Monthly Archive for August, 2008

Agile development with the Agilo for Scrum Trac plugin

Trac is a well known issue tracking system with an integrated wiki, version control browser and more. It allows for a more streamlined development process with software tickets, changeset views and roadmaps. An excellent fit for helping with PHP application development, for example.

Now, agile development has certainly proven its use in the PHP world, but imho it lacks a good tool to track everything that surrounds it. We’re talking about a way to manage user stories, requirements, tasks, time tracking, sprints, and product and sprint backlogs, all in a preferably web-accessible way. The only alternatives I knew of before were Excel or the Phprojekt Scrum addon (which I honestly haven’t tried yet, as I’m not (yet) familiar with Phprojekt). Some weeks ago though, I stumbled on Agilo for Scrum.

Agilo for Scrum is a Trac plugin that builds on the issue tracking system and extends it with features that let you follow a more agile development process. It’s still in early beta, but it looks very promising already. It’s released under the Apache License 2.0, so you can always have a look under the open-source hood ;-) Installation is possible with a Python egg, so you can easy_install the whole thing, provided you have the needed dependencies (matplotlib and the Python Imaging Library, to name a few). After setup, Trac is modified quite substantially, so let’s have an overview.

The main change is the new dashboard link, which hosts some nice graphs on the sprint burndown and displays resolved or open tickets.
This is an example of such a burndown graph:
Dashboard chart

Below the charts, the available actions and reports are displayed. Actions include creating requirements, tasks, user stories or bugs. Reports are for example the product backlog and sprint backlog. The great thing about the changed issue tracking is that it’s now possible to build relations between different registered issues. This way it’s possible to have a user story with different tasks linked to it.
Every task can now be assigned to a certain sprint:

User story

Different Trac users can be assigned to development groups and the amount of possible spendable hours can be set on a per-day basis for each developer. This way it’s possible to see how much time something should need and how much developer time there’s still available to implement a feature.

It’s a pretty sweet enhancement to Trac, and although it isn’t totally ready for production use (yet), it’s worth having a look and testing it out; you might like it! More information can be found on the agile42 website.

PHPBelgium meeting 20/08/’08 review

Last night PHPBelgium organized its second meeting since it was founded. It was held in the auditorium of the Artevelde college in Ghent, which turned out to be a very good but unfortunately hard-to-find venue. The meeting schedule was packed, but we had a lot of fun stuff to announce, so we tried our best to fit it all into a two-hour schedule. We had about 31 attendees, which is a success given the fact that our last meeting only had 4 people!

First off, we could announce some of the things we have accomplished, such as organizing a PHP TestFest together with the phpGG. Then, Ivo Jansch (one of our attendees!) was kind enough to raffle off a signed copy of his new book (“Guide to Enterprise PHP Development“) to one lucky person in the audience. A good way to start off the talks :-)

The first talk was given by me and was called “Improved PHP development“. It looks at the different ways, methods and tools to improve your PHP development and take it to a new level. The talk ran too long, but the subject is so broad that it could easily have filled a whole day. My intent was not to cover everything, but to give an overview of what can be done. I’m definitely planning more in-depth tutorials and talks on the subjects that were presented.

After a coffee break, we continued with Michelangelo van Dam’s talk on Extending Zend Framework. This presentation explained how you can extend Zend Framework classes to adapt them to your own needs. One example was a Zend_Translate adapter for storing translations in a database; a translation view helper was then written to make this new translating functionality available in the view. It was an insightful and practical talk on what is possible with Zend Framework.

Next up, we raffled off an elePHPant using a random number generating php script. One elePHPant now has a home with a happy new owner ;-)

To close the evening, we had one last special announcement to make: we were able to give away a free ZendCon ticket to one of the attendees! Of all the people that attended the meeting, some were interested (and could actually make the necessary arrangements at such short notice!), so we asked a question about one of our talks, with an extra question to decide the winner in case there was more than one correct answer. We’re happy to announce that Juliette Reinders Folmer has the opportunity to meet up with her fellow phpwomen colleagues next month in Santa Clara, CA!

We all had a drink afterwards, lots of people got to meet each other and there was a really happy mood. All things considered, we’ve done pretty well for a second event, and we can’t wait to organise more events, workshops and meetings like this in the near future! Thanks to everyone that could attend, and help spread the word to make PHP gain the popularity it deserves! See you next time!

Static analysis for PHP

Lately I’ve been interested in applying static analysis to PHP projects. Static analysis is the process of analysing software code (in our case PHP source code) without actually executing the (compiled) result of the source you’re analysing. In its simplest form, the php -l sourcefile command provides static analysis of a PHP file by checking the source for syntax errors. Other analysis methods are pattern-based static analysis, data flow static analysis, and code metrics calculation. Examples of this last method are the PMD report and the cyclomatic complexity metric in PHPUnit.

The biggest uses for static analysis in PHP projects are security, stability and performance testing. For one, it can be used to find unsafe practices in source code. Let’s imagine you have a $username variable, coming from $_GET['username']. Good practice tells you that this (and all user-) input should be considered tainted and needs to be filtered. If you provide patterns that look for operations on this tainted value, you can determine whether a variable could cause a potential SQL injection attack or is safe enough to be used.

Other uses are, for example, gathering various statistics about a PHP project: how much of my application calls a memcache server, how tight is the coupling in a modular component structure (PHP_Depend could help out on that), which parts of my application are most prone to bugs (Sebastian Bergmann’s bug miner is suited here) and much more. Of course, much of the time a completely custom solution will be needed, in which case PHP’s tokenizer functions (token_get_all) can help you out.

Unfortunately, one of the biggest problems with static analysis of PHP code lies in the fact that PHP is a very dynamic and implicit language, from a language semantics point of view. The C #include directive, for example, is resolved by the preprocessor at compile time, so the included file is always known statically. PHP’s equivalent (include()) on the other hand takes any valid expression as its argument, so the file name is only resolved at runtime, which makes it difficult to analyse statically.

How do you make your code more statically analysable? Use as many expressions as possible that can be evaluated at analysis time. Use constant expressions as arguments for include() and require(). Don’t use things like magic methods or eval (actually, never use eval()!).
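The following is a toy version of the pattern-based taint check sketched above (tainted $_GET input flowing into a sink), built on the tokenizer functions mentioned earlier; it also reports include()/require() calls whose argument is not a constant string, the very case from the previous paragraph that cannot be resolved statically. This is an added example written for this post, not code from the original post or from Pixy. The lists of sources, sanitizers and sinks (mysql_query() as the SQL sink, echo/print as the XSS sink) and the sample input are assumptions made for illustration only:

```php
<?php
// Added example (not from the original post, and not Pixy): a pattern-based taint
// check on top of token_get_all(). Variables assigned from a user-input source are
// followed to echo/print and mysql_query(); include/require with a non-constant
// argument is reported because the file cannot be resolved statically.
// Source, sanitizer and sink lists are assumptions for this example.

function strip_noise(array $tokens) {
    // Drop whitespace and comments so neighbouring tokens can be compared directly.
    $out = array();
    foreach ($tokens as $tok) {
        if (is_array($tok) && in_array($tok[0], array(T_WHITESPACE, T_COMMENT, T_DOC_COMMENT))) continue;
        $out[] = $tok;
    }
    return $out;
}

function stmt_end(array $t, $i) {           // index of the ';' ending the statement at $i
    for (; $i < count($t); $i++) if ($t[$i] === ';') return $i;
    return count($t) - 1;
}

function matching_paren(array $t, $open) {  // index of the ')' matching the '(' at $open
    $depth = 0;
    for ($i = $open; $i < count($t); $i++) {
        if ($t[$i] === '(') $depth++;
        elseif ($t[$i] === ')' && --$depth == 0) return $i;
    }
    return count($t) - 1;
}

function tainted_vars(array $t, $from, $to, array $tainted, array $sources, array $sanitizers) {
    // Variables in $t[$from..$to] carrying user input; anything wrapped in a sanitizer
    // call such as intval(...) or htmlspecialchars(...) is treated as clean.
    $found = array();
    for ($i = $from; $i <= $to; $i++) {
        $tok = $t[$i];
        if (!is_array($tok)) continue;
        if ($tok[0] == T_STRING && in_array($tok[1], $sanitizers) && isset($t[$i + 1]) && $t[$i + 1] === '(') {
            $i = matching_paren($t, $i + 1);
            continue;
        }
        if ($tok[0] == T_VARIABLE && (in_array($tok[1], $sources) || isset($tainted[$tok[1]]))) $found[] = $tok;
    }
    return $found;
}

function analyse($code) {
    $sources    = array('$_GET', '$_POST', '$_COOKIE', '$_REQUEST');
    $sanitizers = array('intval', 'htmlspecialchars', 'htmlentities', 'mysql_real_escape_string');
    $includes   = array(T_INCLUDE, T_INCLUDE_ONCE, T_REQUIRE, T_REQUIRE_ONCE);
    $t = strip_noise(token_get_all($code));
    $tainted  = array();   // variable name => line where it picked up user input
    $findings = array();

    for ($i = 0; $i < count($t); $i++) {
        if (!is_array($t[$i])) continue;
        list($type, $text, $line) = $t[$i];

        if ($type == T_VARIABLE && isset($t[$i + 1]) && $t[$i + 1] === '=') {
            // $x = <expr>;  $x becomes tainted if unsanitised user input appears on the right.
            $end = stmt_end($t, $i);
            if (count(tainted_vars($t, $i + 2, $end, $tainted, $sources, $sanitizers)) > 0) $tainted[$text] = $line;
            else unset($tainted[$text]);
            $i = $end;
        } elseif ($type == T_ECHO || $type == T_PRINT) {
            $end = stmt_end($t, $i);
            foreach (tainted_vars($t, $i + 1, $end, $tainted, $sources, $sanitizers) as $v)
                $findings[] = sprintf('line %d: %s reaches %s unescaped (possible XSS)', $v[2], $v[1], $text);
            $i = $end;
        } elseif ($type == T_STRING && $text == 'mysql_query' && isset($t[$i + 1]) && $t[$i + 1] === '(') {
            $end = matching_paren($t, $i + 1);
            foreach (tainted_vars($t, $i + 2, $end - 1, $tainted, $sources, $sanitizers) as $v)
                $findings[] = sprintf('line %d: %s reaches mysql_query() unescaped (possible SQL injection)', $v[2], $v[1]);
            $i = $end;
        } elseif (in_array($type, $includes)) {
            $end  = stmt_end($t, $i);
            $args = array_slice($t, $i + 1, $end - $i - 1);
            if (count($args) > 1 && $args[0] === '(' && end($args) === ')') $args = array_slice($args, 1, -1);
            if (count($args) != 1 || !is_array($args[0]) || $args[0][0] != T_CONSTANT_ENCAPSED_STRING)
                $findings[] = sprintf('line %d: %s argument is not a constant string, cannot be resolved statically', $line, $text);
            $i = $end;
        }
    }
    return $findings;
}

// Constructed input for this example (not from the original post).
$sample = implode("\n", array(
    '<?php',
    '$id   = $_GET["id"];',
    '$safe = intval($id);',
    'mysql_query("SELECT * FROM users WHERE id = $id");    // tainted $id reaches the query',
    'mysql_query("SELECT * FROM users WHERE id = $safe");  // went through intval(), clean',
    'echo $id;                                             // tainted $id reaches echo',
    'echo htmlspecialchars($id);                           // escaped, clean',
    'include $_GET["page"] . ".php";                       // file name only known at runtime',
    'require_once "config.php";                            // constant string, resolvable',
));

foreach (analyse($sample) as $finding) echo $finding, "\n";
```

Run against the constructed sample this reports the first mysql_query() (line 4), the bare echo (line 6) and the dynamic include (line 8), and stays quiet about the intval()- and htmlspecialchars()-wrapped uses and the constant require_once. It is deliberately naive: taint is only tracked through straight-line assignments, not through function parameters, array elements, branches or string functions, which is exactly the data flow analysis that a real tool like Pixy adds on top of this kind of pattern matching.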

After this introduction on the subject you might wonder what can actually be used to implement this. One project that has been dealing almost exclusively with static analysis for PHP is Pixy. It scans PHP code and currently aims to detect things like XSS or SQL injection vulnerabilities. Some basic support for include files is also available, so in theory you could do a data flow analysis through your whole application. Unfortunately, right now Pixy only operates on PHP 4 code, which is of course pretty problematic, given that we are about ready to get our hands on PHP 5.3. This aside, a fun feature is that it generates nice dot graphs, such as the call graph for a simple PHP file, like below:

This is generated by the following code:

class foo
{
        function bar($baz)
        {
                echo $baz;
        }
}
 
$x = $_GET['x'];
$foo = new foo();
$foo->bar($x);

Other useful information gets printed too, such as whether there’s a security vulnerability:

Vulnerability detected!
- unconditional
- /home/felix/staticAnalysis.php:4
- Graph: xss1

If you’re interested in analysis like this, have a look at the Taint support patch from Wietse Venema, which in a way has the same concerns as Pixy, but tackles it at the PHP engine itself. It isn’t really a complete implementation of taint support in PHP, but is a good start. At the moment it outputs warnings to tell you a tainted variable isn’t properly filtered.

Of course, static analysis is just one step that can be taken to help ensure your code is safe. It is by no means a complete solution for securing your PHP application, and there are many more measures around for further testing PHP projects. Take for example PHPUnit, SimpleTest, PHPT or Selenium. Combine these with a continuous integration tool like phpUnderControl and you might sleep a bit better at night, knowing there are some ways to ensure things won’t go wrong :-)

08/08/08 and the day PHP 4 has gone

Today is 08/08/08 and I like this day, especially since every last bit of support for PHP 4 is now over. PHP 4.4.9 has been released and it’s the last PHP 4 release you’ll ever get to see. Yes, even in case of security holes PHP 4 won’t be updated anymore, and everyone is strongly advised to upgrade to PHP 5.

Have a look at your current PHP applications, and if any of them are running on PHP 4, think of the consequences. A security hole could be found and no one will be there to help you out. Your site will stay vulnerable until you decide to take the step to PHP 5, benefit from all the new goodies along the way and can sleep tight again. If you’re not sure how to tackle the upgrade, have a look at Stefan Priebsch’s book on PHP 5 migration.

PHP 5.2.6 is now the latest stable version. Unlike PHP 4, it has a proper object model, SPL, Exceptions, PDO and much more. PHP 5.3 alpha 1 has just been released into the wild, with support for namespaces, late static binding, closures and lambdas, phar, new (or newly bundled) extensions, and it’s a pleasure to use. PHP 6 is in ongoing development, with full unicode support as one of the main features. Guess it’s time to let go of old stuff, RIP PHP 4. Isn’t that sweet :-)

PHP TestFest 2008

PHP.net has posted a nice overview of the PHP TestFest 2008 initiative, which aims to increase the PHP source code coverage through PHPT tests. Worldwide, the TestFest was carried out by different user groups, and of course PHPBelgium and the phpGG were also present. We arranged a meetup in Roosendaal earlier this year and, with a group of 10 people, we managed to write about 40 tests! All efforts combined, there was an increase of about 10% in code coverage for PHP, which was great to hear!

Actually, I found it so much fun and rewarding to help PHP as a whole in this new way, I decided to continue contributing tests to the submission system. You can imagine I was quite excited when the PHP-QA team actually asked me if I was interested in commit access to the PHP source tree! It’s a great way to give back to the community, and apparently I got mentioned for this in the php.net article, which of course made me somewhat proud ;-)

It was very cool to see the collaborative work around the world being rewarded with our favourite pets, and no less than 4 people from Belgium and the Netherlands (Michelangelo van Dam, Stefan Koopmanschap, Rein Velt, Marc Veldman) were given an elePHPant.

Actually I think initiatives like the PHP TestFest make this thriving and exciting community what it is right now, and that is why I very much like the emPHPower initiative from Lukas Smith. To quote the mission statement: “emPHPower is a mediator and catalyst that empowers members of the community to follow their own ideas”. Things like the PHP TestFest, for example, could fall under the organisation of emPHPower.

I’m pretty sure I’ll organise next year’s PHP TestFest for Belgium (and the Netherlands), under the PHPBelgium / phpGG umbrella of course ;-) Testing is one of many great ways to engage in the PHP community, and the only thing you need to know is how to write PHP code. After all, most of you who are reading this probably know how :-) More information can be found on the PHP-QA website.

Screenshot: “PHP TestFest 2008 on PHP.net” (on flickr).