Author: Manuel Lemos
Posted on: 2012-03-01
Categories: New site features, PHP Security, Lately in PHP Podcast, PHP community
Meanwhile, a few weeks ago, security expert Stefan Esser claimed that security bug prevention in the PHP source code leaves a lot to be desired, because the PHP core developers do not have the habit of using source code auditing tools to prevent security bugs.
The quality of the PHP source code and the prevention of security bugs in it was one of the main topics discussed by Manuel Lemos and Ernani Joppert in episode 21 of the Lately in PHP podcast.
Among other interesting topics, they also discuss the new features of Apache 2.4 and whether it is already possible for PHP sites to take advantage of this new Apache release.
Listen to the podcast now or read the transcript to learn about these and other interesting PHP related topics.
Download Size: 24MB Listeners: 2279
Introduction music: Harbour by Danilo Ercole, Curitiba, Brazil
RSS 2.0 feed compliant with iTunes:
In iTunes, use the Subscribe to Podcast... item of the Advanced menu, and then enter the URL above to subscribe to this podcast.
- Article on the PHP 5.3.9 security vulnerability
- PHP-internals mailing list message by Stefan Esser suggesting that PHP core developers are not using audit tools to prevent security bugs
- Apache 2.4 new features
- Article on the enhancements done on the Friends of the Site initiative
PHP and other Open Source projects have less defects per line (0:51)
What is new in Apache 2.4 (14:37)
Enhancements done on the Friends of the Site initiative (24:08)
PHP Programming Innovation Award winners of December 2011 (43:17)
Introduction (0:20)
Manuel Lemos: Hello and welcome to the Lately In PHP Podcast. I'm Manuel Lemos, the host of this podcast, this is episode 21, and as always I have here with me Ernani Joppert to comment on many of the interesting topics and happenings that occurred in the PHP world lately. Hello, Ernani, how are you doing?
Ernani Joppert: Hello, Manuel, I'm glad to be here, lots of things to talk about, so looking forward to it.
PHP and other Open Source projects have less defects per line (0:51)
Manuel Lemos: Okay, and we are going to start by commenting on an article that was published recently, which is mainly about the evaluation of many aspects related to open source and proprietary software projects.
And the basic conclusion of this report is that Open Source projects have a very good quality of code with a very low rate of defects, I mean defects per line on average. Actually they cover several open source projects, starting from Linux, PHP and PostgreSQL. Actually they comment that PHP has one of the lowest defect rates.
Ernani, did you look into this article? What were your impressions about this?
Ernani Joppert: Yes, I've read it and it looks very nice from the standpoint of the open source world. It seems that it's more truly tested, right?
Manuel Lemos: Right.
Ernani Joppert: And having the community support a big project such as Linux and PHP itself and PostgreSQL, they can really, really summarize the potential issues that may arise, and having that community supporting the product really helps.
Manuel Lemos: Yeah, actually I think this is mainly a reflection of the maturity of the development methods used in open source projects; many of them have very good, solid testing frameworks that provide good coverage of the code being evaluated to find eventual bugs, so it doesn't ship with many bugs.
And this is actually very interesting, an interesting conclusion, because just a few weeks ago PHP 5.3.10 had to be released, I would say sort of in a rush, because a security vulnerability was found in the code that was actually being used to implement a workaround for another security vulnerability.
And although this report actually points out that PHP code is very solid in terms of quality, it seems that somehow the code could still have serious security problems.
And I think that one of the things I remember about this vulnerability is that Stefan Esser, the developer of the Suhosin patch and extension, actually commented something interesting in the PHP Internals mailing list regarding security problems, which seems to be the fact, I don't know if this is exactly the case, that despite there being this solid testing framework in PHP, the core PHP developers do not seem to be using many tools to analyze the code and find potential security vulnerabilities.
And it's a bit ironic to reach this conclusion about this study that scanned several projects, open source projects and also commercial projects.
Ernani, what did you think about this conclusion, in contrast with the fact that, as Stefan Esser claims, there is no regular practice of using those tools to find eventual security problems?
Ernani Joppert: Yes, it seems that most of the security issues within PHP are very well addressed. Some of those are held up between releases because of a lack of better understanding of the whole procedure of committing patches, etc.
And it seems that, since the times I used to be more focused on the PHP core itself, it is very hard to be welcomed in that community.
I know that it may be problematic because evaluating somebody's work is hard, especially when it is related to the PHP core itself, but Stefan has produced a very, very nice piece of work; Suhosin addresses lots of security issues itself.
And I haven't been using it, but it makes me curious to implement it and ensure that at least my servers, or the servers that I would deploy into production, would be more secure.
Manuel Lemos: Right. Actually I've been testing Suhosin in my development environment, and from what I can see it really does not affect much the code that you are running; I didn't see any warnings that would lead me to be more cautious about implementing it in production.
So I really plan to implement it in production, which should happen very soon; actually, by the time people are listening to this podcast it may have already been implemented, because I'm just waiting for a new proposal to upgrade the PHP Classes site server to a better server, and it should happen in the next few days, probably next weekend, we'll see.
But, well, anyway, as you pointed out, Stefan Esser is very skilled at finding these vulnerabilities, but what he suggested is that he uses those tools, those commercial tools, actually I forgot their names, but he commented on them in the PHP Internals mailing list.
And basically he says that people are not using those tools; if they used those tools they would probably catch many of those bugs. So I think there is room for improvement, at least to improve further the quality of the development of the PHP core code.
And, well, I don't know if it is something hard, because I think some of the tools that he mentioned seem to be commercial, I'm not sure if that is the case, but, well, there are commercial companies involved in PHP development, obviously Zend is one of them, so I'm sure that money is not an issue regarding using those tools.
And although, after you put it that way, it seems obvious that they should be using those tools, maybe it was just a lack of practice in using those tools that could justify the fact that they were not using them in the past, but I think it would be wise, not just for PHP core development but for any other open source project. I think those tools he mentioned are for auditing C and C++ code, which is the case of PHP.
Anyway, moving on with our podcast, we are going to just comment a bit briefly on something that is not exactly about PHP but is somewhat related and concerns most PHP developers, which is the fact that Apache 2.4 was finally released after five or six years without a major release.
Ernani Joppert: Oh, yes, there was a major release and it has lots of benefits. But before moving to that topic, I just wanted to still talk about those Suhosin parts. And the other thing that I saw that is quite difficult is when you have Suhosin implemented within your servers and you have a problem; there were some issues in addressing any problems regarding that specific installation.
And I hope, and this is my personal request here, that the community joins forces and tries to assist whenever they can, and if Suhosin, or some of the Suhosin implementation, can be promoted into PHP itself it would be really, really better.
Manuel Lemos: Yeah. Well, according to Stefan Esser that always happens, and that seemed to be one complaint he had: when he presents problems there is a frequent refusal to admit that the problems exist, I mean refusal from the core developers involved in the PHP security team, who, from what I understood, are gathered in a closed mailing list; we don't even know who they are.
I think, from what I remember, I saw Pierre Joye mention that he was one of the persons involved.
Ernani Joppert: Hopefully they are not Anonymous, right.
Manuel Lemos: That would be an interesting irony, right.
Ernani Joppert: Oh, yeah. But it would make sense.
Manuel Lemos: I'm sure there are people from Zend involved, and probably Rasmus himself, because they are key people in PHP development, but probably also the release managers, and, well, in the case of PHP 5.4 that would be Stas Malyshev and David Soria Parra.
And, well, actually it doesn't really matter who those people are; what matters is that there is that closed team, and I remember that Stefan Esser was part of that team many years ago and he excluded himself from that team. I'm not sure what the problem was, I think it was about disagreements on how to handle all these security problems, what should and should not be addressed, because there are some complaints that Suhosin will slow down PHP by like 10%; well, I think if it's just 10% it's not a big deal.
Anyway, regarding your comment that they should all gather forces, from what Stefan Esser mentioned that will never happen, because there will always be disagreements, and Suhosin itself is the proof that those disagreements exist. So he says that there will always be reasons for Suhosin to exist, which is basically an extension that mitigates problems, and as long as he's the only person that controls its development, it does not depend on agreeing with the others to have that extension developed precisely to mitigate those security problems.
Well, it's a shame; unfortunately, as you hoped, it is not going to happen, and I'm afraid we'll see more of these episodes of security problems not being addressed until somebody from outside raises them, which was the case of the guys that raised that security problem of request parameters being sent in very large quantities to flood PHP and make it very slow, which was one of the problems that Suhosin addressed many years ago.
And, well, if you hope for a more secure PHP installation, whether or not you like the idea, I'm afraid that Suhosin is the way to go.
What is new in Apache 2.4 (14:37)
Manuel Lemos: And, well, now back to the actual topic that I was starting, which was about the just released version of Apache 2.4. Ernani, what do you think were the most important features worth commenting on, in the interest of the PHP developers that may be considering an eventual upgrade of their Apache server version?
Ernani Joppert: Yes, I guess the major one, since we've been discussing this, is the Event MPM, which is no longer experimental but is now fully supported as a core enhancement. They have some new modules; the one I like is mod_proxy_fastcgi, which is the FastCGI protocol backend for mod_proxy.
Manuel Lemos: I mean they have it now built-in, right?
Ernani Joppert: Yes, they are new modules and they are built-in within the server itself.
Manuel Lemos: So it's not exactly a new feature, just integration.
Ernani Joppert: Yeah, yeah. And as far as I can understand this was a previous module, but it is now integrated with Apache itself.
And other than those, they reduced memory usage, which makes sense to my understanding, but it's always good to see that people are working on this effort.
Manuel Lemos: Right.
Ernani Joppert: And there are some other competitors which we know about, Nginx is one of those, and Node.js as well on some portion, but it's nice to see that Apache is keeping up with their work, and this is my overview of it.
Manuel Lemos: Right. It seems there were not many new features for such a long development period of five or six years, but anyway, those new features are quite welcome.
And, well, I would just like to make a couple of comments on something you mentioned regarding other competitors, web servers that are eventually getting more attention, precisely your comment on Nginx. And basically, I don't know if you are aware, but Nginx is now the second most used web server after Apache, which is the great leader.
Ernani Joppert: Right.
Manuel Lemos: And the interesting thing about that is that being second means it has surpassed the share of Microsoft IIS. And I think this means a lot, because in the past the competition used to be Apache versus Microsoft IIS, and over time Microsoft is losing ground in many web related areas, not just in web servers, as we are seeing, but also in browsers; Microsoft Internet Explorer is losing ground all the time.
Well, among developers its share is quite small; in the case of PHP developers, just looking at statistics of the users that access the PHP Classes site, it is now less than 10%, which is a very small fraction.
I'm sure other users in general use Internet Explorer much more because it's still the default browser in Windows, and Windows is still the leading platform on the desktop. But this is just to say that Microsoft is losing share in many web related areas, and I'm sure that many developers that for some reason do not sympathize with Microsoft are quite happy with that.
But I think a healthy competition environment would mean that all the companies or open source projects would be active on developing their products, so the competition benefits the whole market because each company or project is trying to get their products even better, and in the end everybody would benefit.
And the other comment that I wanted to make is related both to Node.js, as you commented, and also to the new processing mode that is being introduced as officially supported, which is the Event MPM, an alternative to the prefork MPM, which is what most PHP developers use when they run their websites.
Basically, prefork consists of having each PHP request handled by a separate process, and there is also the worker processing mode, which is basically multi-threading, but usually this is not recommended because not all PHP extensions are thread safe.
And now this event processing mode I'm not sure if it will ever be supported by PHP because from what I understood it's quite complicated, and this was somewhat related with the way Node.js works.
This means that there is a single process handling all the requests, and every request that comes in is handled asynchronously, so every time a request is handling an asynchronous operation another request can be handled, and this makes a much better use of memory, and makes Node.js more suitable for things that require very many simultaneous requests without exhausting machine memory.
And now with Apache event, in theory it would be able to also work that way, but PHP would have to be adapted to work together with this new mode. I don't know if and when it will happen. From my first impressions it seems it will take a few years to happen.
Anyway, one thing that I saw being commented on in the PHP Internals list is that if you want to use Apache 2.4, even in prefork mode, it is still not quite ready, because some things were changed in Apache and there are a few problems to solve to make PHP compile.
So we have to wait and see. Probably we have to wait for PHP 5.4.1, because PHP 5.4.0 is probably being released very soon. Actually its release was postponed again, I guess because of that security problem.
And those that were willing to try Apache 2.4 have to wait for those problems of building PHP to be fixed. So, Ernani, were you considering trying Apache 2.4 now, or are you not in such a hurry?
Ernani Joppert: No, I'm not in a hurry. Lately I've been investigating other technologies as well, and Apache is somewhat of a done deal for me. I know how it works. The version that I have here, which is 2.3-something, works very nicely. And so far I haven't had any issues and it does the job very well.
Manuel Lemos: Well, actually the odd versions are unstable or not recommended. Anyway, I use Apache 2.2 and I'm also not in a hurry, because in spite of the advantages of Apache 2.4 being interesting, tempting, I think I would need to give it some serious testing before I decide to move on.
Well, that is all about Apache that we have to say, so we are going to move on with the next section of this podcast.
Enhancements done on the Friends of the Site initiative (24:08)
Manuel Lemos: Actually I would just like to comment on an initiative that is sort of a relaunch of an initiative that was launched originally in 2002, which is the Friends of the Site initiative.
Basically this is an initiative to encourage current users of the PHP Classes site to bring more friends to the site. The idea is that if you know somebody that could benefit from the resources available on the site, you could recommend them to come to the site.
And then for every user that registers on the site because you led that user to it, you will be credited, and there is a ranking that shows the top users that brought more users to the site.
And this initiative, as I said, is not new; it has existed since 2002, and since then over 25,000 users were brought to the site thanks to those friends. The current top friends list has practically 400 users; this means that those 400 friends of the site brought those 25,000 users, and this certainly helped the site to grow, because some of those users actually became contributors to the site and shared interesting components.
So what's new in this initiative is that now the site is making it easier for you to refer the site to other users and eventually be credited for any new users that you register on the site, because if you look at the navigation bar of practically all pages, there are some buttons for you to refer your friends on social networks like Facebook, Google+, Twitter and others.
And what's exactly new is that the URLs that are passed to those social networks contain some special parameters that help identifying you when you share those pages that you find interesting in the site.
When you share those pages in the social networks, those parameters that are passed in the URLs that are shared identify you, and you are credited for referring your friends to the site.
That is one of the new things. Now if you want to participate in this initiative and be credited, get some recognition for being a friend of the site, you have these buttons which are now adapted to refer, to identify you as a referrer.
And the other thing that is new is that apart from a top page that shows the top friends of the site, there are a couple of new pages that show different tops. One of them shows the top friends of the site that actually led authors, led users that became authors and contribute to the site, and there is one top page for that.
And there is another top page which is slightly different, instead of accounting the number of authors that each friend sent, it accounts the number of packages that those authors submitted to the site.
And it's interesting because it lets everybody that wants to be a friend of the site and participate in this referral initiative actually see how far they have gone and how successful their efforts have been at helping the site. Ernani, have you seen these top lists of friends of the site?
Ernani Joppert: Yes, I've seen it so far and this really motivates contribution, and it is nice, it is very nice to see these implementations coming up. And one point that you mentioned here, there are three main tabs here on the friends page, and there is one here which is the top friends led by authors or author packages; those are more concise statistics which can help you measure your true reach on social networks such as Google+, Facebook, Twitter, etc.
So if I like a package and I immediately put it on my Google+ or my Facebook or my Twitter, it would help other users to come to the site and I will be credited for it, so it's very nice to see this happening.
Manuel Lemos: Actually I didn't notice, are you one of those 400 authors, I mean friends, that sent any new registered users to the site?
Ernani Joppert: No, no, I am not, but I will try to, and this really motivates me to go forward and keep this going.
Manuel Lemos: Maybe you were not aware of this; this was released in 2002, and since then we have not advertised much about this interesting feature.
Well, the idea is more than just helping the site, it's also to show some fun statistics. I hope people have fun and also try to be helpful, not just by sharing interesting pages on social networks; it can also be done on foreign sites, telling other people, for instance when they ask for a solution to a problem for which there is a class or some other resource on the site, that there is this facility to point users to.
Ernani Joppert: I wasn't aware and I don't have a blog so it wouldn't be fair to compare my reach with others, but I really like it and it truly will help other members of the site to promote their work, and at least help PHP Classes and get something back in this process, so it is nice to see it going forward like that.
Manuel Lemos: And I hope also these rankings, these top charts, also motivate people to see how they are doing and they keep getting better in referring friends to the site, because after all this is a community site, and the more people you bring in the more people can share their work and will also benefit from the eventual work that those people share.
So, other than those buttons that have the special parameters, there is also a way, which has existed since the beginning of this initiative in 2002, to refer friends to the site, which just consists in making a small alteration to the URL of the page that you are referring.
For instance, if the URL is www.phpclasses.org and something else after it, you just replace the www part with your access name, followed by a dot, then the name users, and then a dot. For instance, if your account is, your access name is joppert, I think it's yours, right, Ernani?
Ernani Joppert: Yes, yes.
Manuel Lemos: You just pass a URL which would be joppert.users.phpclasses.org, and this is a very easy way to refer pages to other people that you want to see them, and if anybody asks why there is that prefix in the URL, joppert.users.phpclasses.org, feel free to let other people know that it is part of the Friends of the Site initiative, and that you want to know how successful you are being at leading more people to the site.
And, anyway, this is just an interesting initiative; there will be other enhancements regarding this, but I have not finished them. Anyway, we are recording the podcast a few days before there will be an announcement article on the blog of the site, which I will also mention in the podcast article, and you will have more details about what the initiative is and why you would participate in it.
So, Ernani, would you like to start? Which of the latest JS Classes components would you like to mention?
Ernani Joppert: Yes, I have found two which are very interesting, I'll go in my priority order here, my order of preference, so the first one is RoboTamer Backup, it's from a user from the United States.
Manuel Lemos: No, wait, you are talking about the PHP ones.
Ernani Joppert: Oh, yeah, so the JS Classes, right?
Manuel Lemos: Right, we'll get back to that.
Ernani Joppert: So, yes, I found two on the JS Classes site as well. The first one is File Drop; it's from a friend from the Russian Federation, his name is Pavel, but I don't have his surname, hopefully he can update it later on.
Manuel Lemos: Probably it is very hard to spell.
Manuel Lemos: Right, and since there are some differences between browsers, this object provides an abstraction, so you can have a solution that works in all browsers that somehow support drag and drop of files for uploading.
Ernani Joppert: One of the things the user mentions is that it uses the File API if the browser supports it, or uses iframes otherwise.
Manuel Lemos: Right. And other than that, it is also interesting that it provides means to listen to several types of events relating to the whole drag and drop and upload operations. So you can listen for when a drag is started and dropped, actually I'm not sure if drag is supported but I think it's the case, and when somebody drops the file on a certain target element, as well as when the actual upload started and how far the upload has gone.
I think this requires the File API, as you mentioned, to know how far the upload has gone, because this uses AJAX requests if possible to send file uploads, because at least in the past it was not possible to do file uploads with AJAX requests. You would have to use iframes, as was mentioned, because you couldn't just configure... you don't have access to the actual content of the file when you do the upload, otherwise it would be a security problem.
Ernani Joppert: Yes, I like the HTML 5 Canvas Puzzle. It's a class that implements a game of shuffling an image in parts on a canvas. So it takes an image and splits it into multiple pieces, and then you can play a tile-based game. It's very nice to see these kinds of implementations. And the user is a Spanish user, his name is Daniel Martinez; congratulations, it's really nice to see this here.
Manuel Lemos: Actually it is interesting because Daniel has been sending several interesting objects. And for that he is actually ranked higher; he's currently number two in the top authors that have had more users downloading their packages.
And he previously sent a class that makes it easier to create games and updating the frames of games with different graphics representing the game objects.
And, if not based on the other class, this puzzle game seems to be using the same principles of rendering graphics on canvas; in this case it would be a puzzle made of images that can be tiled, and the number of tiles in the game varies depending on the difficulty level.
And apart from the game itself, I think what is more interesting is the fact that looking at Daniel's code you can learn how to do things which in the end are very simple, in this case manipulating graphics on canvas, but for those that want to learn this seems to be yet another great example of code that can be useful for anybody that wants to learn.
Ernani Joppert: Oh, yes, I've seen it.
And it gives a good feeling of page loading speed, which is great and very, very nice for anybody that is interested in knowing how to implement those things. So kudos to Hensel, and I hope he can keep sending more interesting components like this.
Other than that, another component that I would like to comment on from our top contributor, Arturs Sosins. Every month we have always nice components to comment about from him.
And there are several of them this month, but unfortunately we don't have time to comment on all of them, so we'll just comment on this one, which is actually one of the coolest components he has sent so far: it is basically a visual effect that imitates a lightning bolt being rendered on top of any image or any page element, using canvas objects to render that lightning effect.
It's actually very cool because he managed to emulate the glow effect of a lightning bolt, as well as the randomness of the directions that the lightning bolt follows until it reaches the ground.
And it's very interesting because you can put it on a specific element, and it can also animate the lightning bolt, like you see in one of the examples, where you can drag the mouse pointer around the page and the end of the lightning bolt follows the mouse pointer. It gives a nice effect, it seems that he's electrocuting somebody with this effect, and kudos again to Arturs for sending yet another nice component.
PHP Programming Innovation Award winners of December 2011 (43:17)
Manuel Lemos: Now we are going to move on to our final section of the podcast, which is to comment on the latest components that were nominated for the Innovation Award. Actually they were nominated in December, so they were voted on during January, and this month, February, the final results were announced.
And this month we had six nominees, they were all great classes, we don't have exactly enough time to comment on all of them, but we are going to comment on a few. Ernani, from those that you have seen what seemed to be the most interesting ones?
Ernani Joppert: Oh, yes, I guess I've already started it before, but I will go in order of preference here. RoboTamer Backup is something that seems to be very useful, not from the standpoint of PHP itself but for day-to-day activities, and since PHP can be scheduled in a crontab, a user can benefit from their PHP knowledge; it can help back up files using rsync.
It reads from a .INI configuration file the entries that define at least the source and destinations, and it then executes the rsync program to synchronize files between the source and destination, as usual rsync processes do.
And you can exclude lists of files and define them as separate exclude files, since rsync supports that, but it also logs some information, and a separate PHP file is created with the values of the current backup session, so it can be read the next time the backup process is executed.
And this is somewhat helpful for solutions like WordPress, etc.; they can benefit from it when doing some crazy backup situations, or between versions, or major version changes, so I see this as a very useful package.
Manuel Lemos: Actually this class from Dennis Kaplan from the United States uses rsync, as you mentioned, but for those that may not be familiar with this program, rsync is basically a program external to PHP; PHP just calls that program, and the class helps in passing the necessary parameters to configure rsync.
And what rsync does is to synchronize files from one directory to another, the source and destination directories can be in a remote machine, it could be using SSH protocol to make the transfer secure so nobody can tap into your connection and see what you are transferring.
This minimizes the amount of data that is transferred if it is just updating some files in the destination. Well, other than that, rsync tries to be as efficient as possible, because when it's transferring files between source and destination directories it just transfers the data that has changed.
So it can compare files not just in size and timestamps but also the contents, so if a file has been changed just partially, it transfers only the portions of the file that have changed. So this is good for incremental backups, and that is why using rsync is great, it is good to also use a class like this that helps to configure the use of rsync directly from PHP.
Other than that, any other class that you would like to mention, Ernani?
Ernani Joppert: Oh, yes. The second one is the PayPal Invoice API, it's from Mubashir Ali, he's from Pakistan, and basically it creates and manages invoices using the PayPal invoicing API, and I guess it explains itself: it can send HTTP requests to the PayPal invoicing API server and performs several operations to create and manage sales invoices.
Manuel Lemos: It's basically just a use of an existing API, but it's actually very useful, and there were no components before that could be used to generate invoices. Despite this still being an external service, it's great that you can do it directly from PHP to generate invoices, and many people that are involved in businesses need to issue invoices to their customers, and I'm sure this class will be very useful to anybody that is interested in using it.
And on my part I also would like to comment on a couple of classes. One of them is precisely the class that was number one, Web Socket Service by Nathan Bruer from the United States. And this is at least from what I know the first implementation of Web Sockets protocol purely written in PHP, I mean on the server side of course.
And for those not familiar with Web Sockets, this is basically a recent standard that was meant to define a means for browsers to communicate with servers interactively, so there will be sort of a channel to communicate from the browser to the server and from the server to the browser, and all this on top of HTTP requests.
And what this class does it's actually far out because not only does it take care of handling the connections to the server, this is basically a component that will listen to a socket and handles the request all in PHP, so you don't need a web server to use this.
And also it uses child processes to handle each of the connections, so it will be able to handle simultaneous connections of different Web Sockets eventually from different users.
Ernani Joppert: That's really, really nice.
Manuel Lemos: Right. So if you want to implement for instance a chat service, you could use something like this. The only drawback is the fact that Web Sockets standards are still recent, so unfortunately it's not supported yet by all browsers being used, and by most of the users on the Web, but for those that are already using them I think at least Chrome and Firefox, if I am not mistaken, already support it, I'm not sure about the others.
Anyway, this is something that it's the future for interactive communications between browsers and servers.
Ernani Joppert: Oh, yeah.
Manuel Lemos: Using Web Sockets you don't have to rely on hacks to implement interactive communications, and the web applications can be even faster than they are today. So, kudos to Nathan for this great component that implements Web Sockets, at least on server side in PHP.
And other than that, the other component that I would like to comment about is one named Arroba by Evaldo Barbosa from Brazil. And this is actually a very interesting class that seems to address something that has been asked many, many times by different developers to the core developers.
But actually we had Guilherme Blanco here in the past commenting about his proposal to implement annotations in PHP, and it seems that the proposal ended up being refused, and so there is no native support in PHP to implement annotations.
But this did not stop Evaldo from implementing a way, an alternative way, to implement annotations, which is basically on top of comments that are put on classes. For those not familiar with the purpose of annotations, Ernani, I think this comes mainly from the Java world, and you are more familiar with the Java world, can you give a brief explanation of what annotations can be good for?
Ernani Joppert: Oh, yes, the Java world probably introduced this, I'm not sure if other legacy languages used to do so, but annotations can be used for several kinds of tasks, most of them are dependency injection which you can annotate something to be injected into a class loading mechanism such as Spring framework does into Java.
Manuel Lemos: Right, but for PHP developers that are not familiar with the Java world, what would be some interesting use cases that you'd find?
Ernani Joppert: I have never used any, any other frameworks in PHP that I can tell about, but I'm sure that Doctrine would use it in its implementations since it's very well object oriented.
Manuel Lemos: Right, I mean what would be the purpose of using annotations.
Ernani Joppert: Yes, for dependency injection, it's a design pattern, so if anybody's interested...
Manuel Lemos: And for those that are not familiar with dependency injection, what could be some simple examples that they could find useful to use annotations?
Ernani Joppert: Yes, I was going to tell about it right away. The point is Unit testing, you can use annotations to process some specific parameters, similar-alike on the server side, let's put it this way.
You can implement specific behaviors of classes so it will behave differently based off of annotations, and other than that it's hard to explain, it's just a concept and I just know the theory, I don't know the... I just know the practical use, I don't know the theory.
Manuel Lemos: Right. I think another purpose that you did not comment on is, for instance, object relational mapping, on which you need to tell any framework that generates code which variables of the object map to which tables and fields in the database.
Ernani Joppert: Yes, this was first implemented using XDoclet which was a legacy technology that you could use XML to annotate your code, and later on the Java annotations improved this with the annotations for Hibernate, which was the most famous ORM tool, then later on Doctrine has its own implementation in PHP could use annotations to declare specifics of mapping let's say a database table or an entity as they would call, and Java performance API does that as well.
Manuel Lemos: So in this case this implementation by Evaldo, which basically allows to extract annotation parameters from comments, it's all done in pure PHP. Do you think there is a disadvantage when compared to Guilherme Blanco's proposal to do it natively?
Ernani Joppert: Yes, I am sure that everything native would perform better, but it's just the adoption, I mean if you need to do it within your code it's nice to see somebody creating a component that can be benefited from without having the need to be native.
And since most annotation tasks are done just to help you generate code or somehow to help your reflection classes to perform better it's hard to tell, but having this as an external implementation is very helpful.
Manuel Lemos: Right, but usually annotations are not used at runtime, right, just at code generation time.
Ernani Joppert: No, yeah, sometimes it is through reflection, and sometimes it's just for tooling and for scanning the code and ensuring that you're reading the proper annotations.
Manuel Lemos: But what would be the case they would be using at run time, I mean when you have a site in production would you use annotations to do anything useful?
Ernani Joppert: Yes, when you are using dependency injection you probably would have a class loading mechanism which would then scan for your classes, and probably then investigate the annotations within that class in order to behave as it should through the annotation directives.
Manuel Lemos: Okay, anyway, well for those that were looking forward to having an implementation of annotations they can use Evaldo Barbosa's implementation. Since it is done in pure PHP it doesn't require one of the latest versions, it can work on older versions, but, well, for those that are interested in this they can look further into this class.
Conclusion (58:14)
Manuel Lemos: And this basically concludes our podcast, it was yet another great podcast, I would like to thank you again Ernani for coming.
Ernani Joppert: Yes, I'm very welcome to be here and glad to participate.
Manuel Lemos: Well, I'm glad too because your insights are always useful, especially your experience in the Java world, and whatever PHP has been adopting from that world.
And I think for me that's all for now.
Ernani Joppert: Thank you, bye, bye.
1. PHP Really That Unsecure? Nah! (2012-03-14 00:03)
Every programming or scripting language has its vulnerabilities as do many things, including appliances...