Monday, November 7, 2011

Becoming A Better Developer

One of the most frequent questions that I get asked is “How can I become a better developer?” I think that it’s a very good question to ask that deserves a good response. But how can you respond to something like that? Becoming a better developer depends so heavily on past experience (where to grow), interests and rationale (why do you want to grow), that it’s really hard to answer without a fair bit of discussion. This post reflects my experiences from both my own growth and the growth that I’ve seen in others.

Thursday, November 3, 2011

On PSR-0 Being Included In PHP's Core

Note: The voting phase has begun on If you have an svn account somewhere on, vote and share your opinion: SPLClassLoader Vote

Recently there has been a rather heated and intense discussion on whether the PSR-0 autoloader "standard" should be included as part of the PHP core (in ext/spl to be exact). I've tried to stay out of the discussion and have successfully done so. Until today. I feel that there's something that's been missing to the discussion. So rather then posting this to the internals list, I feel it's better served by a blog post on the subject. So here's my take on it.

TL;DR: I don't think it should be included in the core.

Monday, October 31, 2011

IteratorIterator - PHP Inconsistencies And WTFs

Last night I was discussing the SPL Iterators with @go_oh in the PHP StackOverflow chat room when I came across something very interesting.  We were talking about why some of the SPL Iterators accept only an Iterator as the constructor argument (Such as LimitIterator), and others accept either an Iterator or an IteratorAggregate as the argument (Such as IteratorIterator).  Feeling that this would be a useful feature to add (having all of them accept an IteratorAggregate), I opened up the PHP source and started looking at how hard of a change this would be.  What I found was... Interesting...

Wednesday, August 24, 2011

A Failure Of Process (Tools Are Not To Blame)

A tool is only as good as how it's used. It seems like such a simple concept, yet it's amazing to see how many people get caught into the trap of thinking that because a tool is there, they are safe. We see it all the time in almost any industry. Company X pays untold millions of dollars for a product, just to find out later that it didn't do what they needed. It's such common sense that it's hard to think of someone logically arguing against it. Yet the same mistake is made over and over and over and over again. And on August 18th, we saw a really blatant example of this with PHP's 5.3.7 release.

Tuesday, August 16, 2011

The Rainbow Table Is Dead

Well ok, not really.  But you should not be securing hashes against rainbow tables anymore, you need to secure them against brute forcing.  Rainbow tables are still very effective for simple hashes (md5($password)), but just because an algorithm is hard to use for a rainbow table doesn't mean that it is safe, because the rainbow table is dead...

Tuesday, August 9, 2011

On Optimization in PHP

When it comes to optimization, there are two competing viewpoints in the PHP community. Some say that optimization should only ever be an after thought and to avoid premature optimization at all costs. Others will say that this is impractical, and you should make your application fast as you write it, since then you won’t have to go back and clean it up to make it faster. While I can understand the viewpoints of both sides, I am firmly in the former category. Given the number of discussions that I’ve had as of late on the topic, I’ve decided to write a post as to why I believe my viewpoint is better and more sustainable in the long run.

Thursday, August 4, 2011

Error Handling in PHP

Let’s face it: error handling in PHP is crap. Actually it’s worse than crap, it’s craptastic. The core has almost no support at all for handling errors. Sure, PHP has a robust error reporting and logging system, but it has no real way of handling those errors. If you want to write robust code, you need to be able to actually handle errors. So how can we handle errors in PHP?

Monday, August 1, 2011

Security Review: Creating a Secure PHP Login Script

The other day, an article popped up in my feed reader that had a very interesting title (to me at least), Simple and Secure Login Script. As usual, I decided to click the link and give the article a read. Not overly shocking was the fact that I didn’t find the content of the article to be, how shall I say this…, overly factual. It’s not really a “tutorial”, but more of a “here’s some code that’s secure”. A quick review of the code found more than one vulnerability, and some significant things that I would change about it (as well as a few “really bad practices”).

So, rather than write a “rant post” about the code, I’ve decided to take another tactic. In this article, I’m going to walk you through my process for performing a security code review. Inline with the review, we’ll take note of any issues that we do find, and number them. Then at the end of the review, we’ll go over each one and look at potential mediation that we can apply and how to fix the issues.

Thursday, July 28, 2011

How Not To Hire Me

So I got a rather interesting email today.  Ever since I put my resume public a few months ago (even though it was taken off just 2 weeks later when I accepted a position), I've been getting emails quite often from recruiters looking for help. Most are mildly interesting and the majority I just glance over. But every once in a while I get one that takes me aback and makes me look deeper. Some of those turn out to be really good. And some of those are shockingly bad. This one is the latter...

Tuesday, July 26, 2011

Why I Don’t Use Autocomplete

Today’s IDEs (Integrated Development Environments) provide a lot of features that make development significantly easier. From error checking and debugging to intelligent syntax highlighting and refactoring, there are a significant amount of time saving features available. One of these commonly loved features I have disabled, and found it has made my life easier as well as the code I write better. The feature I am speaking of is autocompletion…

Friday, July 22, 2011

Are Traits The New Eval?

The upcoming release of PHP 5.4.0 includes a plethora of new features, including Traits. While I do believe this is a great feature with great possibilities, I also fear that it may fall into the category of often-abused-features such as eval(), goto, constants, the @ operator, class inheritance and regular expressions.

Monday, July 18, 2011

Random Number Generation In PHP

What is “random”?

When we talk about “random” numbers, we generally talk about two fundamental properties: Predictability and Bias. Both are closely related, but are subtly different. Predictability in reference to random numbers is the statistical problem of predicting the next value when knowing any number of previous values. Bias on the other hand is the statistical problem of predicting the next value when knowing the distribution of previous values.

Friday, July 1, 2011

Slides From "Cross Site Scripting and PHP Security" at NYPHP on 6-30-2011

As promised, I'm going to post the slides from last night's talk on XSS prevention with PHP here.  There was a fair turnout, with a few following the live stream of the talk.  I must thank those who came, as there was definitely some good interaction and questions.

Friday, June 24, 2011

In Response To: Building Secured Web Applications Using PHP - The Basics

Today an article popped into my feed reader that raise my eyebrows.  The article's title is "Building Secured Web Applications Using PHP - The Basics".  The summary of the item looked interesting, so I decided to open it up...

What I found blew me away.  It was filled with loads of bad information including some down-right wrong suggestions.  Let me go through point by point and shed some light on the subject...

Tuesday, June 21, 2011

A Talk On XSS - NYPHP in collaboration with OWASP

Well, my next talk is scheduled!  It will be June 30th, 2011 at NYPHP.  It's the first of a series of talks in collaboration with OWASP, going over each of the top 10 vulnerabilities.  This talk will be on Cross Site Scripting (XSS).

I'm going to go over what XSS is, and why it matters.  We will go into detail on the different facets and types of XSS that exist today.  Then, we will examine a real-world application that has known vulnerabilities (both looking for vulnerabilities and exploiting them).  Finally, we will talk about how to prevent XSS with PHP using a variety of techniques.

I am going to try to have the presentation recorded and either streamed live or posted as a YouTube video later.

If you are in the New York area, come on it!  But reserve your seat early, space is limited.

RSVP Required:
June 30th, 2011 at 6:30PM (sharp)
Suspenders Restaurant, 111 Broadway, New York, NY
Online (all attendees MUST RSVP)
Networking/drinks location to be announced at the meeting.

Sunday, June 19, 2011

Slides From Recent Presentations on SQL Injection

Hello all.  It's been a little while since my last post, but I haven't disappeared.  In fact, I've been quite busy...

Tuesday, April 5, 2011

Musings On PHP.JS (And Similar Libraries)

I have always been intrigued by projects such as PHP.JS. To be completely honest, it's not because I though they were "neat" or "innovative", but because they have always made me ask myself "Why would someone seriously want to do something like that?!?!?"...  Let me try to explain my standpoint.

Friday, April 1, 2011

XSS - Web Application Security - Post 2

In the first post of this series, we looked at some fundamental concepts of Web Application Security, and introduced the concept of Filter In, Escape Out.  In today's post, we will be examining the single most prolific vulnerability plaguing web applications today: Cross-Site Scripting (otherwise known as XSS).  Not only is it prolific, it's also commonly under-estimated and is often just a low priority after-thought.  In reality, XSS is a formidable threat and needs to be treated as such.

Tuesday, March 29, 2011

Unit Testing When You Have File-System Interaction

While working on testing out my new Cryptography library (appropriately called PHP-CryptLib), I ran into a rather interesting problem.  How do you unit test a method that interacts with the file-system?  Traditionally, this problem has been solved by either not testing the method or creating temporary directory structures, testing, and then deleting the temporary directories.  There has to be a better way.  And as it turns out there is!

Friday, March 25, 2011

What Is Security - Web Application Security - Post 1

This is the first post in a multiple part series on Web Application Security.  Throughout this series, we will take a look at some of the different aspects of security as it relates to web applications and some techniques on how to mitigate them.  Before we can dive into the finer details of Security, we must define what it is and what it is not.  After that, we'll talk about some foundational pieces that will drive and support the rest of the series.

Tuesday, March 22, 2011

Follow-Up: Dependency Injection: An Analogy

I recently read a post entitled Dependency Injection: An Analogy, and I think it does a pretty good job explaining two of the types of Dependency Injection.  I really like the theme, and feel it really brings down the topic of DI to easy to understand language.  The only problem with it that I can see is that there are actually 4 flavors of DI available to us.  The other two flavors aren't even touched in that post.  So let me expand on that theme a bit here (Borrowing the same core analogy base from that post):

Friday, March 18, 2011

The Difference Between Good And Good Enough

Quite often we see people talking about the best way to approach a problem.  Usually this involves taking a relatively simple concept and making it fairly complicated to make it as flexible and maintainable as possible.  While I'm all for maintainability, I think that sometimes we miss the point that it all depends on context.  It seems like most people don't understand the difference between good and good enough.

Part of being a developer is making design decisions based on conflicting goals. Our job is to choose the line that's appropriate based upon our experience and the needs of what we're doing. But there-in lies the problem: How do we know where that line really is? How do we know when we've actually reached the point of good enough?

Tuesday, March 15, 2011

All about hashing and security

Here's a quick link to a StackOverflow answer that I wrote explaining password hashing.
A key feature of cryptographic hash functions is that they should be very fast to create, and very difficult/slow to reverse (so much so that it's practically impossible). This poses a problem with passwords. If you store sha512(password), you're not doing a thing to guard against rainbow tables or brute force attacks. Remember, the hash function was designed for speed. So it's trivial for an attacker to just run a dictionary through the hash function and test each result.
 I think it does a pretty good job explaining hashing and encryption, and is worth sharing