
[PHP 5.5 Summit] PHP 5.5: The New Bits (php[architect])

Davey Shafik
September 17, 2013


Besides the specifically object-oriented features that have been added, lots of other new functions and extensions have been added as well. In this session, we will cover the new password hashing methods, new uses of empty, updates to how foreach works, password hashing, and more.


Transcript

  1. PHP 5.5
    The New Bits
    Tuesday, September 17, 13

  2. Davey Shafik
    • Community Engineer at Engine Yard
    • Author of Zend PHP 5 Certification Study Guide, SitePoint's PHP Anthology: 101 Essential Tips, Tricks & Hacks, and PHP Master: Write Cutting Edge Code
    • A contributor to Zend Framework, phpdoc, FRAPI and PHP internals
    • @dshafik

  3. About These Slides

  4. About These Slides
    • Two slides per “slide”
    • Title slide (for when I’m talking)
    • Details slide (for later)
    • Nobody likes it when you can read the slide just as well as the speaker can
    • I like slides that are useful

  5. The Small Stuff

  6. The Small Stuff
    • PCRE (Perl Compatible Regular Expression) /e (eval) pattern modifier deprecated
    • ext/mysql is now officially deprecated
    • mcrypt_ecb(), mcrypt_cbc(), mcrypt_cfb() and mcrypt_ofb() deprecated
    • Dropped Windows XP and 2003 support
    • Removed php_logo_guid(), php_egg_logo_guid(), php_real_logo_guid() and zend_logo_guid()
    • set_error_handler() and set_exception_handler() now return the previous handler when passed NULL
    • Added an optional second argument to assert() to specify a custom message
    • Added boolval()

  7. The Small Stuff (Cont.)
    • Added support for PBKDF2: hash_pbkdf2()
    • json_encode() now supports a depth parameter (third argument)
    • Enhancements to the GD extension: imageflip(), support for the WebP format, and easy cropping using imagecrop() and imagecropauto()
    • foreach now supports non-scalar keys (as possibly returned by Iterators)
    • Zend OPcache now included; recommended over APC
    • PECL ext/APCu released to provide 100% backwards compatible APC user storage
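    The following is an added example, not code from the slides, showing what hash_pbkdf2() (new in 5.5) gives you and what it leaves to you: the random salt, the self-describing stored format, and the constant-time comparison that the password_hash()/password_verify() pair handles automatically. It assumes PHP >= 5.5 with ext/openssl for random bytes; the `pbkdf2-<algo>$iterations$salt$key` storage format, the function names and the iteration count are my own choices, not anything the slides specify.

```php
<?php
// Added example (not from the slides): manual PBKDF2 password storage built on
// hash_pbkdf2(), for comparison with the password_hash() API. Assumes PHP >= 5.5
// with ext/openssl available for openssl_random_pseudo_bytes().

// Constructed parameters: tune the iteration count so one derivation takes a
// noticeable fraction of a second on the hardware that will run it.
const PBKDF2_ALGO       = 'sha256';
const PBKDF2_ITERATIONS = 100000;
const PBKDF2_KEY_BYTES  = 32;
const PBKDF2_SALT_BYTES = 16;

// Derive a key and pack algorithm, iterations, salt and key into one string,
// so the stored value identifies its own parameters the way a bcrypt hash does.
function pbkdf2Store($password)
{
    $salt = openssl_random_pseudo_bytes(PBKDF2_SALT_BYTES);
    $key  = hash_pbkdf2(PBKDF2_ALGO, $password, $salt, PBKDF2_ITERATIONS, PBKDF2_KEY_BYTES, true);

    return implode('$', [
        'pbkdf2-' . PBKDF2_ALGO,
        PBKDF2_ITERATIONS,
        base64_encode($salt),
        base64_encode($key),
    ]);
}

// Re-derive the key with the parameters found in the stored string and compare
// it to the stored key in constant time.
function pbkdf2Verify($password, $stored)
{
    $parts = explode('$', $stored);
    if (count($parts) !== 4 || strpos($parts[0], 'pbkdf2-') !== 0) {
        return false;  // not a string this code produced
    }

    $algo       = substr($parts[0], strlen('pbkdf2-'));
    $iterations = (int) $parts[1];
    $salt       = base64_decode($parts[2], true);
    $expected   = base64_decode($parts[3], true);

    if ($salt === false || $expected === false || $iterations < 1
        || !in_array($algo, hash_algos(), true)) {
        return false;  // corrupted or tampered parameters
    }

    $actual = hash_pbkdf2($algo, $password, $salt, $iterations, strlen($expected), true);

    return constantTimeEquals($expected, $actual);
}

// Byte-by-byte comparison whose running time does not depend on where the two
// strings first differ. (PHP 5.6 later added hash_equals() for exactly this.)
function constantTimeEquals($known, $user)
{
    if (strlen($known) !== strlen($user)) {
        return false;
    }
    $diff = 0;
    for ($i = 0, $n = strlen($known); $i < $n; $i++) {
        $diff |= ord($known[$i]) ^ ord($user[$i]);
    }

    return $diff === 0;
}

// Usage with a constructed password.
$stored = pbkdf2Store('correct horse battery staple');
var_dump(pbkdf2Verify('correct horse battery staple', $stored));
var_dump(pbkdf2Verify('Tr0ub4dor&3', $stored));
```

    Every one of these decisions (salt generation, encoding, parameter parsing, timing-safe comparison) is a place to get wrong, which is the point of the password_hash() API introduced on the later slides: it makes those decisions for you.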

  8. The Small Stuff (Cont.)
    intlcal_get_keyword_values_for_locale()
    intlcal_get_now()
    intlcal_get_available_locales()
    intlcal_get()
    intlcal_get_time()
    intlcal_set_time()
    intlcal_add()
    intlcal_set_time_zone()
    intlcal_after()
    intlcal_before()
    intlcal_set()
    intlcal_roll()
    intlcal_clear()
    intlcal_field_difference()
    intlcal_get_actual_maximum()
    intlcal_get_actual_minimum()
    intlcal_get_day_of_week_type()
    intlcal_get_first_day_of_week()
    intlcal_get_greatest_minimum()
    intlcal_get_least_maximum()
    intlcal_get_locale()
    intlcal_get_maximum()
    intlcal_get_minimal_days_in_first_week()
    intlcal_get_minimum()
    intlcal_get_time_zone()
    intlcal_get_type()
    intlcal_get_weekend_transition()
    intlcal_in_daylight_time()
    intlcal_is_equivalent_to()
    intlcal_is_lenient()
    intlcal_is_set()
    intlcal_is_weekend()
    intlcal_set_first_day_of_week()
    intlcal_set_lenient()
    intlcal_equals()
    intlcal_get_repeated_wall_time_option()
    intlcal_get_skipped_wall_time_option()
    intlcal_set_repeated_wall_time_option()
    intlcal_set_skipped_wall_time_option()
    intlcal_from_date_time()
    intlcal_to_date_time()
    intlcal_get_error_code()
    intlcal_get_error_message()
    intlgregcal_create_instance()
    intlgregcal_set_gregorian_change()
    intlgregcal_get_gregorian_change()
    intlgregcal_is_leap_year()
    intltz_create_time_zone()
    intltz_create_default()
    intltz_get_id()
    intltz_get_gmt()
    intltz_get_unknown()
    intltz_create_enumeration()
    intltz_count_equivalent_ids()
    intltz_create_time_zone_id_enumeration()
    intltz_get_canonical_id()
    intltz_get_region()
    intltz_get_tz_data_version()
    intltz_get_equivalent_id()
    intltz_use_daylight_time()
    intltz_get_offset()
    intltz_get_raw_offset()
    intltz_has_same_rules()
    intltz_get_display_name()
    intltz_get_dst_savings()
    intltz_from_date_time_zone()
    intltz_to_date_time_zone()
    intltz_get_error_code()
    intltz_get_error_message()
    datefmt_format_object()
    datefmt_get_calendar_object()
    datefmt_get_timezone()
    datefmt_set_timezone()
    datefmt_get_calendar_object()
    intlcal_create_instance()
    Tons of new ext/intl changes (75 new functions!)

  9. boolval()

  10. More on boolval()
    • Identical to: (bool) $var
    • Returns false for empty arrays and strings, and zero.
    • Everything else returns true (except false!)

    var_dump(boolval([]));              // bool(false)
    var_dump(boolval(""));              // bool(false)
    var_dump(boolval(new stdClass()));  // bool(true)
    var_dump(boolval(["foo", "bar"]));  // bool(true)

  11. NULL with set_(error|exception)_handler

  12. More on set_(error|exception)_handler
    • Passing NULL resets the handler to the default; the previous handler is returned

    var_dump(set_error_handler(function () { }));
    // NULL (no handler was installed before this call)

    var_dump(set_error_handler(null));
    // object(Closure)#1 (0) {
    // }

    var_dump(set_error_handler(null));
    // NULL

  13. assert() Descriptions

  14. More on assert()
    • New (second) argument to provide a description of the failure

    assert_options(ASSERT_ACTIVE, 1);

    function foo($bar, $bat) {
        assert(
            $bar < $bat,
            "Second arg is less than first"
        );
    }

    foo(2, 1);

    Warning: assert(): Second arg is less than first failed in <file> on line <#>

  15. list() support in foreach

  16. list() support in foreach
    • Allows assignment of nested array values (1st level) to multiple variables, within the foreach declaration

    // list() assigns by position (index 0, 1, ...), so the inner arrays must be
    // positional; list() with string keys only arrived in PHP 7.1.
    $result = [
        ['Davey Shafik', '[email protected]'],
        ['Helgi Þormar Þorbjörnsson', '[email protected]'],
    ];

    foreach ($result as list($name, $email)) {
        echo $name, ': ', $email . PHP_EOL;
    }

  17. empty() supports any expression

  18. empty() supports any expression
    • Prior to 5.5, empty() only allowed variables as input. Now it can be called on any expression, e.g. function calls

    if (empty(some_function())) {
        // Do something
    }

  19. String/Array Dereferencing

  20. String/Array Dereferencing
    • PHP 5.4 added support for function dereferencing; 5.5 adds the same feature to constant strings and arrays

    // Added in PHP 5.4:
    someFunction()[$key];

    // Now available in PHP 5.5
    "somestring"[$key];

    // And:
    ["foo", "bar", "baz"][$key];

    // Note: $key can be any valid expression!

  21. String/Array Dereferencing
    • Possible use case: randomizing data

    // Random(-ish) Greeting:
    $hi = ["Hi", "Hello", "Hola"][rand(0, 2)];

  22. Simple Password Hashing

  23. Simple Password Hashing
    • Makes password hashing super easy
    • Purpose: to make sure everyone uses safe password storage
    • Uses the excellent bcrypt (currently)
    • Salting is automatic, but a salt can be supplied
    • The resulting hash itself identifies the algorithm, salt and options when passed to password_verify()
    • You may pass an array with salt and cost as the third argument to password_hash()

  24. Simple Password Hashing (cont.)
    $hash = password_hash("testing", PASSWORD_DEFAULT);

    if (password_verify("testing", $hash)) {
        // valid
    }

    Specify Options:
    $options = [
        'cost' => 20,  // bcrypt cost is log2 of the work factor; PHP's default is 10
        'salt' => 'bcryptuses22characters'  // optional: password_hash() generates a random salt when omitted
    ];
    $hash = password_hash("testing", PASSWORD_DEFAULT, $options);

  25. PASSWORD_DEFAULT
    • Default hashing algorithm
    • Currently bcrypt
    • Will change over time to whatever is newer, stronger
    • Recommend that DB columns are 255 chars, as the length may change from the current 60 chars with bcrypt
    • Combine with password_needs_rehash() for better security

  26. Simple Password Hashing (cont.)
    • Also provides two helper functions:
    • password_needs_rehash() will determine if the hash uses the current algorithm, cost and salt, returning true if it doesn’t match.
    • password_get_info() returns an array providing information about a hash such as algorithm, cost and salt.

  27. password_needs_rehash()
    if (password_verify("testing", $hash)) {
        // valid
        // first argument is the stored hash, not the plaintext password
        if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
            // re-hash with password_hash() and store
        }
    }

  28. More on password security

  29. More on password security
    • A strong salt makes a dictionary attack much more difficult
    • A high cost means it takes a long time (say, 1/10th of a second) to generate a single password hash, making brute force attacks too slow to be effective
    • Cost is what makes SHA-1 and MD5 poor options: they are designed to be fast, and speed is the enemy of security here.
    • Additionally, MD5 suffers from too many easy collisions (e.g. two different strings that create the same hash)

    Goal: Make both dictionary and brute force attacks difficult.
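    The following is an added example, not code from the slides, that puts the password API of slides 24 to 29 into one login flow: picking a bcrypt cost that lands near the "1/10th of a second" rule of thumb, storing the hash, verifying it, and upgrading a hash made under older settings via password_needs_rehash(). It assumes PHP >= 5.5; the user store is a constructed in-memory array and the function names (calibrateCost(), storePassword(), login()) are mine.

```php
<?php
// Added example (not from the slides): login flow using password_hash(),
// password_verify(), password_needs_rehash() and password_get_info().
// Assumes PHP >= 5.5. The user store is a constructed in-memory array.

// Find the largest bcrypt cost that keeps one password_hash() call under the
// target time on this machine. Run this at deploy time, not on every request.
function calibrateCost($targetSeconds = 0.1)
{
    $cost = 4;  // the lowest cost bcrypt accepts
    while ($cost < 31) {
        $start = microtime(true);
        password_hash('calibration sample', PASSWORD_BCRYPT, ['cost' => $cost + 1]);
        if (microtime(true) - $start >= $targetSeconds) {
            break;  // cost + 1 is already too slow, so keep $cost
        }
        $cost++;
    }

    return $cost;
}

// Hash for storage. password_hash() picks a random salt itself. The output is
// 60 chars for bcrypt today; store it in a 255-char column so a future
// PASSWORD_DEFAULT with longer output still fits.
function storePassword(array &$users, $username, $password, array $options)
{
    $users[$username] = password_hash($password, PASSWORD_DEFAULT, $options);
}

// Verify a login. On success, rehash if the stored hash was produced with an
// older algorithm or a different cost than the current $options.
function login(array &$users, $username, $password, array $options, $dummyHash)
{
    // Unknown users are verified against a dummy hash so the response time does
    // not reveal which usernames exist.
    $hash  = isset($users[$username]) ? $users[$username] : $dummyHash;
    $valid = password_verify($password, $hash) && isset($users[$username]);
    if (!$valid) {
        return false;
    }

    if (password_needs_rehash($hash, PASSWORD_DEFAULT, $options)) {
        storePassword($users, $username, $password, $options);
    }

    return true;
}

$options = ['cost' => calibrateCost(0.1)];
$users   = [];

// Constructed user whose hash was created under an older, cheaper cost setting.
storePassword($users, 'davey', 'correct horse', ['cost' => 5]);
$before = password_get_info($users['davey']);  // algoName and options['cost'] of the stored hash

// Dummy hash with the current cost, computed once at startup.
$dummyHash = password_hash('dummy', PASSWORD_DEFAULT, $options);

assert(!login($users, 'davey', 'wrong password', $options, $dummyHash), 'wrong password rejected');
assert(!login($users, 'nobody', 'correct horse', $options, $dummyHash), 'unknown user rejected');
assert(login($users, 'davey', 'correct horse', $options, $dummyHash), 'valid login accepted');

$after = password_get_info($users['davey']);
assert($after['options']['cost'] === $options['cost'], 'stale hash was upgraded on login');
```

    The rehash happens only after a successful password_verify(), because that is the one moment the plaintext is available to hash again; the stored hash's own embedded cost (readable via password_get_info()) is what password_needs_rehash() compares against the current options.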

  30. Hashing Rates
    Algorithm | Hashes/second      | vs MD5         | vs SHA-1       | vs SHA-512        | vs bcrypt
    MD5       | 180 Billion/second | -              | 65% Faster     | 99.9997% Faster   | 99.9999996% Faster
    SHA-1     | 63 Billion/second  | 185% Slower    | -              | 99.9994% Faster   | 99.999887% Faster
    SHA-512   | 364,000/second     | 49.5M% Slower  | 17.3M% Slower  | -                 | 80.49% Faster
    bcrypt    | 71,000/second      | 253.5M% Slower | 88.7M% Slower  | 412% Slower       | -

    Data Source: http://passwords12.at.ifi.uio.no/

  31. Thank You
    Feedback: http://joind.in/9288
    Twitter: @dshafik
    Email: [email protected]
    Slides: http://daveyshafik.com/slides