Writing Portable PHP

Writing Portable PHP - DREW MCLELLAN - - CONFOO 2015
-

Hello! ﬂickr.com/photos/85520404@N03/9535499657

Perch CMS PHP & MySQL content management system. ‘WordPress model’
- download and install on your own hosting.

Listen up! This session is about shipping code into uncontrolled
environments. It’s about coping with restrictive hosting, old PHP versions, lack of dependancy management and how PHP is working against us. It probably poses more problems than solutions. It may turn into a self-help group.

You can switch. This session probably won’t help if your
code is deployed with Composer. My tips are of no use to you if your answer to PHP 5.3 is to tell your user to upgrade. If your solution to a missing dependancy is to install the dependancy, I have nothing for you. You can switch rooms, we’re all friends here.

Are we good?

We love to hate PHP

60% - CMS USE - 23% - ALL WEBSITES -

This is common By numbers, the ship-and-deploy-to-bad-hosting model is the
most common way PHP code is deployed. Despite this, PHP is actively hostile to this way of working.

PHP is architecturally ill- suited for shipping code. Half-baked modularity!
Conﬁguration without detection! Oﬄoading functionality to host OS! Non-standard as standard!

PHP versions

PHP versions 13 25 38 50 5.2 5.3 5.4 5.5
5.6 2% 12% 45% 35% 7% - PERCH CMS USERS -

Hosts don’t like to update PHP Historically, PHP updates have
caused incompatibility with common software. Hosts are nervous to update a server, break sites and anger their customers. But they’re usually happy to move a customer to a newer server with newer PHP on request.

PHP has to move forward.

ext/mysql 1. Hosting company tests PHP 7, looks good. 2.
Deploys PHP 7 on new servers. 3. New customers migrate old sites to new hosting. 4. Sites don’t work. Tech support freaks out. 5. Host considers PHP 7 unsafe, rolls back to PHP 5. 6. Five more years of winter.

If you ship code, you have to deal with old
PHP - AND NEW PHP -

Safe mode Deprecated in PHP 5.3, removed in 5.4 Don’t
rely on being able to keep ﬁles outside of the web root. Don’t rely on reading a ﬁle unless you created it. cURL requests with follow_location option fail. Non-standard as standard!

Magic Quotes Deprecated in PHP 5.3, removed in 5.4 Was
a misguided security feature. Designed without considering portability. Continues to me an enormous PITA. Non-standard as standard!

Magic Quotes That’s life. That\’s life. <?php stripslashes(…); ?> That’s
life.

Magic Quotes str.replace(‘this\’n\’that’) str.replace(\’this\\\’n\\\’that\’) <?php stripslashes(…); ?> str.replace(‘this\’n\’that’) str.replace(‘this’n’that’)

Magic Quotes So we just need to ask PHP if
magic quotes have been applied to the input… … oh wait. get_magic_quotes_gpc(); get_magic_quotes_runtime(); Conﬁguration without detection!

Mixed PHP versions Your code might run on different PHP
versions between development and live environments. Web requests and CLI might use different versions. It’s not enough to configure, you have to detect.

Mixed PHP versions <?php if (modern_php_test()){ $feature = []; }
else { $feature = array(); } BEWARE!

Modularity - HALF-BAKED -

Modularity issues Common functionality is provided by optional extensions. Missing
extensions can’t be dynamically loaded. Core functionality can be disabled. No structured way to test the environment.

Using a database Let’s use a MySQL database! We may
have mysql, mysqli or PDO. So, mysqli or PDO then. mysqli is optional! PDO is enabled by default from PHP 5.1

PDO + MySQL PDO is enabled by default, but can
be disabled. PDO’s MySQL driver is optional. Sooooo…

Both? <?php if (defined('PDO::MYSQL_ATTR_LOCAL_INFILE')) { return new PerchDB_PDO; }else{ return
new PerchDB_MySQLi; }

SQLite! “PDO and the PDO_SQLITE driver is enabled by default
as of PHP 5.1.0.” SQLite DB is just a ﬁle, and needs to be kept somewhere safe. PHP provides no mechanism like it does for, e.g. session ﬁles.

Manipulating images This is something websites do. PHP is for
making websites! So PHP can manipulate images, right? Well, we need to talk about that…

GD & Imagick Two common extensions: GD and Imagick Usually
one or the other, sometimes both or sometimes none. You need code for both: use a library if you can. e.g. http://image.intervention.io

HTTP requests PHP is a web scripting language. Let’s make
an HTTP request! Yeah, about that…

HTTP requests sockets - works! Pretty low level. cURL -
optional. High level and useful. ﬁle_get_contents() - sometimes works. Basic. Libraries?

HTTP libraries Lots of choices - many are just wrappers
around cURL. Others oﬀer a transport choice, but no detection (e.g. Guzzle) ‘Requests’ looks good in this regard. http://requests.ryanmccue.info

No way to load extensions If something is missing, it’s
missing. You can’t load it, import it, require it. You just have to deal with it.

Disabling core functionality PHP gives the system admin the ability
to disable core functionality that is “always” there. Detecting what’s available is impractically cumbersome.

Disabling core functionality <?php if (function_exist(‘count’) &&   strpos(ini_get(‘disable_functions’), ‘count’)===false)
{ $number_of_items = count($my_array); }

Disabling core functionality <?php if (function_exist(‘curl_init’)) { $ch = curl_init(); 
curl_setopt($ch, CURLOPT_URL, $url);  curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);  $result = curl_exec($ch); } BEWARE!

Disabing other random stuﬀ Remember, sysadmins be crazy. We’ve seen
GD available, but imagecreatefrompng() simply missing. Good luck out there.

Bad hosting Conﬁguration without detection!

Bad hosting Expect the unexpected! Hosts do crazy things for
reasons you’ll never understand. Don’t try to understand. Just accept.

Sessions Many shared hosts like to give users their own
PHP sessions folder. But then leave it up to the user to conﬁgure the session_save_path. By default, sessions will start but won’t persist any data.

cURL Some hosts will disable or not install cURL, which
is their choice. Others will install and enable cURL. A very special third group install and enable cURL and then block it at their ﬁrewall.

Cross-platform Oﬄoading functionality to host OS!

PHP on Windows PHP on Windows is a real thing.
It’s used more in development environments than in production. Users will set up WAMP or similar on their Windows desktop, and then deploy to a *nix hosting environment.

Paths PHP expects you to know how to formulate ﬁle
system paths for the host. Sometimes the ﬁle system will forgive errors (e.g. slashes vs back-slashes) Sometimes it won’t.

Paths Wrap all your paths so they can be translated
for the current ﬁle system. Then write your paths consistently in one style.

Paths <?php function file_path($path) { if (DIRECTORY_SEPARATOR!='/') { $path =
str_replace('/', DIRECTORY_SEPARATOR, $path); } return $path; }

Dates Simple date formatting is fraught with danger. strftime() passes
through to the host OS. Some formatting codes will work with your host OS. Some will completely fail and return nothing, or throw a notice.

Dates I like to deﬁne some set formats that I
think should work broadly, but let the user redeﬁne them for edge-cases.

Dates <?php echo strftime(PERCH_DATE_LONG, $time);

Watch out for ‘Windows’ Get in the habit of watching
out for references to Windows in the PHP manual. It will help you spot potential Windows issues, but also is a warning of functionality that gets passed to the host OS. These will often be aﬀected by conﬁguration, not just platform.

File systems and MySQL MySQL is not immune. Don’t mix
case in object names (e.g. table names). MySQL’s case sensitivity is dependant on the host ﬁle system.

Thanks! @drewm

Writing Portable PHP

Writing Portable PHP

More Decks by Drew McLellan

Other Decks in Programming

Featured

Transcript