Stefan KoopmanschapWeCamp: Everybody is welcome! (22.4.2014, 11:06 UTC)

Last month we announced WeCamp, an event where developers can improve their skills not just by listening to people, but also by actually doing things. Response has been amazing: Many people love the idea, we’ve already sold quite a few tickets, and we’ve even got Magma giving a ticket as a price (At the time of publishing of this blogpost there’s only a couple of hours left, so if you want to win, be fast!). Since announcing the event, I’ve talked to several different people who had the same doubt/question about the event, so I thought I’d clarify things a bit more.

Who should come to WeCamp?

Everyone! We don’t want to exclude anyone and we actually think everyone would be a huge asset to the event. I’ve had people say “I’m not experienced enough in development to attend”, to which I could only respond “untrue!”. The idea of WeCamp is that you don’t just train your technical skills but also your social skills. For a less experienced developer, the practical experience of working in a team with more experienced developers is priceless. In that same team, however, the most experienced developer gets the additional experience of helping a less experienced developer with the work, gaining a lot of experience and knowledge on how you can help others. This social aspect is easily just as important as gaining technical skills. So both developers come out of this gaining experience.

But I’m a frontend developer…

So? If you’re a frontend developer, have a look at the many websites created by pure backend developers… do they look good? Are they accessible? Built according to W3C standards? Most probably not. You’re needed! While we have a focus on PHP, you’ll learn to work with PHP developers: How to communicate with them, how they look at frontend work, what tools are available in the PHP ecosystem for frontend. And I know this may sound scary, but you’d perhaps even get some PHP skills as well.

Additionally: WeCamp is not just about technology. We’ll go through all stages of a project, starting at thinking of a good idea through planning to development, deployment and perhaps even marketing! There’s more than enough to learn throughout this whole process.

But I wonder about…

If you have any more doubts or questions, please let us know! This is the first time we’re organizing WeCamp so we’re still very much looking for what works best with a lot of things. If there’s any unclarity, or you have comments for improvements, let us know! You can always tweet at us @wecamp14 but you can also shoot us an email: We’re also here to learn, so please help us do just that!

Brandon SavageMeet Composer, your new autoloader (22.4.2014, 11:00 UTC)

Most PHP developers are familiar with Composer’s power as a package manager, and it’s ability to autoload all the packages it downloads. But what fewer PHP developers know about or use is Composer’s ability to load your code automatically, too.

In fact, developers can use Composer’s autoloader to autoload their own code, even if they don’t use one of the PSR standards for namespacing and path construction.

Using Composer with PSR-0 or PSR-4 for your own code

If you already apply either PSR-0 or PSR-4 to your own code, you can make use of Composer with relative ease. If you’re using PSR-0, you only have to give Composer the path and the namespace, like this:

    "autoload": {
        "psr-0" : {
            "Application": "src/"

The key tells Composer that all Application\ namespaced code iwll live in the src/ directory; PSR-0 expects that there will be an Application/ directory inside the src/ directory to contain all the code, too.

For developers who have upgraded to PSR-4, it’s as simple as making two small changes: switching the psr-0 to psr-4, and identifying the fully qualified namespace for the directory:

    "autoload": {
        "psr-4" : {
            "Application\\": "src/"

Using Composer for non-PSR-compliant applications

Legacy code often doesn’t follow the current PSR standards, and developers may find it impractical to switch. But that doesn’t mean that you can’t use Composer to autoload your code. In fact, with classmaps you can.

A classmap is a Composer feature that iterates through a directory and pulls the classes out of the files in that directory, and adds them to a classmap. Even though the application I’m using as an example implements PSR-0, we can still generate a classmap:

    "autoload": {
        "classmap" : [

This produces a classmap that looks something like this:


// autoload_classmap.php @generated by Composer

$vendorDir = dirname(dirname(__FILE__));
$baseDir = dirname($vendorDir);

return array(
    'Application\\Controller\\Dashboard' => $baseDir . '/src/Application/Controller/Dashboard.php',
    'Application\\Controller\\Defaults' => $baseDir . '/src/Application/Controller/Defaults.php',
    'Application\\Controller\\Entry' => $baseDir . '/src/Application/Controller/Entry.php',
    'Application\\Controller\\Logbook' => $baseDir . '/src/Application/Controller/Logbook.php',
    'Application\\Controller\\RequiresAuth' => $baseDir . '/src/Application/Controller/RequiresAuth.php',
    'Application\\Controller\\User' => $baseDir . '/src/Application/Controller/User.php',
    'Application\\Model\\LogEntry\\Defaults' => $baseDir . '/src/Application/Model/LogEntry/Defaults.php',
    'Application\\Model\\LogEntry\\Gateway' => $baseDir . '/src/Application/Model/LogEntry/Gateway.php',
    'Application\\Model\\LogEntry\\HourReports' => $baseDir . '/src/Application/Model/LogEntry/HourReports.php',
    'Application\\Model\\LogEntry\\LogEntry' => $baseDir . '/src/Application/Model/LogEntry/LogEntry.php',
    'Application\\Model\\LogEntry\\LogEntryCollection' => $baseDir . '/src/Application/Model/LogEntry/LogEntryCollection.php',
    'Application\\Model\\LogEntry\\Storage' => $baseDir . '/src/Application/Model/LogEntry/Storage.php',
    'Application\\Model\\User\\Gateway' => $baseDir . '/src/Application/Model/User/Gateway.php',
    'Application\\Model\\User\\Storage' => $baseDir . '/src/Application/Model/User/Storage.php',
    'Application\\Model\\User\\User' => $baseDir . '/src/Application/Model/User/User.php',
    / ...

This has some definite advantages for projects that are still stuck in legacy mode: the ability to autoload classes automatically, without rewriting massive amounts of the application. Though there is also a significant drawback: unlike PSR-0 or PSR-4, the classmap has to be updated every time a file is renamed or a new class is added. This can be avoided by using the classmap only for legacy classes, and writing new classes to be compatible with a PSR standard.

The bottom line

You don’t have to maintain your own autoloader or rely on outdated technology to keep autoloading your files. Composer offers a great number of options built into a tool you’re probably already using anyway. Give it a shot!

Liip content repository as a service (22.4.2014, 10:09 UTC)

Just before Easter I tweeted out an idea that I already threw out there a few weeks ago: Creating a PHP Content Repository (PHPCR) implementation on top of the content repository as a service. Well I had a lot of time on the train over Easter, so I decided to make it happen. Obviously coding against a remote service on the train isn't that much fun, so in fact I did a lot of coding, waited for the next train station, hit refresh a few times and so on and on. I briefly tried to setup php-vcr to log all web requests and replay them, but unfortunately the library isn't quite ready to do this yet .. but mit might be soon. Also as's content pages are actually all versioned we will soon hopefully get caching provided inside their PHP SDK. But I digress. So without further ado, I present to you an initial working version of PHPCR integration with There are obviously still a ton of todo's left .. fundamentally it works, I can read prismic documents as PHPCR nodes with properties.

Why bother?

At this point you may either be excited or wondering why I am bothering with this. If you are in the former group, you can maybe skip to the next section, if you are in the later group, let me expand. One reason to bother with this is to simply show its possible, that PHPCR indeed fullfils this promise of being able to provide a unified content repository API. We obviously have 3 implementations already but taking such a service seems to push the boundaries a little harder. The next reason is more practical: is simply a very useful service with an awesome user experience, especially for people focused on managing content rather than managing pages on a website. And they are doing this with an awesome UI, argueable the main week spot of the CMF (though I am quite excited about the work by the team).

The sky is the limit?

Now has some major differences in how content can be structured compared to plain PHPCR. Specifically they do not really structure their content into a tree per se. Instead they just have a pool of documents with UUIDs. Now it is possible to reference those UUIDs inside documents which kind of creates a tree structure. There is also native support for tagging and finally a way to bookmark document UUIDs to names. In a first step all I did was create a virtual root node that has the entire document pool as children where the names match the bookmark name (if one exists) or the UUID. All properties, including nested documents, are then mapped to properties on those children. Eventually nested documents should however maybe be exposed as child structures. Another limitation is that currently only provides a read API. But given their awesome UI, why would one want a write API? ;)

The sky is the limit!

But there is a lot possible yet. For example they provide a predicate based query API that I am very confident we will be able to map to the PHPCR query languages SQL2/QOM, similar to how we map them to SQL with Doctrine DBAL. They also support versioning, which can probably be mapped to the PHPCR simple versioning concept. They also support node types which I have already mapped but there is still work todo to map all the contraints. They also support custom namespaces which PHPCR also supports. The way they support images (and binaries) also lends itself very nicely to the stream based approach in PHPCR. So with a few more days of work, I think we can provide a pretty powerful PHPCR API for What will make the collaboration easier is that it turns out that Thibault, founding member of the Symfony CMF initative gone Scala-lover, works for who created But Rudy was actually the first one to jump on my tweets and he has already signed up to the CMF mailinglist and given important insights.

Where to go from here?

I am not sure how much time I will have on this in the coming days. The CMF 1.1 release is sti

Truncated by Planet PHP, read more at the original (another 923 bytes)

Bruno ŠkvorcDatabase Versioning with Ladder Migrations (21.4.2014, 16:00 UTC)

Version control systems are invaluable for tracking changes in your code, particularly when you’re working in a team. However, most applications don’t consist solely of application code. Managing changes to the database has always been a little more challenging, particularly when you’re adding new features which require changes to the schema.

Suppose you’re working on a module and realize one of the database tables needs an additional column. You might be tempted to open up a database query tool or the command line and simply add the column. However, this doesn’t leave a record of the change in the same way as version-controlled application code would. This gets exacerbated when working in a team - if a colleague pulls your code changes without running those same database updates, then it’s entirely possible their version of the application will break. This becomes even more problematic when you’re releasing a product update, when it could break the application not just for your fellow developers, but for your users.

One solution is to move responsibility for creating and modifying the database schema into code, using migrations. That way, changes can be managed along with the rest of your application, and features we take for granted in version control - such as being able to compare versions and keep an audit trail - can be used for database changes. It also allows these changes to be seamlessly incorporated into releases, since they can be made part of the same branch or tag.

Many major frameworks have their own migration implementation, but for those that don’t - and if you’re not using any framework - there’s Ladder.

Continue reading %Database Versioning with Ladder Migrations%

Paul M. JonesSubmit To The Central Scrutinizer (21.4.2014, 14:54 UTC)

(N.b.: I was unable to write this post without saying “ssscrrrrutinizer” out loud over and over. I blame my friend Ray Chavarie for inflicting Frank Zappa on me at an impressionable time in my life.)

After finishing Uncle Bob’s excellent Clean Code recently, I have been looking at my own code in Aura v2 even more critically. I started trying to apply more of the Clean Code principles to the different libraries, and thought I had done pretty well. But then I saw a scrutinizer.yml file in Luis Cordova’s Gush project, and I was curious about it.

I visited to read up on the project, and man was I floored. Here is a service that will analyze your project on Github and assign it a quality grade that aligns really well with the Clean Code principles (among others). After you register a repository with Scrutinizer and perform the first analysis, you can fine-tune the process with a config file so that the Scrutinizer looks in the right directories for source code, gives you code coverage analysis, and so on.

For one of my first experiments with the Scrutinizer, I started with the Aura.Sql_Schema v2 package. I thought it would come out pretty well, but even after pointing the Scrutinizer in the right direction, it only scored an 8.61 or so. I guess that’s OK — but could we do better?

Using the Hot Spots page I was able to find the worst offenders in the classes and methods. Because we have 100% test coverage on all Aura code, it was a only matter of applying appropriate refactorings — the tests help to assure that changes don’t break anything. (The Scrutinizer will even suggest refactorings for you to apply.)

After the refactoring processes, the Scrutinizer reported a 9.46. You can see the Scrutinizer report for Aura.Sql_Schema here. There’s still room for improvement, but at least I know where the greatest improvement opportunities are.

Now that I’ve got a few days’ experience with Scrutinizer, I find it a very valuable tool. It’s very helpful as an objective assesment of code quality, so much so that I have added Scrutinizer badges to each Aura v2 package readme. You can see all the badges for all the packages on the v2 packages page.

Maybe the rest of the world knew about Scrutinizer before this, and I’m late to the game. I had not heard about it until recently, and now that I’m aware of it, I think it’s a great service for any developer concerned about code quality. Congratulations to @schmittjoh and everyone else involved in Scrutinizer. Very nicely done!

UPDATE: In response to a question elsewhere: yes, Scrutinizer is free for open-source projects.

PHP ClassesIs the Hack Language Going to Replace PHP? - Lately in PHP podcast episode 46 (21.4.2014, 09:51 UTC)
By Manuel Lemos
The release of the Facebook Hack language has shaken the PHP community since it implements several frequently requested features that were never implemented, many users are considering to drop PHP in favor of Hack.

This was one of the main topics discussed by Manuel Lemos and Arturs Sosins on the episode 46 of the Lately in PHP podcast.

They also talked about the OpenSSL Heartbleed security bug may affect PHP sites or not, ideas for the PHP 6 engine, the need for an official PHP specification, and an advanced email validation that can provide suggestions for address typos like Google did you mean feature.

Now listed to the podcast, or watch the hangout video or read the transcript to learn more about these interesting PHP topics.
Bruno ŠkvorcDatabase Versioning with DBV (19.4.2014, 16:00 UTC)

It’s good practice to always use a version control system in any of your projects. Be it a side-project in which you are the only developer, or a team project where five or more people are working on it together. But the idea of putting your database into version control isn’t really that widespread. Often times we take the database for granted.

But like the source files in our project, the database is constantly changing too. That’s why we also need a way to track the changes that we have made and easily share it to other members of our team.

In this article we will take a look at DBV, a database version control system written in PHP for MySQL databases so you need to have PHP and MySQL installed before you can use it, along with a web server like Apache or Nginx.

An important note about this software is that it is not a stand-alone database version control system, because it needs a version control system such as Git, Mercurial or SVN for syncing changes with your team.

Installing DBV

To start working with DBV, first you have to download the installer from their website, extract it into your project directory then rename the resulting folder to dbv. This will give you the following path:


An alternative approach is just cloning from Github.

DBV Configuration

You can start configuring the options for DBV by creating a copy of the config.php.sample file and renaming it to config.php.

The most important things to update here are the first two sections. Just substitute the values for my_username, my_password, my_database for the values in your current database configuration:

Continue reading %Database Versioning with DBV%

Christian WeiskePhancap: Your own website screenshot service (18.4.2014, 21:02 UTC)
Website screenshot
Full page screenshot

My bookmark manager SemanticScuttle is able to show screenshots for bookmarked websites, but always relied on an external service to generate them. The service shut down now - time to look for an alternative.

There are several dozen screenshot services on the internet; some have free plans that would allow you to re-enable screenshots on your self-hosted SemanticScuttle instance for free. But unfortunately this means registering at yet another service and being again dependent. Time for something new!


Over the last three weeks, I built phancap - a self-hosted website screenshot service. With it, your bookmark manager will never have to depend on an external service again.

It's easy to setup: Simply drop the .phar in your webserver's document root, install xvfb-run, cutycapt and imagemagick, and you're done.

It supports JPG, PNG and PDF output formats. PNG is ideal for screenshots, while full-text PDF is nice for long-time archiving of web pages.

You may configure the browser and thumbnail size, and can choose between a fixed height and full-page screenshots. Authentication may be enabled to prevent others using your server resources.

Download it or grab the source code (github mirror).

blog.phpdeveloper.orgThe Usual Suspects…now with XSS! (18.4.2014, 16:23 UTC)

I’ve just pushed the latest update of the most recent book in the Securing PHP ebook series – The Usual Suspects – and included an entire chapter covering cross-site scripting:

Next we come to something that’s probably a bit more widely known but often misunderstood, especially when it comes to the power that it offers to the attacker. Part of the confusion comes from the name of the attack. When you think about the attack method an XSS vulnerabilities allows, the only thing “cross site” about it is that it can possibly come in as a link from another site. Other than that, a cross-site scripting vulnerability can be more closely associated with injection. In fact, the main reason a site might have a cross-site scripting issue is because of improper output escaping.

This new chapter has loads of information about the different types of XSS issues, the different contexts it can happen in and plenty of code and configuration examples of how to prevent them. If you haven’t picked up a copy of it yet, there’s no time like the present!

Don’t forget about the first book in the Securing PHP series too! Core Concepts is a great introduction to security terminology, methods and principles that can help you lay a good foundation for more secure applications.

Bruno ŠkvorcA Look at Valentina (18.4.2014, 16:00 UTC)

Valentina is a set of tools including: Valentina DB (a new SQL database server), Valentina Studio (a database management tool), Valentina Report (a GUI to create reports to be used in an application like PHP) and a related development toolkit (called ADK).

In this article, we will take a look at:

  • How to use Valentina Studio to manage our MySQL database;
  • How to use Valentina Report to create a presentable report.

We will not, however, discuss the the Valentina Database as it is impossible to grasp a new database server and cover its underlying mechanisms in such a short article.

Valentina Studio

Valentina Studio, the database management tool, has two versions. One is free and can be downloaded here. Another is the Pro version, with more features, priced at $200 per unit. Both versions support Windows, Mac and Linux platforms, making it a cross-platform tool.

In this article, I will use Valentina Studio Pro. Thanks to Valentina for providing me with a key for my installation and evaluation.

The startup speed of Valentina Studio is fast, faster than another tool that I am using. Its main interface has 3 panes:

Fig. 1 The welcoming window

  • Servers: Provides CS based database management. It supports four types of “servers”: MySQL, PostgreSQL, Valentina and ODBC. It supports both local server and remote server connections. In my case, we can see there are two remote MySQL connections and one local connection. A red dot before the connection (or “Bookmark” in Valentina’s term) means the server is currently down. A green dot means it is up and running.
  • Database: Supports files based database management. Currently it supports Valentina DB and SQLite.
  • Projects: This is mainly used in report generation. A “report” generated by Valentina can reside locally and remotely. But it must have Valentina Report Server support (bundled with Valentina Server) to be called from an application. The report project manages the source, query and design of a report. We will cover this later.

After selecting a server, the databases in that server will be displayed in the following cascading column view:

This is my favorite view in Valentina Studio. In this view, different levels of entities (database, table, fields, links, indexes, etc) are displayed in columns in a cascading style. Selecting a database in column one, we can choose to display tables, links, views in column two; and for tables, view its fields, indexes, etc in column three. And the final level of details will be displayed in the right most pane. We can also create and modify an entity accordingly.

Another view, less used in my case, is the tree view:

When a table is selected, it displays the table data in a grid view; when a field is selected, only the column data is displayed. In the grid, we can right click on a record to export that record into CSV or SQL.

Continue reading %A Look at Valentina%

LinksRSS 0.92   RDF 1.
Atom Feed   100% Popoon
PHP5 powered   PEAR
ButtonsPlanet PHP   Planet PHP
Planet PHP