Author: Manuel Lemos
Posted on: 2012-02-01
Categories: Lately in PHP Podcast, PHP community, PHP opinions
They also discuss the final release of PHP 5.4.0 and whether you should upgrade it or not, the repercussion of the PHP Hash Collision Vulnerability, as well the trends of PHP world based on the analysis of the PHP Zeitgeist 2011 initiative.
Listen to the podcast or read the transcript now to learn more in detail about these interesting PHP topics.
Download Size: 24MB Listeners: 3589
Introduction music: Harbour by Danilo Ercole, Curitiba, Brazil
RSS 2.0 feed compliant with iTunes:
In iTunes, use the Subscribe to Podcast... item of the Advanced menu, and then enter the URL above to subscribe to this podcast.
PHP 5.4.0 Final Release (1:05)
PHP Hash Collision Vulnerability (7:49)
PHP Zeitgeist 2011 (19:46)
MicroPHP versus Complicated PHP (25:29)
PHP Programming Innovation Award winners of November 2011 (50:34)
Introduction (0:20)
Manuel Lemos: Hello, welcome to the Lately in PHP Podcast. I am Manuel Lemos, this is episode number 20, and as always I have here with me to discuss the latest of the most interesting topics that happened in the PHP world, Ernani Joppert. Hello, Ernani, how are you doing?
Ernani Joppert: Hello, Manuel, I am glad to be back, and lots of things to talk about as usual, and glad to be here.
Manuel Lemos: Yes, that's great because I'm going to talk about several things that maybe you have a better insight regarding certain topics.
PHP 5.4.0 Final Release (1:05)
Manuel Lemos: But first let's move on with the latest releases of PHP. PHP 5.4 will be released, well, it is expected to go out on February 2, we are recording this before that date, but by the time that people are listening to this podcast it may have already been out.
PHP 5.4, we already talked about its features, what are the main features that have been developed in the latest months. It has gone through many release candidates, six so far, and the latest was launched, released on January 24, RC 6.
And there is really nothing new because it's practically the last release candidate before the final. But for those that probably were not following this release of PHP 5.4, as far as I can remember the main features are things like traits, which is a sort of form of implementing inheritance.
Another feature is a built in web server that will allow you to test your own PHP applications without relying on separate web servers like Apache or something else, and several other probably less important features, but for those that are always looking out for new versions, probably with performance enhancements, this will probably be a very interesting release.
Well, probably the main question that people will be asking is whether they should upgrade to PHP 5.4 and benefit about all the enhancements or maybe wait.
Ernani, what do you think, do you think it is something that people should wait for PHP 5.4 release a little while, or maybe they should just start trying using it, what do you think?
Manuel Lemos: Yes, well I brought this up because by the time we are recording it is not yet out, but I plan to release an article talking about criteria that people should follow on deciding whether they should upgrade or not to PHP 5.4.
Well, in my opinion, this is a very personal opinion, not necessarily the opinion that everybody should follow, it depends on the situation of each developer. I think, as you said, I always recommend people to wait at least maybe one month. It's an arbitrary period, but it should be enough for at least the main bugs to be discovered and fixed.
Despite PHP 5.4 has gone through a long release candidate process, in practice what we notice is that there are always bugs that are only detected after the new version is exposed to the vast majority of the users that actually give it a real try and eventually start reporting bugs that may be more serious and affect them most.
And other than that, other than just bugs it is very important also to notice that there will be backward incompatible changes.
Although it's a release candidate, so the production version is way different than a development version.
Manuel Lemos: Yeah, because in reality people, most people will not try anything else before official final releases, and as we have noticed before, I think it was 5.3.6 or 7 that had a bug, not exactly a backwards incompatible change, but in any case it's another reason for you to wait some time.
And be careful, I think that for those that practice, at least to some degree, test-driven development, or if they do not practice they have a minimal set of test scripts that evaluate if their code works, it's always good to run the tests before you actually decide to upgrade.
This is basic common sense, but some people do not really pay much attention to this. So, in any case, I'll be releasing an article that will give more insights on this.
PHP Hash Collision Vulnerability (7:49)
Manuel Lemos: But one important topic that we already mentioned is that new versions can always have new bugs, and bugs may or may not be related to security issues. And this is also a reminder about an important vulnerability that was found, actually it was found a long time ago, but only recently developers have been paying attention.
It's a vulnerability that affects not just PHP but many languages. And I even released an article that really got a very large audience because security is always a topic that raises the attention of all developers because nobody wants to be vulnerable.
In this case this so-called hash table collision vulnerability can affect potentially millions of PHP servers, actually web servers that run PHP or other language that also have this vulnerability.
Ernani, did you follow the repercussion of this announcement, although it was not exactly new it was still an announcement, what did you get from it?
But, yes, the concern is very critical, it may be old but we are an information podcast here targeting PHP developers, and sometimes people don't have the time to read news, and sometimes people listen to podcasts in their cars, so it's something that we, as a commitment here, to the community.
Manuel Lemos: Yeah, actually I was talking about the article that was published in the blog of PHP Classes site, and it is sort of... one thing that you also notice, Ernani, is that it is amazing that some people were protesting because we are talking about it as if you should not make a big deal out of it.
Manuel Lemos: Well, if there is a vulnerability that can bring your server down very easily why not talk about it, and I don't know what those people that protest have in their heads, but everybody should know about this as soon as possible.
Manuel Lemos: You mean the earlier, right?
And then you are relaxed at home and you are listening to the podcast and then you are getting more richer content because you are discussing here about those topics.
And, yes, I've seen lots of people, not lots of people, but some people ranting about this article and the repercussions in some portals, and it's weird because people just brag about it as being old news, but they don't have the time to elaborate any useful answer about it.
It could be old news to him, or to the one who addresses it, but it could be something new to somebody else, and it's not them to be entitled to address this, and this is just a personal opinion.
Manuel Lemos: Right, and it's not just that, I actually read... I think you're right as well, people complaining because we were sort of making... I was sort of making a big deal out of it. It's not a matter of making a big deal out of it, it's just a matter of telling people what they need to know as soon as possible.
Manuel Lemos: And it's true that it can affect millions of PHP servers, so why not put it in that way, it's interesting, actually it's amazing, some people were claiming I was trying to trick the audience, making it as if it was a sensationalist article.
So imagine Oracle being a software vendor and a very, very professional database vendor, which has lots of systems relying on having that repercussion, and if Oracle wouldn't care about the vulnerabilities that they hold, imagine what customers could complain.
And PHP being an open source solution it's more susceptible for people checking the code and understanding the deeper whereabouts of the PHP engine itself. It's even more reliable because we have people checking things that could happen and trying to address it and solving bugs.
But that can pass as well, and sometimes it happens, so we have to address it, it's public awareness that we are doing here.
Manuel Lemos: Right. And like the guy that did the presentation about this vulnerability at that security event, one thing that he mentioned is that above all languages PHP is more representative because I was not aware of this number, but it seems that 77% of the web servers have PHP installed, so it's a lot of servers in the world to be targeted.
And in days when there are groups of people like Anonymous and others that can organize and use vulnerabilities to cause damage to whatever are the institutions they are against, if those people at those institutions are not aware they can easily exploit these vulnerabilities to cause them damage.
And just a brief note, I'm not taking part the merits of people that perform those attacks or not, I'm just saying that everybody that can be susceptible to be attacked should know, so it's never too much to spread the news about this vulnerability.
And from the comments that we got in the blog post, many, many developers appreciated being informed because despite PHP 5.3.9 provides a workaround to this vulnerability, was released publicly, most people are not really paying attention what exactly was this release about.
Manuel Lemos: And one thing, by the way, talking about PHP 5.3.9, now talking about the actual workaround, it's not exactly a fix, it's a workaround, what it does it limits the number of the parameters that requests.
PHP will process in request, for instance, if you get a GET or a POST request the parameters that come with the request, if you get many parameters in the request with specific names it may cause that PHP will start taking too much time processing those parameters, and this can bring down any server with just a few requests.
It doesn't take a denial of service, a distributed denial of service attack to achieve this, a single person can cause a lot of damage to a vulnerable server if they do not have a way to protect against this, and what the article explained is what you can do to prevent these attacks.
One of the things is to upgrade to PHP 5.3.9 if you can, some people can't because they are not using a server that the hosting company allows them somehow in case they are not using a dedicated server or a virtual private server.
Either others can't upgrade because they do not have a patch from the provider of the server distribution they are using, and for those that cannot use, upgrade actually to a newer version, one solution that I presented there is to use the Suhosin patch, I think it's the way to pronounce it, I'm not sure.
That was developed by Stefan Esser, a respected security expert that is responsible for finding many security vulnerabilities in PHP and other software projects, and many years ago, I think in 2004, he developed this extension for PHP that already implemented this limit of input variables that are sent to HTTP requests handled by PHP, and that would be an alternative.
Actually I did not try that extension. I don't know if you can use it in more recent versions because there are all these changes in PHP extensions interfaces, but I think it can be at least a workaround, a way to prevent those attacks for older PHP version.
And also talk about PHP 5.4, obviously this new version, PHP 5.4, also has this new variable that you can use to protect against these eventual attacks. So, well, the article already gave enough information about that, and we are just here talking a bit more about this for those that for some reason may have not paid attention to the article, but I think we already said a lot about it, and we need to move on in this podcast.
PHP Zeitgeist 2011 (19:46)
I'm going to comment just a bit about an initiative for those that follow the PHP Classes blog and they are aware, which is the PHP Zeitgeist, in this case 2011 edition, which is basically an initiative very similar to the Google Zeitgeist initiative.
For those that are not familiar, basically it consists of gathering statistics about the searches that users have been doing more in 2011, at least compared with previous years. And this is a very interesting initiative because not only does it give us an idea about what people have been searching for, but also the demand for things that people are still looking for but there are not very good solutions.
And there was an article that posted in PHP Classes site that analyzes the PHP Zeitgeist edition and just tries to elaborate a bit on what were the most relevant topics that have been searched and for which there is a greater demand in 2011.
And I also notice there were a few topics that... actually a few keywords that seemed to have grown in demand, but they are still unfulfilled because this PHP Zeitgeist initiative is based on statistics of searches done on PHP Classes site.
And basically there were a few things about probably components people are searching for, for which until now there are no components about those topics.
Ernani, did you look into this article, did you analyze the topics that were most relevant in 2011 and those that still represent searches for things that people are still looking for but there are no results?
It's also a public service representing about your users' behavior and the visitors of your site as well.
Manuel Lemos: Right, exactly. I hope it also... it can also be useful for people that are not exactly users at PHP Classes site because despite there are many people that do not use the site, the number of users of the site is so high this is representative of demands of PHP developers, things that they are looking for.
And it can also be useful for other people, companies that develop their own components and are not exactly related with the PHP Classes site and then can just come here, look at the statistics, they are public, and maybe take some hints about directions that their business should follow, probably to address needs of the PHP community.
And since the site is already going to be two years of age, in the second year it is possible to have statistics that allow the site to compare past trends with recent trends and take some conclusions about what is new.
MicroPHP versus Complicated PHP (25:29)
Manuel Lemos: And moving on with our podcast, I would like to comment on a different topic, I would say an unusual topic, for those that are not familiar there is this Micro PHP Manifesto. I think it is an initiative sort of launched by Ed Finkler, a well known PHP developer, that, well, basically it looks to me like it is a rant against this trend to build very complex frameworks that get you buried in complex PHP development processes.
And he rants about this for several reasons that he explains in the manifesto article. Ernani, did you look into this, what are your first thoughts about this when you looked into this?
Yeah, sometimes it depends how you want to implement things, sometimes you have to follow coding guidelines and you have to rely on things within the scope of the project that you are involved in.
But sometimes you want to be simple, and it's also something in the past that Joel Spolsky I guess mentioned, well, as the pragmatic programmer which is a very, very famous blog post, which brings to the table how deeply he wants to get your code ready, and how much resources, I mean human resources as well as financial resources and time resources to allocate in order to have the code following all the frameworks, etcetera, benefitting from design patterns such as dependency injection and others, and in order to get something working.
There is a very old saying from a quote that I've seen recently and it reminds of that, that I guess Buddha mentioned, and not related by religion here, but he says, "An idea is not valid if it's not put in practice".
Manuel Lemos: Well, it's a simple thought but it's well thought.
Manuel Lemos: Right. Well, basically this manifesto, well, my interpretation of it, seems to be a rant against people that make things even more complicated than they should be.
Manuel Lemos: And basically, well, he actually mentions explicitly Zend Framework, Symfony or CakePHP, because these are probably the most popular frameworks.
And basically what he seems to be complaining about is how complicated needs to be the code to use those frameworks, you have to go through a learning process that, well, eventually it will be an investment.
Manuel Lemos: Well, I don't know, I cannot speak for personal experience because I do not use these frameworks in particular, I have my own components, but I think this is basically a complaint about what seems to be people that overdo the use of things that probably they learned in college like design patterns.
Well, design patterns are fine, you should follow the patterns because you don't want to reinvent the wheel. The problem is that sometimes people want to use tens of design patterns on things that do not need to be that complex, and in the end they add so much complexity, that projects that should take a very short time end up being complex and take more time than they should.
And all this boils down to the problem that sometimes all these developers that like to use all sorts of design patterns actually they push things to justify using design patterns just because they like them.
And this I think in my opinion, of course this is a very personal opinion, is that what is wrong is that in college you learn all the design patterns and you sort of score if you know all of the design patterns well. So your teachers value if you know as many design patterns as you can.
The problem is that in the real world pushing the use of design patterns that make things more complicated, it's against the people, whoever is employing you, because if you take more time to justify the means to use more complex processes who is paying is your boss, and if you are not making use of the time that your boss is paying for you are a liability, and you are actually wasting your boss' money.
And in the end it may not matter because your projects will probably not be as efficient as they should be, they will be so complicated and will take much more time and money to maintain, and in the end the complication that you added to the project actually...
Manuel Lemos: Yeah, doesn't pay the effort and shows that unlike what you thought you are not being very smart, because an employee just working for a company is just there and making the company spend more money than they should on development or whatever is reducing the company profit.
And my advice to all those people that probably will disagree, and I expect that some people will disagree, they try...
Manuel Lemos: Right, of course, as always... and they should consider if not possible in the near future, maybe in longer term try to build a business all by themselves, having themselves developing software using those processes that they used, complicated frameworks, all forced design patterns, and they realize that the time passes and they are spending their own resources, and when they are spending their own resources, I mean money, salaries or whatever you are investing, they are realizing they are acting against themselves.
And all this to say that people should be pragmatic, like you said, you quoted Joel Spolsky who is a very respected professional in the software development world. I do not exactly agree with everything he says, but in this case I remember he commented something about test-driven development.
Well, test-driven development is great in an ideal world, and if you can you should have at least a minimum set of tests, for instance, for thing like I just commented before like testing your project in a newer PHP version to see if there are backwards incompatible changes.
But that doesn't mean that your life should revolve around tests, tests are very resource expensive, you take a lot of time to do them, and if you are not a person that actually enjoys writing tests it will be even worse because you will not be so motivated, because it's not really as much fun as writing code that just works and provides an immediate result.
And I remember that Joel Spolsky sort of ranted about this because...
Manuel Lemos: Yeah, I remember it was something like that, and the truth is Joel Spolsky is a business owner, he knows that, well, I suppose he doesn't program anymore these days, but I suppose that if he realizes that one employee is wasting his time about things that are not productive and are great in the ideal world but are not really necessary in the real world, he probably will go after that and make the developer rethink the approach and do it in a way that is more efficient, takes less time and gets results, reliable results, it's very important to get reliable results, that's why I mentioned having a minimum set of tests.
And also commenting about tests, you should have tests for things that are critical, if you do not have time for developing tests for everything like some people want to promote, do it for things that are critical like things that deal with money or deal with other people's lives, things that may hurt your business if they break, and this should be your main criteria, I mean in my opinion. Ernani, what do you think about this?
Manuel Lemos: Right.
Manuel Lemos: Exactly.
Manuel Lemos: Well, if you are not in a blue ocean it is even worse because you have competitors biting your business.
Manuel Lemos: Yeah, exactly. Well, people should realize when they are working for their employees their teachers that teach them to use many design patterns, and I'm not ranting against design patterns, I think you should follow design patterns, but only apply those that make sense to each context.
Manuel Lemos: All those hype trends. When talking about hype, I just realized that there is a recent hype in the PHP world talking about... I actually mentioned it before about dependency injection, I think it's what you meant.
There are a few people who are commenting, Oh, dependency injection, this and that and that one, well dependency injection is just one of many design patterns that you may use or not depending on the context.
By the end of the day you may look cool to your friends if you say oh I use dependency injection, but for your boss it doesn't matter, and for your boss' customer, which are those that pay your boss or boss' money, even matters less because they do not see any programming at all.
It may matter to your teacher in college when you learn about all those design patterns because it is the goal to teach you good practices, but if you got the idea that you should use more design patterns and force, make excuses to use more design patterns than you really need, you really miss something about that.
Well, that's basically my opinion, I'm sure this is an open subject.
Manuel Lemos: I'm sure that will give another topic for another podcast, but we need to move on. Anyway, this is an open topic I'm sure, and anybody that is interested to comment, give your point of view, maybe agree or disagree, it doesn't matter as long as it's a genuine point of view, feel free to post a comment to this podcast.
I just want to make a brief comment on the fact that we are seeing an increase in the number of contributions which is very positive, this is sort of a consequence of an initiative that was launched last month and it was working very well.
It's basically for those that are not following, there is now a report that is sent to authors that contribute to the PHP Classes site and also to the JS Classes site because it's the same code, which gives authors tips on how they can improve their contributions and get a greater visibility and eventually get greater recognition, feedback from the users, and this is working fairly well.
And as I mentioned, there is an increase in the number of packages that is being published, and for that I would like to apologize to all authors that have submitted packages, mainly to PHP Classes site because it's more popular, and their packages were not yet approved, I can only approve a few everyday, and if your package was submitted and was not yet approved, please be patient, we'll get there.
Manuel Lemos: Yeah, actually, well nowadays most browsers already sort of implement this on textarea inputs, and it allows to expand in cases that you feel it's very short, and it is very useful. But this jQuery plugin that Michele sent is for use on any type of page elements, so kudos for him for sending this plugin, I'm sure it will be very useful. Any other class you would like to mention?
Manuel Lemos: Right. Actually this could be used on any environment on which the SQLite database is available. Actually this is an abstraction, it's not specific, there is a driver for SQLite but it's not specific, the API itself is not specific.
It's just actually there is code to help you build common SQL queries, and there is a SQLite driver, and in spite of this SQLite is sort of going out of... it's no longer being supported as a standard for browsers as SQL database, some browsers supported it, but they all agreed to not follow this route.
But since this is a driver, since this is an abstraction layer with drivers, any future development to support other approaches even if they do not provide a SQL interface can use this package by using some driver to a newer database.
Well, on my part I would also like to comment on a couple of objects for different reasons, one is yet another plugin, jQuery PhotoWall by Andrey Nikishaev, well, I'm not sure if I'm pronouncing his name right, he is from Ukraine, and this is his first class that he's published in the JS Classes site, but he has been a long time contributor of PHP Classes site, so kudos for him also contributing to this site.
Manuel Lemos: Well, maybe that's the soft way to put it, but there is sort of misunderstanding, this object just what it does it basically to show you a wall of pictures eventually of different sites, different sizes, and what it seems to do is very similar to what Google image search does in presenting many pictures styled on a wall of pictures.
And just because Andrey used as an example an image gallery he developed, it contains some pictures that some people found to be a bit I would say probably too intense, well, this is art, people should not take it with the wrong impression.
Anyway, I think this is very useful. And the other object that I also want to comment on is Ace Snow by Arturs Sosins, the current top contributor of the JS Classes site, and also a good contributor of the PHP Classes site.
Basically this is very interesting, actually this is a very simple snow falling effect, but the good thing about it is that it uses Appcelerator Titanium API that can be used to develop applications, native applications for mobile phones of different architectures like iOS and Android, I think Blackberry.
And so kudos to Arturs Sosins for sort of starting this section on Appcelerator Titanium components, I'm sure he is ready to send a few more.
Manuel Lemos: Yeah, he's very active, and it's great to have good participants like him. And I mentioned that he is a top contributor of JS Classes site, but because of that initiative that I mentioned before of encouraging authors, this week he was not the first of the authors with most the users downloading his packages.
You mentioned Michele Prigigallo, and he is the number one of the last week because he sent several components that were also well appreciated. And this is just a healthy implicit competition that should not be taken too seriously, but in the end what results is several people sending very interesting components.
Ernani Joppert: Soon you may also implement the Innovation Award as well, right?
PHP Programming Innovation Award winners of November 2011 (50:34)
But talking about Innovation Award, let's move on to the latest components nominated to the Innovation Award that were released in November, they were voted in December and then in January the announcements of the winners came out. Ernani, which do you think are more worth being mentioned?
Ernani Joppert: Oh, yes, I would vote for the Angell EYE PayPal Payments library.
Manuel Lemos: Oh, right.
Ernani Joppert: It seems to be a very extensive library here from what I see, and it helps lots of applications which the author has listed here. By the way, the author's name is... he is from the U.S., his name is Andrew Angell.
Manuel Lemos: That's why is named Angell EYE PayPal Payments.
Ernani Joppert: Oh, yeah, yeah. So it's a very extensive library, and I see lots of sites using it already for donations.
Manuel Lemos: But there is actually a reason for that, that is the reason why it was nominated as innovative because there are many PayPal components, but this one is the first that uses the PayPal Adaptive Payments library, sorry, Adaptive Payments API of PayPal.
For those that are not familiar, this is a new possibility that PayPal implemented which basically allows you or anybody that is selling products, services in sites to define how the money that is received is shared between different vendors.
Ernani Joppert: PayPal accounts.
Manuel Lemos: Right, they should have PayPal accounts. Let's imagine that you have a site that is reselling products from another company, using this API you can determine that a certain percentage of the payment goes to another account, and another part goes to your account.
Ernani Joppert: Which could be good for a shared blog, right?
Manuel Lemos: Well, it could be for any site that is reselling products of other people, and since the share of the original vendor goes directly to his account he doesn't have to pay additional PayPal fees.
Ernani Joppert: Oh, very nice.
Manuel Lemos: And that is why it was mentioned, and that is the reason for this class to be nominated. Ernani, what would be another class that you would also like to mention?
Ernani Joppert: Oh, yes, this one is the winner for this contest, it's from Richard Keizer from the Netherlands, and Richard has been provided lots of compliments here with the quality code, and this one is far beyond from what I've seen here.
Manuel Lemos: Right. Well, this is basically a solution for a very difficult problem which is how to handle uploads and be able to show progress to the upload to users, and in this case he uses an interesting scheme that basically consists of implementing a web server that will take the upload request in parallel. And this is a non-trivial development and kudos for Richard for yet another great class.
And other than that, on my case I have actually also picked a couple of classes to comment on, one is called Tor, and I'm not sure if we already mentioned that before, but Tor is a network that allows users to access sites and other network resources by basically anonymizing the requests.
And the problem is that in some cases it causes problems to certain sites because they cannot take requests of users without being able to track their origin, and with this class it is possible to know if a certain IP address that is accessing a site is from... is using the Tor network.
And this class was contributed by Alexander Hover from Germany, and at least for this purpose that I have been mentioning I think it is very useful.
Well, other than that, I also would like to comment about a class for image manipulation named GD2 Imaging by Artur Graniszewski, wow, I'm not sure if this is the right way to pronounce his name, I hope I'm not pronouncing it too far from the correct spelling.
And, well, basically what this class does, well there are many classes that can apply different image manipulation effects, but in this case this does several unusual effects, and they are implemented in PHP like detecting the color, the background color of an image, detect and de-skew an image if for some reason it was skewed by, eventually it was scanned and it was not in the right alignment it can de-skew it, and so on, several other non-trivial effects that Artur implemented in this class, so kudos also for him for this great class.
And, well, as I said, the number of classes contributed to PHP Classes has been increasing, and I hope next month, actually I don't hope, I'm sure the next month we have even more great classes to talk about.
Conclusion (57:17)
Manuel Lemos: Well, we are basically at the end of this podcast, I would just like to thank again Ernani for coming to this podcast, and I don't know if you have some final remarks, but for me that's all for now.
Ernani Joppert: That's all for now for me as well, Manuel, it has been very nice, thanks for inviting me here and keeping me here, and I really appreciate to be part of this and to be part of the community in a sense.
Manuel Lemos: Okay, bye.
Ernani Joppert: Thank you, bye, bye.