[PHP 5.5 Summit] PHP 5.5: The New Bits (php[architect])

Davey Shafik
September 17, 2013

Besides the specifically object-oriented features that have been added, lots of other new functions and extensions have been added as well. In this session, we will cover the new password hashing methods, new uses of empty, updates to how foreach works, and more.

Transcript

  1. PHP 5.5 The New Bits 1 Tuesday, September 17, 13

  2. Davey Shafik
     • Community Engineer at Engine Yard
     • Author of Zend PHP 5 Certification Study Guide, SitePoint's PHP Anthology: 101 Essential Tips, Tricks & Hacks & PHP Master: Write Cutting Edge Code
     • A contributor to Zend Framework, phpdoc, FRAPI and PHP internals
     • @dshafik
  3. About These Slides
  4. About These Slides
     • Two slides per “slide”
     • Title Slide (for when I’m talking)
     • Details slide (for later)
     • Nobody likes it when you can read the slide just as well as the speaker can
     • I like slides that are useful
  5. The Small Stuff
  6. The Small Stuff
     • PCRE (Perl Compatible Regular Expression) /e (eval) pattern modifier deprecated
     • ext/mysql is now officially deprecated
     • mcrypt_ecb(), mcrypt_cbc(), mcrypt_cfb() and mcrypt_ofb() deprecated
     • Drop Windows XP and 2003 support
     • Remove php_logo_guid(), php_egg_logo_guid(), php_real_logo_guid(), zend_logo_guid()
     • Return previous handler when passing NULL to set_error_handler() and set_exception_handler()
     • Added optional second argument for assert() to specify custom message
     • Added boolval()
  7. The Small Stuff (Cont.)
     • Added support for PBKDF2: hash_pbkdf2()
     • json_encode() now supports a depth parameter (third argument)
     • Enhancements to GD extension: imageflip(), support for WebP format and easy cropping using imagecrop() and imagecropauto()
     • foreach now supports non-scalar keys (as possibly returned by Iterators)
     • Zend OpCache now included. Recommended over APC
     • PECL ext/APCu released to provide 100% backwards compatible APC User Storage
  8. The Small Stuff (Cont.)
     Tons of new ext/intl changes (75 new functions!)
     intlcal_get_keyword_values_for_locale() intlcal_get_now() intlcal_get_available_locales() intlcal_get() intlcal_get_time() intlcal_set_time() intlcal_add() intlcal_set_time_zone() intlcal_after() intlcal_before() intlcal_set() intlcal_roll() intlcal_clear() intlcal_field_difference() intlcal_get_actual_maximum() intlcal_get_actual_minimum() intlcal_get_day_of_week_type() intlcal_get_first_day_of_week() intlcal_get_greatest_minimum() intlcal_get_least_maximum() intlcal_get_locale() intlcal_get_maximum() intlcal_get_minimal_days_in_first_week() intlcal_get_minimum() intlcal_get_time_zone() intlcal_get_type() intlcal_get_weekend_transition() intlcal_in_daylight_time() intlcal_is_equivalent_to() intlcal_is_lenient() intlcal_is_set() intlcal_is_weekend() intlcal_set_first_day_of_week() intlcal_set_lenient() intlcal_equals() intlcal_get_repeated_wall_time_option() intlcal_get_skipped_wall_time_option() intlcal_set_repeated_wall_time_option() intlcal_set_skipped_wall_time_option() intlcal_from_date_time() intlcal_to_date_time() intlcal_get_error_code() intlcal_get_error_message() intlgregcal_create_instance() intlgregcal_set_gregorian_change() intlgregcal_get_gregorian_change() intlgregcal_is_leap_year() intltz_create_time_zone() intltz_create_default() intltz_get_id() intltz_get_gmt() intltz_get_unknown() intltz_create_enumeration() intltz_count_equivalent_ids() intltz_create_time_zone_id_enumeration() intltz_get_canonical_id() intltz_get_region() intltz_get_tz_data_version() intltz_get_equivalent_id() intltz_use_daylight_time() intltz_get_offset() intltz_get_raw_offset() intltz_has_same_rules() intltz_get_display_name() intltz_get_dst_savings() intltz_from_date_time_zone() intltz_to_date_time_zone() intltz_get_error_code() intltz_get_error_message() datefmt_format_object() datefmt_get_calendar_object() datefmt_get_timezone() datefmt_set_timezone() datefmt_get_calendar_object() intlcal_create_instance()
  9. boolval()
  10. More on boolval()
      • Identical to: (bool) $var
      • Returns false for empty arrays and strings, and zero.
      • Everything else returns true (except false!)

          var_dump(boolval([]));               // bool(false)
          var_dump(boolval(""));               // bool(false)
          var_dump(boolval(new stdClass()));   // bool(true)
          var_dump(boolval(["foo", "bar"]));   // bool(true)
  11. NULL with set_(error|exception)_handler
  12. More on set_(error|exception)_handler
      • Passing NULL sets the handler to default

          var_dump(set_error_handler(function() { }));   // NULL
          var_dump(set_error_handler(null));             // object(Closure)#1 (0) { }
          var_dump(set_error_handler(null));             // NULL
  13. assert() Descriptions
  14. More on assert()
      • New argument to provide a description of failure

          // IS_ASSERT_ACTIVE is an application-defined constant
          assert_options(ASSERT_ACTIVE, IS_ASSERT_ACTIVE);

          function foo($bar, $bat) {
              assert(
                  $bar < $bat,
                  "Second arg is less than first"
              );
          }

          foo(2, 1);

          // Warning: assert(): Second arg is less than first failed in <file> on line <#>
  15. list() support in foreach
  16. list() support in foreach
      • Allows assignment of nested array values (1st level) to multiple variables, within the foreach declaration

          // list() reads numeric offsets, so each row is a numerically indexed array
          $result = [
              ['Davey Shafik', 'davey@engineyard.com'],
              ['Helgi Þormar Þorbjörnsson', 'helgi@engineyard.com'],
          ];

          foreach ($result as list($name, $email)) {
              echo $name, ': ', $email . PHP_EOL;
          }
  17. empty() supports any expression
  18. empty() supports any expression
      • Prior to 5.5, empty() only allowed variables as input. Now it can be called on any expression, e.g. function calls

          if (empty(some_function())) {
              // Do something
          }
  19. String/Array Dereferencing
  20. String/Array Dereferencing
      • PHP 5.4 added support for function dereferencing, 5.5 adds the same feature to constant strings and arrays

          // Added in PHP 5.4:
          someFunction()[$key];

          // Now available in PHP 5.5
          "somestring"[$key];

          // And:
          ["foo", "bar", "baz"][$key];

          // Note: $key can be any valid expression!
  21. String/Array Dereferencing
      • Possible use case: randomizing data

          // Random(-ish) Greeting:
          $hi = ["Hi", "Hello", "Hola"][rand(0,2)];
  22. Simple Password Hashing
  23. Simple Password Hashing
      • Makes password hashing super easy
      • Purpose: to make sure everyone uses safe password storage
      • Uses the excellent bcrypt (currently)
      • Salting is automatic, but can be supplied
      • The resulting hash itself identifies the algorithm, salt and options when passed to password_verify()
      • You may pass an array with salt and cost as third argument to password_hash()
  24. Simple Password Hashing (cont.)

          // Specify Options:
          $options = [
              'cost' => 20,                        // bcrypt work factor: each increment doubles the hashing time
              'salt' => 'bcryptuses22characters'   // optional: omit it and a salt is generated automatically
          ];
          $hash = password_hash("testing", PASSWORD_DEFAULT, $options);

          // Or use the defaults:
          $hash = password_hash("testing", PASSWORD_DEFAULT);

          if (password_verify("testing", $hash)) {
              // valid
          }
  25. PASSWORD_DEFAULT
      • Default hashing algorithm
      • Currently bcrypt
      • Will change over time to whatever is newer, stronger
      • Recommend that DB columns are 255 chars, as the length may change from the current 60 chars with bcrypt
      • Combine with password_needs_rehash() for better security
  26. Simple Password Hashing (cont.)
      • Also provides two helper functions:
      • password_needs_rehash() will determine if the hash uses the current algorithm, cost and salt, returning true if it doesn’t match.
      • password_get_info() returns an array providing information about a hash such as algorithm, cost and salt.
  27. password_needs_rehash()

          if (password_verify("testing", $hash)) {
              // valid
              // password_needs_rehash() inspects the stored hash, not the plaintext password
              if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
                  // re-hash with password_hash() and store
              }
          }
  28. More on password security
  29. More on password security
      Goal: Make both dictionary and brute force attacks difficult.
      • A strong salt makes a dictionary attack much more difficult
      • A high cost means it takes a long time (say, 1/10th second) to hash a single password, making brute force attacks too slow to be effective
      • The cost is what makes SHA-1 and MD5 poor options: they are designed to be fast, and that is the enemy of security.
      • Additionally, MD5 suffers from too many easy collisions (e.g. two different strings that create the same hash)
  30. Hashing Rates

      | Algorithm | Hashes/second      | MD5           | SHA-1        | SHA-512         | bcrypt             |
      |-----------|--------------------|---------------|--------------|-----------------|--------------------|
      | MD5       | 180 Billion/second |               | 65% Faster   | 99.9997% Faster | 99.9999996% Faster |
      | SHA-1     | 63 Billion/second  | 185% Slower   |              | 99.9994% Faster | 99.999887% Faster  |
      | SHA-512   | 364,000/second     | 49.5M% Slower | 17.3M% Slower |                | 80.49% Faster      |
      | bcrypt    | 71,000/second      | 253.5M% Slower | 88.7M% Slower | 412% Slower   |                    |

      Data Source: http://passwords12.at.ifi.uio.no/
  31. Thank You
      Feedback: http://joind.in/9288
      Twitter: @dshafik
      Email: davey@engineyard.com
      Slides: http://daveyshafik.com/slides
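
Added example, not part of the original slides: the verify-then-rehash login flow that slides 23 to 27 describe, written out end to end. The in-memory $users array, the register() and login() helpers and the target cost of 12 are assumptions made for illustration.

```php
<?php
// Added example: verify-then-upgrade login flow with the PHP 5.5 password API.
// $users is a constructed in-memory stand-in for a database table.

const TARGET_COST = 12; // assumption: tune to roughly 0.1s per hash on your hardware

// register() and login() are hypothetical helper names.
function register(array &$users, $name, $password)
{
    // No 'salt' option: password_hash() generates a random salt and embeds it.
    $users[$name] = password_hash($password, PASSWORD_DEFAULT, ['cost' => TARGET_COST]);
}

function login(array &$users, $name, $password)
{
    if (!isset($users[$name])) {
        return false;
    }
    $hash = $users[$name];
    if (!password_verify($password, $hash)) {
        return false;
    }
    // The plaintext is only available at login, so this is the one place
    // where a hash made with an older algorithm or lower cost can be upgraded.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT, ['cost' => TARGET_COST])) {
        $users[$name] = password_hash($password, PASSWORD_DEFAULT, ['cost' => TARGET_COST]);
    }
    return true;
}

// Constructed sample data: one legacy account stored at cost 8, one new account.
$users = ['alice' => password_hash('testing', PASSWORD_BCRYPT, ['cost' => 8])];
register($users, 'bob', 'hunter2-constructed');

$before = password_get_info($users['alice']);
$failed = login($users, 'alice', 'wrong-password');
$ok     = login($users, 'alice', 'testing');
$after  = password_get_info($users['alice']);

printf("wrong password accepted: %s\n", var_export($failed, true));
printf("correct password accepted: %s\n", var_export($ok, true));
printf("alice cost before/after login: %d/%d\n",
    $before['options']['cost'], $after['options']['cost']);
printf("stored hash length: %d\n", strlen($users['alice']));
```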