Tag Archive for 'PHP'

Goodbye Ibuildings, hello Egeniq

A couple of years ago, when I joined Ibuildings, it was because I had a passion for PHP and the PHP community, and Ibuildings was THE company embodying this spirit. I’ve had the opportunity to work on some of the most amazing projects, and met some of the smartest people in PHP-land. However, for about a year now, I’ve noticed my interests shifting a lot to mobile and mobile development. Of course I’m still as passionate about PHP as I was a few years ago, but I feel that mobile development is quite close to web development in a couple of ways, especially nowadays when people often expect to have internet available at all times. After focussing more and more on mobile development and seeing a huge future in it, I decided it was time for me to move on and leave Ibuildings.

To better match my combined interest in PHP and mobile development, I decided to join Egeniq. For those who don’t know Egeniq, they’re an awesome mobile technology company, founded 7 months ago by my former colleagues Peter, Bas and Ivo. Unlike your average mobile app shop, they focus on proper software engineering, architecture, performance and scalability. They build on the years of experience they have in the PHP world and bring that expertise to the mobile business. They’re also really into geek stuff, and mobile devices fit nicely into that category, too :-)

Even though deciding on leaving Ibuildings was probably the hardest career decision I ever had to make, I very much look forward to playing around with all things mobile and working closely with my former colleagues again. Exciting! :-) I’d like to thank Ibuildings for the opportunities they gave me and all the wonderful people over there, from whom I’ve learned so much. I will be at Ibuildings until the end of April, starting at Egeniq at the start of May.

This is quite a big step, and I thought about taking this step for a long time. But you know you should pursue something, if you have a very strong gut feeling that you just need to do this. The feeling that, if you don’t do this, you will regret it. The feeling that you get when considering all the pros and cons, but deep down inside yourself you know you already made up your mind. It goes without saying that I’m very much looking forward to the new things to come at Egeniq!

PHP UK Conference review

The past days I’ve been in London to attend the PHP UK Conference 2009. I’ve been to the previous edition which I liked very much and thanks to my employer, I was able to go to this year’s conference too.

No conference is a real PHP conference without the pre- and post-conference socials, and luckily we were spoiled in that part. Thursday evening, there was a pre-conference social in the Brook Green Hotel Bar. Already running in a bit late, we were just in time to see Derick be done with talking about dbus which was a shame, because I looked forward to that talk. Nevertheless, I got to see old friends and meet new friends, which made the social a success.

The conference day started with collecting our badge, which went pretty smooth. I went to check out the Ibuildings stand and got myself an Ibuildings shirt to wear. The opening speech by Marcus Baker had an original take to it, and made it clear that a reasonable amount of the conference visitors was from a foreign country. Some pictures were taken and promised to put online, but I’ve not heard from those since. If anyone knows where they are, please let me know!

Next up on stage was Aral Balkan with “The future’s so bright, I gotta wear shades”, a refreshing view on new trends and tools for developers. He’s got an energetic and playful way of presenting, which was received well by the audience. Through the talk, he definitely made his points across. Differentiation in development work is largely based on having fun in what you do and working on things you really get inspired from.

The next talk was David Soria Parra on Sharding Architectures. This was one of the more advanced talks but at the same time one of the talks I looked forward to the most. David talked about different sharding techniques, describing the advantages and pitfalls of each. He concluded that consistent hashing is the best (and most scalable) approach to sharding, something I’m definitely going to look into a bit more.

David Axmark, one of the co-founders of MySQL, talked a bit about Drizzle. Drizzle is a database server optimized for cloud and internet applications. By focussing on for example scaling, multi-core support and high concurrency, Drizzle is on its way to become quite an interesting alternative to MySQL. David mentioned where the Drizzle project is today, explained some of the features and where Drizzle is heading. Although clearly far from usable for production, I’m very much looking forward to at least try it out. It also opens up a lot of possibilities for writing plugins, which is a cumbersome task in the current MySQL distribution and made a lot easier with Drizzle.

After skipping a track (well not really, the hallway track is quite interesting too :) ), my colleague Stefan Koopmanschap was ready to deliver a talk on symfony. With “MyPHP-busters”, Stefan busted some of the myths that the Symfony framework has been suffering from. All of his points were certainly valid, and the presentation as a whole looked very nice. Kudos to Stefan for this one.

To close the day off, I saw Chris Shiflett talk on Security Centered Design. This must have been the one presentation I was underestimating the most. By regularly applying psychology patterns to security and user interface design, Chris emphasized there’s much more to developing an application than only functionality. This is certainly a topic that appeals to me, maybe even enough to have a look at the book recommended by Jon Gibbins: Defensive design for the web.

After the open bar provided by MySQL/Sun, we went off to the bar again to have the post-conference social, to conclude a nice conference. Congrats to the PHP UK organizers, you succeeded in having a great and enjoyable conference with lots of interesting talks. You can expect me again next year.

Speaking at IPC Spring edition 2009

My upcoming conference schedule:

I’ll be doing a talk there titled: “PHPT: Lessons learned from PHP TestFest”. If you want to know the ins and outs of PHPT and testing PHP Core, this might be of interest to you.

See you in Berlin!

Setting up phpUnderControl

On a regular basis, I get contacted by people who want to install phpUnderControl but don’t really know how to set up their projects and use the features provided by phpUnderControl completely. So, aside from providing a quick-and-easy setup guide for cruisecontrol and phpUnderControl, I’ll share the setup scripts I have here and hope it’s useful for someone. This guide is mostly focussed on getting phpUnderControl to work on a Debian system, but there’s not that much OS specific to it.

Getting it installed

You probably will need some tools that are related to the PHP project you want to deploy on the phpUnderControl installation and for the sake of briefness I’m not going to cover how to install them, but instead just list what might come in handy for the continuous integration system to set up:

$ apt-get install subversion subversion-tools sun-java6-jre sun-java6-jdk

Also, install php, phpdoc, phpcs, phpunit and xdebug; you’ll need them later on for unit testing, generating reports and analyzing your code. Next up, you can install cruisecontrol. Just get the cruisecontrol archive and unpack it somewhere (I chose /opt):

$ cd /opt/
$ wget http://heanet.dl.sourceforge.net/sourceforge/cruisecontrol/cruisecontrol-bin-2.8.2.zip
$ unzip /opt/cruisecontrol-bin-2.8.2.zip
$ mv -f cruisecontrol-bin-2.8.2 cruisecontrol

By default, cruisecontrol doesn’t have a start-up script. That’s not very easy when you want to start, stop or restart the server, so let’s make it (in /etc/init.d/cruisecontrol):

#!/bin/sh
# No trailing colon here: an empty PATH entry puts the current directory on the search path.
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
. /lib/lsb/init-functions
# Exported so that cruisecontrol.sh actually sees it.
JAVA_HOME=/usr
export JAVA_HOME
NAME=cruisecontrol
DAEMON=/opt/cruisecontrol/cruisecontrol.sh
PIDFILE=/opt/cruisecontrol/cc.pid

test -x "$DAEMON" || exit 5

# Note: RUNASUSER is only checked for existence below; the server itself
# still starts as whichever user invokes this script.
RUNASUSER=cruisecontrol
UGID=$(getent passwd "$RUNASUSER" | cut -f 3,4 -d:) || true

case $1 in
    start)
        log_daemon_msg "Starting Cruisecontrol server" "cc"
        if [ -z "$UGID" ]; then
            log_failure_msg "user \"$RUNASUSER\" does not exist"
            exit 1
        fi
        # cruisecontrol.sh expects to be started from its install directory
        cd /opt/cruisecontrol/ || exit 1
        ./cruisecontrol.sh > /dev/null 2>&1
        log_end_msg $?
        ;;
    stop)
        log_daemon_msg "Stopping Cruisecontrol server" "cc"
        start-stop-daemon --stop --quiet --oknodo --pidfile "$PIDFILE"
        log_end_msg $?
        rm -f "$PIDFILE"
        ;;
    restart|force-reload)
        "$0" stop && sleep 2 && "$0" start
        ;;
    status)
        pidofproc -p "$PIDFILE" "$DAEMON" >/dev/null
        status=$?
        if [ $status -eq 0 ]; then
            log_success_msg "Cruisecontrol server is running."
        else
            log_failure_msg "Cruisecontrol server is not running."
        fi
        exit $status
        ;;
    *)
        echo "Usage: $0 {start|stop|restart|force-reload|status}"
        exit 2
        ;;
esac

Set the file to have executable rights, and start the cruisecontrol server:

$ chmod +x /etc/init.d/cruisecontrol
$ /etc/init.d/cruisecontrol start

Right now, if you go to http://yourhost:8080/dashboard/, you should see a working cruisecontrol server page. If you don’t, please have a look at the previous steps and try again. A quick look at the cruisecontrol logs in /opt/cruisecontrol/cruisecontrol.log should help you find out what the problem might be.
For now, you can stop the cruisecontrol server:

$ /etc/init.d/cruisecontrol stop

phpUnderControl

This is even easier to install. We’ll just take the bleeding edge SVN sources so we can enjoy the latest goodies that phpUnderControl has to offer :) :

$ cd /opt/
$ svn co svn://svn.phpunit.de/phpunit/phpUnderControl/trunk phpuc
$ /opt/phpuc/bin/phpuc.php install /opt/cruisecontrol
$ /etc/init.d/cruisecontrol start

That’s it! phpUnderControl should be installed by now, which you can verify by going to http://yourhost:8080/cruisecontrol/ and seeing the new phpUnderControl interface. Of course, there’s not much information available at this time, let alone a useful project. But we’ll get to that in a minute :)

Configuration

All phpUnderControl projects are configured in a single config.xml file, located in the cruisecontrol install directory, in our case /opt/cruisecontrol/config.xml. To give you an idea on how this looks for most of my PHP projects, here’s an example:

<cruisecontrol>
  <project name="phpfoo" buildafterfailed="false">
    <plugin name="svnbootstrapper" classname="net.sourceforge.cruisecontrol.bootstrappers.SVNBootstrapper"/>
    <plugin name="svn" classname="net.sourceforge.cruisecontrol.sourcecontrols.SVN"/>

    <listeners>
      <currentbuildstatuslistener file="logs/${project.name}/status.txt"/>
    </listeners>

    <bootstrappers>
      <svnbootstrapper localWorkingCopy="projects/${project.name}/source/"/>
    </bootstrappers>

    <modificationset quietperiod="0">
      <svn localWorkingCopy="projects/${project.name}/source/"/>
    </modificationset>

    <schedule interval="60">
      <ant anthome="apache-ant-1.7.0" buildfile="projects/${project.name}/source/build.xml"
           target="build" uselogger="true" usedebug="false" />
    </schedule>

    <log dir="logs/${project.name}">
      <merge dir="projects/${project.name}/build/logs/"/>
    </log>

    <publishers>
      <currentbuildstatuspublisher file="logs/${project.name}/buildstatus.txt"/>
      <artifactspublisher dir="projects/${project.name}/build/coverage" dest="logs/${project.name}" subdirectory="coverage" />
      <artifactspublisher dir="projects/${project.name}/build/api" dest="logs/${project.name}" subdirectory="api" />

      <execute command="/opt/phpuc/bin/phpuc.php graph logs/${project.name}"/>
      <htmlemail mailhost="xx.xx.xx.xx" returnaddress="foo@example.com"
                 buildresultsurl="http://yourhost:8080/buildresults/${project.name}"
                 returnname="phpUnderControl server" logdir="logs/${project.name}">
        <failure address="fail@example.com" reportWhenFixed="true" />
      </htmlemail>
    </publishers>
  </project>
</cruisecontrol>

As you can see, this file just watches for changes in Subversion (the modificationset), updates the source and then fires off the build.xml inside the project source directory. That one is actually the most interesting one, so I’ll list it here too:

<?xml version="1.0"?>
<project name="phpfoo" default="build" basedir="../">
  <target name="php-documentor">
    <exec executable="phpdoc" dir="${basedir}/source" logerror="on">
      <arg line="-o HTML:frames:DOM/earthli -ti '${ant.project.name} documentation' -dn default -i tests/
                 -s on -ue on -t ${basedir}/build/api -d ." />
    </exec>
  </target>

  <target name="phpcs">
    <exec executable="phpcs"
          output="${basedir}/build/logs/checkstyle.xml" dir="${basedir}">
      <arg line="--ignore=*/tests/* --report=checkstyle
                 --standard=PEAR source" />
    </exec>
  </target>

  <target name="phpunit">
    <exec executable="phpunit" dir="${basedir}/source/tests" failonerror="true">
      <arg line="--log-xml ${basedir}/build/logs/phpunit.xml
                 --log-pmd ${basedir}/build/logs/phpunit.pmd.xml
                 --log-metrics ${basedir}/build/logs/phpunit.metrics.xml
                 --coverage-xml  ${basedir}/build/logs/phpunit.coverage.xml
                 --coverage-html ${basedir}/build/coverage
                 AllTests" />
    </exec>
  </target>

  <target name="build" depends="php-documentor,phpcs,phpunit" />
</project>

This builds API documentation, runs the PHP Codesniffer and runs the unit tests, which in turn provides the code coverage, metrics, PMD and other statistics. That’s all there is to it!

Dutch PHP Conference 2009 dates!

As ever, I’m excited for a new year, and with that comes a new year of PHP conferences. Last year, the Dutch PHP Conference really amazed me with their speakers, talks, organization and location. I got to know exciting new technologies, met a lot of new friends and got to see old friends again. Add the amazing social events (that was a memorable football match, france vs the netherlands!) to the mix and you get the recipe for a superb PHP conference.

Of course the good folks at Ibuildings will be organising the Dutch PHP Conference (DPC) again in 2009, and the dates are known! So grab your agendas and put a big mark on June 11-13 2009 (that’s right, 3 days of conference goodness!). That’s all there is for now, but more details will undoubtedly follow.

One thing that I’m particularly proud of: last year I could only admire a company that provides professional PHP services, is very active in the PHP community and delivers a top-notch PHP conference. This year however, I can say that since recently, I’ve joined Ibuildings. Seeing how they are engaged in enterprise PHP and everything around it makes me feel glad about the choice I’ve made to join ’em.

Ibuildings announces ‘PHP Center of Expertise’

Ibuildings, the PHP professionals, had another great announcement to make today. Being the innovative company they are, they announced the ‘PHP Center of Expertise’. Ibuildings has a lot of very talented, community-involved people working over there and they have a great way of interacting with that PHP community through support for user groups and organizing conferences or seminars. And that’s where the PHP Center of Expertise kicks in to bring those activities to the next level.

The PHP Center of Expertise (which isn’t a definitive name) will deal with all activities that involve PHP expertise, knowledge or community interaction. For example (from the Ibuildings blog):

  • Contributing to/supporting open source projects
  • Supporting user groups/communities
  • Organizing conferences/seminars
  • Developing training material
  • Forming and maintaining partnerships
  • Developing professional services

About every point on the list is already something I’m loving to do in my spare time, and to see that Ibuildings is actually serious enough about those subjects to start a whole new department for it is great. I see fun initiatives where community members could actually cooperate to produce a knowledge platform that helps everyone in the PHP community forward. Michelangelo van Dam already suggested doing podcasts, to give an example.

They already rock in being the number one PHP development and services company, and it’s just refreshing to see that they give back to the community in such a way. It’s a kind of mindset that you don’t encounter much with similar companies, but Ibuildings does it and is pretty successful in it. I’m curious to see the new expertise center initiative grow in the coming months!

Agile development with the Agilo for Scrum Trac plugin

Trac is a well known issue tracking system with an integrated wiki, version control browser and more. It allows for a more streamlined development process with software tickets, changeset views and roadmaps. An excellent fit for helping with PHP application development, for example.

Now, agile development has certainly proven its use in the PHP world, but imho lacks a good tool to track everything that surrounds it. We’re talking about a way to manage user stories, requirements, tasks, time tracking, sprints, product and sprint backlogs, all in a preferably web-accessible way. The only ways I knew of before were using Excel or the Phprojekt Scrum addon (which I honestly didn’t try yet, I’m not (yet) familiar with Phprojekt). Some weeks ago though, I stumbled on Agilo for scrum.

Agilo for scrum is a Trac plugin that uses the issue tracking system and extends it with features that enable you to follow a more agile development process. It’s still in early beta, but looks very promising already. It’s got an Apache Software License 2.0 so you can always have a look under the open-source hood ;-) Installation is possible with a python egg, so you can easy_install the whole thing, provided you have the needed dependencies (matplotlib and the python imaging library, to name a few). After setup, Trac is modified quite substantially so let’s have an overview.

The main change is the new dashboard link, which hosts some nice graphs on the sprint burndown and displays resolved or open tickets.
This is an example of such a burndown graph:
[Image: Dashboard chart]

Below the charts, the available actions and reports are displayed. Actions include creating requirements, tasks, user stories or bugs. Reports are for example the product backlog and sprint backlog. The great thing about the changed issue tracking is that it’s now possible to build relations between different registered issues. This way it’s possible to have a user story with different tasks linked to it.
Every task now can be assigned to be fixed for a certain sprint:

[Image: User story]

Different Trac users can be assigned to development groups and the amount of possible spendable hours can be set on a per-day basis for each developer. This way it’s possible to see how much time something should need and how much developer time there’s still available to implement a feature.

It’s a pretty sweet enhancement to Trac, and although it isn’t totally ready for production use (yet), it’s worth to have a look and test it out, you might like it! More information can be found on the agile42 website.

PHPBelgium meeting 20/08/’08 review

Last night PHPBelgium organized the second meeting since it was founded. It was located at the auditorium of the Artevelde college in Ghent, which seemed to be a very good but unfortunately hard-to-find venue. The meeting schedule was packed, but we had a lot of fun stuff to announce so we tried our best to fit it all in a 2 hour timescheme. We had about 31 attendees, which is a success given the fact that our last meeting only had 4 people!

First off, we could announce some of the things we have accomplished, such as organizing a PHP TestFest together with the phpGG. Then, Ivo Jansch (one of our attendees!) was kind enough to raffle off a signed copy of his new book (“Guide to Enterprise PHP Development“) to one lucky person in the audience. A good way to start off the talks :-)

The first talk was given by me, and was called “Improved PHP development“. It takes a look at the different ways, methods and tools to improve your PHP development and take PHP development to a new level. Even though the talk was actually too long, the subject was very broad and could very well have taken a whole day to talk about. My intent was actually not to do this but have an overview of what can be done. I’m definitely planning more in-depth tutorials and talks for any of the subjects that were presented.

After a coffee break, we continued with Michelangelo van Dam’s talk on Extending Zend Framework. This presentation explained how you can extend Zend Framework classes to adapt them to your own needs. An example of this was the Zend_Translate adapter for storing translations in a database. A translation view helper was made to have this new translating functionality available in the view. It was an insightful and practical talk on what is possible with Zend Framework.

Next up, we raffled off an elePHPant using a random number generating php script. One elePHPant now has a home with a happy new owner ;-)

To close the evening, we had one last special announcement to make: we were able to give away a free ZendCon ticket to one of the attendees! Of all the people that attended the meeting, some were interested (and could actually make the necessary arrangements on such short notice!), so we had a question about one of our talks, with an extra question to make up the winner in case there was more than one correct answer. We’re happy to announce that Juliette Reinders Folmer has the opportunity to meet up with her fellow phpwomen colleagues next month in Santa Clara, CA!

We all had a drink afterwards, lots of people got to meet each other and there was a really happy mood. All things considered, we’ve done pretty well for a second event, and we can’t wait to organise more events, workshops and meetings like this in the near future! Thanks to everyone that could attend, and help spread the word to make PHP gain in the popularity it deserves! See you next time!

Static analysis for PHP

Lately I’ve been interested in applying static analysis to PHP projects. Static analysis is the process of analysing software code (in our case PHP source code) without actually executing the (compiled) result of the source code you’re analysing. In its simplest form, the php -l sourcefile command provides static analysis of a PHP file by analysing the source for syntax errors. Other analysis methods are pattern-based static analysis, data flow static analysis, and code metrics calculation. Examples of this last method are the PMD (Project Mess Detection) or Cyclomatic complexity metric in PHPUnit.

The biggest use for applying static analysis in PHP projects is security, stability and performance testing. For one, it could be used to determine unsafe practices in source code. Let’s imagine you have a $username variable, coming from $_GET['username']. Good practices tell you this (and all user-) input should be considered tainted, and needs to be filtered. If you provide certain patterns that look for actions on this tainted value, you could determine if some variable will cause a potential SQL injection attack or is safe enough to be used.

Other uses are for example gathering various statistics about a PHP project, like: How much of my application calls a memcache server, how is the coupling in a modular component structure (PHP_Depend could help out on that), what are the parts of my application that are most prone to bugs (Sebastian Bergmann‘s bug miner is suited here) and much more. Of course, much of the time a completely custom solution would be needed, in which case you could be helped by PHP’s tokenizer functions.

Unfortunately, one of the biggest problems with static analysis on PHP code lies in the fact that PHP is a very dynamic and implicit language, from a language semantics point of view. The C language, for example, implements #include, which resolves its argument at compile time. PHP’s equivalent on the other hand (include()) takes any given (valid) expression as an argument, so the argument is only resolved at runtime, which makes it difficult to analyse statically.

How do you make your code more statically analysable? Use, as much as possible, expressions that can be evaluated at analysis time. Try to use constant expressions as arguments for include() and require(). Don’t use things like magic methods or eval (actually, never use eval()!).
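A minimal version of the pattern-based taint check described above, built on PHP’s tokenizer functions, as an added example that is not code from the original post or from any of the projects it mentions. It works one statement at a time and does not follow values into function or method calls; it also flags include/require statements whose argument is not a constant expression. The source, filter and sink lists, the function names and the sample input are all assumptions made for the illustration.

```php
<?php
// Added example. The source, filter and sink lists are illustrative
// assumptions, not a complete policy.
const SOURCES   = ['$_GET', '$_POST', '$_COOKIE', '$_REQUEST'];
const FILTERS   = ['htmlspecialchars', 'intval', 'mysql_real_escape_string'];
const SQL_SINKS = ['mysql_query'];
const INCLUDES  = [T_INCLUDE, T_INCLUDE_ONCE, T_REQUIRE, T_REQUIRE_ONCE];
const SKIPPED   = [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT, T_OPEN_TAG];

function is_tok($tok, int $id): bool
{
    return is_array($tok) && $tok[0] === $id;
}

// Tainted = reads a source or a tainted variable, and no known filter is
// called anywhere in the expression (coarse: one filter call clears it all).
function is_tainted(array $tokens, array $tainted): bool
{
    $dirty = false;
    foreach ($tokens as $tok) {
        if (is_tok($tok, T_STRING) && in_array(strtolower($tok[1]), FILTERS, true)) {
            return false;
        }
        if (is_tok($tok, T_VARIABLE)
            && (in_array($tok[1], SOURCES, true) || !empty($tainted[$tok[1]]))) {
            $dirty = true;
        }
    }
    return $dirty;
}

function check_statement(array $stmt, array &$tainted, array &$findings): void
{
    if ($stmt === [] || !is_array($stmt[0])) { return; }
    [$id, $text, $line] = $stmt[0];
    $isAssign = $id === T_VARIABLE && ($stmt[1] ?? null) === '=';
    $expr     = array_slice($stmt, $isAssign ? 2 : 1);
    $dirty    = is_tainted($expr, $tainted);
    if ($isAssign) {
        $tainted[$text] = $dirty;   // reassignment can taint or clean a variable
    }
    if (in_array($id, [T_ECHO, T_PRINT], true) && $dirty) {
        $findings[] = ['line' => $line, 'kind' => 'xss'];
    }
    // An include whose argument contains a variable cannot be resolved statically.
    $hasVar = (bool) array_filter($expr, fn($t) => is_tok($t, T_VARIABLE));
    if (in_array($id, INCLUDES, true) && $hasVar) {
        $findings[] = ['line' => $line, 'kind' => 'dynamic-include'];
    }
    foreach ($stmt as $tok) {
        if ($dirty && is_tok($tok, T_STRING) && in_array(strtolower($tok[1]), SQL_SINKS, true)) {
            $findings[] = ['line' => $tok[2], 'kind' => 'sql-injection'];
        }
    }
}

function analyse(string $code): array
{
    $tainted = $findings = $stmt = [];
    foreach (token_get_all($code) as $tok) {
        if (is_array($tok) && in_array($tok[0], SKIPPED, true)) { continue; }
        if (in_array($tok, [';', '{', '}'], true)) {   // statement boundary
            check_statement($stmt, $tainted, $findings);
            $stmt = [];
        } else {
            $stmt[] = $tok;
        }
    }
    return $findings;
}

// Constructed sample input, analysed as text and never executed.
$sample = <<<'SAMPLE'
<?php
$username = $_GET['username'];
$safe = htmlspecialchars($_GET['username']);
echo $safe;
echo "Hello $username";
mysql_query("SELECT * FROM users WHERE name = '$username'");
include $_GET['page'] . '.php';
require 'config.php';
SAMPLE;

foreach (analyse($sample) as $f) {
    printf("line %d: %s\n", $f['line'], $f['kind']);
}
```

The filtered echo and the constant require produce no finding; the unfiltered echo, the query built from $username and the include driven by $_GET are reported with their line numbers.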

After this introduction on the subject you might wonder what can actually be used to implement this. One project that has been dealing almost exclusively with static analysis for PHP is Pixy. It scans PHP code and currently aims to detect things like XSS or SQL injection vulnerabilities. Some basic support for include files is also available, so in theory you could make a data flow analysis through your application. Unfortunately, right now Pixy only operates on PHP 4 code, which is of course pretty problematic, given that we are about ready to get our hands on PHP 5.3. This aside, the fun thing is that this generates nice dot graphs, such as the call graph for a simple PHP file, like below:

This is generated by the following code:

class foo
{
        function bar($baz)
        {
                echo $baz;
        }
}
 
$x = $_GET['x'];
$foo = new foo();
$foo->bar($x);

Other useful information gets printed too, like if there’s a security vulnerability:

Vulnerability detected!
- unconditional
- /home/felix/staticAnalysis.php:4
- Graph: xss1

If you’re interested in analysis like this, have a look at the Taint support patch from Wietse Venema, which in a way has the same concerns as Pixy, but tackles it at the PHP engine itself. It isn’t really a complete implementation of taint support in PHP, but is a good start. At the moment it outputs warnings to tell you a tainted variable isn’t properly filtered.

Of course, static analysis is just one step that can be taken to guarantee your code is safe. It is by no means a definite solution to secure your PHP application, and there are many more measures around that further test PHP projects. Take for example PHPUnit, SimpleTest, PHPT or Selenium. Combine this with a continuous integration tool like phpUnderControl and you might sleep a bit better at night, knowing there are some ways to ensure things won’t go wrong :-)

08/08/08 and the day PHP 4 has gone

Today is 08/08/08 and I like this day, especially since every last bit of support for PHP 4 is now over. PHP 4.4.9 has been released and it’s the last PHP 4 release you’ll ever get to see. Yes, even in case of security holes PHP 4 won’t be updated anymore and everyone is strongly suggested to update to PHP 5.

Have a look at your current PHP applications, and if any of them are running on PHP 4, think of the consequences. A security hole could be found and no one will be there to help you out. Your site will be vulnerable until the point you decide to take the step to PHP 5, benefit of all the new goodies on the way and can sleep tight again. If you’re not sure how to tackle the upgrade, have a look at Stefan Priebsch’s book on PHP 5 migration.

PHP 5.2.6 is now the latest stable version. Unlike PHP 4, it has a proper object model, SPL, Exceptions, PDO and much more. PHP 5.3 alpha 1 has just been released into the wild, with support for namespaces, late static binding, closures and lambdas, phar, new (or newly bundled) extensions, and it’s a pleasure to use. PHP 6 is in ongoing development, with full unicode support as one of the main features. Guess it’s time to let go of old stuff, RIP PHP 4. Isn’t that sweet :-)