I want to share one feature of setting COOKIE values that is often overlooked by web developers.
In my experience researching web application vulnerabilities in 2009-2011, this error occurred in 87% of the web applications that were written in PHP.
In order to reduce this rate, I decided to write this article.

I will not even talk about the httpOnly flag, though its use is very important and necessary.

Let's look at an example of code:
<?php
// First cookie, set through the setcookie() function
setcookie('foo','bar1');
// Second cookie, set by emitting a raw Set-Cookie header
header('Set-cookie: foo1=bar11');
?>
ZimerMan 23 may 2014, 18:18

Hello, UMumble! Once, I was faced with a choice while developing an authentication system for my project, namely: what is the best way to store user passwords in the database? Many options came to mind. The most obvious were:

1. Storing the passwords as plain text in the database.
2. Using regular hashes, such as crc32, md5, and sha1.
3. Using the crypt() function.
4. Using a static salt in a structure like md5(md5($pass)).
5. Using a unique salt for each user.

I had to eliminate the first and second options right away for several reasons.
Pirat 4 may 2012, 20:45

It was nice to find the website of this framework quite by chance in the second half of business hours. New frameworks are rare, and even more rarely do you come across mechanisms that you like at first sight. Therefore, I would like to share my discovery with you.

First, I liked its name, Nette, right away. It's almost like a Latte. Only, as it turned out later, Nette has its own built-in template engine, Latte. Oh.

Second, at first glance it gave the impression of something new and advanced (their ideas are almost like those of the PHP team, plugging traits into the brilliant language and forgetting about boring Unicode):
  • HTML5
  • PHP 5.3
  • Built-in HTML template macros
  • Context-Aware Escaping technology
  • Configuration in the curious NEON format, from which PHP code is generated
  • Its own implementation of a base class for objects, Nette\Object
  • Events and subscriptions
  • Callbacks
  • A new stream protocol, safe://, for atomic access to the file system
ZimerMan 10 march 2012, 14:48

Here is a memo for the novice exorcist :)

Before I begin: I know what phpDaemon and System_Daemon are. I have read some articles on this subject.

So, let's assume that you've already decided that you need a daemon. What should the daemon be able to do?

• It should run from the console and detach from it.
• It should write all information to logs and output nothing to the console.
• It should be able to create child processes and monitor them.
• It should perform its assigned task.
• It should terminate correctly.
Tags: daemon, Php
ZimerMan 20 february 2012, 16:34

On the Web you can find a lot of solutions for emulating multithreading in PHP. Most often they are based on forks, but there are variations using curl, proc_open, etc.

I did not like the alternatives I found, so I had to write my own solution.
Here is the set of requirements:

• Use of forks
• Synchronous mode with the same interface in the absence of the necessary extensions
• Reuse of child processes
• Full data exchange between processes, that is, running with arguments and getting results at the end
• Event exchange between the child process ("thread") and the main process during work
• Thread pool handling with reuse, passing arguments and getting results
• Error handling
• Timeouts for job execution, waiting for a worker thread, and initialization
• Maximum performance

The result is the CThread library.

Here is a link to the sources:
github.com/amal/CThread
xially 7 february 2012, 13:10

After reading an article about handling critical errors in PHP, I noticed that the error codes were designed specifically for bitwise operations in PHP; however, the article's examples and the comments use regular comparison operators to check the error codes.

For example, there were variations such as:

if ($error['type'] == E_ERROR || $error['type'] == E_PARSE || $error['type'] == E_COMPILE_ERROR) {…}
or

if (in_array($error['type'], array(E_ERROR, E_PARSE, E_COMPILE_ERROR))) {…}
So I decided to write a short article about bitwise operations with examples of their use.
BumBum 2 february 2012, 21:20

While developing the PVS-Studio code analyzer, intended for finding issues in 64-bit and concurrent software, we came to need fresh information from the Internet on certain topics. For example, it is always useful to answer the questions of programmers on various forums and blogs who may be interested in our tool. While collecting the data we found that there is a lot of information on the Internet, so a manual search would be very long and tiresome. Thus the task of automating the search for fresh data arose. In this post we will tell you how we do this.
But I bet you are saying right now: "Ha-ha! These guys are reinventing the wheel and are not aware of Google Alerts." Well, we are aware of Google Alerts. And it is almost what we need, but not quite :-). We have been using Google Alerts for more than half a year and did not manage to get what we needed. Here is what we need:
Tags: Google, html, Php, script
Andrey2008 31 january 2012, 17:00

The PHP blog more often features examples of bad code and anti-patterns. Well, someone else is criticizing the Hindus for the code ...
Code quality is something that should not be ignored or put aside for later. Such a delay is technical debt, or code debt, that will backfire for sure. You have to spend more time creating quality code and application architecture.

It is highly recommended to read Uncle Bob's SOLID principles: butunclebob.com/ArticleS.UncleBob.PrinciplesOfOod.
This text can greatly improve your ability to build scalable systems, particularly the SRP principle.
xially 10 january 2012, 17:13

When I was implementing a project on the Yii framework, I got the task of making registration and authorization of users through different services (Google, Facebook, Twitter, etc).

This task has two solutions:
• Using an authorization service such as Loginza;
• Implementing the authorization functions independently for each service.

Here are the benefits of using an authorization service:
1. Simplicity and speed of installation;
2. No need to learn the details of authorization through each provider.

However, self-implemented authorization has other advantages:
1. Full control over the authorization process: what we write in the provider's authorization window, what information we receive, and so on;
2. Ability to change the appearance of the authorization widget to match the website's design;
3. Ability to invoke API methods when we authorize over OAuth, if the service provider offers them;
4. Less dependency on different services, and it is more reliable.

I chose the second option, because there were no ready extensions for Yii, and I was curious what such an authorization system looks like from the inside. At first it was part of a user management module, but later this functionality was extracted into a separate extension, which can be easily used in any project.
Killer 13 december 2011, 14:37

Smarty is one of the oldest template engines for the PHP language. If you program in PHP, you have likely worked with it. The third version of this template engine was released in 2010. Smarty 3 was written from scratch with active use of PHP5. At the same time Smarty got an updated syntax and modern features, including inheritance, a sandbox, etc.
Twig is a modern template engine from the developers of Symfony. The authors position it as a fast and functional template engine. In terms of features it looks a lot like Smarty 3. Twig has a slightly different syntax, as well as the claimed performance. Let us verify it!

Testing

We are purposely going to use quite complex templates during testing so that the processing time is noticeable. Actually, we will measure this time, so we will prepare the relevant scripts.

The code for Smarty turned out very simple:

// Load the template variables from a JSON file
$data = json_decode(file_get_contents('data.json'), true);
require('smarty/Smarty.class.php');
$smarty = new Smarty();
// Skip checking whether the template changed, so only rendering is timed
$smarty->compile_check = false;
$start = microtime(true);
$smarty->assign($data);
$smarty->fetch('demo.tpl');
// Print the elapsed rendering time in seconds
echo microtime(true)-$start;
Tags: Php, smarty, twig
xially 30 november 2011, 12:40