Larry Garfield - Mastobot: For your Fediverse PHP posting needs (24.1.2023, 04:13 UTC)

Like much of the world I've been working to migrate off of Twitter to Mastodon and the rest of the Fediverse. Along with a new network is the need for new automation tools, and I've taken this opportunity to scratch my own itch and finally build an auto-posting bot for my own needs. And it is, of course, available as Free Software.

Announcing Mastobot! Your PHP-based Mastodon auto-poster.

Continue reading this post on PeakD.

Evert Pot - Knex (with MySQL) had a very scary SQL injection (12.1.2023, 21:31 UTC)

Knex recently released a new version this week (2.4.0). Before this version, Knex had a pretty scary SQL injection. Knex currently has 1.3 million weekly downloads and is quite popular.

The security bug is probably one of the worst SQL injections I’ve seen in recent memory, especially considering the scope and popularity.

If you want to get straight to the details:

My understanding of this bug

If I understand the vulnerability correctly, I feel this can impact a very large number of sites using Knex. Even more so if you use Express.

I’ll try to explain through a simple example. Say, you have MySQL table structured like this:

CREATE TABLE `users` (
  `id` int NOT NULL AUTO_INCREMENT,
  `name` varchar(100) DEFAULT NULL,
  PRIMARY KEY (`id`)
)

And you have a query that does a SELECT using Knex:

const lookupId = 2;

const result = await knex('users')
  .select(['id', 'name'])
  .where({
    id: lookupId
  });

You’d expect the query to end up roughly like this

SELECT `id`, `name` FROM `users` WHERE `id` = 2

The issue is when the user controls the value of lookupId. If somehow they can turn this into an object like this:

const lookupId = {
  name: 'foo'
}

You might expect an error from Knex, but instead it generates the following query:

SELECT `id`, `name` FROM `users` WHERE `id` = `name` = 'foo'

This query is not invalid. I don’t fully understand MySQL’s behavior, but it causes the WHERE clause to be ignored and the result is equivalent to:

SELECT `id`

Truncated by Planet PHP, read more at the original (another 8765 bytes)
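As an added example (not code from the post or from Knex), one defensive check a request handler can run before a value reaches .where(): it accepts only a positive integer id and rejects the object shape the post describes. The findUserById helper and its knex parameter are assumptions for illustration.

```javascript
// Added example, not code from the post or from Knex: validate the lookup value
// before it reaches knex('users').where({ id: lookupId }). The bug above only
// triggers when an object is accepted as a value, so reject everything that is
// not a positive integer id. Assumption: `users.id` is an INT AUTO_INCREMENT
// (as in the table definition above), so only positive safe integers are valid.

function toLookupId(value) {
  // Query-string parsers (Express's default qs parser included) can turn
  // `?id[name]=foo` into { name: 'foo' } and `?id=1&id=2` into ['1', '2'].
  // Neither shape may ever be handed to the query builder as a value.
  if (typeof value === 'object' && value !== null) {
    throw new TypeError('lookup id must be a scalar, got an object or array');
  }
  if (typeof value === 'number') {
    if (!Number.isSafeInteger(value) || value <= 0) {
      throw new RangeError(`lookup id must be a positive integer, got ${value}`);
    }
    return value;
  }
  // Accept only canonical decimal digits: no sign, no leading zeros, no
  // whitespace, no exponent notation, nothing but the id itself.
  if (typeof value === 'string' && /^[1-9][0-9]*$/.test(value)) {
    const id = Number(value);
    if (Number.isSafeInteger(id)) return id;
  }
  throw new TypeError(`lookup id must be a positive integer, got ${typeof value}`);
}

// Hypothetical lookup helper: `knex` is an initialised Knex instance passed in
// by the caller; validation runs before any SQL is built, so a rejected value
// never reaches the WHERE clause at all.
function findUserById(knex, rawId) {
  const id = toLookupId(rawId);
  return knex('users').select(['id', 'name']).where({ id });
}

// Stand-alone demonstration over constructed inputs a handler might receive.
const samples = [2, '2', { name: 'foo' }, ['1', '2'], '2 OR 1=1', '-1', '007'];
for (const sample of samples) {
  try {
    console.log(JSON.stringify(sample), '->', toLookupId(sample));
  } catch (err) {
    console.log(JSON.stringify(sample), '-> rejected:', err.message);
  }
}
```

Upgrading to Knex 2.4.0 closes the builder-side hole; a check like this keeps an unexpected object out of the query regardless of the Knex version in use.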

Derick Rethans - Xdebug Update: December 2022 (10.1.2023, 09:06 UTC)

In this monthly update I explain what happened with Xdebug development in this past month. These are normally published on the first Tuesday on or after the 5th of each month.

Patreon and GitHub supporters will get it earlier, around the first of each month.

You can become a patron or support me through GitHub Sponsors. I am currently 45% towards my $2,500 per month goal. If you are leading a team or company, then it is also possible to support Xdebug through a subscription.

In the last month, I spent 25 hours on Xdebug, with 21 hours funded. Sponsorships are continuing to decline, which makes it harder for me to dedicate time for maintenance and development.

Xdebug 3.2

Xdebug 3.2.0 got released at the start of December, to coincide with the release of PHP 8.2 which it supports, after fixing a last crash with code coverage. Since then a few bugs were reported, which I have started to triage. A particularly complicated one seems to revolve around Windows with PHP loaded in Apache, where suddenly all modes are turned on without them having been activated through the xdebug.mode setting. This is a complicated issue that I hope to figure out and fix during January, resulting in the first patch release later this month.

Plans for the Year

Beyond that, I have spent some time away from the computer in the Dutch countryside to recharge my battery. I hope to focus on redoing the profiler this year, as well as getting the "recorder" feature to a releasable state.

On the smaller-feature side, I hope to implement file/path mappings on the Xdebug side to aid the debugging of generated files containing PHP code.

Xdebug Cloud

Xdebug Cloud is the Proxy As A Service platform to allow for debugging in more scenarios, where it is hard, or impossible, to have Xdebug make a connection to the IDE. It is continuing to operate as a Beta release.

Packages start at £49/month, and I have recently introduced a package for larger companies. This has a larger initial set of tokens, and discounted extra tokens.

If you want to be kept up to date with Xdebug Cloud, please sign up to the mailing list, which I will use to send out an update not more than once a month.

Xdebug Videos

I have published two new videos:

I have continued writing scripts for videos about Xdebug 3.2's features, and am also intending to make a video about "Running Xdebug in Production", as well as one on using the updated "xdebug.client_discovery_header" feature (from Xdebug 3.1).

You can find all previous videos on my YouTube channel.

Business Supporter Scheme and Funding

In December, no new business supporters signed up.

If you, or your company, would also like to support Xdebug, head over to the support page!

Besides business support, I also maintain a Patreon page, a profile on GitHub sponsors, as well as an OpenCollective organisation.

Evert Pot - I wish JSON5 was more popular (9.1.2023, 21:29 UTC)

As developers we write a lot of code, but we also deal with a lot of configuration files.

The three major formats I tend to use day to day are:

  • JSON
  • YAML
  • .env

And, they all kinda suck. JSON feels like it should never have become a format that people hand-write. So many quotes, and configuration files need comments to tell users why certain decisions were made. .env has a specific purpose (and it’s ok at that), but it’s not a great universal format, and YAML has always been difficult to read and write to me. I can somehow never retain the syntax and end up copy-pasting things from examples.

Why YAML is difficult for me

A small example from Github workflows/actions:

steps:
  - uses: actions/checkout@v2
  - uses: actions/setup-node@v2
    with:
      node-version: 14
      registry-url: https://registry.npmjs.org/
  - run: npm ci
  - run: npm publish

I couldn’t tell you why uses has a dash in front, and node-version does not. If there’s a difference in how a YAML reader outputs them, I’m not sure how I would be able to retain this while writing YAML.

I also use/love Home Assistant, which lets you write some pretty cool automations using YAML. I wanted to play with this but it’s been a barrier I’ve not been able to overcome. I don’t know if it’s me. I’ve been working as a programmer for 22 years. I’m decent at it, but when I chat with some of my peers (hi mhum!) they did not share my sentiment.

YAML can also have very surprising behavior, with casting types:

From the linked article, this:

- country1: ca
- country2: no

Becomes:

- country1: ca
- country2: false

It’s a bit cherry picked, and I’m sure there’s YAML linters out there that help avoid the pitfalls, but in my mind configuration files should be simple.

There are some configuration formats I like, such as TOML and JSON5. They strike the right balance to me between being easy to read and write, unambiguous, supporting comments, strictness and not being incredibly hard to write a parser for.

TOML is like ini files on steroids, and JSON5 is JSON but with fewer quotes, comments and multi-line strings.

I could write my NPM configuration file as package.json5 and automatically convert it to package.json but that feels too surprising. My projects are already kind of eclectic, so I want the ‘plumbing’ to be unsurprising. Plus there’s the whole chicken and egg thing with needing a JSON5 parser before we have dependencies.

I’d love the NPM project to adopt JSON5. It seems like a great fit. JSON and YAML can’t be the final word for human-maintained data formats. It’s so obviously sub-optimal.

If NPM adopted JSON5, I would annotate so much in my package.json. I’d document why a dependency is needed, why we are stuck using a previous major version of a dependency and what the purpose is of each script.

I wouldn’t know what format would be ideal for Github Actions. Maybe the answer is ‘nothing’ and they need a good DSL.

And while we’re at it, stop polluting my project’s root directory! Can’t we all agree on a .meta directory for finding configuration files?

Cees-Jan Kiewiet - Migrating from self-hosted in Kubernetes Databases to managed hosted at Digital Ocean or the story of how I started working on Opportunistic TLS in ReactPHP (1.1.2023, 00:00 UTC)

One of the things I’ve been planning for months is to move my self-hosted Redis, PostgreSQL, and MySQL servers from hosting them inside my Kubernetes cluster to managed hosting at DigitalOcean. At $15 each, I would have to save at least $45 on Kubernetes cluster resources (nodes and volumes) by moving them. In the end, I succeeded at that and will probably end up saving even more as I’m moving some Prometheus exporters for certain things into my home Kubernetes cluster. (Less expensive per month to run and not super important to have high uptime/availability, to be honest.) Plus I’ve been cutting down on services. On the plus side, it comes with shiny graphs to see how the managed databases are doing.

DigitalOcean Hosted PostgreSQL Throughput graph

Larry Garfield - Running Lando on GitHub Actions (30.12.2022, 22:33 UTC)

At the $dayjob, I am working to have us adopt Lando as a development tool. Lando is a docker-compose abstraction layer that simplifies building standard development environments, such as a bog-standard LAMP stack, and is way easier than raw docker-compose for those cases.

I also wanted to be able to generate test coverage information as part of our Pull Request process. To be clear, test coverage is not the end-all, be-all of good tests, but it is still a useful metric, and can be a useful gate if used properly. Of course, generating test coverage requires running tests; and while most tests should be unit tests that do not require any services, not all are or can be, and many frameworks don't make true unit tests as easy as they should. (cough) So that means building a full dev environment to run tests. There's various tools for that, but I wanted to use GitHub Actions.

Larry Garfield - Upgrading PHP upgrades (9.12.2022, 21:50 UTC)

PHP 8.2 was released on 8 December, to much fanfare. And, as always, to much wailing and gnashing of teeth about how the PHP language is evolving too quickly and breaking everyone's code. More specifically, it was the earlier, twin announcement that PHP 7.4 reached end-of-life on 28 November, as that has, somehow, forced everyone to suddenly rewrite their entire code base in a hurry.

And... while I sympathize with some of the complaints, I am once again left wondering "how?"

Continue reading this post on PeakD.

Derick Rethans - Xdebug Update: November 2022 (6.12.2022, 09:06 UTC)

In this monthly update I explain what happened with Xdebug development in this past month. These are normally published on the first Tuesday on or after the 5th of each month.

Patreon and GitHub supporters will get it earlier, around the first of each month.

You can become a patron or support me through GitHub Sponsors. I am currently 45% towards my $2,500 per month goal. If you are leading a team or company, then it is also possible to support Xdebug through a subscription.

In the last month, I spent 30 hours on Xdebug, with 24 hours funded. Sponsorships are declining, which makes it harder for me to dedicate time for maintenance and development.

Xdebug 3.2

I spent most of November fixing outstanding bugs for Xdebug 3.2, so that it is ready to be released when PHP 8.2.0 comes out at the start of December.

I also spent a fair amount of time triaging a crash bug with a segfault when code coverage is in use, which is likely related to generators, but I haven't managed to fully check it out yet. I did also find a use-after-free error that I have now fixed.

As part of this, I have released Xdebug 3.1.6 to address a compressed file writing bug on Windows, and Xdebug 3.2.0RC2 so that you are able to test Xdebug 3.2 with PHP 8.2 with all the outstanding bugs addressed.

Once Xdebug 3.2 gets released next week, support for PHP 7 and Xdebug 3.1 (and lower) will no longer be available. This of course does not mean that older versions of Xdebug are no longer available for download to use with legacy PHP versions.

Xdebug Cloud

Xdebug Cloud is the Proxy As A Service platform to allow for debugging in more scenarios, where it is hard, or impossible, to have Xdebug make a connection to the IDE. It is continuing to operate as a Beta release.

Previously Xdebug Cloud was only supported by PhpStorm, but the PHP Debug Adapter for Visual Studio Code now also supports it.

Packages start at £49/month, and I have recently introduced a package for larger companies. This has a larger initial set of tokens, and discounted extra tokens.

If you want to be kept up to date with Xdebug Cloud, please sign up to the mailing list, which I will use to send out an update not more than once a month.

Xdebug Videos

I have published one new video:

I have continued writing scripts for videos about Xdebug 3.2's features, and am also intending to make a video about "Running Xdebug in Production".

You can find all previous videos on my YouTube channel.

Business Supporter Scheme and Funding

In November, no new business supporters signed up.

If you, or your company, would also like to support Xdebug, head over to the support page!

Besides business support, I also maintain a Patreon page, a profile on GitHub sponsors, as well as an OpenCollective organisation.

Matthew Weier O'Phinney - Goodbye Twitter (28.11.2022, 20:20 UTC)

This is a long, personal post.

tl;dr: I'm leaving Twitter. You can find me in the Fediverse as @matthew@mwop.net.

In the beginning

I started using Twitter because of ZendCon 2007. Cal Evans had the idea that if folks attending the conference were to tweet about it, those who were unable to attend would get an idea of what the conference was about, get links to slides if speakers posted them, and more; it would both feed FOMO, and respond to it. (It also became an unofficial way for many of us to organize non-conference events during the evenings.)

Once the conference was done, I wasn't quite sure what to do with it. There was a bit of engagement, but not a ton. Hash tags, replies, retweets, quote tweets — none of these existed yet. Hell, even direct messages were just a specially formatted tweet, and heaven forbid you get the initial character sequence wrong! We started creating conventions, many of which later became codified into Twitter itself.

Over the next year or two, I found it became my "virtual watercooler." Being somebody who worked remotely, from home, I didn't have office conversations. A few of my colleagues and collaborators were on IRC, but back then, that was about it. If I wanted to talk to a larger group, or somebody not in my regular channels... Twitter became that place.

I made friends. I got job offers. I learned about places to visit on my travels. When abroad, I could coordinate meet-ups with friends.

When I realized folks couldn't spell my handle, I reached out on Twitter to see if I knew somebody at Twitter, or if somebody had a friend at Twitter, to see if I could change my handle, as somebody was squatting on "mwop". A friend of a friend made it happen — and I made a new friend in the process.

That was the honeymoon period, it seems.

The start of the fall

Sometime in the early 2010s, I began seeing the ugly side of Twitter. You know the folks, the ones who slide into your mentions or DMs when you post an opinion, the ones who ask for receipts and links or push whatabout-isms nonstop until you give in or stop replying (which they also take as victory). The ones who treat your lived experience as invalid, because it does not match theirs. The ones who cannot even imagine a valid experience outside their own. The ones who would not even allow another person's beliefs, body, heritage, circumstances to exist if they had their way.

Before muting and blocking existed on Twitter, the service was quickly becoming somewhere I did not want to engage. Somewhere I only felt comfortable posting non-revealing content about things like my open source projects, or retweeting work-related content. (I haven't posted anything about my family in years.) When Twitter allowed you to limit DMs to people you mutually followed, that helped a bit. But even then, I'd get folks in my mentions arguing or trolling; I cannot tell you how many times I was told the projects I worked on were crap, should die in a fire, that I should be embarrassed to even share them, that I should quit and get a different job, preferably in a different field. And this is only a fraction of what I see in the replies to women, people of color, LGBTQ+, people with accessibility issues — where the very act of existing as who they are is evidently an egregious offence. It's easy to see why so many leave the service, even though it can be hugely powerful at connecting you to others in your chosen community.

With muting and blocking, the service became more bearable, but only barely. I'd still get the tweets, replies, and quote tweets, but now the first time somebody spewed vitriol at me, it would be their last.

But I still had to see them at least once.

Crumbling

And then 2016 came along.

I am a liberal. My wife and I laugh at the assertion that you become more conservative with age. If anything, we've become more liberal.

And the run-up to the 2016 US elections broke us.

On Twitter, I was seeing either tons of right-wing hate spewed by folks, or reactions from others to that hate. The few times I addressed it were horrible; the amount of vitriol in my mentions shocked me. Some people have the energy and mental reserves to fight back. I'm not one of those; I internalize the attack, and it replays in my mind over and over. It tears me apart.

So following the election, I started pulling back.

I created a couple lists that I'd check daily, mostly those of authors or artists I like and admire. This created a little oasis for me, and made things somewhat manageable.

But here's the thing: we are all political. Living in a society means we engage with politics. And this meant that, even following creators, I was still seeing politics; the po

Truncated by Planet PHP, read more at the original (another 6400 bytes)

PHP: Hypertext Preprocessor - PHP 8.2.0 RC7 available for testing (24.11.2022, 00:00 UTC)
The PHP team is pleased to announce the release of PHP 8.2.0, RC 7. This is the seventh release candidate, continuing the PHP 8.2 release cycle, the rough outline of which is specified in the PHP Wiki. For source downloads of PHP 8.2.0, RC 7 please visit the download page. Please carefully test this version and report any issues found in the bug reporting system. Please DO NOT use this version in production, it is an early test version. For more information on the new features and other changes, you can read the NEWS file or the UPGRADING file for a complete list of upgrading notes. These files can also be found in the release archive. The next release will be the production-ready, general availability release, planned for December 8th 2022. The signatures for the release can be found in the manifest or on the QA site. Thank you for helping us make PHP better.