Category: Community


Upcoming Conference Speaking

February 8th, 2013 — 3:24pm

I’ll be speaking at two upcoming PHP-related events – all of the talks will be discussing PHP and general development security topics.

First up is ConFoo (Feb 25th-March 1st in Montreal, Canada) where I’ll be presenting two sessions:

  • Beyond the Basics: Security with PHP

    You’ve seen some of the basics of securing your application – validating input, filtering output and the like. Let me take you a step further into more advanced security in PHP. Protecting your application from things like XML injection, insecure sessions & upload issues can be tricky. This session is a how-to on keeping your app safe.

  • Writing Secure PHP Applications

    Being secure on the web is getting harder and harder – the attacks are happening more and more and we, as web app developers, have to respond. The session will share tips you can follow in your code to ensure that your app stays safe and some tips to help improve investigation and preventing your app from becoming the next statistic.

The next is php|tek 13 (Chicago, May 14th-17th) with, again, two sessions:

  • Beyond the Basics: Security with PHP

    You’ve seen some of the basics of securing your application – validating input, filtering output and the like. Let me take you a step further into more advanced security in PHP. Protecting your application from things like XML injection, insecure sessions & upload issues can be tricky. This session is a how-to on keeping your app safe.

  • Top 10 Developer Security Misconceptions

    When it comes to security in development, there’s a lot of things developers have the wrong idea about – things like “I don’t have enough time” or “I don’t know enough to be effective.” Join me as I run through the “top ten” of the list and help dispel them and make your life as a developer easier.

If you’re interested in the topics and want to drop in, be sure to stop off and say “hi”. I’m happy to talk your ear off about PHP and security…


Education in PHP Security – What’s Needed?

November 21st, 2012 — 3:28am

As anyone that’s been around the PHP community recently (within the last six to nine months) knows, Chris Hartjes has taken up the lead in an effort to increase awareness about unit testing – really testing in general – of PHP applications. He favors things like test-driven development and having good tests to back up and reinforce a good resulting product. I admire him for his efforts (including his book) and I wonder if this same movement could be used to help kickstart a security testing “revolution” in the PHP community too.

For a long time, PHP has had an unfortunate reputation as being an insecure language to develop web-based applications in. The language itself has very few built-in security features and instead leaves it to developers to plug in techniques and tools of their own to make things secure. Unfortunately, this leaves a lot of the beginner-level applications wide open to potential attacks. Developers aren’t immediately given options to do things like filter their data or secure the data they’re storing in their sessions. Most developers that I know that are just starting out with PHP don’t even know these sorts of things need to be done. They blindly accept user data and expect that nothing other than what they’re wanting will come through. Sadly, this sort of thing has led to this insecure reputation – bad code written by inexperienced users. One of PHP’s best attributes is its low learning curve…and also its worst.

Many developers don’t even realize the need for security in the code they write until it’s too late. One day they wake up and – either because something they’ve written has been hacked or they read an article that talks about it – realize that they’ve been blind about protecting themselves and their data from Those People out on the web. This usually seems to happen about the time that most of them discover frameworks and how useful they can be. They start poking around what the framework has to offer and come across things like access control, user authentication and yes, maybe even secure session handling. A switch is flipped and the developer reacts in one of two ways – they take it as a charge to get better about their secure coding practices or they freak out and start going crazy with filtering, encryption and escaping.

Back to my original point – I wonder if it’s possible to take this momentum that Chris has gotten going and use it to encourage more testing for the security of applications up front. I’ve been doing what I can over on websec.io to try to help educate developers about things like secure coding practices, common infosec terms and information about securing their applications from would-be attackers, but it’s not enough. It’s not even a blip on the radar in what is a very serious matter that should be a consideration for all PHP developers.

Testing application security early, whether it be through the use of something like skipfish or a static code scanning tool, can save you time in the long run, just as unit testing your code helps track down and eliminate bugs faster. I want to promote early testing for security issues in applications and the mitigation of them, but I’m not sure how to reach developers in a way that they’ll listen.

Pádraic Brady has started up an effort to create a guide to some of the most common issues PHP developers might face and it’s off to a good start. I wonder if there’s more that can be done to help improve the security awareness in the PHP ecosystem, though. It seems like there’s a lot of content floating around out there that’s from the “stone age” of PHP security practices (filter input, escape output, blah blah blah) and not much about real-world, advanced threats that relate to PHP applications and current web technologies.

What would you like to see in a security resource that could help you, as a developer, make your code more secure? Do things like articles/tutorials encourage you to take a good long look at your code and try to “think like an attacker” or would more real-time interaction (screencasts or webinars) do more to help? I’m interested to see what the community thinks is a good approach to this.

Security is an important topic, no matter the language you’re working with. PHP just has more of an uphill battle than some other languages – help me make it a little bit easier.


Introducing JsQuickFix

June 22nd, 2012 — 9:32am

Fans of the PHPDeveloper.org (@phpdeveloper) or PHPQuickFix (@phpquickfix) news feeds who use them to keep up with some of the latest things in the PHP community, but are looking for something a bit more on the JavaScript side, are in luck.

To complement the PHPQuickFix site/twitter account, I’ve started up a JavaScript-centric feed of hand-picked items I find in my reading that look useful/interesting/are more than just fluff – JsQuickFix (and @jsquickfix on Twitter).

This uses the same setup I have for the PHPQuickFix feed:

  • using GimmeBar as a data source
  • a simple PHP script to generate an RSS feed of the latest assets
  • Twitterfeed to pull the latest from this feed and post to Twitter

I use the Chrome extension that adds a GimmeBar icon to my toolbar and makes adding new links to these services a few simple clicks away.

To accomplish this, though, I had to shift over to using Collections instead of just pointing it at my main GimmeBar Public feed. Here are the two collections that will grow in the future:

Enjoy! :)


Innovation’s Not The “Ah-Hah!”

May 25th, 2012 — 10:29pm

After reading through his “Confessions of a Public Speaker” (as a beginning speaker, I learned some good things from this one – I’d suggest it if you do any kind of speaking) I was anxious to check out some of Scott Berkun’s other books. The topics of some of the others didn’t really appeal to me, but the one that’s caught my attention recently is his “Myths of Innovation” book. I’m maybe a third of the way through it right now, and there’s one thing that keeps resonating in my mind as I go through it. In a previous chapter, he makes the point that innovation, despite what the history books and popular culture would have us assume – it’s less of an “Ah-hah!” and more of a “Finally!”.

See, most of the common stories of innovators out there leave out something that’s very important – the reference frame of their lives. They don’t provide a larger picture of who someone is (like Einstein or Newton) and how all of their work, everything they’ve done in their career led up to the discoveries that they’re known for.

I think this is important to remember as software developers, too. All of us start projects and never finish them, it’s just a fact of life in the world of a coder. We find something that we either think is the “Next Big Idea” or something that we’ll find amazingly useful and latch onto it, giving it our all for a week, maybe a month. Nine times out of ten, though, that project falls by the wayside. Now, don’t get me wrong, there’s some folks out there that do a great job with anything they touch, but for the average developer, it’s all about hacking away at the latest “shiny”.

Sometimes it’s about the technology (“everyone’s learning Backbone.js, why shouldn’t I?”) and other times there’s a bit of pride that kicks in (“I could do this so much better if…”) but there’s always one thing to remember. It doesn’t matter if the project you’re working on goes anywhere. Remember this. Just like some of the great innovators of the past, it takes a lot of dedication and work to get to be the “Ah-hah Guy” that wows the world with something new and amazing. Don’t forget that the code of the Next Great App isn’t just going to fly from your fingertips.

Work hard at your craft and it will pay off. Maybe not in fame and glory, maybe in making real, useful contributions to the culture and technology around you. Don’t stop trying to innovate, don’t focus on the failures and, above all, keep learning and keep doing.


Ideas of March

March 15th, 2012 — 8:26am

It’s March 15th and you know what that means….only a month left for the procrastinators to do their taxes in the US. Well, actually, that’s not what I’m really talking about here. Last year a whole host of people wrote up posts titled “Ideas of March” and this year’s no different. Several members of the PHP community are jumping in with their thoughts on blogging – here’s some of mine.

Blogging is great, don’t get me wrong…I love it when I can Google for something and find that someone, somewhere has done exactly what I need. This historical record of shared knowledge is one of the things that makes the web great. Of course, it can also sometimes do more harm than good. “But I thought you were going to write about how blogging is a good thing,” you ask. Well, I believe it inherently is, but with a few caveats:

  • Blogs are only as good as their authors:
    Not everyone out there is a clear, excellent writer (I know I’m not) and, as a result, sometimes the message of a post can get lost in poor wording. What’s a solution to this? Blog more often! That’s right, it’s just like anything else – the more you do something, the better at it you get. You start getting into a certain frame of mind when your fingers are on the keys and you learn little “mind tricks” (no Jedi here) on how to best get your message across. You don’t have to be an amazing writer to be a clear one.

  • Dates, Versions & Code:
    This one’s a tough one, especially for us tech bloggers. I can’t tell you the number of times that I’ve found what I thought I needed in my Google results only to go over to a post and discover that I have no idea when it was written. The URL gives no clue and there’s not a date to be found. This drives me nuts and if your blog doesn’t have dates on the posts, go change that. Right now. I’ll wait here.

    Additionally, two things can make for a lot less frustration for people coming to your posts later – somehow tagging or mentioning what version of a language the post relates to (“this post was written against PHP 5.2.5”) and trying to keep the code up to date. Yes, I know this second request requires a bit more commitment on your part, but people would sing your praises if you took the time to do it. Even if it’s just an update to a post that says, “I found a better way to do this…” in a more recent version of the language/tool.

  • More than just a “brain dump”:
    I’ve seen several people use their blogs as a sort of “brain dump” – a place for them to post things that they just want to remember later on. This is all well and good, but don’t forget that blogs aren’t just about code snippets and tutorials. Sometimes you need to share a bit about you and what you’re passionate about too. Take some time to sit and reflect on what you do on a daily basis and think about how knowing that process could help others. I’d encourage you to write not only code-related posts, but also keep the rest of the world up to date on the interesting things you’re doing. Nothing builds communities like people sharing more than just code.

Finally, I’d like to end this post jammed full of suggestions with one final challenge – get out there and share. My recommendations aside, if all you do is write up one or two posts this month (and keep going) with a few paragraphs each, I think the web would be a better place. Sharing knowledge is what it’s all about and if you discover something, no matter how small, you could be sharing exactly what someone needs. Remember, just because you think it’s simple, doesn’t mean someone new to the tech does….get out there and share!


Speaking at DPC12 & a Lone Star PHP Update

February 22nd, 2012 — 9:55am

Well, I’ve been a little lazy around here and haven’t posted since the beginning of the year. I figured I’d fix that by posting an update about a few things going on around here.

First off, since the schedule was just released, I’ll mention that I’ll be presenting at this year’s Dutch PHP Conference with three different sessions (well, kind of just two):

  • Agile Applications with ExtJS and Zend Framework
    ExtJS is an enterprise-level JavaScript framework, the Zend Framework is one of the most powerful and flexible PHP frameworks to date – it’s a match made in heaven. I’ll introduce you to these two technologies and how to combine them into an easy to maintain, agile application that can move as fast as your project needs. I’ll show you how to build a sample application including a frontend MVC, REST backend and unit testing the result. (Tutorial)
  • The API Dilemma
    Creating a good, useful and functional API for your application can be one of the most difficult parts of a project. With more and more things becoming API-powered, it’s important to plan well and provide what the user expects. I’ll look at some principles you can follow to make sure the API you write is the right one, both from the developer perspective and what you, as a user, should expect of a quality web service API. (Session)
  • Agile Applications with ExtJS and Zend Framework
    ExtJS is an enterprise-level JavaScript framework, the Zend Framework is one of the most powerful and flexible PHP frameworks to date – it’s a match made in heaven. I’ll introduce you to these two technologies and how to combine them into an easy to maintain, agile application that can move as fast as your project needs. I’ll show you how to build a sample application including a frontend MVC, REST backend and unit testing the result. (Session)

No, I didn’t repeat myself – the first session and the last session are on the same topics – they’re just different lengths. The tutorial on the first day will get more into coding and examples of ExtJS+ZF and the second shorter session will just give a high level overview of each tool and how they hook together. If you’re interested in the “guts” of an Ext-based app, you’d do better in the Tutorial.

Also, for those that don’t know me, I’m a co-organizer of the Dallas PHP User Group. Last year we decided to put on a local PHP-centric event and it was a great success. So, we’re back this year with the Lone Star PHP Conference 2012. We’ve just wrapped up our Call for Papers and are in the process of selecting the best fits for our schedule.

We’ll be announcing the schedule and opening the registration soon, so keep an eye out on the Lone Star PHP conference site for more updates!


Top three posts of 2011

December 29th, 2011 — 3:11pm

With a nod to this post from Cal Evans, I’m presenting my own “Top Three” posts from 2011, in order of descending popularity:

  • I don’t understand the 9-to-5:
    This one is easily the tops of the popularity list…thanks to another PHP community member, this one made the front page of Hacker News for a little while and received almost five thousand hits in a day. My poor little slice didn’t know what hit it. I scrambled to put up something – anything – to be able to keep the site alive. Ultimately I ended up rendering a static version of the page to a buffer and manually refreshing it as new comments came in and were approved (39 of them!)

    The post was basically my views on developers who are genuinely interested in the work that they do and the ones that are more of the clock-in/clock-out coders that just “do the job”. There were tons of comments that both agreed and disagreed…and several that basically told me I needed to get a life or must not have kids (I have both, thankyouverymuch).

  • Process Oriented versus Product Driven:
    This post was actually a quote from an interesting book on architecture and some of the things the author had learned during his time in school. This particular nugget of wisdom shows the difference between letting your work drive you and, instead, learning how to drive and shape what you do into something even better.

  • How long is too long (for unit test names)?:
    This fun little post was a log of some tweets after I asked “how long is too long for a method name in a unit test”? It’s common to see things like “testValueIsValidInternalUrl” or “testUserCanExecuteTransaction” kinds of names so I wondered what other people’s experience with it was. One interesting point that came up was the use of “testdox” to translate out the name into something more readable.

These were just the most popular ones added in 2011…there’s a few others that were popular but were posted previously (like pdo+oracle and php+mq).

Hope your holidays were/are good and here’s to another great year of blogging and PHP community!

UPDATE: Besides Cal, other PHP community members are getting into the spirit – Matthew Turland, Joe Devon, Bradley Holt


The Future of (PHP) Progress

December 2nd, 2011 — 11:26pm

I’ll admit it – I love to geek out as much as the next guy at the latest features of the PHP frameworks out there. I read the articles and tutorials every day about something awesome some framework can do (that maybe another can’t) and wish I had a place to apply it. I even find myself trying to think of new little projects so I can say I work with the latest tech. It’s an easy trap to fall into. I came to a realization earlier about frameworks, though – it’s less about the new hotness that the frameworks offer and more about what you do with them that matters.

Tech is great, don’t get me wrong – I love digging into some good code and getting my hands dirty. I love being close to the action and watching my work evolve with each reload. It’s easy to get lost in line after line of curly braces and colons and not look at the bigger picture, though. Remember as you’re doing your development – pick the right tool for the job and don’t be pulled in by the latest and greatest “just because”. Remember that the future of this language we love isn’t in the tech, but it’s in what you do with it.

If you haven’t gotten to check them out yet, be sure you listen to the webcasts from EngineYard about the future of PHP. So far they’ve covered a few of the more popular frameworks and where they’re headed, but I have it on good authority that upcoming episodes will be talking less about the “what powers it” and more about the “why it’s there” kind of topics.


The Joind.in & I

September 3rd, 2011 — 8:48pm

By now I’m sure a lot of the folks reading the posts from this blog know of the site I’ve helped shape over the past few years, Joind.in. It’s become most successful in PHP circles, but has branched out into other communities, both tech and non-tech. Not too long after the project started up, it was decided to open source the code and pull in contributions from whoever offered their time. I personally feel that, for a first out of the box open source project for me, it’s turned out well and has a great, active community around it. I’ve learned a lot working on not only the code but in management of the project as well.

I’m taking a break from all of this for now though. I know, Joind.in has been my baby for the last few years, but I’ve been feeling a little burnt out on it the last few months and I’m starting to feel like it’s having a negative impact on the project. My plan is to take a few months to regroup myself and pull my head out of the code and maybe even get a better, broader picture of what the project could become. My priorities are shifting towards another project I’ve been putting in some time on (no hints yet) that I hope can be a good tool for a similar community.

The management of the project is being put in capable hands, though – no worries there. Lorna will be the gatekeeper for all things Joind.in. She’ll be handling both the site and the open source project in their day to day needs. I’ll still be lurking around in the same places, but I won’t be as active in the project as I have been.

Thank you to the community that has made the site everything it is and I know it will grow even more in the months to come. Thanks for your contributions, both in code and even just in kind words. Please keep them coming and if you’re a fan or contributor of the project, ask Lorna if there’s a helpful hand you can lend. I know she’d appreciate it.

UPDATE: You can also see Lorna’s post here.


“It’s Not Just About the News”

April 21st, 2011 — 9:34am

Originally, I was going to present these thoughts at the PHP Community Conference (in a session titled “It’s not Just About the News”) but it didn’t work out for me to be there. I still wanted to share some of my thoughts and experience in running PHPDeveloper.org for the last 11 years.

In its very first form, PHPDeveloper.org was just a page of links. It was hosted on a local server I had at the college I attended and was aliased to the outside world under the hostname “bender.ods.org”. I started gathering links on that page to some of my favorite PHP resources of the time – things like PHPBuilder.com and, of course, the PHP.net manual. I was new to the language – this was back in the 1999-2000 range – and was constantly devouring everything I could about it. Not many of the free hosting services supported PHP back then, so running it on my own server was clearly the answer. I compiled my own installations from scratch complete with some of the earlier versions of Apache, PHP3 (fresh off of PHP/FI) and MySQL. All of my code was procedural and I had no clue about application design. All I knew was that I loved the language. I left my Perl books to gather dust and marched on to a bright PHP-based future.

To be honest, I’m not entirely sure when I made the leap from a set of links to the sort of blog style PHPDev is in today. I was a huge fan of Slashdot back then (weren’t we all?) and I think I thought to myself one day, “I could totally do that”. So I hacked together a custom sort of content management system and started to work. Things weren’t as consistent then as they are now. Back then I might have posted once a week, two or three times if I was feeling ambitious. If you want a good laugh, go back and take a look at some of my earliest posts on the Internet Archive.

I was a big IRC user back then – still am on Freenode – and I spread the word about the site mostly through there. There was no such thing as Twitter and getting sites like Yahoo to notice you wasn’t as easy as it is now. I had one thing going for me though…back then there just wasn’t another PHP news site out there, at least not one that was consistently updated. I was determined that PHPDev would become one of the best resources out there for PHP-related news and community happenings that it could be.

Some folks have called me a human aggregator in the past, and I think that’s what really sets the site apart from some of the other PHP news/community sites out there. I’ve never, ever pulled in posts automatically from other sources. Yep, that’s right – I hand-write every post you read on the site. I spend about an hour or so each day trolling through my Google Reader feeds (I’m up to 434 of them currently) to find some of the most interesting content out there. I actually spend some time reading the posts and writing up a good summary of what it has to offer. Plus, I can do some fun things the other automatic readers can’t like:

  • Pulling announcements from Twitter
  • Listening to podcasts and summarizing their content
  • Filtering out posts that are related to a product or general commentary
  • Making community announcements about conferences
  • Taking specific article submissions

One of the best things, though, is subscribing to things like DZone or PHPCamp and discovering new articles that aren’t even on other aggregators’ radar. I gather things from the four corners of the web and try to make the best sense I can out of them to share with the world. In recent years, I’ve realized that the “stuff I find interesting” approach is good, but I had to widen the scope to make it really work. I now read through my feeds and think more “is there a group that would find this interesting” instead. As a result there have been posts on things outside of PHP touching on software like Drupal/WordPress/Joomla as well as Open Source projects that might be related to PHP, but not always directly.

I’m sure you’re curious about the technology behind the site. Well, let me say off the bat, you’re probably going to be disappointed. Remember when I said I had a hacked together CMSish kind of thing to manage the content – it’s not much different these days. I started with it back in PHP3 and it was all procedural. It wasn’t pretty but I was proud of it and it worked. Then PHP4 came along and these magical things called objects and OOP came along with it. Of course, I just had to do a rewrite. PHPDev v2 was born. Things changed again when Zend announced that they were making a framework (framework? what’s a framework?) and released some of their earliest versions. So, being the curious developer I was, I did what any good developer would do – another rewrite (PHPDev v3). If you’re wondering, I think it was ZF 0.7 or 0.8 – not sure which. Keep in mind that most of these rewrites came with a design update, but they all took the same basic news site/blog format. Finally, and this is the current form, I wanted to learn something different so I branched out to the Solar framework in yet another rewrite (yep, PHPDev v4).

So, what does all of that mean? It shows that the tools don’t matter. I could probably rewrite the site a million different ways, but that’s not what it’s about. Most of my current posting is just done on a simple form with subject, content and date/time. I write them in the morning and queue them to go out during the day. Sure, there’s been a few hiccups now and then when the technology changed, but what matters to most of my visitors is the content.

I checked in my logs a little while back just to see how many people were hitting the feeds on my site and found an interesting statistic – there’s now more people following the @phpdeveloper account on Twitter than there are pulling the feeds. Now, that’s not taking into consideration any re-blogging folks do of my content (that’s a whole other topic), but it’s still interesting to me.

So, how far have things come since the site’s birth back in 2000? Well, without trying to sound too boastful about it, I think PHPDev has become one of the most respected PHP news sites out there and provides a valuable service to the community that can only come from a human behind the helm. As of my latest post, the database now hosts 16232 articles that chronicle the history of the years the PHP community has been through, both the good and the bad.

Of course, I couldn’t end this post without thanking each and every one of you out there – my readers have made the site what it is. I couldn’t have done it without you. Your contributions – either through blog posts or actual submissions – are the lifeblood of the site. I’ve stood on the shoulders of everyone in the community to reach this high, and I thank you for letting me come along.
