blog.phpdev: PHP, Security & PSR-9/PSR-10 (22.5.2015, 12:36 UTC)

Late yesterday afternoon the PSR-9 and PSR-10 drafts were moved into master on the php-fig/standards repository, moving them along to the next step: getting the wider PHP-FIG group's opinions on them.

What are PSR-9 and PSR-10, you ask? Here’s a brief summary so far:

At the end of last year (2014) Lukas Smith made a proposal to the PHP-FIG group for a standard that would make reporting security issues with PHP projects and libraries a much more structured thing. The general idea is that a standardized document (or documents?) in a project’s repository would provide information about current and past security issues in a well-defined structure that could have some automated tooling around it. Much discussion was had around what the proposal actually entailed and how it would integrate with the goals of the PHP-FIG process. As work progressed on it, a few others besides Lukas came on-board to help flesh out the standard and work out the kinks, including myself.

It wasn’t long before we realized that, while having a standardized method for reporting vulnerabilities was good, there also needed to be a way to discover this documentation for a given project (more than just a “look for this file” kind of thing). So, the original PSR-9 was split, giving us the security advisory reporting standard (PSR-9) and the security disclosure workflow (PSR-10) to make discovery of the reports easier. Both PSRs have received the votes needed for entrance and consideration and, as I mentioned, work is moving forward on them in the wider PHP-FIG group.

So, what are the standards? Well, I’m not going to just copy and paste from the documents (you can find those here if you’re interested) but I will give a quick overview of what they contain and their goals.

Note: these standards are by no means complete so this information is a bit subject to change. I just wanted to share their current state though.

PSR-9

The main goal of the PSR-9 standard is to provide structure around the documentation a project provides to the wider community about security vulnerabilities that have been found (and fixed) and those that are still pending. The idea is that any given user could look at the document and have a security-centric view of where the project currently stands. Right now, with the exception of those participating in the security-advisories database, most projects make it a bit of a runaround to figure out what issues have come up and what problems have been fixed. Sometimes it’s reported in the Changelog, other times it’s in the mailing lists, and other times you just have to know what to search for in the project’s issue tracker to get the list. PSR-9 aims to eliminate a lot of this hassle and give a single source for the information.

The security-advisories database has provided a great start around this same kind of information but with PSR-9 the burden of reporting this information falls on the project, not a single source. We’re not aiming to replace that database by any means, though. We just want to empower the projects to share the information in a vetted, well-defined way. The PSR-9 proposal provides a lot more context around the security issues too.

This information includes:

  • An entry for each vulnerability that includes a short summary, published date, link to more information and a unique reference ID
  • CWE and/or CVE information, if possible (not all vulnerabilities are reported as CVEs)
  • What versions the issue affects
  • Current status of the issue
  • A description of the remediation if resolved
  • A low/medium/high severity rating based on the impact to the project’s users

We discussed the versioning of this resource (multiple files) so new vulnerabilities could be added and a “history” of sorts could be tracked over time but nixed that idea in favor of a single file that would just evolve over time. A lot of this vulnerability metadata is similar to information currently reported by other projects, so it’s not too far of a stretch to see this dropped into a structured, easy to find document. Speaking of which, this brings me to the next proposal
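The fields listed above are enough to build the kind of tooling the proposal has in mind: a consumer can validate that a project's advisory file is well-formed and ask which published advisories cover the version it has installed. The following is an added example, not code from the PSR-9 draft or from PHP-FIG. The draft does not fix a file format or field names, so the JSON layout, the key names, the "acme/widget" project and its two advisories are all constructed here for illustration; version ranges are written as comma-separated constraints (">=1.0.0,<1.4.2") and evaluated with PHP's own version_compare. Requires PHP 7.1 or later.

```php
<?php
// Added example (not from the PSR-9 draft): validate a PSR-9-style advisory
// document and report which advisories affect an installed version.
// The JSON layout and key names are assumptions; the draft fixes neither.

// Constructed sample document: project, references and URLs are made up.
const SAMPLE_ADVISORIES = <<<'JSON'
{"project": "acme/widget", "advisories": [
  {"reference": "ACME-2015-001", "summary": "Stored XSS in widget title rendering",
   "published": "2015-03-02", "link": "https://example.invalid/advisories/ACME-2015-001",
   "cwe": "CWE-79", "cve": null, "affected": [">=1.0.0,<1.4.2"], "status": "resolved",
   "remediation": "Upgrade to 1.4.2; titles are now escaped on output.", "severity": "high"},
  {"reference": "ACME-2015-002", "summary": "Timing side channel in API token comparison",
   "published": "2015-05-10", "link": "https://example.invalid/advisories/ACME-2015-002",
   "cwe": "CWE-208", "cve": null, "affected": ["<2.0.0"], "status": "pending",
   "remediation": null, "severity": "medium"}
]}
JSON;

const REQUIRED_FIELDS = ['reference', 'summary', 'published', 'link', 'affected', 'status', 'severity'];
const SEVERITIES = ['low', 'medium', 'high'];

/** Splits a constraint such as "<1.4.2" into [operator, version]; null when malformed. */
function parseConstraint(string $constraint): ?array
{
    if (!preg_match('/^\s*(<=|>=|<|>|==|=)?\s*(\d+(?:\.\d+)*(?:[-.][0-9A-Za-z]+)*)\s*$/', $constraint, $m)) {
        return null;
    }
    return [$m[1] === '' ? '=' : $m[1], $m[2]]; // version_compare accepts these operator strings
}

/** Returns a list of validation errors; an empty list means the document is usable. */
function validateAdvisories(array $doc): array
{
    $errors = [];
    $seen = [];
    foreach ($doc['advisories'] ?? [] as $i => $adv) {
        $ref = $adv['reference'] ?? "#$i";
        foreach (REQUIRED_FIELDS as $field) {
            if (!isset($adv[$field]) || $adv[$field] === '' || $adv[$field] === []) {
                $errors[] = "$ref: missing required field '$field'";
            }
        }
        if (isset($seen[$ref])) {
            $errors[] = "duplicate reference '$ref'"; // reference IDs must be unique
        }
        $seen[$ref] = true;
        if (isset($adv['severity']) && !in_array($adv['severity'], SEVERITIES, true)) {
            $errors[] = "$ref: severity must be one of " . implode('/', SEVERITIES);
        }
        if (($adv['status'] ?? '') === 'resolved' && empty($adv['remediation'])) {
            $errors[] = "$ref: a resolved advisory must describe its remediation";
        }
        if (!empty($adv['cve']) && !preg_match('/^CVE-\d{4}-\d{4,}$/', $adv['cve'])) {
            $errors[] = "$ref: malformed CVE id '{$adv['cve']}'";
        }
        foreach ($adv['affected'] ?? [] as $range) {
            foreach (explode(',', $range) as $constraint) {
                if (parseConstraint($constraint) === null) {
                    $errors[] = "$ref: unparsable version constraint '$constraint'";
                }
            }
        }
    }
    return $errors;
}

/** True when $version satisfies every comma-separated constraint in $range. */
function versionInRange(string $version, string $range): bool
{
    foreach (explode(',', $range) as $constraint) {
        [$op, $bound] = parseConstraint($constraint);
        if (!version_compare($version, $bound, $op)) {
            return false;
        }
    }
    return true;
}

/** Reference IDs of advisories whose affected ranges cover $installedVersion. */
function advisoriesAffecting(array $doc, string $installedVersion): array
{
    $hits = [];
    foreach ($doc['advisories'] as $adv) {
        foreach ($adv['affected'] as $range) {
            if (versionInRange($installedVersion, $range)) {
                $hits[] = $adv['reference'];
                break;
            }
        }
    }
    return $hits;
}

$doc = json_decode(SAMPLE_ADVISORIES, true);
if (!is_array($doc)) {
    fwrite(STDERR, "advisory document is not valid JSON\n");
    exit(1);
}
foreach (validateAdvisories($doc) as $error) {
    fwrite(STDERR, "INVALID: $error\n");
}
// 1.3.0 is covered by both advisories, 1.4.2 only by the pending one, 2.1.0 by neither.
foreach (['1.3.0', '1.4.2', '2.1.0'] as $installed) {
    $hits = advisoriesAffecting($doc, $installed);
    echo "{$doc['project']} $installed: " . ($hits ? implode(', ', $hits) : 'no known advisories') . "\n";
}
```

Validation is kept separate from the version lookup on purpose: a consumer (a Composer plugin, a CI check) should refuse a document that fails the structural checks rather than silently report "no known advisories" for an entry it could not parse.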

Truncated by Planet PHP, read more at the original (another 2877 bytes)

Link
PHP Classes: Review: WordPress 4.x Complete (21.5.2015, 08:48 UTC)
Title: WordPress 4.x Complete
Reviewer: Lopo Lencastre de Almeida
Category: PHP books
Publisher: Packt
Author: Karol Król
Summary:
If you are willing to know more about WordPress than you think you know, you should read this book: "WordPress 4.x Complete". It will definitely help you to understand the complete process of building a fully functional WordPress site from scratch.

As WordPress is such a massive winner among the known commercial and free software CMS platforms, with a huge share of 60%, you should really consider having it as a potential tool in your belt. And this book is, for sure, a must-have and a very good starting point for all WordPress newcomers.
Link
Web Development Blog » PHP Scripts: How to use the Flickr Photo Search API (21.5.2015, 06:22 UTC)
I have found one of the best places to find pictures to use on my websites is Flickr. They make it fairly easy to automatically embed Flickr photos onto your website using the Flickr photo search. This Flickr API tutorial will show you how to use the Flickr API to retrieve and display Flickr photos […]
Link
Ilia Alshanetsky: php[tek]: Business Logic Security Slides (20.5.2015, 22:01 UTC)
My slides from php[tek] in Chicago on the topic of "Business Logic Security" are now available for download here:
http://ilia.ws/files/phptek_business_logic_security.pdf
Link
SitePoint PHP: Bootstrapping a Laravel CRUD Project (20.5.2015, 16:00 UTC)

In this tutorial, we’re going to build and run a simple CRUD application from scratch using Laravel 5.

Installation and Setup

If you’re already deep in PHP, then some of the stuff in this section will be common knowledge to you. In any case, let’s go over it. We create a fresh install of Laravel 5 using Composer. First, cd into your directory of choice. Now, run the following command:

composer create-project laravel/laravel MYPROJECT --prefer-dist

If you don’t have Composer installed, you’ll naturally need to do that first, but I recommend using an environment such as Homestead Improved for kickstarting your development flow anyway - it comes with Composer globally preinstalled.

The name “MYPROJECT” will be the name of your application directory. For this tutorial, I just called mine “crud”.

Continue reading: Bootstrapping a Laravel CRUD Project

Link
PHP Classes: Extending PHP Classes and the Object Model (20.5.2015, 07:32 UTC)
By Dave Smith
Nowadays many PHP developers use Object Oriented Programming (OOP). However not every PHP developer really understands why that is a good thing.

Some use OOP just because they see others using it, without knowing very well its benefits nor how to create a consistent object model that addresses the needs of their applications.

Read this article to learn how objects can represent the real world through classes and how you can create an object model for your PHP application.
Link
Alan Knowles: More on syntax checking vala - and a nice video (20.5.2015, 00:00 UTC)
Article originally from rooJSolutions blog
As I wrote last week, I had added full syntax checking to the editor, so it runs a full compile check as you type.
Here's a nice video of it working...

After the initial joy of adding this to code, I soon realized it had a fatal flaw, read on to find out more..

Link
Anna Filina: Conference travel expenses (19.5.2015, 21:58 UTC)

Some conferences cover expenses of their speakers, other conferences don’t. Travel and accommodation can be extremely expensive and some speakers wonder why a conference would choose to put that burden on the speakers.

There are many ways to run a conference. I believe that all conference models are valid.

Ticket price

The price of a ticket directly affects what portion of the expenses organizers can afford to cover. Of course, organizing a conference can be very expensive, so even a high ticket price does not mean that there’s a big travel budget. Coffee alone can cost in the five figures depending on the venue.

The higher the quality of the event, the higher the expenses. Where organizers choose to spend their money is entirely up to them. There is room for $5 conferences in universities that make you buy your own meal like there is room for $1000 conferences in 5-star hotels that serve warm lunch at your table. Every experience is unique and defines the event.

For-profit conferences would obviously like to make some money from it and there’s nothing immoral about this model. Some speakers may disagree and are welcome to leave their spot for those who are okay with that idea. I personally speak at such events now and then because I get tangible business opportunities from them.

Community

Different communities have different values. I wanted to invite a speaker once that asked $20,000 + business class flight for a keynote. That’s common practice in his industry and I respect that, although I can’t afford it.

Some communities strongly believe that everyone has to give back, which is why their speakers even pay for their own conference ticket to come and speak. As long as there are speakers who are okay with that, they will submit to these events and we can’t really judge them for it. If one day too many speakers decide that this model no longer suits them, they will submit elsewhere and the community will have to adapt.

Opportunities

Some event organizers spend a lot of money to create a strong brand and attract a valuable audience. They believe that to speak for them is rewarding enough. I can respect that too. Speaking at events with a high reputation can be good for one’s career. Some people are advanced enough in their careers that they no longer care for visibility. Remember: each event is organized differently and for a different purpose. It’s up to the speaker to decide whether they want to be a part of it.

What can speakers do?

If you’re a speaker and cannot afford to pay your own travel, I suggest that you inquire about speaker packages upfront. How much is the conference covering? Are there any prerequisites for that, such as giving multiple talks? Is the hotel also included? How many nights?

Some events will cover a percentage of the flight. Some events will propose financial aid for travel only if you ask. Some events will cover more expenses in exchange for more talks. Watch out: more than two talks can be a huge burden for the inexperienced. It is possible for events to get cancelled, so watch out for refund policies if you’re buying your own plane ticket.

What can organizers do?

Be clear about the rules. Don’t wait for people to ask for financial aid; just make clear rules that apply to everyone. I’d rather see everyone get a little less than a few people get everything. Asking for favours varies by culture and you may be penalizing some people that way.

Sponsors can go a long way towards increasing your travel budget. It’s easier to find a single sponsor than finding multiple international speakers who are willing to pay their own flight.

Evangelists often have a travel budget with their company so ask them if their company can cover the expenses. A few companies who would say yes may enable you to bring more international speakers to your event.

If you can only afford to partially cover expenses, that works too. Many speakers are okay with splitting the costs, because they might want to take a vacation right after that. You can also ask them to give more talks. Three talks can be okay for experienced speakers but don’t push it. You don’t want to fill your conference with talks by exhausted people.

That’s it for today. Add more ideas in the comments below.

Link
Brandon Savage: Take the summer session of The Object-Oriented PHP Masterclass (19.5.2015, 21:22 UTC)

A large number of people told me that they couldn’t make the February class of The Object-Oriented PHP Masterclass, and that they hoped I’d teach it again soon. Well, if you’re one of those people, I have great news for you: the Object Oriented PHP Masterclass is back, and registration is open! This class is […]

The post Take the summer session of The Object-Oriented PHP Masterclass appeared first on BrandonSavage.net.

Link
Paul M. Jones: Radar: A PSR-7 Action-Domain-Responder Framework (19.5.2015, 15:00 UTC)

Radar is a PSR-7 compliant Action-Domain-Responder (ADR) system. While it may look like a micro-framework, it is more like a wrapper around the real core of your application domain. Its architecture makes it an excellent complement to Domain Driven Design.


Radar is superficially similar to a micro-framework. It has a routing system to point URLs to actions, a filter-style middleware system to modify the incoming HTTP request and outgoing HTTP response, and a dependency injection container and configuration system to wire everything together.

However, with Radar, you don’t specify “controllers” or “closures” for your routes. Instead, you specify up to three callables per route, all of which are optional:

  1. A Domain callable to be invoked with the user input. (If you don’t specify a Domain callable, the Responder will be invoked directly; this is unusual but sometimes convenient.)

  2. An Input callable to extract user input from the incoming HTTP ServerRequest. The default Radar Input callable will naively merge the route path attributes (path-info parameters), the query parameters ($_GET), the parsed body parameters ($_POST), and the uploaded files array ($_FILES) into a single associative array of user input.

  3. A Responder callable to convert the Domain output to an HTTP response. The default Radar Responder expects a Payload object from the Domain; it delivers JSON output and sets proper HTTP status codes for a wide range of scenarios.

These three callables are invoked within a standardized ActionHandler. As a result, the Action logic in Radar is always the same for every route. The only variations are in how input is collected, how output is presented, and of course in how your core application domain operates.
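The default Input callable described in item 2 deserves a caveat from a security point of view: once route attributes, query parameters, parsed body and uploaded files are flattened into one array, the Domain can no longer tell which source a value came from, and on a key collision one source silently wins. The following is an added example and not Radar's own code. It reproduces a merge in the order the post lists, using plain arrays in place of the PSR-7 ServerRequest so that it runs without any dependency, and contrasts it with a variant that keeps the four sources apart and reports collisions. That later sources override earlier ones is the behaviour of PHP's array_merge, which is assumed here; the post does not say which source wins in Radar. The request contents are constructed.

```php
<?php
// Added example, not part of Radar: why flattening several input sources
// into one array is risky, and one way to keep the sources distinguishable.
// A real Input callable would pull these four arrays from a PSR-7
// ServerRequest (getAttributes, getQueryParams, getParsedBody, getUploadedFiles).

/** Merge in the order the post describes: attributes, query, body, files. */
function naiveInput(array $attributes, array $query, array $body, array $files): array
{
    // array_merge: a later array wins on a string-key collision, so a body
    // field of the same name silently replaces a route attribute.
    return array_merge($attributes, $query, $body, $files);
}

/**
 * Stricter variant: keep each source under its own key and list every
 * parameter name that appears in more than one source, so the Domain can
 * read the one it trusts and refuse ambiguous requests outright.
 * Returns ['input' => [source => params], 'conflicts' => [name => [sources]]].
 */
function strictInput(array $attributes, array $query, array $body, array $files): array
{
    $sources = ['attributes' => $attributes, 'query' => $query, 'body' => $body, 'files' => $files];
    $owner = [];      // parameter name => first source that defined it
    $conflicts = [];  // parameter name => every source that defined it
    foreach ($sources as $name => $params) {
        foreach (array_keys($params) as $key) {
            if (isset($owner[$key])) {
                $conflicts[$key][] = $name;
                continue;
            }
            $owner[$key] = $name;
        }
    }
    foreach ($conflicts as $key => $later) {
        array_unshift($conflicts[$key], $owner[$key]);
    }
    return ['input' => $sources, 'conflicts' => $conflicts];
}

// Constructed request: the route /accounts/{id} matched the caller's own
// account (id=42), but the POST body also carries id=7 plus a harmless field.
$attributes = ['id' => '42'];
$query      = ['page' => '1'];
$body       = ['id' => '7', 'nickname' => 'mallory'];
$files      = [];

$merged = naiveInput($attributes, $query, $body, $files);
echo "naive merge: id=" . $merged['id'] . "\n";            // 7: the body overrode the route

$strict = strictInput($attributes, $query, $body, $files);
foreach ($strict['conflicts'] as $key => $from) {
    echo "conflict on '$key' from " . implode(', ', $from) . "\n";   // attributes, body
}
// The Domain reads the identifier from the source it actually trusts.
echo "route attribute: id=" . $strict['input']['attributes']['id'] . "\n";   // 42
```

Whether to reject a request with conflicts or simply prefer one source is a policy decision for the Domain; the point of the strict variant is that the decision is made explicitly rather than by the order of arguments to array_merge.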

So, don’t think of Radar as a micro-framework. Think of it more like a wrapper around the core of your real application domain. Its only purpose is to guide input from the user into the domain, and to present output from the domain back to the user.

You can read the documentation for it here.

Link