Freek.dev

Jens Segers explains how to use PHP League's shiny new version of Container. The usage of ContainerInterface seems interesting:

League's container now implements the `ContainerInterface`, which is defined by the Container Interoperability group. This is really great as there are a few projects and frameworks which support this interface. For example, the Slim 3 micro framework already allows you to choose your own container flavour, as long as it implements the interface.

The League's Container seems like a nice alternative to PHP DI that I have been using.

Read more

The project I'm currently working on will have to send out mails to all its users on a regular basis. It's not a newsletter: the contents of each mail will be very specific to each user. The mail also should contain a link to unsubscribe the user from simular future mails.

The link could look like this: https://myapp.com/unsubscribe. Clicking on the link would direct the user to a login page. After the user has logged in the unsubscribe can be automatically performed. In my mind requiring the user to login first in order to unsubscribe from something isn't very user friendly.

This can be improved by adding the id of the user to the link. Here's what that could look like: https://myapp.com/user/1/unsubscribe. With this link you the app can unsubscribe the user with id 1 in one go. That'll work, but it's not very secure. Unsubscribe links for all other users can be easily guessed. Such links can be made more secure by adding a signature and an expiry date on them.

My colleague Sebastian coded up a Laravel package to create signed url's with a limited lifetime. Here's example where the url gets signed and made valid for only one day:

echo UrlSigner::sign('https://myapp.com/user/1/unsubscribe', 1);

This outputs an url that looks like: https://myapp.com/user/1/unsubscribe?expires=1123690544&signature=93e02326d75

The validate-method can be used the determine if a signed url is (still) valid:

$isValidUrl = UrlSigner::validate($theSignedUrlInTheExampleAbove);

The signature is calculated using the original url itself, the expiration date and a secret string that's specific to your project. When a malicious user tries to change any part of the url the signature won't match up.

I'm assuming that the most common use case of signing url's is to protect routes. The package supplies a middleware that protects routes from invalid signed url's. In the following example only requests with a valid signed url will hit the controller:

Route::get('unsubscribe', ['middleware' => 'signedurl', 'uses => 'UserController@unsubscribe']);

If you're interested in using the package, take a look at it on GitHub: https://github.com/spatie/laravel-url-signer

There's also a framework agnostic version: https://github.com/spatie/url-signer

E-mails can be intercepted and are never 100% secure. Bearing that fact in mind you should never use this kind of link for any destructive action.

EDIT: Some fellow developers pointed out that I could also obfuscate the id in the url. Here are two good libraries to do that:

• http://hashids.org/
• https://github.com/jenssegers/optimus

And sure enough, the unsubscribe links of other users cannot be easily guessed. A small downside however is that the url becomes less readable. The big disadvantage is that the url will remain valid forever. As these links through an unsafe medium I think it's a good idea to give them a limited lifetime. Signing an url will do that.

Read more

I've been enums lately instead of relying on class constants. The myclabs/php-enum package provides a nice implementation. The readme lists the benefits of doing so:

Using an enum instead of class constants provides the following advantages:

• You can type-hint: `function setAction(Action $action) {`
• You can enrich the enum with methods (e.g. `format`, `parse`, …)
• You can extend the enum to add new values (make your enum `final` to prevent it)
• You can get a list of all the possible values (see below)

This Enum class is not intended to replace class constants, but only to be used when it makes sense.

Read more

A typical request on an dynamic PHP site can do a lot of things. It's highly likely that a bunch database queries are performed. On complex pages executing those queries and hydrating them can slow a site down.

The response time can be improved by caching the entire response. The idea is that when a user visits a certain page the app stores the rendered page. When a second request to the page is made, the app shouldn't bother with rendering the page from scratch but just serve the saved response.

I've made a Laravel package named "laravel-responsecache" that does just that. Installing it is very easy: just add the service provider and facade to the app's configuration. And step two is... there is no step two. In most cases you're done. All successful responses (that is a response with a statuscode in the 200 or 300 range) to a GET-requests will now be cached for a week. If the response of a specific route or controller should never be cached middleware can be added that prevents caching. Furthermore each logged in user will have have it's own separate cache. Cached responses can be stored in any configured repository in Laravel. You could easily share a cache between servers by using memcached.

I think that behaviour will suit a lot of use cases. If you need some other caching behaviour (eg. cache error responses, exempting redirects, using a common cache for users with the same role, changing the expiration time of the cache) you can easily write a custom caching profile.

The package isn't supposed to sweep performance troubles under the rug. All apps should be optimized so that they'll respond in an acceptable timeframe without using response caching. My rule of thumb is that typical pages in a cms should be able to render within a second (and preferably much less). Anything above that is unacceptable. That number is by no means scientific. Make up your own mind what an acceptable responsetime should be. Of course all of this depends on the type of site and the amount of visitors it has to handle. Also keep in mind that that there are a lot of other aspects that need to be considered when trying to deliver a speedy experience.

There are some great alternatives to cache responses. Two well known solutions are Varnish and Nginx caching. They take response caching one step further by not even invoking php when serving a cached request. Both options are very robust and can work on any scale. The benefits the Laravel package has over Varnish-like solutions is that it is easier to set up and that application logic can be used to determine what needs to be cached.

If you're interested in speeding up your Laravel app using the package, go take a look at it on GitHub:

https://github.com/spatie/laravel-responsecache

Read more

Alan Klein created a Laravel 5.1 package that leverages Nginx HTTP Pushstream module to broadcast events. The commenting platform Disqus uses that Nginx module to handle comments in realtime.

You can find Alan's package on GitHub: https://github.com/cmosguy/laravel-http-pushstream-broadcaster

Read more

When working on projects I found myself, over time, needing the same string functions over and over again. Things like how to shorten a string but still let it end on entire word, replace the last occurrence of string in a string, ...

Instead of keeping these functions in a helper file locally in the project, I made a package out of it. It was a good opportunity to spice it up with bit of OO to make them chainable. An example:

[code] // outputs "MIDDLE" echo string('StartMiddleEnd')->between('Start', 'End')->toUpper();

In addition to it's own methods, the package provides <a href="https://github.com/spatie/string#integration-with-underscorephp">an integration</a> with <a href="https://github.com/Anahkiasen/underscore-php">Maxime Fabre's underscore package</a>.

You are very welcome to submit pull requests to add functions that you feel are missing. Be sure to include some unit tests to ensure everything working as intended.

Granted,  it isn't the most sexy package in the world, but it sure is handy.

<a href="https://github.com/spatie/string">https://github.com/spatie/string</a>

Read more

Satis allows you to require private php packages in your projects. One of it's authors is Jordi Boggiano of composer/packagist fame. Over at the excellent Laravelista blog Mario Bašić explains how to install and use it.

I was working on three projects at the same time and I've found myself copying code from one project to another and then making small changes. And then I recognized a pattern. ...

I created a package and as soon as it was ready for GitHub I remembered: "I can't open source this...". The package contained few paid html templates, company logo's, slogans, specific company text etc. ...

This post will explain what Satis is, when to use it and how to set it up on your server.

Read more

While doing some research about other obfuscation techniques I stumbled upon an implementation based on Donald Knuth's integer hash. This unbelievable small and fast algorithm will generate random-like integers with the ability to convert them back to the original value. This technique was so cool that I decided to create a PHP package for it called Optimus.

Read more