to clear composer cache which also exchanges some arguments pro and con. But I though I spare that for this little TLDR; type of blog-post.

Update 5 Jun: Just in a recent Pull-Request “Add clear cache command” (#3034) such a concrete command has been offered to merge by David Neilsen.

Update 14 Jul: See as well If all else fails Slide of Using composer correctly (confoo) (26 Feb 2014 by Igor Wiedler).

PHP turtles – Turtles all the way down

Some nice line-up for the know your language department: PHP turtles – Turtles all the way down.

XPath Null Byte Injection in PHP

Back in July this year, in Mitigating XPath Injection Attacks in PHP I was writing about how to properly quote a string in PHP’s Xpath 1.0.

The code presented there was based on the assumption that the resulting expression is binary safe.

However that was too shortsighted because Xpath in PHP can be attacked using null-byte-injection. The PHP extension does cut-off the string at the first null-byte, allowing you to truncate an expression early.

/*/user[name = 'Mirza']/secret<NUL>]/location

Technically XML covers the full Unicode repertoire excluding the surrogate blocks FFFE and FFFF and excluding most US-ASCII control characters (those below space), only Tab, Line-Feed (LF) and Carriage-Return (CR) are allowed in XML.

This is also the reason when you need to safely transport binary data with XML, that you need to encode it, for example in base64 (See base64Binary primitive XML datatype), because otherwise the XML would be broken resulting in data-loss.

Back to the mentioned XPath injection attacks and how to mitigate them. If an injected string is able to cut-off at the first null-byte position, the quoting as described does not work stable any longer. An attacker can break out of it by injecting a null-byte. The impact is not very high, because of the quoting that xpath_string() applies, injecting a null-byte will result in a Unfinished literal warning.

However when data is injected not as string with the help of xpath_string(), null-bytes do still play against you in PHP Xpath. As those are not valid anyway in XML and therefore no text or identifiers can contain it, you can safely reject or sanitze null-bytes further up in the input processing. For example as Suhosin can do.

So better keep in mind to verify incoming (Unicode) data your application accepts. Even valid Unicode, it might not always be appropriate.

See Also:

• Poison Null Byte – Hakipedia
• WASC Null Byte Injection
• OWASP Periodic Table of Vulnerabilities – Null Byte Injection

Devil’s Dictionary of Programming

Devil’s Dictionary of Programming

Professional Webdevelopers At Work – Yahoo Mail Endless Redirect Demonstration

So familiar with these 1996 Web-Technologies but not having the time to care in these rushing 201x days as this two minute documentary of an endless redirect-chain shows. Thanks to random URL parameters used to prevent ancient caching woes in combination with cookies – but failing to test if cookies actually work on the target domain. (Recordered 2013-10-26)

Just a little follow up to Your Guide to Composer in WordPress as I was stumbling over while surfing (and equally short just for the log):

Bryan Petty (tierra) was so kind to mirror the WordPress Source/Development branch on Github, it is here: tierra/wordpress. While I was stumbling over it, I also discovered another project he is involved in: pluginmirror.com – GitHub mirrors of every plugin in the WordPress.org plugin repository.

The Plugin Developer Guide has some details how it works. Full source of it is also available on Github: WordPress Plugins GitHub Mirror Application.

Interestingly there is also WordPress Plugin Tests but I didn’t had the time to review it, it perhaps makes sense.

Ircmaxell’s Rambling On Internals

Ircmaxell’s Rambling On Internals raises a very important point about the use of RFCs in the PHP community and the problem they have been introduced as a tool to only negotiate – not solve – the problems of the PHP Internals list.

His arguments are as always pretty weighted and need more voice, so read and spread the word. He has my support and it’s a loss for PHP and Internals as a whole should stop sitting on their legs.

I’m not so good with arguing, so I prefer to share my opinion because that is the least I can do to not let this pass unnoticed (which would be an even bigger mistake):

In my personal opinion Pierre and Stas suck most (now I said it). And that is my personal opinion. Pierre weights harder because I’ve met him in person and he has a split tongue, all he feared in that discussion was totally untrue and never happened. All he promised to do otherwise didn’t happen either. So only hot air for nothing, just for the sake of influencing others for technical arguments – not reality. Ircmaxell on the other hand not only explains he is also a do-er.

From Stas I’m just getting ill by reading that much text only because he has the time to write so many emails whole day long. I wish he would go down with us in the swamps of the PHP tag on Stackoverflow, perhaps that will envision him. It would be a benefit for the PHP community as a whole and he wouldn’t have so much time writing emails in Internals. Now that’s a productive suggestion I’d say.

I know it’s hard to run a project, especially for years and with a big userbase. But seeing Ircmaxell leaving with no further action from the Internals community itself is not excused by that.

Just my 2 cents, share yours.

See as well: I don’t understand PHP beaurocracy but I do understand Anthony Ferrara!.

Free The Cuban Five! 12. September 2013

Especially for our German speaking visitors: Unterstützen und Verbreiten – spitzenaktion.de.

And for our US-visitors: Miami, FL, Sept. 8 | Washington, DC, Sept. 12 (White House) | Washington, DC, Sep 13 (University of the District of Columbia Law School) http://www.freethefive.org/calendar.htm

Greeting, Greetings and the GreetingFactory

Just stumbled over: If you ask Is this correct object oriented programing in php? and then get an answer from Gordon, well, see for yourself. (via)

The Sky. The Universe. The Missing Unit Tests

Out there in the Universe. Now comparisons get Epic Pictures when it comes to WordPress and Unit Tests: Beta Sagittae. via The Loop.

Reminded me of Development By The Numbers – Slides (May 2013; by ircmaxell) having also nice comparisons for numbers.

Your Guide to Composer in WordPress and there is WordPress Packagist. I only knew about Composer Installers (incl. WordPress ones) so far.

The Negative Influence of WordPress on PHP

The current The TIOBE Programming Community Index for July 2013 shows an increase for PHP, gaining grounds fast and as an ongoing trend over the last year:

If compared to January 2013, PHP is the fastest climber with an increase of +1.64% […]. The major driver behind PHP’s popularity seems to be the new PHP Zend Framework that was released in September 2012.

It clearly shows the stamina and power PHP as a programming language has, with the two recent milestones of the two popular PHP 5.4 and 5.5 releases. Those new releases are a key driver for next generation frameworks like the bespoken Zend Framework 2.

PHP is strong standing against negative influences popular but legacy PHP applications put onto it, namely and most foremost the most popular of all these: WordPress. WordPress is continuously bringing down PHP since years as Google Trends shows:

As this Google Trends graph revals, WordPress popularity is constantly hurting PHP

So how long can PHP resist against this bad influence? What will happen when those two lines cross? Will the world as we know it fall apart?

---

You probably have come to the conclusion that comparing two independent statistics allows you to draw all kind of crazy assumptions – so do I. What has been outlined above is pure irony as you might have already noticed (but it’s said that irony does not work well in the internet, so you probably didn’t even notice).

Manuel Lemos (Google Profile) from phpclasses.org yesterday was spreading his opinion that WordPress has made PHP popular – not PHP and not any PHP Frameworks.

Well, make your own mind, what I just wanted to show is that running wild assumptions normally does work even badlier than irony in the internets. And comparing two totally unrelated statistics (“small lies, big lies, …”) shows more about your own opinion than anything else.

My 2 cents.

Atomic deploys at Etsy

Atomic deploys at Etsy

Mitigating XPath Injection Attacks in PHP

PHP has two libxml based extensions that allow to execute XPath 1.0 expressions: DOM (by the DOMXPath class) and SimpleXML (with its xpath() method).

Both extensions are prone to XPath Injection Attacks, a common attack form. Albeit all this, and information about the topic is available, it seems that concrete PHP code to deal with these is harder to find. Continue reading →

SimpleXML and JSON Encode in PHP – Part III and End

The previous two parts (Part I; Part II) did outline PHP’s standard behaviour when JSON encoding a SimpleXMLElement with json_encode().

As outlined this does not always fits the encoding needs and for some potential problems some workarounds have been showed. However those worked by affecting the XML document instead of affecting the JSON serialization.

By default what json_encode() contains as data and structure is exactly following the rules of casting a SimpleXMLElement to an array. This is because internally (see lxr json.c) json_encode() does this cast and then builds the JSON object output based on that structure.

Luckily since PHP 5.4 the JsonSerializable interface allows to interfere exactly at that point. Instead of the standard array cast, a more tailored array or object – even a string or number – can be returned. Just anything which json_encode() would normally accept. This allows to create an own JSON encoding easily by extending from SimpleXMLElement and implementing the interface as I will show now. Continue reading →

SimpleXML and JSON Encode in PHP – Part II

In the previous post (Part I) I was giving a little overview for common woes turning a SimpleXMLElement into JSON when XML structural information is available that JSON is not capable to encode easily. The explanations given there were intended to users new to the matter and to understand the general dilemma that kind of encoding/serialization is dealing with.

In this part I will point onto some more detailed issues and show straight-forward ways how to deal with them specific to encoding a SimpleXMLElement object as JSON.

As it might be known, SimpleXML is simple and like PHP which wants to do things the simple way, it turns out that within the details, these simple things are extremely differentiated and complicated. In short: Next to dealing with what JSON can’t deal with of XML from the last part, in this part I’m more concerned about what SimpleXMLElement can’t deal with of XML. Continue reading →