Archive for the 'PHP' Category

Page 2 of 4

PHPBelgium meeting 20/08/’08 review

PHPBelgium logoLast night PHPBelgium organized the second meeting since it was founded. It was located at the auditorium of the Artevelde college in Ghent, which seemed to be a very good but unfortunately hard-to-find venue. The meeting schedule was packed, but we had a lot of fun stuff to announce so we tried our best to fit it all in a 2 hour timescheme. We had about 31 attendees, which is a success given the fact that our last meeting only had 4 people!

First off, we could announce some of the things we have accomplished, such as organizing a PHP TestFest together with the phpGG. Then, Ivo Jansch (one of our attendees!) was kind enough to raffle off a signed copy of his new book (“Guide to Enterprise PHP Development“) to one lucky person in the audience. A good way to start off the talks :-)

The first talk was given by me, and was called “Improved PHP development“. It takes a look at the different ways, methods and tools to improve your PHP development and take PHP development to a new level. Even though the talk was actually too long, the subject was very broad and could very well have taken a whole day to talk about. My intent was actually not to do this but have an overview of what can be done. I’m definitely planning more in-depth tutorials and talks for any of the subjects that were presented.

After a coffee break, we continued with Michelangelo van dam‘s talk on Extending Zend Framework. This presentation explained how you can extend Zend Framework classes to adapt them to your own needs. An example of this was the Zend_Translate adapter for storing translations in a database. A translation view helper was made to have this new translating functionality available in the view. It was an insightful and practical talk on what is possible with Zend Framework.

Next up, we raffled off an elePHPant using a random number generating php script. One elePHPant now has a home with a happy new owner ;-)

To close the evening, we had one last special announcement to make: we were able to give away a free ZendCon ticket to one of the attendees! Of all the people that attended the meeting, some were interested (and could actually make the nessecary arrangements in such short notice!), so we had a question about one of our talks, with an extra question to make up the winner in case there was more than one correct answer. We’re happy to announce that Juliette Reinders Folmer has the opportunity to meet up with her fellow phpwomen collegues next month in Santa Clara, CA!

We all had a drink afterwards, lots of people got to meet eachother and there was a really happy mood. All things considered, we’ve done pretty good for a second event, and we can’t wait to organise more events, workshops and meetings like this in the near future! Thanks to everyone that could attend, and help spread the word to make PHP gain in the popularity it deserves! See you next time!

Static analysis for PHP

Lately I’ve been interested in applying static analysis to PHP projects. Static analysis is the process of analysing software code – in our case PHP source code -, without actually executing the (compiled) result of the source code you’re analysing. In its simplest form, the php -l sourcefile command provides static analysis of a PHP file by analysing the source for syntax errors. Different other analysis methods are pattern-based static analysis, data flow static analysis, and code metrics calculation. Examples of this last analysis method are for example the PMD (Project Mess Detection) or Cyclomatic complexity metric in PHPUnit.

The biggest use for applying static analysis in PHP projects is security, stability and performance testing. For one, it could be used to determine unsafe practices in source code. Let’s imagine you have a $username variable, coming from $_GET['username']. Good practices tell you this (and all user-) input should be considered tainted, and needs to be filtered. If you provide certain patterns that look for actions on this tainted value, you could determine if some variable will cause a potential SQL injection attack or is safe enough to be used.

Other uses are for example gathering various statistics about a PHP project, like: How much of my application calls a memcache server, how is the coupling in a modular component structure (PHP_Depend could help out on that), what are the parts of my application that are most prone to bugs (Sebastian Bergmann‘s bug miner is suited here) and much more. Of course, much of the time a completely custom solution would be needed, in which case you could be helped by PHP’s tokenizer functions.

Unfortunately, one of the biggest problems with static analysis on PHP code lies in the fact that PHP is a very dynamic and implicit language, from a language semantics point of view. The C language, for example, implements include which resolves its arguments at compile time. PHP’s equivalent on the other hand (include()), takes any given (valid) expression as an argument, leading to runtime resolving of the parameters, and thus making it difficult to statically analyse.

How to make your code more statically analysable? Use as much expressions that can be evaluated at analysis time. Try to use constant expressions as arguments for include() and require(). Don’t use things like magic methods or eval (actually, never use eval()!).

After this introduction on the subject you might wonder what can actually be used to implement this. One project that has been dealing almost exclusively with static analysis for PHP is Pixy. It scans PHP code and currently aims to detect things like XSS or SQL injection vulnerabilities. Some basic support for include files is also available, so in theory you could make a data flow analysis through your application. Unfortunately, right now Pixy only operates on PHP 4 code, which is of course pretty problematic, given that we are about ready to get our hands on PHP 5.3. This aside, the fun thing is that this generates nice dot graphs, such as the call graph for a simple PHP file, like below:

This is generated by the following code:

class foo
{
        function bar($baz)
        {
                echo $baz;
        }
}
 
$x = $_GET['x'];
$foo = new foo();
$foo->bar($x);

Other useful information gets printed too, like if there’s a security vulnerabillty:

Vulnerability detected!
- unconditional
- /home/felix/staticAnalysis.php:4
- Graph: xss1

If you’re interested in analysis like this, have a look at the Taint support patch from Wietse Venema, which in a way has the same concerns as Pixy, but tackles it at the PHP engine itself. It isn’t really a complete implementation of taint support in PHP, but is a good start. At the moment it outputs warnings to tell you a tainted variable isn’t properly filtered.

Of course, static analysis is just one step that can be taken to guarantee your code is safe. It is by no means a definite solution to secure your PHP application, and there are much more measures around that further test PHP projects. Take for example PHPUnit, SimpleTest, PHPT or Selenium. Combine this with a continuous integration tool like phpUnderControl and you might sleep a bit better at night, knowing there are some ways to ensure things won’t go wrong :-)

08/08/08 and the day PHP 4 has gone

PHPToday is 08/08/08 and I like this day, especially since every last bit of support for PHP 4 is now over. PHP 4.4.9 has been released and it’s the last PHP 4 release you’ll ever get to see. Yes, even in case of security holes PHP 4 won’t be updated anymore and everyone is strongly suggested to update to PHP 5.

Have a look at your current PHP applications, and if any of them are running on PHP 4, think of the consequences. A security hole could be found and no one will be there to help you out. Your site will be vulnerable until the point you decide to take the step to PHP 5, benefit of all the new goodies on the way and can sleep tight again. If you’re not sure how to tackle the upgrade, have a look at Stefan Priebsch’s book on PHP 5 migration.

PHP 5.2.6 is now the latest stable version. Unlike PHP 4, it has a proper object model, SPL, Exceptions, PDO and much more. PHP 5.3 alpha 1 has just been released into the wild, with support for namespaces, late static binding, closures and lambdas, phar, new (or newly bundled) extensions, and it’s a pleasure to use. PHP 6 is in ongoing development, with full unicode support as one of the main features. Guess it’s time to let go of old stuff, RIP PHP 4. Isn’t that sweet :-)

PHP TestFest 2008

PHP.net has posted a nice overview of the PHP TestFest 2008 initiative, which aims to increase the PHP source code coverage through PHPT tests. Worldwide, the TestFest was carried out with different user groups, and of course the PHPBelgium and phpGG were also present. We arranged a meetup in Roosendaal earlier this year and with a group of 10 people, we managed to write about 40 tests! All efforts combined, there was about 10 % increase in code coverage for PHP, which was great to hear!

Actually, I found it so much fun and rewarding to help PHP as a whole in this new way, I decided to continue contributing tests to the submission system. You can imagine I was quite excited when the PHP-QA team actually asked me if I was interested in commit access to the PHP source tree! It’s a great way to give back to the community, and apparently I got mentioned for this in the php.net article, which of course made me somewhat proud ;-)

It was very cool to see the collaborative work around the world being rewarded with our favourite pets, and no less than 4 people from Belgium and the Netherlands (Michelangelo van Dam, Stefaan Koopmanschap, Rein Velt, Marc Veldman) were given an elePHPhant.

Actually I think initiatives like the PHP TestFest make this thriving and exciting community what it is right now, and it’s because of that I very much like the Emphpower initiative from Lucas Smith. To quote the mission statement: “emPHPower is a mediator and catalyst that empowers members of the community to follow their own ideas”. For example, things like the PHP TestFest could fall under the organisation of Emphpower.

I’m pretty much sure I’ll organise the next year PHP TestFest for Belgium (and the Netherlands), under the PHPBelgium / phpGG umbrella of course ;-) Testing is one of many great ways to engage in the PHP community, and the only thing you need to know is how to write PHP code. After all, most of you who are reading this probably know how :-) More information can be found on the PHP-QA website.

PHP TestFest 2008 on PHP.net” screenshot on flickr.

Generating PHP test coverage and ccache

Today I had a weird error while generating PHP code coverage for PHPT tests. If you’re writing PHP extensions, it’s quite common to use compiler caches like ccache. They cache compile results in a way that speeds up multiple compilation of the same source, something which happens quite a lot if you’re working on coding some C extension. So I have cc, gcc and g++ dynamically linked to the ccache binary, which does the caching after proxying the compile request to the actual compiler. This works great, but when generating GCC code coverage (gcov), things don’t work as expected. When running make lcov, the following happened at the end:

Generating php_lcov.info
Capturing coverage data from lcov_data/
Found gcov version: 4.1.2
Scanning lcov_data/ for .gcda files ...
ERROR: no .gcda files found in lcov_data/!
make: *** [php_lcov.info] Error 255

The .gcda files are the ones which contain the useful coverage data used by lcov, but they just weren’t there! It took a while to figure out that disabling ccache fixed the problem. Actually the problem itself isn’t fixed, so if anyone has any idea why ccache and gcov data don’t like eachother, let me know in the comments! But for now, at least there’s a way around it, just disable ccache :-)

Dutch PHP Conference 2008, afterwards.

I just got back from the Dutch PHP Conference at the RAI in Amsterdam, and I had a great time! The 2 days conference (organized by the great people of Ibuildings and Zend) in Amsterdam were packed with fun stuff, interesting talks and people, and a cool football match (although I’m totally not into sports :-))

At thursday evening, we arrived in Amsterdam by car and first checked into our hotel. Afterwards there was still some time left to go to the city centre, so we did a bit of sightseeing. We knew quite some guys were going to a place called Fidelio, so after a good meal we went over there. As it was pretty late then, quite some people were already gone, but we still found Sebastian, Lorna, Derick, Scott, Stefan and some PHP London guys over there. It was closing time soon, so we decided to go to the hotel then.

Next day I chose the Zend Framework tutorial by Matthew Weier O’Phinney. After a short introduction and an overview of the Framework, we looked a bit deeper into specific components of the framework. Topics that were covered are how to use and write action and view helpers, the plugin architecture, extending Zend Framework classes, creating custom decorators, validators and filters, forms, how to test your code and much more! Matthew is a great speaker and the tutorial touched a lot of advanced topics, so it was definitely worth it :-)

That evening, there was a pre-conference social at the Werck bar in the city centre. We first went to diner at a great vegetarian place called “De Bolhoed” and got just in to see the start of the football match with the netherlands and france. At about half time, I decided to have it a bit and ended up with Matthew Weier O’Phinney, Remi Woler and Terry Chay talking about scalability issues and social network architectures. Really interesting stuff! The Dutch football players won the match with 4-1, so you can imagine a big party was about to start. We decided to take a walk to the central station so we could see (and feel) some of the victory happyness, afterwards we took the metro back to our hotel.

The last (and the main conference) day started with meeting some friends, such as Michelangelo and Andries. The first keynote by Zeev Suraski talked about a bit of history of PHP and where it is today. It was a funny and interesting talk with a lot of nice facts about PHP and the PHP community I didn’t know. Then Marco Tabini took the stage with his keynote “PHP and the taste of mayo”. After a pretty funny introduction, Marco moved on to keeping it simple in PHP (just as preparing mayo should be simple). He also talked about the revenue generated per visitor in different types of websites. As always, Marco delivered a good talk which makes you think about some topics.

After lunch, I accidentally missed Gaylord Aulke‘s talk “An Infrastructure for Team Based PHP Development”, but instead had a very interesting talk with Terry Chay. We talked about the viral workflow of a social networking site, data analysing techniques and photo cameras. Even though he states in the closing keynote he’s not a good photographer, he has very thorough knowledge on how cameras work. He’s great in explaining difficult topics in a way you actually could understand it :-)

Next up, Lorna Michell went to the stage with her talk “PHP Deployment with subversion”. While she said in advance she was very nervous about it, she actually did great, and I very much enjoyed her way of presenting the topic. Her overview of what is possible for deploying PHP projects was nice. After all, if you throw in references to Super Mario and Nabaztag‘s, what could go wrong? ;-)

Finally, Terry Chay prepared for the closing keynote, titled “The internet is an Ogre”. After making the analogy of the internet being big ugly fat ogre with layers, he continued on Stability, Scalability, Speed and Security and why you should handle them in that order. It’s always fun to hear Terry’s ideas, and while he might use some explicit language to get his point across, I mostly agree with what he’s saying.

This was a great conference. I got the chance to meet old friends, friends I only knew from IRC or online, but also meet interesting new people. The speakers presented some new ideas and it was very cool to see PHP be so much “alive”. A big thanks to all organizers and speakers for making this possible. I can easily say it was the best PHP conference I’ve attended yet, and I’m very much looking forward to going back next year! See you!

Testing Databases, streams and files with PHPT

Writing PHPT tests is pretty easy to learn. Basically, you execute php code, and define what output is expected from the code. That’s fine for testing string manipulating functions or some other basic function, but what do you do if databases or streams need to be tested? What if you need files or directories to execute code upon?

For databases, things can either be a bit difficult or not. Testing MySQL functionality is still a bit difficult, currently this is done mostly by fetching environment variables. You can set variables for MYSQL_TEST_HOST, MYSQL_TEST_PORT, MYSQL_TEST_USER, MYSQL_TEST_PASSWD, MYSQL_TEST_ENGINE, MYSQL_TEST_SOCKET to define connection parameters for your MySQL tests (for PDO_MYSQL they’re named a bit different, but you get the idea). An example of getting the hostname is:

$host = getenv("MYSQL_TEST_HOST") ? getenv("MYSQL_TEST_HOST") : "localhost";

Testing sqlite on the other hand is a whole lot easier. If you know that sqlite supports in-memory databases, you can pretty much get everything tested without a database dependency or files on the filesystem. Just open the database handle like this:

// procedural
$db = sqlite_open(':memory:');
// or OO-style
$db = new SQLiteDatabase(':memory:');

PHP streams are a similar subject when it comes to PHPT testing. If you want to test functions that interact with a stream handler, just use the php://memory built-in stream, like this:

$fp = fopen("php://memory", "r+");
// Now just use it as a regular PHP stream
fwrite($fp, "foobar");

If you do need to create files or directories for testing (for example for testing the SPL DirectoryIterator classes), best is to create them in the directory where the tests are located. Give them a descriptive name, and be sure to clean up after you’re done! This is done with a --CLEAN-- section in a PHPT test. Remember that the --FILE-- and --CLEAN-- parts of a PHPT test are called totally separate, so any variables that live in the --FILE-- part are lost in the --CLEAN-- part. This is an example to make it all a bit more clear:

--TEST--
Test is_file() function: basic functionality
--FILE--
<?php
$file_path = dirname(__FILE__);
$file_name = $file_path . DIRECTORY_SEPARATOR . "is_file_basic.tmp";
$handle = fopen($file_name, "w");
var_dump( is_file($file_name) );
fclose($file_name);
?>
--CLEAN--
<?php
// Rebuild file path, because we can't use the $file_name variable anymore.
$file_path = dirname(__FILE__);
$file_name = $file_path . DIRECTORY_SEPARATOR . "is_file_basic.tmp";
unlink($file_name);
?>
--EXPECT--
bool(true)

EmPHPower for PHP

I’ve been following Lukas‘ posts and news about EmPHPower for a while now, with great interest. To quote the mission statement:

emPHPower is a mediator and catalyst that empowers members of the community to follow their own ideas

This seems like a great initiative to me. Basically with the same views and motivations, we (Mike and me) have started PHPBelgium, to advocate the use of PHP with developers, companies and educators.

While our initiative is mostly regional (Belgium and to some extent, the Netherlands), emPHPower aims to be a central place to advocate and promote the use of PHP. It wants to connect PHP Core devs, companies and end users by providing a general platform (as a mediator) for them.

I fully support such initiatives (as I’ve been doing same things but for Belgium then) and hope this works out and actually will turn into something that helps every party involved. If there is something that can be done, I’d be glad to help out. In the end, this’ll create more visibility for PHP as a serious alternative, provide a place to go to as a company that wants to use/sponsor/develop PHP, and much more. PHP TestFest is an example that I believe could fall under organization of emPHPower.

Please note that emPHPower is currently just an idea. By the end of the year, if things look feasible, Lukas will actually start and take things further for emPHPower.

If you want to have a short overview of what emPHPower aims to be, have a look at this presentation

Using DateInterval class in PHP

DateInterval is (amongst others) a relatively new addition to the date extension in PHP 5.3. It allows to describe an interval in time, and you can perform actions with that interval. Basically, it allows to calculate with dates in a very easy way, and do even more fun stuff with it.

Unfortunately no documentation exists today for DateInterval and friends, but PHP is open-source so you can easily have a peek at the code to see what’s happening under the engine. This is more or less what the documentation for DateInterval and some helper functions could look like:

Prototype:

DateInterval DateInterval::__construct (string $interval)

Creates a DateInterval instance, based on the interval provided.

Parameters:
$interval: ISO 8601 style time interval notation. (see Wikipedia)

Return Values:
Returns DateInterval object on success or FALSE on failure.

Example:

// Interval. This acutally means 3 years, 6 months, 
// 4 days, 12 hours, 30 minutes and 5 seconds.
$interval = 'P3Y6M4DT12H30M5S';
$i = new DateInterval( $interval );

This alone isn’t very exciting, but the fun stuff begins if you use some extra date functions with it:

// let's assume $i is still around from the previous example
$format = 'Y-m-d H:i:s';
$d = new DateTime('2008-01-01 12:25');
date_add( $d, $i );
echo $d->format( $format ) . PHP_EOL;
date_sub( $d, $i );
echo $d->format( $format ) . PHP_EOL;
 
$d2 = new DateTime('2008-01-01 12:25');
$diff = date_diff( $d, $d2 );
date_sub( $d2, $diff );
echo $d2->format( $format ) . PHP_EOL;

There’s a lot more possible (have a look at the DatePeriod class too), but that’s for another time. This is a pretty new group of classes within PHP, so expect these to expand in functionality in the future.

php|architect’s Guide to Enterprise PHP Development

There’s a new book available for pre-order on the php|architect website, titled php|architect’s Guide to Enterprise PHP Development, by Ivo Jansch of Ibuildings.

This book is great for anyone who’s interested in learning how to use PHP in an enterprise environment. It has every step on the way covered, such as planning, development tools, deployment and much more. If you’re (planning on) using PHP in your company, this book is going to prove invaluable for everyone involved in the development process, going from developers to development managers or project managers. I believe pretty much everyone involved with software development can benefit from a book like this.

Also, as far as I know, it’s the first book ever on enterprise PHP development specializing on this subject. There still aren’t that much resources available around on enterprise PHP development, so I expect this book to be very popular on the PHP developer’s bookshelf. I definitively pre-ordered mine already! ;-)