18 Jul

Fabien Potencier – The PHP Ternary Operator: Fast or not?

On my laptop, snippet 1 takes more than two seconds, whereas snippet 2 takes about 0.05ms. That’s a big difference! But if the variable to test does not host many data, the speed is almost the same.

So, why does the ternary operator become so slow under some circumstances? Why does it depend on the value stored in the tested variable?

The answer is really simple: the ternary operator always copies the value whereas the if statement does not. Why? Because PHP uses a technique known as copy-on-write: When assigning a value to a variable, PHP does not actually create a copy of the content of the variable until it is modified.

via Fabien Potencier – The PHP Ternary Operator: Fast or not?. Huge speed hits using the ternary operator on larger variables. Fortunately it looks like there is already a patch to resolve the problem.

15 Jul

Mark Story – My thoughts on the built-in php server

Earlier today I saw the announcement that PHP5.4 will have a built-in web server . I mentioned on twitter that I wasn’t too happy about the server being added. In the discussion that followed, I feel like I wasn’t able to properly convey my thoughts through tweets. I figured I might be able to better explain myself in a post.

I have mixed feelings about the built-in web server to be honest. Having a low effort web server is great for lowering the barrier to entry when building things with PHP. I can also appreciate the instantaneous feedback you get from a simple command line server, and not needing to fiddle with Apache or other more complex web servers. All of these things seem really great in isolation, and when you ignore some of the problems that it creates.

I can think of a few problems that the new command line server creates. First, while its intended for quick and dirty development, it will invariably end up being used as a production server somewhere. PHP already has a spotty track record with providing features meant to be helpful, but later become painful. I’m thinking of things like magic quotes and register globals. All of these features were at some level intended to make development easier. Instead they have become huge headaches, and are only now being removed.

via Mark Story – My thoughts on the built-in php server. I think he reached into my brain and said exactly what I was thinking.

28 Jun

Utoxin’s Random Insanity – CakePHP + Symlinks = Pain

Now that I’ve had a day or so to recover, I’m going to tell you about what I just spent 2-3 weeks trying to resolve. By way of explanation, our main product at work is a CakePHP based CMS application. It has a lot of neat features, including the ability for users to upgrade to newer versions any time they choose. We keep all versions present in /etc/precious_core/<version_number>/, and each user has a symlink to the relevant directory in their webroot.

When they upgrade, part of the process is to replace that symlink with a new on that points at their new version. For a long time we’ve known there was a problem of some kind related to CakePHP’s cache that developed after upgrades, but it was never a huge problem, so we mostly just ignored it. However, in a recent release, it started causing major problems, and I got tasked with finding and fixing the actual bug. I figured it would take a day or two, and I’d be done with it. Little did I know just how painful this was going to be.

I initially tried several ways of forcing the cache to get cleared when the app was upgraded. That worked well, as far as it went, but then a new problem surfaced. At least half the time, the cache would re-populate with bad data after an upgrade. Some of the cached file paths would be for the wrong version of the central app, for no apparent reason. I tried throwing even more thorough cache clearing at it. Things got a little better, but it still wasn’t working.

Finally, I fully duplicated our production setup on my local dev machine, parallel version directories included, and installed a PHP debugger, so I could step through the code and figure out what exactly was going on.

via Utoxin’s Random Insanity – CakePHP + Symlinks = Pain. Debugging oh what a joy it is.

22 Mar

PHP Fog Blog – How We Got Owned by a Few Teenagers (and Why It Will Never Happen Again)

Hi, I am Lucas Carlson, founder and CEO of PHP Fog and the guy who hasn’t slept in almost 4 days. This is my story.

via PHP Fog Blog – How We Got Owned by a Few Teenagers (and Why It Will Never Happen Again). Incredible detail into what happened and thoroughly explained how it will never happen again and how they are much more secure moving forward. If I was using PHP Fog my faith in their service would be stronger because of this.

23 Feb

najafali.com – Why PHP is better than Ruby

PHP is better than ruby. There, I said it. In this article I’m going to show you why, and probably upset some twenty-something, flip-flop clad, mac-using hippie fanboys in the process.

via najafali.com – Why PHP is better than Ruby. Overall these are very intelligent and reasonable complaints against Ruby.

Update: I didn’t get the sarcasm in the article and yeah it was a pro-Ruby article.

16 Feb

Ars Technica – Anonymous speaks: the inside story of the HBGary hack

So what do we have in total? A Web application with SQL injection flaws and insecure passwords. Passwords that were badly chosen. Passwords that were reused. Servers that allowed password-based authentication. Systems that weren’t patched. And an astonishing willingness to hand out credentials over e-mail, even when the person being asked for them should have realized something was up.

The thing is, none of this is unusual. Quite the opposite. The Anonymous hack was not exceptional: the hackers used standard, widely known techniques to break into systems, find as much information as possible, and use that information to compromise further systems. They didn’t have to, for example, use any non-public vulnerabilities or perform any carefully targeted social engineering. And because of their desire to cause significant public disruption, they did not have to go to any great lengths to hide their activity.

Nonetheless, their attack was highly effective, and it was well-executed. The desire was to cause trouble for HBGary, and that they did. Especially in the social engineering attack against Jussi, they used the right information in the right way to seem credible.

Most frustrating for HBGary must be the knowledge that they know what they did wrong, and they were perfectly aware of best practices; they just didn’t actually use them. Everybody knows you don’t use easy-to-crack passwords, but some employees did. Everybody knows you don’t re-use passwords, but some of them did. Everybody knows that you should patch servers to keep them free of known security flaws, but they didn’t.

via Ars Technica – Anonymous speaks: the inside story of the HBGary hack. Apparently it’s not too hard to hack a world renowned security company.

11 Dec

Mark Story – Getting PHPUnit setup from Git

This of course meant I’d need to get PHPUnit setup using Git. I figured this would be easier, since PHPUnit has recently moved to github. I think there are only a few ways it could be harder. I’m sure Sebastian had the best of intentions when he split up PHPUnit into several repositories. However, it has made working with PHPUnit from Git mildly painful. Since PHPUnit doesn’t use submodules at all, you are left to your own devices to solve its various dependencies. I wanted to work off the master branch, as thats where the next version of PHPUnit looks like it will come from.

via Mark Story – Getting PHPUnit setup from Git. In case you ever want to work on PHPUnit through Git.

29 Nov

SQL injection with raw MD5 hashes – cvk | nc -l -p 80

One challenge at yesterday’s CTF was a seemingly-impossible SQL injection worth 300 points. The point of the challenge was to submit a password to a PHP script that would be hashed with MD5 before being used in a query. At first glance, the challenge looked impossible.

via SQL injection with raw MD5 hashes – cvk | nc -l -p 80. Seemingly impossible to build a password that would after being MD5 hashed return a SQL injection, but nope it is possible even within a reasonable time frame.

18 Jul


CakeFest is the official conference for CakePHP. Thanks to my work with Smartfield in building and launching CropInsight I’ll be attending CakeFest this year in Chicago from September 2nd through the 5th.

CakePHP is a fantastic web development framework that I absolutely love working with every single day. CropInsight is a web application built using CakePHP, jQuery and a whole lot of sweat and time. Not only do I work with CakePHP for my full-time job, I also use it for personal projects, it’s a great tool for PHP developers. Trey Reynolds and I will get to spend time learning more about the inner magic of Cake and hopefully helping the core developers of Cake learn more about one of their users.

Photo Credit from Flickr user: koyhoge.