Probably because I'm a heavy user of Laravel I read a lot of Laravel focused blogs and follow a lot people on Twitter who also are heavy users of the framework. But more than a Laravel developer, I consider myself a PHP developer first. One of the ways I try to stay in touch with what is happening in the larger PHP community is following this excellent link blog maintained by Chris Cornutt.
Scott Arciszewski debunks the commonly given advice on securing your PHP installation by setting some php.ini values.
There have been countless examples posted in various places (Reddit, Hacker News, Twitter, Facebook, Slashdot, and even LinkedIn group discussions), and while a handful occasionally contain one or two tips that might be beneficial towards securing your PHP applications, almost all of the advice they contain is either wrong, a huge waste of time, downright silly, or all of above.As part of a team that specializes in application security (in particular: securing PHP applications), I feel it's high time someone cleared the air about this advice.
https://paragonie.com/blog/2017/01/configuration-driven-php-security-advice-considered-harmful
Join 9,500+ smart developers
Get my monthly newsletter with what I learn from running Spatie, building Oh Dear, and maintaining 300+ open source packages. Practical takes on Laravel, PHP, and AI that you can actually use.
No spam. Unsubscribe anytime. You can also follow me on X.
"Always fresh, useful tips and articles. Carefully selected community content. My favorite newsletter, which I look forward to every time."
Bram Van Damme explains the origin of the word "patch" in context of software.
A common misconception is that a software bug is called a bug because of an actual bug – a moth – that got stuck in Harvard University’s Mark II calculator in 1947, and Grace Hopper finding it + taping it inside a logbook. ... What seems to be legit however is the history of the term software patch.
https://www.bram.us/2017/01/24/why-a-software-patch-is-called-a-patch/
In a new post on his blog Adam Wathan explains his thinking on the meaning of having a method on an object.
The fundamental misunderstanding here is thinking that methods are things an object can do.If you believe that the methods on an object represent the abilities of that object, then of course an Announcement having a broadcast() method sounds silly.
But what if methods weren't the things an object could do? What if they were the things you could do with that object?
If methods were the actions an object afforded us, then it would make perfect sense to be able to broadcast() an Announcement, wouldn't it?
https://adamwathan.me/2017/01/24/methods-are-affordances-not-abilities/
Most of the Laravel apps we create at Spatie will send mails. This can be a password reset mail, a welcome mail after registration, an order confirmation mail, ... One of the things we do is styling such mails so it has the same look and feel as the site it was sent from. When testing such mails our designers had to request a password reset or go through the entire checkout flow just to receive such an order confirmation mail. To make that testing process a lot easier we've created a package called laravel-mailable-test. This package provides an artisan command that can send a mailable to an mail-address.
To send any mailable issue this artisan command:
php artisan mail:send-test "App\Mail\MyMailable" recipient@mail.com
This will send the given mailable to the given email address. The to-, cc- and bcc-addresses that may be set in the given mailable will be cleared. The mail will only be sent to the email address given in the artisan command.
The package will provide a value for any typehinted argument of the constructor of the mailable. If an argument is a int, string or bool the package will generated a value using Faker. Any argument that typehints an Eloquent model will receive the first record of that model.
Image the constructor of your mailable looks like this:
public function __construct(string $title, Order $order)
{
...
}
That constructor will receive a string generated by the sentence method of Faker and the first Order in your database.
The values that are passed to the constructor of the mailable can be customized using the values option of the command.
php artisan mail:send-test "App\Mail\MyMailable" recipient@mail.com --values="title:My title,order:5"
Using this command My title will be passed to $title and an Order with id 5 will be passed to $order.
To learn more about the package head over to the readme on GitHub. Be sure take also take a look at this list of Laravel packages our team has previously made.
Michael Dyrynda, one of the two new hosts of the Laravel Podcast, share a nice tip on how to quickly switch PHP versions when using Laravel Valet.
At the time of writing, Laravel Valet ships with PHP 7.1 but if you're like me, you have some legacy projects around the place that haven't quite lifted their dependencies to PHP 7 just yet.A lot of folks might have previously used a VirtualBox Virtual Machine, or more recently considered Docker but a lot of the time and especially when dealing with simpler situations, Valet may be all that you need.
https://dyrynda.com.au/blog/switching-php-versions-with-laravel-valet
Matthieu Napoli, author of PHP-DI and externals.io, wrote a post on how you can use anonymous classes to quickly create mocks, spies and fixtures.
Anonymous classes were added to PHP 7. This article intends to show how useful they can be for writing tests.
Apart from our open source work, we do client work at Spatie as well. Over the years we've learned that one of the most critical moments of a project is when it is going live. No matter how you confident you are about the correctness of the code base there are so many big and little things that…
In a mail sent to all subscribers on the testdrivenlaravel.com-mailinglist Adam Wathan mentioned a talk Sandi Metz gave a couple of years ago at Rails Conf. It's a really good talk that explains in a clear way when and what you should test.
Tests are supposed to save us money. How is it, then, that many times they become millstones around our necks, gradually morphing into fragile, breakable things that raise the cost of change? We write too many tests and we test the wrong kinds of things. This talk strips away the veil and offers simple, practical guidelines for choosing what to test and how to test it. Finding the right testing balance isn't magic, it's a magic trick; come and learn the secret of writing stable tests that protect your application at the lowest possible cost.
Freek Lijten, a developer at Schiphol, makes the case for just setting a sane default value instead of throwing an exception when invalid input entered the application.
I didn't think much of this, but I've seen a major drawback lately while working on a site that is a bit bigger than I was used to. With over half a million visitors a week and lots of scrapers, bots and other stuff visiting, these exceptions and fatal errors clog up logging quite a bit. Not to the point that we can't handle the volume, but it generates false positives in monitoring channels and it is something we do not want to act upon anyway.
http://www.freeklijten.nl/2017/01/04/Sane-defaults-over-Exceptions
Mohamed Said explains the not so well known sometimes validation rule in Laravel.
Laravel's validation library is very powerful and easy to use, using a few keystrokes you can build a strong defence around your application, preventing invalid user input from corrupting the application flow and potentially introducing bugs....
In this post I'd like to highlight a trick related to conditionally adding validation rules.
http://themsaid.com/laravel-advanced-validation-conditionally-adding-rules-20170110/
To learn more read the relevant section in the Laravel docs.
Jeff Geerling, currently working as a technical architect at Aquina, wrote a good post on when and why he closes PRs to the packages he's maintaining. This paragraph resonated with me.
I don't cater to everyone. I usually cater to myself. And for 98% of my OSS projects, I'm actually using them, live, in production (often for dozens or hundreds of projects). So I'm generally happy with them as they are. I will not add something that increases my maintenance burden unless it's very compelling functionality or an obvious bugfix. I can't maintain a system I don't fully understand, so I like keeping things lighter and cutting off edge cases rather than adding technical debt I don't have time to pay off.
http://www.jeffgeerling.com/blog/2016/why-i-close-prs-oss-project-maintainer-notes
Twitter provides a streaming API with which you can do interesting things such as listen for tweets that contain specific strings or actions a user might take (e.g. liking a tweet, following someone,...). In this post you'll learn an easy way to work with that API. Phirehose When researching on how…
Serial blogger Matt Stauffer wrote a good tutorial on how use forked repos.
I just recently joined a new open source project, and there were a few folks on the team who weren't familiar with how to contribute to an open source project by forking your own copy, so I wrote this up for the docs of that project. I figured I'd also share it here.If you join a new open source project, it's very likely that you won't get direct access to push commits or branches up to the repository itself. So, instead, you'll fork the repo, make the changes on your version of the repo, and then "pull request" your changes back to the original.
Here are the steps to take.
https://mattstauffer.co/blog/how-to-contribute-to-an-open-source-github-project-using-your-own-fork
Out of the box Laravel comes with a few commands to migrate the database. One of them is migrate:refresh. That one will first run the down-steps for all your migrations and then run all the up steps. After that process your database should have the same structure as specified in your migrations. But…
On his new blog on Medium, Taylor Otwell, creator of Laravel, published some statistics on the code complexity of various popular PHP frameworks. Draw your own conclusion.
Last week as I was refactoring and cleaning Laravel for the 5.4 release, Graham Campbell showed me some code complexity statistics for the framework. I decided to compare this against some other PHP frameworks to see how Laravel stacks up.
https://medium.com/@taylorotwell/measuring-code-complexity-64356da605f9
Recently Taylor sat down with the folks at Larachat. Watch the recording to learn some other nice interesting tidbits about Laravel and it's ecosystem.
Sometimes you might allow a function to accept multiple data types. I don't know for certain if it's the correct term but for the remainder of this post I'm going to call such a function overloaded. In this post I'd like to show you a little trick to make overloaded functions more readable.
Let's first take a look at a function in Laravel that accepts multiple data types. To store something in a session you can pass a key and value to the session helper:
session($key, $value);
But you can also give it an array:
session(['key' => 'value']);
Now behind the scenes Laravel is calling a put function. It could have been implemented like this:
public function put($key, $value = null)
{
if (is_array($key)) {
foreach ($key as $arrayKey => $arrayValue) {
$this->set($arrayKey, $arrayValue);
}
}
else {
$this->set($key, $value);
}
}
In the function above there's a path for doing the work if an array was passed and another path for when (hopefully) a string was passed.
The actual implementation is a bit different (and much better):
public function put($key, $value = null)
{
if (! is_array($key)) {
$key = [$key => $value];
}
foreach ($key as $arrayKey => $arrayValue) {
$this->set($arrayKey, $arrayValue);
}
}
The cool thing to note is that what the function first converts the passed arguments to a certain format (in this case an array) and then perform the work on the format. The actual work, the call to $this->set is only coded up once. When reading the source code of Laravel you'll often come across this pattern.
Let's take a look at another real life example to make the benefit of this pattern more clear. This next snippet is taken from a recent PR to the laravel-permission package. It aims to a add a query scope to a User model to perform the query only on users that have the given role(s). Roles can be passed through as an array, a string or an instance of Role.
/**
* Scope the user query to certain roles only.
*
* @param string|array|Role|\Illuminate\Support\Collection $roles
*
* @return bool
*/
public function scopeRole($query, $roles)
{
if (is_string($roles)) {
return $query->whereHas('roles', function ($query) use ($roles) {
$query->where('name', $roles);
});
}
if ($roles instanceof Role) {
return $query->whereHas('roles', function ($query) use ($roles) {
$query->where('id', $roles->id);
});
}
if (is_array($roles)) {
return $query->whereHas('roles', function ($query) use ($roles) {
$query->where(function ($query) use ($roles) {
foreach ($roles as $role) {
if (is_string($role)) {
$query->orWhere('name', $role);
}
if ($role instanceof Role) {
$query->orWhere('id', $role->id);
}
}
});
});
}
return $query;
}
The query is being build up in a few different ways depending on the type of the argument being passed through. The readability of this code can vastly be improved by:
public function scopeRole($query, $roles)
{
if ($roles instanceof Collection) {
$roles = $roles->toArray();
}
if (! is_array($roles)) {
$roles = [$roles];
}
$roles = array_map(function ($role) {
if ($role instanceof Role) {
return $role;
}
return app(Role::class)->findByName($role);
}, $roles);
return $query->whereHas('roles', function ($query) use ($roles) {
$query->where(function ($query) use ($roles) {
foreach ($roles as $role) {
$query->orWhere('id', $role->id);
}
});
});
}
In the snippet above all input, no matter what type is being passed through, is first converted to an array with Role objects. U sing that array the query is only being build up once. I should mention that the author of the PR did provide a good set of tests so it was very easy to refactor the code.
Let's do one more example. This one's taken from our laravel-fractal package which aims to make working with Fractal more developer friendly.
To return a response with json data you can to this in a Laravel app.
$books = fractal($books, new BookTransformer())->toArray();
return response()->json($books);
In the last version of our package a respond() method was added. Here's the equivalent code using the respond method.
return fractal($books, new BookTransformer())->respond();
You can pass a response code as the first parameter and optionally some headers as the second
return fractal($books, new BookTransformer())->respond(403, [
'a-header' => 'a value',
'another-header' => 'another value',
]);
You can also set the status code and the headers using a callback:
use Illuminate\Http\JsonResponse;
return fractal($books, new BookTransformer())->respond(function(JsonResponse $response) {
$response
->setStatusCode(403)
->header('a-header', 'a value')
->withHeaders([
'another-header' => 'another value',
'yet-another-header' => 'yet another value',
]);
});
This is original code for the function that was submitted through a PR (slightly redacted):
public function respond($callbackOrStatusCode = 200, $callbackOrHeaders = [])
{
$response = new JsonResponse();
$response->setData($this->createData()->toArray());
if (is_callable($callbackOrStatusCode)) {
$callbackOrStatusCode($response);
} else {
$response->code($callbackOrStatusCode);
if (is_callable($callbackOrHeaders)) {
$callbackOrHeaders($response);
} else {
$response->withHeaders($callbackOrHeaders);
}
}
return $response;
}
Sure, that code does the job. Unfortunately the real work (in this case: modifying $response) is done all over the place. Let's refactor! In the code below we're going to convert all input to callables first and then use them to modify $response.
public function respond($statusCode = 200, $headers = [])
{
$response = new JsonResponse();
$response->setData($this->createData()->toArray());
if (is_int($statusCode)) {
$statusCode = function (JsonResponse $response) use ($statusCode) {
return $response->setStatusCode($statusCode);
};
}
if (is_array($headers)) {
$headers = function (JsonResponse $response) use ($headers) {
return $response->withHeaders($headers);
};
}
if (is_callable($statusCode)) {
$statusCode($response);
}
if (is_callable($headers)) {
$headers($response);
}
return $response;
}
Hopefully you can use this neat little trick to improve the readability of your code as well.
Stefan Koopmanschap argues that, besides writing beautiful code and using kickass frameworks and libraries, we should be able to do some quick and dirty coding as well.
Can you write me a simple script that fetches some information from an RSS feed and displays the titles? Like, just write me that script in a couple of minutes. I don't care about tests, quality, etc. Just get me the information, quickly.
On the excellent PHP section of Sitepoint Thomas Punt has written a good high ievel overview of how PHP code is executed.
There’s a lot going on under the hood when we execute a piece of PHP code. Broadly speaking, the PHP interpreter goes through four stages when executing code:
- Lexing
- Parsing
- Compilation
- Interpretation
This article will skim through these stages and show how we can view the output from each stage to really see what is going on. Note that while some of the extensions used should already be a part of your PHP installation (such as tokenizer and OPcache), others will need to be manually installed and enabled (such as php-ast and VLD).
https://www.sitepoint.com/how-php-executes-from-source-code-to-render/
At Spatie we use GitHub for both our client projects as our open source code. So in our day to day work we often have to open the browser to view issues of a repo or review pull requests.
Paul Irish, a well known developer and part of the Google Chrome team at Google, made a nice bash script to quickly open up a GitHub page from your terminal. If you're on a path inside a git repo and type "git open" that'll open up the corresponding page on GitHub.
The command also supports, amongst others, repos hosted on GitLab.com and Bitbucket.
