The Security of Future PHP Versions - Lately in PHP podcast episode 45 - PHP Classes blog


Author: Manuel Lemos

Categories: PHP Security, Lately in PHP Podcast, PHP opinions

As the plans for the upcoming PHP 5.6 and PHP 6 versions are being finalized, some of the proposals are about improving the security of these future PHP versions.

That has been one of the main topics discussed by Manuel Lemos and César Rodas in episode 45 of the Lately in PHP podcast.

They also talked about several other types of proposals and ideas for PHP 6, as well as a tutorial on How to Use a Webcam to take Pictures in PHP Application.

Now listen to the podcast, or watch the hangout video or read the transcript text to learn more about these interesting PHP topics that were discussed.

Contents

Introduction (0:20)

PHP Releases 5.4.25, 5.5.9 and Imagecrop Security Bug (1:38)

PHP Releases 5.6 alpha 2 and beta 1 (6:21)

Deprecated PHP User Functions (10:35)

Proposal: Configurable Length Uniq Identifiers with uniqid (14:52)

Proposal: Escaping / for HTML (21:24)

Declare Minimum PHP Version and Modules (25:24)

Proposal: No <?PHP tags in source (27:30)

Proposal: Combined Comparison Operator (29:59)

Type Hinting for Array elements with ArrayOf (34:27)

Ideas for PHP 6 (39:48)

How to Use a Webcam to take Pictures in PHP Application (50:13)

JavaScript Innovation Award Winners of December 2013 (58:12)

PHP Innovation Award Winners of December 2013 (1:04:22)

Conclusion (1:14:06)



Download Size: 59MB Listeners: 1924

Introduction music Harbour used with explicit permission from the author Danilo Ercole, from Curitiba, Brazil

View Podcast in iTunes

RSS 2.0 feed compliant with iTunes:

http://www.phpclasses.org/blog/category/podcast/post/latest.rss

In iTunes, use the Subscribe to Podcast... item of the Advanced menu, and then enter the URL above to subscribe to this podcast.

Watch the podcast video

Note that the timestamps below in the transcript may not match the same positions in the video because they were based on the audio timestamps and the audio was compacted to truncate silence periods.

See the Lately in PHP podcast play list on YouTube and Subscribe to this channel there.

Show notes

Introduction (0:20)

[Music]

Manuel Lemos: Hello, welcome to the, finally, Lately in PHP Episode 45. This is a podcast in form of Hangout that we record every month. At least we try after we struggle with Google Hangout. Every month is another struggle.

Again, this time, I have here with me Cesar Rodas. Hello, Cesar. How are you doing?

Cesar Rodas: Hello, Manuel. How are you doing? I'm doing just fine.

Manuel Lemos: Where are you now? Are you in New Zealand or Paraguay?

Cesar Rodas: No, I am in my country in Paraguay. I work from my place. And I'm outside in the garden because here, it is summer, so I am outside.

Manuel Lemos: Yeah, that's good to know you're still enjoying the weather over there. Here, it's still hot but it has been more pleasant.

PHP Releases 5.4.25, 5.5.9 and Imagecrop Security Bug (1:38)

Manuel Lemos: Well, here, we are going to talk about many interesting topics about PHP. And this time, let me... I think my video disappeared. I don't know if it's going to appear anytime.

Anyway, I am going to talk about several topics. I'm going to start with a few here about PHP. And as usual, we'll start about the latest PHP releases that had been done like...

Well, I'm trying to share the screen but for some reason I think it's... Can you see it now?

Cesar Rodas: Yes, I can see it now.

Manuel Lemos: Well, here we have the latest PHP releases. Specifically, there was a PHP 5.5.9 revision on February 6th along with 5.4.25, basically very similar list of bug fixes.

Let me go here and let's start in the right spot. Actually, there's already a newer version but we'll talk about that later next month.

From these bug fixes, the only difference that I noticed is regarding a security bug that affected only PHP 5.5. Let me see if I can find more detail about it. Here it is, this is the bug report that happened already in December and it is about the imagecrop() function which I think it was introduced in PHP 5.5.

And there was a security bug reported. And only in February, a similar fix was released. And this didn't affect previous PHP versions, 5.4 or 5.3, because this function did not exist then.

Well, to tell you the truth, I have not tried this function before precisely because I don't use yet PHP 5.5. I don't know about you, are you using PHP 5.5, Cesar?

Cesar Rodas: Yes, I am using PHP on production on a couple of servers that I own, 5.4. In my development machine, I have 5.5 just because it makes my life easier. I can just use the PHP built-in server and it works everywhere. So for my development machine, it is very, very handy.

And yeah, but I've never used that image function though, so I don't know. And I'm not using any external library that relies on that library, on that function call. I'm trying to think but it seems so, yeah.

Manuel Lemos: I think this is probably to replace the usual command that you use when you want to crop some image and just try to then call a single function, that's it, and the bug that was reported just affected that function. So, it has a security bug. Probably didn't affect many PHP developers that had been using it, I don't know.

Cesar Rodas: I don't know either. I tried to follow the bug report. And it looks like a very complex thing. I don't even know how to exploit that. But I'm glad that they fixed it.

PHP Releases 5.6 alpha 2 and beta 1 (6:21)

Manuel Lemos: And also talking about newer versions, there is another... Actually, this is the second one, I haven't mentioned PHP 5.6 alpha versions. This is already the second alpha version that has been out for testing. I haven't tried it either.

But well, whoever is interested in testing the new features, there is already a package for download, either from source, from this URL. Let me try to probably increase the font... http://downloads.php.net/tyrael/. I don't know, it's probably the name on account of the release Manager.

And there is also another program update built for Windows. Well, I haven't tried this. What about you, Cesar? Have you used this?

Cesar Rodas: I haven't tried it yet. But I might give it a try. But I don't know.

Manuel Lemos: You are not very...?

Cesar Rodas: Yeah, I don't see many reasons why to switch. But I will eventually switch when this gets stable.

Manuel Lemos: Right. I think as PHP matures, there is not much great motivation for the developers to actually start poking on new versions.

Sometimes, the new versions implement features that we probably had been doing without and they have already newer ways to achieve those features with the previous versions. It's not something that you get so excited to try. But OK, whoever is interested in this should try to go in these pages and try.

Cesar Rodas: I think, personally, that there is more excitement like from bigger version switch like 5.3 to 5.4 and see how the program, how the same exact code runs faster or use less CPU or less memory.

The same happened with 5.5. So, I should wait to see what are the things they have and definitely just... What I usually do is I don't load, I compile them and I run the test suite. I haven't done that lately but I should keep doing that because that is my tiny contribution to the PHP community.

Manuel Lemos: Right. And talking about PHP 5.6, the first beta is expected to go out soon. There is this announcement from Ferenc Kovacs just near the end of the month in which he announced that it will be available soon. People should also get ready to do whatever they planned to improve, prepare for any features that need to be finalized for this upcoming release.

Deprecated PHP User Functions (10:35)

Manuel Lemos: Well, this was just one topic. So moving on with the next topic, which is more related with the upcoming features or at least proposals for features.

And one of those features is precisely about a new eventual modifier that is being proposed that is to be called deprecated. Actually, the proposal is not exactly new but it is one under discussion.

And basically, it's to have a modifier function, so they are considered deprecated. It's probably meant, for instance, library or framework developers to mark some functions that are not meant to be used in newer versions so they can issue some warnings.

Well, this may be interesting as a purpose, but I don't think we really need a new modifier in the PHP language to issue a warning. It probably could trigger an error of type user_deprecated without actually having this a modifier.

I don't know. What do you think, Cesar?

Cesar Rodas: I personally believe that language extensions, they should be used only in case where you have a problem that you cannot do it from the user land or if you cannot do as efficiently from the user land.

This particular case, I think that it will add more problems than what it tries to actually solve. Because I can do that right now. I can throw one exception if one function is deprecated and they shouldn't be using. Or I can create a trigger error to something that will be removed eventually soon.

I believe that those approaches should be used. And adding or modifying the whole language just to add this, what happens if I... That will force me to upgrade to a certain version just to have this tiny feature.

Say, I want to use a library that you published and say that has that modifier which is deprecated. So if I run that right now, that will just fail because that token does not exist. So that would create like fatal errors for older PHP versions. So it is not backward compatible and that is something important.

Manuel Lemos: But it will be much simpler if you just put a call to trigger error.

Cesar Rodas: Exactly.

Manuel Lemos: Or an error log entry to be so little to even trigger errors. But in this case, it is meant to trigger a user-deprecated error. So, it would be simpler than trying to push a new feature that in reality doesn't add anything that was not already possible to implement without any penalty in current PHP versions. Well, that is what I think.

Proposal: Configurable Length Uniq Identifiers with uniqid (14:52)

Manuel Lemos: And talking about feature proposals, there are actually plenty of feature proposals last month, in February, that came precisely from one person which is Yasuo Ohgaki. His name sounds Japanese.

And Yasuo has been very, very active sending several proposals, many of them were specifically related with security. And this interesting because while PHP may not have any significant features in terms of the language in newer versions, it can evolve in becoming a more secure language.

And in the case of this proposal, what he's suggesting that uniqid() function which is a function that is typically used to generate a identifier that you don't want to clash with others being used in the same context.

His proposal to have an additional parameter that would determine the length of the unique identifier which is returned. And this may be interesting because in cases you want a unique identifier, you would need it to be of specific length, at least a minimum length that is sufficient for certain purposes.

I do not recall any specific example but sometimes you need very long unique identifiers. And this seems to be related with security matters, as in certain cases, to be a secure solution, it cannot have identifiers colliding.

The idea seems to be interesting but probably many of the PHP developers will not realize its importance in terms of security. Cesar, have you looked into this proposal? What do you think about it?

Cesar Rodas: I think that... I'm not a security expert but the way that you generate a... I was reading the uniqid() if you call it, that it returns a shorter, I don't know what to call it, but I think 9 bytes or so, random things. And if you pass the prompt to TRUE, it sends you something longer but it takes more time.

That is why he is proposing this function and he specifically says that he wants to use this on devices, on proper operating systems or the Open SSL for a Windows, which that function is available already in PHP.

If you really want to have like cryptographically safe random bytes, but nobody uses it. So I think this is important specifically to generate those tokens to avoid the... There was an attack, I don't know what its name was, that to prevent it you put random bytes into your form so you make sure that the current user sent it and not somebody else on his behalf. I don't remember that attack.

Manuel Lemos: I'm not sure either. Is it the one related with the request parameters?

Cesar Rodas: No, no, no. I mean that many people use the uniqid() to generate a CSRF token which is to send form.

Manuel Lemos: Oh, I see.

Cesar Rodas: I forgot that name. I think it's CSRF, I am not sure.

Manuel Lemos: Yes. Cross Site Request Forgery.

Cesar Rodas: Yeah, exactly.

Manuel Lemos: But to be honest, it's sometimes hard to actually have in mind all possible scenarios of attack. And I think this happens to most... I will not say all... but to most PHP developers because they are not that experienced with security matters and sometimes they do not realize what happens if you use certain functions the other way.

Well, it's almost impossible to imagine certain attacks that most developers are not aware and they get surprised that their sites are being, so on.

So, I think that this proposal has its value although probably not many PHP developers will recommend it upfront. But it's good that they have come up with this proposal, because it's always the PHP reputation that is at stake when you... Because those that prefer other languages, it's easy for them, Oh, PHP is not secure. Probably it's not the problem of the language, it's more of the practices of the developers.

Proposal: Escaping / for HTML (21:24)

Manuel Lemos: Well, talking about security proposal. There is another also from Yasuo Ohgaki. Let me share the screen here. And this one is for a different purpose. For me, it has been, if I'm not mistaken, it has been voted already and it has been rejected right?

Cesar Rodas: Right.

Manuel Lemos: Like four to ten votes. And basically what it proposes is that those functions that are usually used to escape text to be present in HTML pages, like htmlspecialchars() and htmlentities(), that they also escape the slash character. And the example here shows... Let me try to increase the font here. It shows a situation on which it would be interesting to escape because the slash character is also used as the start comment and end comment for JavaScript code.

And well, this example is probably very unlikely that somebody will do some brute force. Maybe not brute force, maybe very simple type of parsing HTML to extract attributes like here. And it supposed that if the slashes are not escaped, it would assume this here would be a comment and it will go out in here ignoring that there is a close tag and open tag here, and some evil code could be parsed, could be taken...

And well, I have never seen a situation like this but almost never sometimes means that sometimes there is a vulnerability if we do not take care that things may happen.

Well, anyway, this proposal was rejected. I did not follow the discussions so I don't know why it was rejected. But only a few people proposed it. I do not see also what would be the disadvantages of this proposal, but well, OK.

This is mostly an estimation that there is yet another proposal for a security improvement. OK, there is a threaded discussion here. So I don't know if you want to add anything else regarding this proposal, Cesar.

Cesar Rodas: No. I ...

Manuel Lemos: Did you mute yourself?

Cesar Rodas: I'm sorry. I was saying that I don't know why it was rejected but I don't see that this is a potential threat. Like, your browser, it needs to be broken, first; and second, you will need two statements in the same line so they can be treated as a JavaScript line. So it seems likely.

Manuel Lemos: Right. Well, I don't know about the justification for it. And against it did not seem very solid. At the same time, I agree with you. Probably, this feature is not that important.

Declare Minimum PHP Version and Modules (25:24)

Manuel Lemos: So, we are going to move on with yet another proposal here. And this time, again, by Yasuo Ohgaki. I'm not sure if you can call... I don't think this is related to security which should be to have a new parameter for declaring statement here on which you declare that you require certain version of PHP code to execute this PHP script.

Well, I don't know if this would be really necessary. I think it's one of those cases on which you could do, put some code, test the PHP version. Probably a little more complicated but it's still would be possible to do in the current PHP version. Well, that's my take.

What do you think? Do you see this proposal adding anything new to PHP or maybe not?

Cesar Rodas: I think it's not. Like, again, why change the language to do something that it already can do in this source code? And I follow that discussion in particular and what people say is that if you are so worried about that, you should use Composer or something similar.

So, you should check that before installing something, which makes sense. I guess that if you are worried about it, you can always add an 'if' version something and if something goes wrong you may throw one exception.

Manuel Lemos: Right. So I guess that's another closed case.

Proposal: No <?PHP tags in source (27:30)

Manuel Lemos: Now, moving on the next proposal, again, by Yasuo Ohgaki but along with Moriyoshi Koizumi. I hope I'm not spelling their names so wrong.

[Laughter]

Manuel Lemos: Anyway, this proposal here is optional PHP tags by php.ini. Actually, I think I've read this proposal, but I thought it would be something different. Well, I don't know.

Cesar Rodas: Basically, what they want to say is that they want the PHP tag at the beginning of your script. They say that if you don't write Web applications, that if you have an application that is not going to be mixed with HTML, that there is no means for having so. That might be right but, again, breaking backwards compatibility and gaining nothing in return. I guess that's not going to be accepted.

Manuel Lemos: Yeah. That's one pattern that I'm noticing. As PHP becomes more mature, there are less and less feature that are really necessary to the newer versions. And it seems that people's imagination for new features is going too far ahead. Well, I don't know but...

Cesar Rodas: Yeah. The cool thing about some proposals is that they already have some working code and they attach a patch. So if you want to test it yourself, you go build it. This one apparently, it doesn't have, but it doesn't look like a very complicated change. However someone has to do it.

Manuel Lemos: Yeah, it seems it was not yet voted. But I don't know, the discussions here do not seem to be very much in favor of this feature. I wrote this because I've been looking at so many proposals that were presented this last month that probably I'm confusing things.

Proposal: Combined Comparison Operator (29:59)

Manuel Lemos: Anyway, let's move on to the next proposal. This is interesting. It is a proposal for a new operator which they call Combined Comparison or the spaceship operator, which is basically a less-than and an equals sign followed by a greater-than operator. And it looks like a spaceship used in a game for a text terminal. That's why they call it the Spaceship Operator.

And this proposal's yet another one of those features that probably people do not need so much because they can now do it already. Basically, it's an operator that it takes two expressions and this expression A is larger than expression B, it will return 1, if it's smaller, it will return -1; if it is equal, it will return 0.

And this basically used for a sorting callback functions. For instance, used by usort() when you need to specify some customer sorting rules for an array.

This is very typical of being used by binary search algorithms that are used in certain sorting implementations. And well, you can actually do this with some functional operators. So, this is probably just a syntactic sugar feature. I don't see it being very important but OK, people probably just...

Cesar Rodas: I don't see that as important at all because it's only useful for binary search which is uncommon. But it will be used like 90% of the cases just for sorting callbacks either by sorting vectors and ending that up.

And why break the language? If I have the latest PHP now and if I use that statement, it says like tokenizer errors, so there is something wrong. So why break, to just gain nothing? So you are gaining like instead of doing... Because if you are sorting numbers, you could just subtract them and that gives much better feedback to the caller. So that makes no sense, to be honest.

Manuel Lemos: Right. It is yet another feature that is not important. It does not add anything new to the language. Instead, I think it's more of syntactic sugar.

Cesar Rodas: And you would break backwards compatibility and that's something wrong.

Manuel Lemos: Well, right, but if you look at many of the newer versions features, many of them are... Well, they are incompatible with the old versions but it doesn't mean that old code would not run.

Anyway, I'm impressed with the amount of feature proposal that were submitted this month that probably are not going very far, because they all seem to fit that proposal of, that format of implementing features that you can do away without.

Type Hinting for Array elements with ArrayOf (34:27)

Manuel Lemos: Talking about that, now there is another proposal, this time by Joe Watkins and Phil Sturgeon, to implement... It's a sort of extension of the type-hinting support that PHP already provides.

This time, they call it ArrayOf, meaning from what I understood, they would check the types of an array element, an array parameter that has passed to a function. I'm not sure if this is going to pass because if you won't have to check the types of all array of elements.

Cesar Rodas: It's unlikely.

Manuel Lemos: Right.

Cesar Rodas: I don't know why people have the obsession of turning PHP into a static typed language.

Manuel Lemos: Yeah.

Cesar Rodas: And it has been voted. And there is nothing wrong with actually being a static type but PHP is a scripted language, which means that if you have some dynamic, it's way easier for the developer.

Manuel Lemos: Right.

Cesar Rodas: And what is going to happen, say I am giving you an iterable object. So it looks like a vector but it isn't. So you would just pull everything and put them into memory which is expensive just to check what type they are. So that makes no sense.

Manuel Lemos: Right.

Cesar Rodas: Yeah. We shouldn't even worry because it didn't pass. They have time to vote until tomorrow, I guess.

Manuel Lemos: I don't think it will pass, either. But anyway, type-hinting is something that if you want to use it, you use it. If you don't want to use it, you don't. I don't think that features like this will hurt the performance when you don't use them.

Maybe I'm wrong, I'm not sure exactly how the internals work in this case. But in this case, it will check if the parameter is an array. And if it is an array, it will check the types of the elements. PHP doesn't have to be used in high scalability environments all the time. You can use them, but things like this seem to be probably more useful when you are in a development environment.

And probably, it's more useful to catch bugs as early as possible rather than implement some functionality that you need that in production debugged.

Cesar Rodas: Why penalize your production with things that you are supposed to just pass the correct data type?

Manuel Lemos: Yeah.

Cesar Rodas: Why penalize your production checking over and over in every request the same thing?

Manuel Lemos: Yeah, well, the way I see this proposal, the type-hinting and similar things, I think they come from people that probably appreciate the Java world. We were taught in college about Java and what they used to. And they appreciate the value of checking types to detect the eventual bugs that you may have in your code, which otherwise would go unnoticed. And that's the only situation that I imagine. Maybe motivated to propose features like this.

I'm not saying they do not have a value but there is now lots of other developers that usually vote against these features that are concerned with PHP being hurt in terms of performance. And, you know, there is plenty of people that want PHP's head out. As in, they would rather have their preferred language to prevail rather than PHP so they would pick on anything that could hurt the performance to make PHP slow.

And in the case of this proposal, it is trying to emulate the feature of the type strict languages, but it would do it to run extra time. So it would be expensive for applications that want to implement, want to run code as fast as possible. So that's why I doubt that this feature will pass anyway.

Ideas for PHP 6 (39:48)

Manuel Lemos: Well, OK, now moving on another topic here which is more related with the plan for PHP 6. Let me increase the font here. I don't know if this is enough. Now there are plenty of proposals for PHP 6. We would not go through all of them because some of them we have already talked about, things like JIT compiler, Unicode support built in the language.

Cesar, which of these ideas do you think are probably new or more worth noting?

Cesar Rodas: The worth noting is the JIT Compiler. But I've heard Rasmus saying that's going to change things towards a better PHP faster. But he doesn't see that feasible for next year or for the next couple of years. That's a very, very hard change. The pole underneath the Zend Engine will probably change, so that's something which is going to take years. But after all that, that will be eventually worth it.

And one thing that I see, the first thing, the Opcode Cache integration. It seems that they want to make it even better. So that's something worth noticing.

The second one is also important which is the 64-bit support. I guess they're talking about bit numbers. That's always important.

And then, the Annotation Support, that might be good, the way they implement it in terms of syntax. That should matter because many frameworks libraries that I wrote myself, we are already using annotations. So we would like to take advantage of whatever PHP can actually offer us.

Manuel Lemos: But is it something that you need at production time or it's more to develop tools like code generators and stuff that you don't need exactly at production time?

Cesar Rodas: How I use annotation is I use it to describe things. Say this property, it behaves like this and you have to validate like that. That's my use case. So, ahead of time, before deploying, I read those annotations, I generate codes. So the final result is as if I write the code myself. So there is little performance lost but I don't do any annotation reading, parsing, at production time. I never do that. I guess...

Manuel Lemos: So, it's probably something that you may not need to be built in the language.

Cesar Rodas: Right. I don't need it but...

Manuel Lemos: Because you're already using it, right?

Cesar Rodas: Right. But I would like to take advantage of their syntax. Say, I would like to parse their same syntax so my annotation, even though I do with them something different, I could take advantage of. So that's important.

And the other thing was some matters, which is the RNG I believe, the Random Number Generator. So that is going to be an invisible change for most people but that's also important for the same reason that we discussed in the first proposal, which is to have a safer random generator. And that's pretty much it, as far as I looked.

Another thing that I read that they want to add UTF support but gradually. The problem that was with PHP 6, a killed trunk in Subversion a few years ago was that they... I had conversation with Rasmus in person and he explained to us that the problem was that with PHP 6, they wanted to take a very long leap. So they wanted to change many things. So, they kill it and they were doing that eventually with the PHP version, with the 5.3, 5.4 and 5.5.

And the problem that was specific with the UTF support was that the library, which I think is LibICU... I don't know how to pronounce that... is actually bigger than PHP itself. So it has like massive code base. So, that was slowing down everything into unacceptable performance.

I have read into the article that you shared, into the Wiki, that they are willing to give it a try but with a smaller UTF-8 or internals, I don't know how to pronounce that. But UTF native support. So that is also good to keep an eye on.

The problem is that there is no difference in terms of PHP between a binary string, which can contain anything, and something which is UTF. So you might end up having troubles when you are working with encoding, like what the user sends you, you cannot trust it. I use a library which is a fixed UTF-8 or something like that, so that was useful.

But in other languages, specifically in Python, they have strings which are binary safe and they have like UTF-8, which if you have something which is invalid, it fails and it has a different syntax sugar. I think it was a U before your string, your port string. I don't know how they want to implement that but that is an interesting approach, like having some difference between a string and something which is UTF-8.

Manuel Lemos: Right. Well...

Cesar Rodas: Because dealing with broken encoding and things like that, it's so annoying. I've been there and it's so annoying.

Manuel Lemos: Right. This is still a topic that is pretty much open for discussion. I think the failure of past attempts to implement Unicode built into the language was more due to the initial choice of having UTF-16 as the base encoding of text strings internally.

Anyway, there are too many issues regarding this eventual feature that like Rasmus said before, you probably won't make it to PHP 6. Probably, it would be something for PHP 7, but we don't know yet. So we have yet to see what the discussions will add to reaching a decision regarding this topic.

Well, for me, other than those topics that you mentioned, I also would like to mention one that is not very well commented, which is the HTTP2 support. HTTP2 is an evolution in terms of possibilities of optimizing the connections, can establish multiple parallel connections with the same stream.

And the idea that they have in mind, having things like bundling the PECL HTTP extension into PHP as built-in since it would have HTTP2 support, which is typically something that is complicated to have built in the language. I mean implemented and build PHP code, that meant the HTTP clients written in PHP. To implement the HTTP2, it would be probably very hard, it would be better to have it built in some PHP extension.

Well, anyway, the discussion about PHP 6 is much open and I think it will last for a long while. I don't know, I don't think we'll see PHP in less than three years but it's a wild guess, just off the top of my mind and it's just as good as any other guess.

But I'm not expecting things to come that fast. But we'll see, maybe we have some surprises and people start deciding much faster than I imagined.

How to Use a Webcam to take Pictures in PHP Application (50:13)

Manuel Lemos: Well, anyway, moving on to the next topic. Now, just commenting about an interesting tutorial that appeared in the PHP Classes site, which is about a topic that has some interest, which is how to be able to access Webcams and microphones from a Web page and capture audio and video to upload to the server.

So there's this article from Vivek Moyal. He submitted it to the PHP Classes blog. And it is very simple, the idea is just to use, in this case, he proposes to use a Flash applet that is available. I think it's called JpegCam which does the capture and the actual uploading of the stream to the server. And you can capture pictures in this case but I'm not sure if it can also capture video.

And what is interesting is it may have its uses, but in general, I think nowadays, people like to stay away from Flash because it won't work in some devices, specifically Apple devices, iPhone and iPad, whatever. They do not come with built-in support to run Flash applets because Apple decided to boycott it in favor probably to the development of native applications.

This is an interesting article for those that want to use these browsers that support Flash. And it is useful. Now, if you really want to use something more modern in using browsers that already support HTML 5 specification, there is one specification called getUserMedia. You can select one camera or one microphone and capture all the audio and video from them.

And there's actually in JS Classes site, let me open it here. There is a package submitted just a few days ago, that precisely does that. OK, I don't know, it's probably too small but let me increase the font here.

And what it can do is that be able to capture audio and video as long as you are running on a browser that supports HTML 5. I think most modern browsers already support this specification. And there are now about IE, that requires IE 10, or maybe 11 already, I don't know.

But well, now you know that if you want to capture this in a built-in manner in your browser, that probably it will also work in certain device like the Apple devices probably since it has more way to go.

Cesar, I don't know if you have seen the article. I don't know if you want to add in any other comment.

Cesar Rodas: Yeah, basically, I saw the article and I remembered that here in my country, the institution which issues the passport and the national ID... I've been there because I got a new passport myself... and I saw other screen and they were running an Internet Explorer application.

So I looked closer and it was PHP in the backend and they were doing absolutely everything with it. They were taking photos. They were scanning my fingerprints, they were scanning all the official documents, everything.

That was a specialized application that was running into their internal network, so that was not something public. But it is a very good solution and I guess that's very cost-effective because they don't need to pay licenses for each machine. Say, if they built a home-friendly version, they could even run it on Windows, so they can save money. So that was very interesting.

And I guess they were using Flash or some custom browser extension in the frontend. But however, that's a very interesting approach of sorts.

Manuel Lemos: Right. I think the fingerprint's probably something more native. I'm not sure if Flash can even handle fingerprints. Anyway, if they are just capturing these fingerprints, it's one thing. But recognizing fingerprints, they're not the same.

Cesar Rodas: No. The fingerprint scanner, it will send in an image. So I guess the Flash that it can be images and just put it back to the server. So, but it was interesting though.

Manuel Lemos: OK, just to close this topic, I just wanted to mention something. This article was submitted by Vivek Moyal directly to the PHP Classes blog. And I would just like to mention this as a reminder that if you have written an interesting PHP article, it could be a simple article or a more in-depth article, I just like to mention the PHP Classes blog is open for proposals.

You can submit any articles, as long as they are of general interest. For instance, if ever you want to write an article about this specific class that you submitted to the PHP Classes site, this does not go to the PHP Classes blog. You can use a specific blog that is associated with your package.

But if this is about for instance an Open Source project, there had been other articles, there is a category in PHP Classes blog named PHP Tutorials like this. That's where these articles go. And you can read all about many articles published here in the past and many authors got so much exposure.

Some of them were trying to get some exposure to their own projects and their projects are not exactly published in PHP Classes site. Actually, this PHP CRUD creator plus an article published like two or three years ago and it was about a tool of some developer that has it available in some other site.

JavaScript Innovation Award Winners of December 2013 (58:12)

Manuel Lemos: Well, with this, we are going to move on to the next topic on which we start commenting about the latest Innovation Award winners. I think I lost the screensharing. OK, here it is.

This is the Innovation Award winners section on which we comment about the winners that actually got their packages in December and they were voted in January. And then in February, the results came out. And we have like three packages nominated for Innovation Award at JS Classes site. It's much smaller than PHP Classes site so it doesn't have as many nominees.

There are three nominees which was fine. So from these three, which packages would you like to mention, Cesar?

Cesar Rodas: All right, I have messed up my webcam and my desktop. So I'm going to share my desktop. Can you see my screen?

Manuel Lemos: Yeah.

Cesar Rodas: OK, so the first class... So, are we going to talk first about PHP Classes or JS Classes?

Manuel Lemos: JS Classes.

Cesar Rodas: OK, about JS Classes. I have chosen this...

Manuel Lemos: You need to reduce the zoom because it's too large now.

Cesar Rodas: Is it better? Any better now?

Manuel Lemos: OK, I think it fits now.

Cesar Rodas: OK, so I'm going to talk about this Klass.js, as in K, Klass. It basically lets you create classes using some sort of annotation, because JavaScript is a language and it is a very dynamic language. There are probably dozens of ways that you can create an object. So, this is one approach and everything which changes the way the JavaScript looks like, I am very interested in.

And this package, it was submitted and developed by Rafael Lucio. He's from Brazil. Let's see if I can show one example here. So, the Hello World.

Manuel Lemos: Yeah, the Hello World example.

Cesar Rodas: Yeah, and if you can see here, it can basically play with the syntax. So, it gives the illusion that JavaScript indeed supports classes but this is just a function call and you send another function, then this gets executed. And then, he has an annotation parser. So, it's a very interesting project, so I would definitely keep an eye on this project.

Manuel Lemos: Yes, it seems sort of unusual. We have seen many annotation solutions for PHP, annotation parsers, but for JavaScript, well, not that I have been looking for them, but for me, this is the first time I have seen one package for that purpose.

On my behalf, I would like to mention the other two packages that we see here. Basically, there is a package which is very interesting because it supports HTML5 Websockets to make a bidirectional communication, for instance AJAX-based chat applications.

And this is very interesting because the Websockets is a very new thing, a very new technology. I don't know if all browser versions that are in use support it, but it's certainly something that is very useful and solutions like this are very interesting.

In this case, this one was developed by somebody that calls himself PLSCIS PLP. It's probably some nickname. That doesn't sound like a real name so we don't know his real name but he's from India. Anyway congratulations for this submission.

And the other package here is a jQuery plugin that is submitted by Sandro Alves Peres from Brazil. It is interesting that it can switch CSS styles of a checkbox. It would depend on the state. So, if they are checked, unchecked and disabled, they use different images for instance.

Actually, that would be possible to implement with the JS links, CSS, probably it doesn't... I'm really not that much of an expert of the CSS but it sounded a very interesting approach to solve this problem. So congratulations to Sandro.

So given this, we ended all the nominees of December for the JS Classes sites.

PHP Innovation Award Winners of December 2013 (1:04:22)

Manuel Lemos: We're moving on directly to the Innovation Award winners of also December, but this time, from the PHP Classes site. And as I mentioned, in PHP Classes site, there are much more nominees. This time, there are like eight.

Well, we don't have time to comment on all of them, so let's comment on a couple of them, each of us. Cesar, which packages would you like to mention?

Cesar Rodas: Yeah, I have chosen two. The first is the PHP Interpreter. Can you see my screen?

Manuel Lemos: Yes, it appears.

Cesar Rodas: So this project, they have implemented in PHP a PHP interpreter. So you can pass any stream and it will execute it. So that's fantastic. That's fantastic and that can be used in too many things.

For instance, if your PHP implementation doesn't support an eval to run PHP code dynamically, so this can be really useful. So, basically, this is a stream and they evaluate it and they get some result back. So that's fantastic. That's something...

Manuel Lemos: This is very unusual. Basically, they used the PHP tokenizer extension to parse PHP code, but then they actually interpret them.

Cesar Rodas: Yes.

Manuel Lemos: Cool, right?

Cesar Rodas: Right. So, that's amazing.

Manuel Lemos: Yeah, somehow, it's unusual. And that one is by Pavel Astakhov from Kazakhstan.

Cesar Rodas: Yeah. I was...

Manuel Lemos: Is this the Borat country?

Cesar Rodas: Yeah. Here, he's from Kazakhstan.

Manuel Lemos: Obviously, we mean it in a good way, because this is a pretty serious work. It's not like Borat who is a joke. Congratulations to Pavel for his submission. I hope he actually keeps sending more submissions like this because they are of great quality. Actually, I would say they are above average.

Well, actually, if you didn't win this month, probably not everybody has such great use for PHP Interpreter, but it doesn't mean that it was not useful. So, other than that, which other package...

Cesar Rodas: It really is a fantastic project. It is a fantastic project. And I envy him. I wish I could have time because that should have been something really complex.

So my next package is the Site Change Detection. Basically, I don't know how it works in details, like how you execute it. But the whole idea behind this is really, really good. Basically, they scan your Web directory or any directory that you give it and it will first learn like I guess some sort of data modifications and a SHA1 sum or some other way of making a footprint of it.

And then, you run that, I don't know, at every hour or at every day. And it can tell you, this file, this has been changed. If you haven't changed that, that means that you have some backdoors and that you need to fix that. So, that is really useful.

Manuel Lemos: Right. This is mostly for security purposes.

Cesar Rodas: Yes, for security purposes.

Manuel Lemos: Eventually, it would detect eventual attacks that have changed your packages. So if you run this solution like every five minutes or whatever is the time you find appropriate, you can detect very early attacks that may have happened. I think this is an evolution. In this case, this package was submitted by Larry Wakeman.

Cesar Rodas: Larry Wakeman from the United States of America.

Manuel Lemos: If I'm not mistaken, I think he already submitted a somewhat similar solution but it used to do some directory comparison. And you need to have a copy of the directory you want to compare.

Well, I'm not a 100% sure. It was also a solution by him. But it's great, it's good to know that these solutions are appearing because they showed that PHP developers are really concerned with security and attacks that may happen.

Given that, on my behalf, I would like to also mention a couple of packages. I wish we had more time to talk about the other four that we virtually have to leave out, because they are more and more interesting. Every month, we see more interesting packages that are being submitted.

Let me start first here by talking about this package in PHP MySQL Undo Query which basically, in this case, it was a package submitted by Ovunc Tukenmez. Well, I'm sure I'm butchering his name, I hope he can excuse me. But he's from Turkey and he submitted this package.

It sort of creates a log of changes that your application has done on records of data tables. In this case, specifically for MySQL. And given that, it can revert those changes that have worked across transactions.

So if you have multiple transactions and you have made those changes, it is able to track all the changes even if you have done the changes in different transactions. The way this works is by using triggers to detect which records and values were used to alter your database tables.

This is not a trivial solution but...

Cesar Rodas: Manuel, it seems that your audio has been lost in the last 10 seconds, at least at my end.

Manuel Lemos: Yeah, I don't know. But anyway, what I'm saying is that this package by Ovunc Tukenmez from Turkey uses MySQL to detect which records were changed in the database. And basically, it keeps track of those changes, so all that can be reverted.

So, given this, I'm going to move to another package which is the last one I wanted to mention because we don't have time for more. But this is still an interesting solution, also unusual. This one is called PHP Register Globals Logger by Matthew Daniel from the United States.

What it does is to detect eventual code that you may still have, probably legacy code that's still using register_globals. And as you may know, register_globals is finally removed from the latest PHP versions.

So, if you have legacy code that still relies on register_globals, this package may be useful because it somehow emulates register_globals but not with the purpose to keep it in your application, but rather to detect which code you still have in your application that probably needs to be fixed to no longer rely on register_globals. That's why it's called PHP Register Globals Logger.

This is quite interesting. So congratulations to Matthew Daniel. I'm sure by now, after many years of having it deprecated and finally removed in PHP, most developers are no longer using register_globals. But if you still have some legacy code that you probably need to fix or else it won't work in the recent PHP versions, this package may be useful in helping to fix your code.

Conclusion (1:14:06)

Manuel Lemos: With this, we practically ended this Hangout. It was great, actually. We covered a good bunch of interesting topics. Many of them related with security and some of them related with newer PHP versions' features, PHP 5.6, PHP 6. So, it's always interesting to see what is going on. So I hope that we've been useful.

So, now it's time for me to thank Cesar once again for coming. It was always great to have your insights to share about the discussed topics.

Cesar Rodas: My pleasure.

Manuel Lemos: So, on my behalf, that is all for now. Bye.

Cesar Rodas: All right, bye-bye.

[Music]

