PHP

Introduction

This is a blog about running two PHP versions on one webserver and using multiple php.ini files, this combination can be a tricky one to tackle. But luckily one we can tackle quite easily as long as one of the PHP versions is >= 5.2.7. For this example I'll be using Apache, but the webserver flavor doesn't really matter. The most important part is the "PHP_INI_SCAN_DIR" environment variable.

The why

There could be a number of reasons to want what I'm about to talk about. In my case I have a project where I have a legacy code-base, running on a specific PHP version, and a new code-base which will be run on 5.3. Because the new code-base will be a ongoing progress of replacing the old, it first has to run side by side with the legacy code-base. So I wanted my development image to run two PHP versions.

The old code-base used php.ini settings such as a include-path, error reporting, etc.  Which will be different from the new code-bas, and those can no-longer be set with the 'php_value' feature of Apaches since the PHP version we'll be using for that runs as (f)CGI rather then as module.

Recently I got asked if I knew about a system that supports multiple session back-ends at once. I didn't know about one and since it's not rocket-science I decided to spent a few hours and whoop something up.

For the impatient, checkout: http://github.com/Dynom/SessionHandler

What does it do?

It is a drop-in high-availability storage back-end for PHP sessions by offering a redundant session storage system. It's as easy as including the lib, define the drivers you want to use (e.g. Memcache and MySQL) prepare their configuration/installation and done. If you already have a MySQL server and a Memcache instance running you can set it up in about 5 minutes. It's also easy to extend and write new drivers, just extend the template class and fill in the blanks.

I like solving puzzles, probably one of the reason why I like programming as much as I do. I also like finding challenges and experimenting, as such I came to the idea to start the PHP Quiz series. They contain typical combination of PHP quirks and lesser known features of PHP.

The reason behind the quizzes is not to advocate bad or good coding practices, but it's intended to let you find out the why in all of it. I believe that by understanding what happens it can make you a better programmer and you might spot bugs easier then without knowing what happens.

The series are not ordered in level of difficulty but merely in the order that I found out about them, thought about them or where simply sent in. But in general I think it's safe to say that your knowledge of PHP should be quite a leap forward from novice before you can answer most questions. This however doesn't mean that, once you can do the quizzes flawlessly, that you are a superior programmer. There is a big different between knowing how to design an application and knowing why $array = array(1,1) + array(2,2) only results in an array with two elements.

An overview of all the PHP Quizzes: http://blog.dynom.nl/categories/PHPQuiz_12

A special thanks to the people who sent in code samples, happy quizzing!

-D

Welcome to another part of the PHP Quiz series, again some interesting questions to crack your brain about. If you have some nice additions or questions, be sure to leave a comment. Enjoy part three!

As always, think of the answer before you execute the code or look it up. You can find round two here.

Unset cast

What is the type of $a and what is the type of $b

Form fun

What will the output be?

Fun with strings

Strings in PHP are versatile, but how versatile are they... What will the output be?

In these blog series I'd like to talk a bit about some "Did you knows". These series contain information I came across along the way and I mention them here to give you insight or just to make you aware of it's existence. The information is by no means in chronological order and mostly not even covering "state of the art" or "brand new" items for that matter. Some are directly code related, others are just brief descriptions. Basically it's just a pile of PHP and web related information. You can find part one here.

A short quiz this time, but that doesn't make it less fun. Do you know the answer to all of them? Get a cup of coffee and kill 10 minutes with round two...

As always, think of the answer before you execute the code or look it up. You can find round one here.

Array pointer

What will the output be ?

ArrayAccess and isset fun

isset or not isset, thats the question.

Typo?

The output might be confusing..

References

How many notices will be thrown?

Here a few of those "how did that work again" things, in Zend framework. Mostly for myself but hey, I'm not greedy. If you know some new/nifty ones, feel free to leave a comment!

Loading a view from a different directory

In this blog post I'd like to talk a bit about some "Did you know's". With these "Did you know" blog posts I want to tell you a few things that I came across along the way and hopefully you know some I don't know yet! Some DYK's are directly code related, others are just here to give you insight and some are just to let you know of it's existence (Afteral you don't search for what you don't know about.)

So here they come in random/chaotic order:

Writable directories

Not so PHP specific, but often miss-used is checking for writable directories/paths. Directories don't have to be readable to be used for writing, but they do have to be writable and executable.

So a check like this, is simply incomplete:

Form name attribute character conversions

Due to legacy PHP versions and to my understanding mostly due the register_globals feature, some HTML form name attribute characters are translated. The idea behind it makes sense, however it's applied in a strange way.

For example <input type="text" name="fu.bar" value="" > in a form with post method, get's translated (even in the current PHP 6 roadmap) into: $_POST['fu_bar']. This happens with the "." and " " characters. But not with '-'  which seems weird, because $fu-bar isn't a valid variable, but '-' is a valid HTML input name attribute character. You probably never need it, but I had situation recently where I was flabbergasted of why array key's where different from their HTML counterparts and I completely forgot about this behavior.

Best practices are ways of solving problems in a good way, these practices change over time and can depend on versions. A lot of people who have their roots in PHP4 have habits that are no longer best practices. But not just them, a lot of developers don't apply best-practices rules. In this blog post I'd like to point out a few reminders or refreshing points for you to take in. Most you will probably know but some you might not know or didn't look for. If you know some nice additions, make a comment and I'll add it.

Enjoy!

Since I'm on a 'finish blog drafts' spree, I might as well publish this one also. I actually had it in draft for about 5 months now anyway.

In most upload tools files are checked on extensions only, while it might seem pretty solid it's actually not as safe as you might think. Especially in combination with Apache and mod_mime.

When you do:
rename image.jpg image.txt and you request it: domain.com/image.txt you get garbled text.

However when you try something like this:
rename file.php file.php.bogus and you request it: domain.com/file.php.bogus PHP code within the file is handled by the handler set for that extension.

Before you get all excited, the scenario when this happens is not likely to happen, because it only works for unknown file extensions. So basically, this can only happen when you work with black-listing rather then white-listing. And when checking files, you shouldn't be black-listing in the first place. Let's go into detail about the why.