Event-driven PHP – Igor Wiedler

Nice talk by Igor at TakeOff 2013: Event-driven PHP – Igor Wiedler.

Posted in Linked, PHP Development, PHP Frameworks, Pressed, Tools, Video | Tagged , , | Leave a comment

The Greatest PHP Value

Just two days ago I asked a PHP-quiz-question in the chatroom on Stackoverflow, something along the lines:

PHP: Which one is greatest?

PHP has a comparison operator to compare if one value is greater than the other (>). Which one of the three values INF, array() and (object) array() is the greatest?

  1. Infinity – INF
  2. Array – array()
  3. Object – (object) array()
  4. undefined

and it really is a PHP Quiz. The undefined means that you can not find out if a single one is the largest. If you want to guess your own, you should not read further yet.


Even the Array is greater than Infinity in PHP, the Array is less than an Object. Now you could say that Object then must be the greatest, however the Object is less than Infinity.

So between these three values you can not formulate any expression in PHP that describes the greatest one therefore the answer is undefined.

// http://eval.in/15219
$inf    = INF;
$array  = array();
$object = (object) $array;

var_dump($object > $array  and $object > $inf  ); # bool(false)
var_dump($array  > $object and $array  > $inf  ); # bool(false)
var_dump($inf    > $object and $inf    > $array); # bool(false)

So maybe some of them is equal to another? No not as well ;).

So what are the practical implications of this? A simple example that is impacted by that is the sort() function. When a sorting behavior that does not do any type-conversion is used (default), then the result is based on the order in the array and not on the values. That might be unexpected.

As always when I’m puzzled with PHP I write a more or less well formulated question on Stackoverflow about it and ping NikiC. Because he not only answers the question but also makes me learn a lot of new terms and is so firm with PHP internals. See for yourself: PHP Type-Juggling and (strict) Greater/Lesser Than Comparisons which has got quite some traction already.

array-larger-than-infinity

And if you’re using an older PHP version, the answer might not be undefined. Until PHP 5.1.6 Objects were greater than Infinity like Arrays are but less than Arrays allowing a clear winner: Array is greatest! 🙂

Read On: Comparison operators – PHP Sadness #52 – Very detailed and impressive description and visualization of comparison in PHP.

Posted in Developing, PHP Development, Pressed, The Know Your Language Department | Tagged , , , , , | Leave a comment

The Annotated XML Specification (by Tim Bray; 1998)

Posted on by hakre | Leave a comment

Late Static Bindings in PHP Callbacks

No idea if this is ever useful, but just found this not documented in the PHP manual so far (and the Callbacks entry looks already chaotic so I don’t edit it right now):

You can write callbacks of static class methods as a string in the form of "classname::methodname". This should be commonly known, an example of that is:

// http://3v4l.org/vdhJq

echo Module::work('hello world'), "\n";              # HELLO WORLD
echo call_user_func('Module::work', 'hello world');  # HELLO WORLD

abstract class Module
{
    public static function work($it) {
        return strtoupper($it);
    }
}

What I stumbled over and which I didn’t know is that since PHP 5.3 it is also possible to reference the current class with three additional strings for the classname placeholder above:

  1. "self::methodname" – use the current class.
  2. "parent::methodname" – use the parent class.
  3. "static::methodname" – use the class that was initially called at runtime.

Here an example that uses a callback function inside the module class to do some string replacements with the "static" string:

// http://3v4l.org/SsaZg

echo Module::work('hello world.'), "\n";  # [[[hello]]] [[[world]]].
echo MyModule::work('hello world.');      # {{{hello}}} {{{world}}}.

abstract class Module
{
    public static function work($it) {
		return preg_replace_callback('~\w+~', 'static::replace', $it);
    }

    protected static function replace($matches) {
        return sprintf('[[[%s]]]', $matches[0]);
    }
}

abstract class MyModule extends Module
{
    protected static function replace($matches) {
        return sprintf('{{{%s}}}', $matches[0]);
    }

}

Sidenote: The array callback notation works for that as well:

    preg_replace_callback('~\w+~', array('static', 'replace'), $it);

This came a bit unexpected to me because in another feature introduced in PHP 5.3: A call of static class methods with a variable for the classname PHP:

// http://3v4l.org/IWQtr

echo Module::work('hello world'), "\n";  # HELLO WORLD

abstract class Module
{
    public static function work($it) {
        $module = 'Module';
        return $module::strtoupper($it);
    }

    private static function strtoupper($it) {
		return strtoupper($it);
    }

}

Unexpected because it does not allow to use the strings "self", "parent" or "static" inside that variable:

// http://3v4l.org/p0RQv

echo Module::work('hello world'), "\n";  # Fatal error: Class 'self' not found

abstract class Module
{
    public static function work($it) {
        $module = 'self';
        return $module::strtoupper($it);
    }

    private static function strtoupper($it) {
		return strtoupper($it);
    }

}

Last but not least, there is this very special callback, I don’t have any name for. What it does is working exactly like the "self::methodname" callback:

    
    preg_replace_callback('~\w+~', array('self',   'self::replace'),   $it);
                                         // like self - http://3v4l.org/B6Lbe

    preg_replace_callback('~\w+~', array('static', 'static::replace'), $it);
                                       // like static - http://3v4l.org/adTgD

    preg_replace_callback('~\w+~', array('static', 'self::replace'),   $it);
                                       // like static - http://3v4l.org/GaCVT

    preg_replace_callback('~\w+~', array('self',   'static::replace'), $it);
    // like "final" (invalid callback in LSB context) - http://3v4l.org/oBeNN

So much for the magic static and self-self life in callbacks and class method calls. PHP is not well known for language consistency and I put that one as well into the book. One should not exploit this static feature anyway and a module class should be abstract final probably but sadly, PHP does not know that.

This post is just another write-up for the know-your-language department and not a recommendation at all.


Edit: Parts of my first conclusion on self-self were wrong, it does not do any LSB, what I thought was LSB was in the first static::replace example was wrong. I also made that example more distinct.

Posted in PHP Development, Pressed, The Know Your Language Department | Tagged , , , , , , , , , , , | 1 Comment

SymfonyLive San Francisco 2012 – David Zuelke – Designing HTTP Interfaces and RESTful Web Services

SymfonyLive San Francisco 2012 – David Zuelke – Designing HTTP Interfaces and RESTful Web Services

Posted in Linked, Pressed | Tagged , , | Leave a comment

Dive Into HTML5

Dive Into HTML5 (by Mark Pilgrim with contributions from others)

Posted in Linked, Pressed, Surviving the Internet | Tagged , | Leave a comment

New Year – New Attacks on your Freedoms

This year is business as usual, join the protests on February 23. #idp13

Posted in Pressed | Tagged , , , , , , , , , | Leave a comment

The Noun Project – Collection of Icons

Strange Icons

The Noun Project

Read On: Visualizing Change: An Interview with The Noun Project (16 Jul 2012; by Valerie Casey)

Posted in Libre Graphics, Linked, Pressed | Tagged , , | Leave a comment

Interview with John Allspaw of Etsy

Interview with John Allspaw of Etsy

Posted in Linked, Pressed | Tagged , , | Leave a comment

PSF: Python trademark at risk in Europe: We need your help!

python

python

Please spread the word and help: Python trademark at risk in Europe: We need your help! – it’s easy to fight trademark issues if there is clear evidence – by many of us – what the name means for you or your company. Because trademark can’t top real-life ;). But it’s some legal hassle, so your support is needed. Continue reading

Posted in Linked, Pressed | Tagged , , | Leave a comment

How foreach actually works

How foreach actually works – PHP internals nicely explained by NikiC

Posted in Linked | Tagged , , , | 1 Comment

SimpleXML Type Cheatsheet

A SimpleXMLElement can represent many different things, from an element, to a list of attributes or childelements.

Sometimes it’s good to know how to find out, especially with the magic the extension comes with. The following is a table with the different types and an expression for it, $element is the Simplexml element:

Type Test
Element $element->xpath('.') == array($element)
Attribute $element[0] == $element
and $element->xpath('.') != array($element)
Attributes $element->attributes() === NULL
Elements $element[0] != $element
and $element->attributes() !== NULL
Single $element[0] == $element
Empty List $element[0] == NULL
Document Element $element->xpath('/*') == array($element)

PHP Version Info: PHP 5.2.2 or higher needed.

Usage Example

Normaly dom_import_simplexml comes to the rescue to upgrade from SimpleXML to DOMDocument. It works for nearly any SimpleXMLElement object, but not for an empty attribute or element list. To prevent the warning, check:

$isEmpty = $element[0] == NULL;
$DOMNode = $isEmpty ? NULL : dom_import_simplexml($element);

Common Xpath Cheats

SimpleXML can be pretty limited, some of the missing features can be worked-around before upgrading to DOMDocument by making use of Xpath:

What Xpath Note
Parent Element .. Works also for attribute
Document Element /*

The SimpleXMLElement::xpath() method returns an array by default. The array can only contain element or attribute nodes, nothing else. On an empty list SimpleXMLElement the method returns NULL. A FALSE is returned in case the Xpath expression had an error. So you can safely cast to an array for streamlining. It returns an empty array if there is no result then.

Usage Example

Obtaining the document element which represents the SimpleXMLElement returned by new, simplexml_load_file() or simplexml_load_string(). For example if $element is an element somewhere in the XML but the full document should be output:

list($root) = $element->xpath('/*');
$root->asXML();

SimpleXML Line Separator

Is "\n" (LF, \x0A, 10), always. When the document element is output asXML() the first line is the XML declaration. The last line is empty (newline at the end of file).


See as well

How to tell apart SimpleXML objects representing element and attribute?
In SimpleXML, how can I add an existing SimpleXMLElement as a child element?
https://bugs.php.net/bug.php?id=52858

Posted in Hakre's Tips, PHP Development, Pressed, The Know Your Language Department | Tagged , , , , , , , , , | 1 Comment

XPath – Lecture: XML Technologies (PDF)

Just found a nice PDF (Kudo @jens-erat /via) about XPath worth to share the link along:

Xpath PDF – Lecture: XML Technologies Winter 2012/13 – Dr. Christian Grün

Google PDF Preview shorturl in case your browser does not like to open it (my Google Chrome had a hickup with it, Curl/Opera is fine): http://goo.gl/nqYTZ

Posted in Linked, Pressed | Tagged , , | 4 Comments

PHP Autoload Invalid Classname Injection

Along the River During Qingming Festival (Fragment A)

There are many ways to attack an application, many are working by injecting some malicious data hoping to trigger a deserved action in the end.

Most of these are possible when input data is not properly sanitized. This can have connotation in the programming language used, a famous PHP example is with register globals for example or the famous magic quotes.

These are fairly old stories and nowadays using a recent PHP version does not come with these rough edges so you’re normally more safe. However, this also means you need to look more specifically for areas of your code where injection is still possible.

Due to some recent work I needed to review code for autoloader invalid classname injection (see class autoloading). I did not found much concrete information online which functions/code are able to trigger this. Somewhat a pity, so first of all here is a list of functions which are (many by default) triggering autoloading:

call_user_func()
call_user_func_array()
class_exists()
class_implements()
class_parents()
class_uses()
get_class_methods()
get_class_vars()
get_parent_class()
interface_exists()
is_a()
is_callable()
is_subclass_of()
method_exists()
property_exists()
spl_autoload_call()
trait_exists()

All but one of these functions filter the classname parameter (the first character if "\" – and only the first – is removed). Only the function (spl_autoload_call()) passes the parameter in raw – that is the first character always unchanged.

This list is likely not complete (e.g. getting objects from the database with PDO/Mysqli and classnames), feel free to add your findings as well via comments or your own posting. Some of these functions – depending on PHP version – can not be used for injection by default.

Further potentially exploitable code is instantiating the ReflectionClass or making use of variable classname instantiation via new like new $classname;. The latter would result in a fatal error, however if an autoloader could be exploited via injection, the exploit would work before the fatal error is triggered.

Interestingly, the unserialize() function with PHP’s default unserializer can not be used to inject invalid classnames, unserialisation fails in that case highlighting the first mismatching character offset in a class / namespace name per a warning. PHP just refuses to parse those while unserializing. Howver, take care here for anything that has it’s own serialization and __sleep / __wakeup can be injection points on their own.

Less surprisingly, the get_object_vars() function does not work for injection because it needs an object, not a class. Sometimes you don’t know with PHP, so I included it in my review.

Along the River During Qingming Festival (Fragment B)

Defense In Depth at Classloader Level

So what is a valid classname anyway? Back in 2010 when I wrote PHP Syntax Regulary Expressed I noted that the syntax of namespaces remains undefined in PHP documentation. Reading PHPs source at least let one assume that it’s the same as for the classname plus the namespace separator (I write assume because it’s all at the tokenizer/parser level depening on what T_STRING stands for).

So expressing a valid fully qualified classname (with optionally prefixed by a namespace separator) as PCRE regular expression could look like (two variants):

\\\\?(?>[a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*\\\\)*[a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*
\\\\?(?>[a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*\\\\?)+

Inside an auto-loader, this can be quickly checked with preg_match():

$pattern = '(^\\\\?(?>[a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*\\\\?)+$)';
$valid   = (bool) preg_match($pattern, $classname);

One might argue that because a prefix of the namespace separator \ is invalid and most of PHP function calls filter it away anyway, that it is more strict to exclude it from the regular expression:

$pattern = '(^(?>[a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*\\\\?)+$)';
$valid   = (bool) preg_match($pattern, $classname);

Next to a regular expression I’m not aware of any way to validate a classname in PHP. I just filed a feature request #64185 because one function that actually could be able to do that is not yet able so: is_callable() with the $syntax_only parameter set to true.

Take care and let me know if you find some more functions worth to look when reviewing the code.


Image Credits: Citations from Along the River During Qingming Festival, 18th century remake of a 12th century original by Chinese artist Zhang Zeduan; via Trialsanderrors

Posted in Features, Hakre's Tips, PHP Development, Pressed, The Know Your Language Department | Tagged , , , , , | 1 Comment

Debug with Xdebug on the Commandline with Phpstorm and Git Bash

Enable Phpstorm Xdebug listening:

$ export XDEBUG_CONFIG="idekey=PHPSTORM"

Press the listen button inside Phpstorm to actually listen:

xdebug-listen-phpstorm

To disable Phpstorm Xdebug processing in Bash again:

$ unset XDEBUG_CONFIG

This (PHPSTORM) is the default Phpstorm IDE-Key. You don’t need to disable listening after the variable is unset.

Should work with any other UNIXoide shell as well.

See as well:

Posted in Hakre's Tips, PHP Development, Pressed | Tagged , , , , | 1 Comment

EPL/GPL Commentary

EPL/GPL Commentary – Life at Eclipse (6 Apr 2010; by Mike Milinkovich)

Posted in Linked | Tagged , , , , | Leave a comment

The Open-By-Rule Benchmark

The Open-By-Rule Benchmark

Posted in Linked, Pressed, Uncategorized | Tagged , | Leave a comment

The case against Singletons in WordPress

The case against Singletons in WordPress

Posted in Uncategorized | Tagged , , | Leave a comment

PHP: Bug #63769 file:// protocol does not support percent-encoded characters

Posted on by hakre | Leave a comment

Assorted SPL Iterator Examples

This is an assorted list for three SPL iterator resources out there in the net. I’m sure there is more, so feel free to leave a comment I’m happy to add them.

spl-examples (salathe)

The idea is to have you folks add a few choice tidbits of goodness you have stumbled over when using the SPL (Standard PHP Library).

The (not so) secret motivation here is to get some nice examples to go in the PHP documentation. 🙂

Examples:

  • SplHeap (SplMinHeap; SplMaxHeap)
  • SortingIterator
  • FilterChainIterator
  • RecursiveDOMIterator

Link: https://github.com/salathe/spl-examples

PHP-SPL-Iterator-Interface-Examples (cballou)

This repository aims to be a community wiki (a la git pull requests) of useful PHP Standard Template Library (SPL) examples. The php.net website lacks user submitted examples in the SPL department, so Queen City PHP (http://qcphp.org) is taking the initiative to provide examples and spread the word.

All of the base level PHP files are working examples of their SPL iterator counterparts. Documentation will be added to the readme in the future.

Examples:

  • NavBuilder (CachingIterator)
  • Observable (SplSubject; SplObserver)
  • RecursiveRegexIterator

Link: https://github.com/cballou/PHP-SPL-Iterator-Interface-Examples

iterator_madness.inc.php

By Marcus Börger, SPL PHP core hacker

Examples:

  • DecoratingIterator
  • DualIterator
  • KeyValueIterator
  • DecoratingKeyValueIterator
  • KeyIterator
  • SugarDualIteratorIterator

Link: http://code.google.com/p/cvphplib/…/iterator_madness.inc.php

Posted in Hakre's Tips | Tagged , , , , , , | 4 Comments