
Tuesday 08th October 2013 Important Practices for Securing Your PHP Apps

For high-profile, mission-critical PHP applications, security is a paramount concern. Bad security solutions can compromise important servers and lead to the kind of privacy breaches that make news headlines. But for those of us writing more every-day PHP apps, security is still an important concern - especially for anyone who's new to the language. We'll take you through some basic considerations for securing your PHP applications, letting you rest a little bit easier once you finally put your app out into the wild.
 
One of the most important concerns for any app that accepts user input is validating that input, to ensure it doesn't throw your app a curveball it can't handle - or worse. Frustratingly, the basic assumption should be that user input can't be trusted, as anything more lenient can leave gaping holes in your security. Many coders use JavaScript to validate user input, but this is inherently flawed, as users have the ability to disable JavaScript, so ensure you validate in PHP.
 
When your code runs on a page that accepts and then displays user input, such as a comment thread system, bulletin board or similar, it's important to make sure that your application has screened out any possible malicious JavaScript code or HTML tags present in the user input. Fortunately, PHP has two built-in functions that make this simple: strip_tags() and htmlentities(). These two can save you a great deal of hassle, so get in the habit of using them!
 
Everything, naturally, comes back to the user, but sometimes vulnerabilities can be unintentionally exposed by a user and shared with a malicious one - which makes proper error handling critical for the integrity of your security. Many developers hate dealing with this particular aspect of development when trying to get their code out the door in a hurry, but it's far better to invest the time now than to try explaining why you cut corners.
 
Finally, another important concern is the way your include files are handled. PHP code routinely references other PHP files, often for database access or regularly repeated code segments, and these can be inadvertently served to the user as plain text if not properly named. A file with any extension other than .php may not be handed to the PHP interpreter by the web server, so its source is sent to the browser as-is and your code is exposed - always use the correct extension. To be doubly safe, store your includes in a directory that isn't web-accessible.
 
This is only the tip of the iceberg when it comes to PHP security, but you can save yourself from a good many problems by following these simple practices.
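The four practices above, pulled together in one comment-form handler. This is an added example, not code from the original post or from SourceGuardian; the field names, the include path and the request array are constructed for the illustration. It validates on the server with filter_var() (client-side checks are treated as a convenience only), neutralises markup at output time with strip_tags() and htmlentities(), keeps PHP errors out of the browser and in the log, and pulls shared code from a directory outside the document root.

```php
<?php
// Added example (not from the original post): server-side handling of a
// comment form. Field names and the include layout are assumptions.
declare(strict_types=1);

// 4. Includes: shared code lives outside the document root and always
//    carries the .php extension. (/var/www/app/includes is a hypothetical
//    path that the web server does not serve.)
define('INCLUDE_DIR', dirname(__DIR__) . '/includes');
// require_once INCLUDE_DIR . '/db.php';   // hypothetical shared include

// 3. Error handling: visitors never see PHP errors; they go to the log.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
error_reporting(E_ALL);

/**
 * 1. Validate on the server. Returns a list of error messages (empty = valid).
 *    A request can be crafted without a browser, so every rule the form's
 *    JavaScript might enforce is re-checked here.
 */
function validateComment(array $input): array
{
    $errors = [];

    if (filter_var($input['email'] ?? '', FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'A valid e-mail address is required.';
    }

    $name = trim((string)($input['name'] ?? ''));
    if ($name === '' || mb_strlen($name) > 60) {
        $errors[] = 'Name must be between 1 and 60 characters.';
    }

    $body = trim((string)($input['body'] ?? ''));
    if ($body === '' || mb_strlen($body) > 2000) {
        $errors[] = 'Comment must be between 1 and 2000 characters.';
    }

    // Expect a positive integer id; anything else is rejected, not coerced.
    $postId = filter_var($input['post_id'] ?? '', FILTER_VALIDATE_INT,
                         ['options' => ['min_range' => 1]]);
    if ($postId === false) {
        $errors[] = 'Invalid post id.';
    }

    return $errors;
}

/**
 * 2. Neutralise markup before display. strip_tags() drops HTML tags outright;
 *    htmlentities() turns whatever survives into literals so the browser
 *    renders them as text instead of interpreting them. Done at output time,
 *    so what is stored is exactly what the user typed.
 */
function renderComment(string $name, string $body): string
{
    $safeName = htmlentities(strip_tags($name), ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $safeBody = htmlentities(strip_tags($body), ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<div class=\"comment\"><strong>{$safeName}</strong><p>{$safeBody}</p></div>";
}

// Constructed request standing in for $_POST; the <script> in the name shows
// what the output escaping prevents.
$request = [
    'name'    => 'Alice <script>alert(1)</script>',
    'email'   => 'alice@example.com',
    'body'    => 'Nice post! "Quotes" & <b>bold</b> survive as text only.',
    'post_id' => '42',
];

try {
    $errors = validateComment($request);
    if ($errors !== []) {
        http_response_code(400);
        foreach ($errors as $e) {
            echo htmlentities($e, ENT_QUOTES, 'UTF-8'), "<br>\n";
        }
        exit;
    }
    echo renderComment($request['name'], $request['body']), "\n";
} catch (Throwable $t) {
    // Details go to the log; the visitor gets a generic message.
    error_log('comment handler failed: ' . $t->getMessage());
    http_response_code(500);
    echo 'Something went wrong. Please try again later.';
}
```

Run from the command line the script prints the rendered comment with the script tag stripped and the quotes and ampersand converted to entities; change the e-mail to an invalid value and it prints the validation error with a 400 status instead. Note that strip_tags() and htmlentities() address output to an HTML page only; data headed for a database or a shell still needs its own escaping or, better, prepared statements.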

Posted on October 08th 2013 at 04:25pm
0 Comments
Labels: php, security, tips

Thursday 03rd October 2013 Exploring Continuous Deployment

Following up on our recent project management tips post, today we're going to explore what some have termed the developer's holy grail, known as continuous deployment, continuous delivery or continuous integration. As the widespread adoption of the Internet accelerated, the demand for shorter and shorter turnaround times between planned feature sets and new releases also increased dramatically, and PHP development was no exception. This is what first sparked the Agile development style as a solution, and has led to a number of successors since then, eventually culminating in the currently popular system we know as continuous deployment.

Essentially, what CD/CI means is that new features are rapidly and automatically integrated into your main codebase at a much higher frequency than in traditional development styles, sometimes even as frequently as multiple times per day. For a PHP-based application in a highly competitive field, the advantages of constantly being on the cutting edge are obvious, but there are some basic requirements and some potentially dangerous pitfalls to be considered before diving into a CD/CI strategy.

First of all, the main idea behind continuous deployment is speed - which essentially means the automation of as much as possible. Automation is crucial, because wasting 16 dev-hours to push out a day's worth of development is hardly continuous. Proper automation begins with implementing software to handle revision control and integration of new elements, the most popular of which currently is Git (which works perfectly with GitHub, of course). Testing of new features should be as automated as possible while being completely thorough - without being sure that your new code is flawless, there's no point in releasing it into the wild, as you'll just be hurting your project. This is the step that causes many developers to throw up their hands in disgust, as it optimally relies on clean, focused and disciplined coding and extensively customised test scripts. Last but not least, the final build process should be automated, allowing you to push new versions out the door with an absolute minimum of fuss. CruiseControl and Buildbot are two of the more popular examples of build software, but there is a large selection available.

While that may seem simple on screen, the successful implementation of these strategies can take months to accomplish - but if done correctly, the benefits are incredible. Your PHP application won't be ON the cutting edge, it will BE the cutting edge.

Posted on October 03rd 2013 at 09:25pm
0 Comments

Tuesday 01st October 2013 Project Management Tips for the PHP Developer

Let's face it: in most development environments outside of the traditional corporate hierarchy, the PHP developer handling the highest-level aspects of development is essentially operating as a project manager, even when still doing actual PHP coding themselves. Occasionally, even in a corporate situation, developers can suddenly find themselves thrust into a management role. In order to avoid having to bear the brunt of a failed project, there are a few important things to consider that can put you ahead of the project management game.
 
One of the most important things to do as a project manager is to manage the expectations of both the client and your team members. Oftentimes, frustratingly, a development project can succeed in its design specifications but still be perceived as a failure by the client simply because there were unrealistic expectations about how the features in the final product would operate. With that in mind, there are a number of things to outline at the beginning of any project: what resources will be required both during development and deployment, what the users actually require, and the full featureset that the client hopes to include. This especially applies if there are management levels above you who don't ever work as developers on the project, as they can easily lose sight of the original design specs - especially over the course of a long-term project. Take the time to be actively aware of how stakeholders feel about the project throughout each development phase, and you'll likely be able to head off most major problems before they get unmanageable.
 
One of the other incredibly useful decisions you can make is to choose to operate in an agile development framework. Traditionally-structured projects, termed 'waterfall' projects, have a clearly-defined development phase that only outputs a testable product near the end of the project development cycle, and this can seriously delay the detection of many problems that would have been easily corrected earlier on. The 'agile' development structure, however, presents a testable product every two weeks (or any other regular interval). This heads off questions of progress, as each new featureset is testable as it is developed, allowing for the identification of potential problems or misunderstandings much earlier in the development process, when they can be corrected or improved upon with relative ease.
 
The final consideration for the PHP-developer-turned-project-manager is the insidious problem of 'scope creep'. Scope creep is more or less what it says - the gradual addition of features until the original structure of the project has been lost, and you suddenly find yourself 6 weeks late and well over budget. It can come from a number of different vectors, but is often the result of a combination of agile development and upper management/client testing. It highlights the necessity of having the entirety of the featureset spelled out well in advance of the commencement of work, in the clearest possible terms.
 
Clients who like to operate in a 'hands-on' style often generate the most scope creep, but careful diplomacy can stop the situation in its tracks. While a certain amount of scope creep tends to be inevitable, and can actually be very beneficial to the client relationship, it's important to ensure that it doesn't get out of hand. With the careful application of these tips, you can save yourself from a managerial disaster and focus on creating great PHP applications.

Posted on October 01st 2013 at 06:59pm
0 Comments

Friday 27th September 2013 The Importance of Protecting Your Code

Intellectual property theft is one of the largest dangers faced by digital professionals today, and programmers are no exception. Nobody wants to spend days, weeks or even months on a project only to have a competitor come along and steal their entire codebase as soon as it goes live.


One of the most popular examples of this crime in the modern era is the drama surrounding the rise of Facebook. The prototype social networking site now known as ConnectU alleged that Mark Zuckerberg, Facebook's founder and CEO, stole their entire codebase while working for them in the early 2000s. In a trial that lasted for years, ConnectU fought tooth and nail to try to get control of Facebook - and its billion-dollar assets - turned over to them. Eventually, after an extensive legal battle, ConnectU and Facebook settled out of court for an undisclosed sum, rumoured to be somewhere in the neighbourhood of $65 million. While to most of us a $65 million payout would be cause to retire to a tropical island, imagine the billions of dollars they would have stood to make if their suit had been successful - or if their site had been the one to become the top social networking site in the world. As Facebook is written in PHP, it is a fair assumption that ConnectU was too, and protecting the code would have been easy with SourceGuardian!


Even if you're not working on the next Facebook, it is crucial to take the steps necessary to protect your code from unauthorised redistribution and reverse engineering. Aside from ensuring that your entire programming team is legally bound with an ironclad non-disclosure agreement, there are several other steps you can take to protect your code. One of the simplest and most effective methods is to run your code through an encrypter, also known as a code obfuscator. These programs take your normally written code, parse it, and convert it into a format that is easily machine-readable but completely incomprehensible to even the best human programmers. This ensures that nobody will be able to reverse engineer your masterpiece, no matter whether it's the next Facebook or just a small pet project you've been working on. Additionally, the better protection schemes will allow you to lock your code to only work from predetermined computers, preventing a situation such as the one between ConnectU and Facebook.


Don't take any chances when it comes to your valuable intellectual property. Take the time to protect your code, and you can be sure that you'll get everything you deserve from your hard work.

Posted on September 27th 2013 at 02:50pm
0 Comments

Monday 23rd September 2013 Benchmarking Your PHP Code Performance

When it comes to getting the most out of your PHP application, there's only so far that raw talent can take you. Most developers can benefit from a little external help when it comes to code optimisation, and even the best of the best can use a bit of help from time to time. The best way to ensure your code is executing as efficiently as possible in terms of resource usage is, naturally, by measuring the efficacy of each individual element and determining where any bottlenecks may exist.
 
The benchmarking of individual elements is also known as profiling, and there are a number of tools around that can help you with the process, but today we're going to look at one of the most popular, called XHGui. XHGui is a fork of the XHProf tool that was originally created by Facebook, but it comes with a much-improved GUI (as the name would suggest) as well as a number of other improvements. One of the most important improvements over XHProf is the change in the way the final output is presented, making it handy for creating pretty deliverables for managers who are not - and have never been - developers.
 
Since you're doubtless comfortable working with Apache, we'll skip the details of how to install XHGui and focus on what it can do for you once you've got it up and running. Once you've populated it with some data (try comparing heavy site loads with more typical usage patterns), you'll see the breakdown of data for each request: the URL, timestamp, 'wall time' which represents the user's wait time, CPU time used, total memory used, and peak memory usage. You can then drill down even deeper into each request, which gives you more data than you are likely to ever need about each step in your program.
 
To start your benchmarking, put your application through its paces: run each of the functions you've coded, including all error trapping. Once you've built your initial dataset, you can begin to analyse the problem areas and consider optimisation strategies. Often, the culprits behind slow execution times will be elements of the PHP framework you've chosen to develop in, but any particularly extreme offenders can often be replaced by custom code that does the specific job more effectively - this is just one of the inevitable trade-offs that come with developing using frameworks, and each will have its own specific quirks that need to be considered and corrected for.
 
If nothing immediately stands out as being the main bottleneck, look for related code elements that interact to create slowdowns and consider recoding them as a more cohesive unit. You can also reconsider any elements that may be better off handled asynchronously, or even reconsider their inclusion at all if they're non-essential. Ultimately, however, the main consideration has to be a balance between user experience, functionality, and execution time, and XHGui is your best friend when it comes to determining how to align that balance.
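To make the three per-request measures XHGui reports concrete, here is a small hand-rolled harness that records wall time, CPU time and peak memory for any callable and flags the case where wall time runs well ahead of CPU time (the code is waiting on something rather than computing). This is an added example, not code from the original post and not part of XHGui or XHProf; the two workloads, the usleep() standing in for a slow dependency, and the "2x" rule of thumb are constructed for the illustration.

```php
<?php
// Added example (not from the original post, not XHGui): measure wall time,
// CPU time and peak memory around a callable. Workloads are constructed.
declare(strict_types=1);

// user + system CPU seconds this process has consumed so far
function cpuSeconds(): float
{
    $ru = getrusage();
    return $ru['ru_utime.tv_sec'] + $ru['ru_utime.tv_usec'] / 1e6
         + $ru['ru_stime.tv_sec'] + $ru['ru_stime.tv_usec'] / 1e6;
}

/**
 * Run $fn once and return its wall time and CPU time in seconds plus the
 * process's peak memory in bytes as observed after the run.
 */
function profile(callable $fn): array
{
    $wall0 = microtime(true);
    $cpu0  = cpuSeconds();
    $fn();
    return [
        'wall'     => microtime(true) - $wall0,
        'cpu'      => cpuSeconds() - $cpu0,
        'peak_mem' => memory_get_peak_usage(),
    ];
}

// Workload A: CPU-bound string building, as a template layer might do it.
$buildReport = function (): void {
    $rows = '';
    for ($i = 0; $i < 100000; $i++) {
        $rows .= "<tr><td>{$i}</td><td>" . md5((string)$i) . "</td></tr>\n";
    }
};

// Workload B: same output, but stalled by a simulated remote call.
// (usleep stands in for a slow database or HTTP dependency.)
$buildReportWithWait = function (): void {
    usleep(150000);            // 150 ms of pure waiting
    $rows = [];
    for ($i = 0; $i < 100000; $i++) {
        $rows[] = "<tr><td>{$i}</td><td>" . md5((string)$i) . "</td></tr>";
    }
    $html = implode("\n", $rows);
};

$workloads = ['cpu-bound' => $buildReport, 'with-wait' => $buildReportWithWait];
foreach ($workloads as $label => $fn) {
    $m = profile($fn);
    // Rule of thumb (assumed here): wall time more than twice CPU time means
    // the request spent most of its life waiting, so look at I/O first.
    printf(
        "%-10s wall %.3fs  cpu %.3fs  peak %.1f MB  %s\n",
        $label,
        $m['wall'],
        $m['cpu'],
        $m['peak_mem'] / 1048576,
        $m['wall'] > 2 * $m['cpu'] ? '<- mostly waiting, not computing' : ''
    );
}
```

Run from the command line, the first line shows wall and CPU time roughly equal, while the second shows wall time about 150 ms above CPU time and gets flagged. That gap is exactly the signal to read off XHGui's wall time versus CPU time columns: a big difference points at a dependency to make asynchronous or cache, a small one points at the PHP code itself.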

Posted on September 23rd 2013 at 05:24pm
0 Comments

Friday 20th September 2013 Slow Week of Freelancing? Then Stay Ahead With These Projects

The following article is for our freelance PHP developers. Being a freelance developer can be difficult, and never more so than when you finish a big project and find yourself suddenly without a follow-up to work on. Slow weeks don't have to mean no profits, however, if you think creatively about how you can spend your time. There's a good deal of optional work that can really make an impact on your take-home pay that often gets left by the wayside by busy freelancers, so let's take a look at some of the more helpful things you can do until the next client comes calling. None of it is as appealing as a nice new project to complete, but it can be just as beneficial.

One of the best things you can do is make sure that you're maintaining a proper and up-to-date list of your clients and their contact information. If you're not already, consider using a service like Mailchimp, which offers an easy way to keep track of client information and lets you reach out to them. Old clients can be one of the best ways to generate new business, and some of them may even be interested in repeat business. Reach out and inquire how their current projects are going, and share some of your own current work. Keeping your name in the forefront of their minds is one of the best ways to ensure that they'll recommend you to others or re-hire you for new projects.

Another great way to start generating some additional revenue is to look at your informational assets and think about ways to monetise them. You've probably got a fair amount of reusable code that might be worth something to others, if you were to package it carefully and sell it. Alternatively, you could distribute it under a Creative Commons or GPL license and use it as a method of developing a name for yourself in the programming world - everyone always loves free code. Just make sure to document all the various functions as clearly as possible!

If you're looking to expand your horizons, you might want to use the time to make sure that you're up-to-date about any and all developments in the world of web development. As we all know, things change at an incredibly rapid pace, and it's easy to lose track of new developments when you've been finishing up a project with some marathon coding sessions. The more up-to-date you are, the more impressive you'll be to potential clients who are looking for cutting edge solutions.

Finally - and bear with us here, we know it's not popular - there are the ever-necessary backup and bookkeeping tasks. While they're not popular, they certainly are essential for freelance coders. We've heard many stories from freelancers who have been so swamped with work that their invoicing has fallen off, and they have outstanding money owed to them. A simple follow-up email is usually enough to get past clients to pay their bills; otherwise you're simply leaving money on the table that you've already earned. That prospect alone should be enticing enough to make you break out the dreaded accounting software!

We hope the above helps. Whilst it's not directly linked to our PHP encoder, we thought we'd share it with you in the first of a series of more general development and business-focused articles.

Posted on September 20th 2013 at 04:37pm
0 Comments
Labels: freelancing, tips

Tuesday 17th September 2013 Selecting the Right PHP Framework for Beginners

If you spend a great deal of time working with PHP in your development process, it makes sense to consider utilising an established framework for a number of reasons - namely, writing your code faster and more cleanly. However when it comes down to actually choosing a framework, opinions are wildly varied; fans of some frameworks almost reach the point of religious zeal when it comes down to one choice over another. For those of you just starting out with frameworks, this can create an overwhelming and conflicting set of opinions, so let's take a step back and discuss a few basic considerations about what you hope to achieve with your framework.


The primary concern about selecting a framework is to ensure that it has an active community behind it, as that's what creates the strength of a framework. Frameworks let you quickly and easily reuse code for many common functions and situations, letting you focus on the areas of your application that are specific to your situation. As you can guess, this means that the more people use and contribute to a framework, the more robust and useful it will be.

When you build an application using a framework, your code is inherently dependent on the security and stability of the entire framework codebase, so it can be critical to stay on top of any potential exploits or vulnerabilities that are discovered, and an active community can make this much easier.


The next most important consideration is the quality of documentation within the framework. We've all spent many a wasted hour trying to understand another programmer's undocumented code, and with a framework the problem can be 10 times worse. Typically, most frameworks have decent documentation, but it's worth exploring to see which documentation you find easiest to understand and work with. What clicks for some coders won't work for others, so be sure to check this out.

Finally, if you're looking for a framework to help you out with a small, single project, you might want to reconsider - frameworks can often add a great deal of complexity (not to mention execution time), which can make them unwieldy for smaller one-off applications. Even still, however, they can offer you some excellent reusable code that might make things simpler, and if you plan on doing a good deal of PHP coding, then learning a framework early on can save you hours of hassle and reinventing the wheel.


Now that you've understood the basic considerations of framework selection, visit Wikipedia's comparison of the various PHP frameworks and choose one that you're comfortable with. The best framework in the world isn't any use if you don't enjoy making use of it!

Posted on September 17th 2013 at 03:31pm
0 Comments
Labels: frameworks, php, tips

Sunday 11th August 2013 Windows loaders updated for PHP 5.5

We have updated Windows loaders for PHP 5.5 on our web site. PHP 5.5 loaders for Windows are now compiled against VC11 libs and can be used with the latest binary distributions from windows.php.net.
 
For downloading updated loaders please visit our loaders page: http://sourceguardian.com/loaders.html 
 

Posted on August 11th 2013 at 10:39pm by Alexander
0 Comments
Labels: php 5.5, vc11, windows

Thursday 01st August 2013 SourceGuardian 9.5 launched with PHP 5.5 support

We are proud to present SourceGuardian 9.5 - the most advanced PHP Encoder on the market, complete with a powerful GUI and protection covering the latest versions of PHP including PHP 5.5 and PHP 5.4. You can encode your scripts using Windows, Mac OS X and Linux, all with a powerful GUI or using a command line interface.
 
Try the 14-day free trial and purchase the full version.
 
Protected files may run on Windows, Mac OS X, Linux and more. For a full list of supported platforms, check our loaders page.

Posted on August 01st 2013 at 02:45pm
0 Comments
Labels: 9.5, php 5.5

Monday 29th April 2013 Loaders updated for Mac OS X

We have updated loaders for Mac OS X on our web site. Issues with IP/domain/mac-address locking have been fixed in the new version. The update is recommended for all users running protected scripts with locking under OS X.
 
Please visit our loaders page: http://sourceguardian.com/loaders.html 
 

Posted on April 29th 2013 at 09:44pm by Alexander
0 Comments
Labels: bugfix, locking, osx

© Copyright 2002 - 2016 SourceGuardian Limited