On the PHP-Security.net blog today there's a new post showing how to get the latest version of the Suhosin security patch for PHP installed. With the recently released PHP 5.4, the Suhosin patch and extension were removed from many Linux distribution packages (i.e., Debian et al.) and until three weeks ago, there was no possibility to compile and run the Suhosin extension under PHP 5.4. This little howto shall serve as installation instruction for Debian Wheezy users - your mileage may vary. I blogged...
There is a vulnerability in certain CGI-based setups that has gone unnoticed for at least 8 years. Section 7 of the CGI spec states:
"Some systems support a method for supplying a [sic] array of strings to the CGI script. This is only used in the case of an `indexed' query. This is identified by a "GET" or "HEAD" HTTP request with a URL search string not containing any unencoded "=" characters."
So requests that do not have a "=" in the query string are treated differently from those that do in some CGI...
There is a new PHP bug that just became public today (leaked accidentally, it seems...). A flaw in the PHP CGI's input sanitization process allows attackers to set command-line options via the query string. This behavior seems to be an oversight / misplaced design decision from 2004 and is only exploitable in specific web servers. Apache is one of them...
This opens interesting opportunities. I have blogged about those here: New Exploit @ php-security.net
By the way, Suhosin partially mitigates one of the...
On the Software Development Video & Tutorial site they've shared a video that introduces the PHP to Couchbase connection from Jan Lenhardt. Couchbase Server is a fully memcached API compatible database that solves performance, scaling and querying needs. It relies on proven technologies like memcached and Apache CouchDB along with a chunk of open source components that make the whole thing work. Couchbase developed a PHP extension to work with Couchbase Server. This video discusses the architecture of the...
On PHPMaster.com today there's a new tutorial by Daniel Gafitescu showing you how to work with Redis (a key-value store) via PHP with the help of the Predis library. There is a lot of argument whether Redis or Memcache is better, though as the benchmarks show they perform pretty much on par with each other for basic operations. Redis has more features than Memcache has, such as in-memory and disk persistence, atomic commands and transactions, and not logging every change to disk but rather server-side...
Making the Web Faster with HTTP 2 Protocol
By Manuel Lemos
The HTTP protocol version 2.0 is in the process of being defined. There was a call for proposals and several researchers submitted specifications and ideas that can make the Web faster and better in several other aspects.
Read this article to learn about the details of these proposals and what Web developers can expect to prepare to take advantage of the planned improvements of the HTTP 2.0 protocol.
Yesterday, I saw this tweet:
@lornajane @nabeels tips on starting to write an API to interact with Smartphone App?? :-s
On 2-5-2012 12:48:53
from Twitter for Mac
in reply to Lorna Mitchell
I have lots of advice for Olly (whom I know personally) but there's no way it will fit into a tweet! So here it is, in rather longer form :)
Whatever data format you pick, whatever app you are building, whichever approach you choose, be consistent. Your whole API should call...
Christopher Kunz is trying out the new web acceleration tool Google recently released (SPDY) when his site is served under HTTPS (warning, self-signed cert). The reason this posting lands in the PHP category is that I want to have a playground testing PHP applications with mod_spdy. Currently (and probably also in the future), this machine uses mod_php instead of php_(f)cgi(d) - this is not recommended for interoperation with mod_spdy. To test the real-life impact of the possible thread safety issues, I...
Here's what was popular in the PHP community one year ago today:
PHPBuilder.com: Building Web Apps with the Limonade PHP Framework
DevShed: 7 PHP Frameworks Tested For Speed - Benchmarking PHP Frameworks
Web Developer Juice: PHP Magic Functions: Best Part of Object Oriented PHP - Part 1
Symfony Blog: Symfony2: Getting easier (Parts 2 & 3)
Script-Tutorials.com: Creating a Modern Looking Animated Login System in PHP
Chris Aitchison's Blog: You are NOT a Software Engineer!
Community News: Dutch PHP...
In his previous post Sebastian Göttschkes introduced a set of classes you could use for different types of testing in your Symfony2 applications. In his most recent post he expands on these examples, giving the UnitTestClass an extra ability. In one of my last articles on Testclasses for symfony2 I explained some of the classes I use for my tests. Since then I found a great article on metatesting and want to update my UnitTest class to show some practical examples. His update allows the class to access...
In this new post to the GotoTech.com blog Eric Burns talks about a way he's "tamed Doctrine's 2000 flushes" with a wrapper around the EntityManager to make controlling the database flushes simpler. For my project I decided to use the Doctrine 2 ORM to manage my data layer. We also use this at work, so the biggest reason I chose this was to be able to learn more about Doctrine to help me in my job. But this decision also makes sense for my project because my entity relationships will likely be fairly...
Kevin Schroeder has a new post in his series looking at dependency injection in Zend Framework v2 applications. In this new post he shows how to work with setter injections that coordinate to properties in the class. In a previous article I showed how you could pass in a fully qualified parameter name into the Dependency Injection Container (DiC) if you needed to be specific about where you need to have something injected. There is an alternate method here that is cleaner than what I did before. He...
This website (as long as you access it via HTTPS) is now serving pages with SPDY, Google's still-experimental web acceleration protocol. Since SPDY mandates usage of SSL, I am using a CACert certificate to serve up pages. If you want to know why I didn't buy a CA-signed certificate, please see this talk for a couple thoughts: SSL and the future of web authentication (PDF)
The reason this posting lands in the PHP category is that I want to have a playground testing PHP applications with mod_spdy....
On the MaltBlue.com blog today there's a new post about a new podcast that's in the works targeted at PHP developers working on cloud-based applications - the PHP Cloud Development Podcast. You've watched RailsCasts, you've watched ZendCasts - but what about screencasts for PHP Cloud Development techniques? Well, we were surprised to find that there was nothing, yet, available to satisfy that need. There's cloud development casts for .Net developers and presumably for Java developers as well. But not much...
Vertical Degradé Image
Simple REST Library
Simplices XML into Array
DB MySQL Class
ApPHP Data Validator
PHP Highlight script
On the Voices of the ElePHPant podcast, the latest episode has been released - FIG, PUD & FOMO, a discussion with members of the PHP Standards Group: Matthew Weier O'Phinney, Jeremy Lindblom and Paul Jones. Cal's questions center around the Standards group and what kinds of discussions they have about the language and the progress the group has made so far (like PSR-0):
What's the purpose of the group?
Is the purpose of this group to take PHP from everyone's hands and enforce the "one true grace" on...
Court Ewing has a new post to his blog describing some of the most common cryptic errors that you might come across in your day-to-day development. If you've been programming for a while, then you've probably experienced your fair share of cryptic error messages. It's understandable that building in detailed error messages that are clear to even novice developers is not always a high priority for programming languages when there are so many other features to create and issues to address. The PHP language...
On the ServerGrove blog there's a new post that helps to bridge a gap between Symfony PHP developers and the designers that might be working with the result of their hard work. The post shares solutions to four common problems the designer might have. For designers, Symfony2 has been a welcome change from those old flat PHP files. Twig is beautiful, the framework separates the code from the layout, and we no longer have to find our way through lines of PHP code. But if you are a designer working on a...
PHPMaster.com has a new tutorial posted today (by George Fekete) about preventing cross-site scripting attacks in your PHP-based applications. Unfortunately, cross-site scripting attacks occur mostly because developers are failing to deliver secure code. Every PHP programmer has the responsibility to understand how attacks can be carried out against their PHP scripts to exploit possible security vulnerabilities. Reading this article, you'll find out more about cross-site scripting attacks and how to...