Author: Manuel Lemos
Categories: PHP Security, Lately in PHP Podcast, PHP community
This was the main topic discussed by Manuel Lemos and Ernani Joppert in episode 40 of the Lately in PHP podcast.
Now listen to the podcast, or watch the hangout video, or read the transcript to learn what all the new proposed features are and what they think about them.
Contents
Listen or download the podcast, RSS feed and subscribe in iTunes
Watch the podcast video, subscribe to the podcast YouTube channel
Read the podcast transcript
Introduction music Harbour used with explicit permission from the author Danilo Ercole, from Curitiba, Brazil
RSS 2.0 feed compliant with iTunes:
http://www.phpclasses.org/blog/category/podcast/post/latest.rss
In iTunes, use the Subscribe to Podcast... item of the Advanced menu, and then enter the URL above to subscribe to this podcast.
Watch the podcast video
Note that the timestamps below in the transcript may not match the same positions in the video because they were based on the audio timestamps and the audio was compacted to truncate silence periods.
See the Lately in PHP podcast playlist on YouTube and subscribe to this channel there.
Show notes
- PHP 5.5.4 and PHP 5.4.20 releases
- Proposal: Listen to socket connections
- RFC: Anonymous classes
- RFC: Nested classes
- Proposal: Regenerating Session IDs when IP changes
Read the podcast transcript
Contents
Introduction (0:20)
PHP 5.5.4 and PHP 5.4.20 releases (1:57)
Passing variable number of packed arguments to functions (3:56)
Syntax for Variadic Functions (6:58)
Listen to Socket Connections (8:43)
Named parameters for functions (14:00)
Supporting Keywords as Identifiers (21:46)
Anonymous Classes (29:00)
Nested Classes (33:59)
Regenerating Session IDs when IP changes (43:34)
JavaScript Innovation Award Winners of July 2013 (51:58)
PHP Innovation Award Winners of July 2013 (1:03:22)
IP2Location Sponsors the PHP Innovation Award (1:10:07)
Conclusion (1:11:25)
Introduction (0:20)
[Music]
Manuel Lemos: Hello. Welcome to the Lately In PHP podcast, Hangout. I never know what to say.
[Laughter]
Manuel Lemos: Anyway, this is episode number 40. And finally, we made time to record this hangout. This time, again, Ernani Joppert is back.
Hello, Ernani. How are you doing?
Ernani Joppert: I'm doing great. Despite that last month, we were able to do it, but in the middle of the podcast or hangout, we had a disconnection and then, we're having troubling doing it. So, I guess, Cesar attended the other event.
Manuel Lemos: Yeah, this time it was the other way around. Actually, Cesar was going to make this time again. But for some reason, his Internet connection went somewhere. I have no idea, though. He is no longer available.
Well, anyway, this month, we are recording this hangout a bit later than usual. For some reason, actually for a reason that I mentioned last month, I went to a Google event and I had to postpone recording for about one week that I've been there.
Don't worry, it was not exactly anything related with PHP. It's some other business. It was somewhat related to PHP classes but not specifically with the PHP world. So, there's not much to mention about that.
PHP 5.5.4 and PHP 5.4.20 releases (1:57)
Manuel Lemos: Anyway, let's move on and start talking about the latest things that happened in the PHP world.
I would like to start, as usual, with things that were released, specifically PHP releases, starting with the latest PHP 5.5.4... that was released on the 19th... and also, PHP 5.5.20
This time there's also not much to say about this release because they are mostly bug fixes. And practically both releases, 5.4 and 5.5, have more or less about the same bugs. So this is just a maintenance release, nothing to be really concerned about in terms of what you should do.
As always, the recommendation is if you are already using PHP 5.4 or 5.5, you may want to check if any of the bugs that were fixed affect your PHP setups. If not, OK, maybe leave it for an eventual upgrade later. Because what may happen is that while these releases fix some bugs, they may also introduce new bugs that may affect your PHP setups.
So there's not really much more to say about this. So, let's move on to other PHP topics of interests.
Passing variable number of packed arguments to functions (3:56)
Manuel Lemos: We are going to review several feature proposals that have been around. This time, we have even more than last month, because PHP developers are really concerned about what will make it to the next PHP 5 version or even PHP 6. We'll never know if it is something more complicated.
But there are many, many proposals and we are starting talking about this one that talks about something they call argument packing, which is basically... let me increase the font here... the way you pass list of parameters that may vary in length.
Usually, you can pass a variable number of parameters, just passing all the parameters in the list separated with commas. But you can... the proposal for now is also to be able to pass arrays or some equivalent objects. And now there is this syntax of an ellipsis before the actual argument list.
I'm not sure if I have a use case that, for my purposes, this would be useful for, but there were great discussions about this proposal. So, I guess people have more use cases than I probably would.
Ernani, do you have code applications that call functions with a variable number of arguments? Or you're not a frequent user of such type of functionality?
Ernani Joppert: I've used it before to basically simplify method calls. But not this one. I've used a call_user_func and I've seen the usage on some frameworks, which basically you can use for callbacks. CodeIgniter, yes, uses it for callbacks.
Manuel Lemos: No.
Ernani Joppert: I mean, arguments unpacking, the idea for passing as an array of arguments and naming the arguments, I guess there are other proposals here which seem better. You know, at least. And we'll probably look later on. So I will hold until then, so when I can explain the idea I have inside of it.
Syntax for Variadic Functions (6:58)
Manuel Lemos: Yes. So, let's move on to the next feature here. Basically, it's another proposal for a syntax for variadic functions. Actually, it's even a bit confusing because all these proposals are all talking about the same, which is passing a variable number of arguments.
You see again here the syntax of specifying an ellipsis, 3 dots, before the name of the argument.
Ernani Joppert: Right.
Manuel Lemos: So, it's sort of a mark of defining that parameter is actually a parameter list. So, all the parameters before this one are fixed and this one is a parameter list rather than a single parameter.
Ernani Joppert: Right.
Manuel Lemos: Well, this is basically, as I mentioned, things that address the same need, the passing of variable arguments.
Probably, I'm not the best person to comment about this because I don't use this much. So, what matters for now is that this is something that is being discussed a lot. As you mentioned, there are several other proposals that sort of address several aspects of the same need regarding variable number of arguments.
Listen to Socket Connections (8:43)
Manuel Lemos: So, moving on with this, let's pass to the next feature proposal. Actually, there are more feature proposals that are related with this. But I am listing all the feature proposals that I found by chronological order.
So, the next one is not related to the variable numbers of arguments but it's related with more of something that... it's also not a frequent need, but has to do with creating networking servers using sockets to listen to some port.
And you can use some PHP functions to determine how the connections to an eventual server that you have will be handled. There is this extension in PHP named "sockets", but this usually is not compiled built-in the base PHP distribution.
So the proposal here by Daniel Lowrey is to be able to not only create a socket but also listen to the port eventually, the TCP/IP port and do it in a way that works well in traditional Linux systems in which you create a process, child processes that will handle the connections.
So the proposal here, it's more to use functions that will be available in the regular PHP distribution. There is already this stream_socket_server which is to create a socket to accept the connections. And then, the new function that is being proposed is "stream_socket_listen" to listen to connections on the created socket server.
Well, this is very specific for people that know and understand networking programming and Internet connections and so. This is not something that every application has a need for.
For instance, you create a server to accept connections from an eventual chat system on which there are users connecting to that chat system, you could use that.
Ernani Joppert: Not only that, but I guess it would also benefit some socket binding when you need JavaScript situation. It could be that you could write a socket base service that would interface with JavaScript clients, as well, using socket I/O and stuff. But in the end...
Manuel Lemos: Yes, that is the case.
Ernani Joppert: If something's really specific and it's like considering the performance of the processes that are being port and some benefits of the Linux Kernel as well.
Manuel Lemos: Yeah, there are some specifics here. I think it's not worth going into much detail because this is relatively low-level programming and most of the developers do not do this.
Ernani, have you ever programmed with sockets, creating socket servers for some purpose...?
Ernani Joppert: Yes. Before, we used to write a socket server based in Java because we didn't have application servers in the past. So, all the processing of information was to use a dedicated socket with a dedicated amount of information exchange between clients and servers. And basically...
Manuel Lemos: Right. But nothing on PHP.
Ernani Joppert: Yeah. And it's nothing related with PHP but in the end, it could be done. And the more we see these kinds of support on all languages, it's better.
Manuel Lemos: Right.
Ernani Joppert: And I would say it's a good thing to have, because of the current model, the current situation of the Internet. Yeah, there is a need for a dedicated socket server and if you build the service on top of that, like a socket I/O implementation or something on the server side, it would be beneficial.
Manuel Lemos: Right. Well, I think most networking connections nowadays go through HTTP.
Ernani Joppert: For sure, yes.
Manuel Lemos: You use the regular HTTP server instead of creating your own sockets in PHP. So, this must be for very specific purposes.
Anyway, you could already do this in PHP, just using the sockets extension. So, the actually new thing in this proposal is just to move some of the functions, move, no, I mean, duplicate the functionality using the streams extension that comes built-in in PHP. So, there is not much more to say about this.
Named parameters for functions (14:00)
Manuel Lemos: Therefore, I'm going to move on and pass the next feature proposal here which this time is about named parameters.
Again, this feature is something that was already proposed in the past but there was some discussion in the past. What was proposed is to have something that would allow somewhat what is possible, I think it is Python that you can pass arguments to a function by any order as long as you specify the name of the parameters.
So in this example here, you can see for instance, you can call a function this way, passing the parameters by order. Or this way, using the names of parameters.
Ernani Joppert: Yes. And this where I would say, when we were talking about the other two specifications, if you scroll down here, it's even mentioned that the state of this RFC lists the variadics and argument unpacking RFCs as well.
And this seems to be more specific and more well-organized way of structuring this requirement. Because then, it's based off on an associative array with a key-value pair. And at least...
Manuel Lemos: Yes, but in reality, this is not...
Ernani Joppert: Just remember the order of the arguments, which you remember, which ones are the ones you need?
Manuel Lemos: Yes. But this one's not really an array. It looks like the array definition but it doesn't have the array. And also, these apparent indexes are not quoted, so these are not strings.
Ernani Joppert: Right.
Manuel Lemos: These just identify, let's say, that this name corresponds to the start_index parameter. The only thing here that you can say is that, for instance, these parameters do not need to match the original order, that is, the function declaration.
Ernani Joppert: Right.
Manuel Lemos: So, this is good because if, for instance, you don't remember the order, usually you would look up the PHP documentation to see the right order.
But in the end, this here, it's less readable than this, because you don't know that this first argument, just looking at this code, you don't know that this argument is the start_index. So, if you have this, this is more readable. But at the same time, you have to type more code.
Ernani Joppert: Right.
Manuel Lemos: But at least, for the person that is reading it, you can make it in a way that is easier to understand.
Ernani Joppert: Yeah. And then, given this example here... And given this example below on my screen here, you will see that it's even less code in some situations.
Manuel Lemos: Yeah. Well, it can be less code because you can also omit arguments.
Ernani Joppert: Right.
Manuel Lemos: Because those arguments have default values and the default values are acceptable. So, if the default values are acceptable, you don't need to pass any values for them.
And the code also puts in a different order, can skip parameters and in the end, you can have a more readable code but you also have to type more. But for instance, if you have ten arguments, you only need to pass five, you only write five parameter value pairs here.
So, well, having this feature implemented, it would be up to the developer to define how to present this code, eventually in a more readable way or eventually taking fewer parameters because all the defaults for the remaining parameters are OK.
So, it's just a feature that has been under great debate. It has been requested in the past. The way I think this would be implemented is that if you write it this way, with parameter and value pairs, the resulting compiled PHP code would turn into this. Because PHP at compile time will know the right order, so there's no loss of performance.
Ernani Joppert: Right.
Manuel Lemos: Some people have been suggesting in the past that the parameters could be test in an array but in reality that is less efficient than if the PHP engine could rewrite the order of the parameters just by looking at the names.
Ernani Joppert: Right.
Manuel Lemos: So there would be no loss of performance with this solution, from what I understood.
Ernani Joppert: Right.
Manuel Lemos: Well, OK, there has been a lot of debate about this. And, at least now, this addresses a need that many developers have. It's nothing so fundamental but OK, if it addresses the need of some, I guess it will be useful for those developers.
Other than that, PHP, despite being an Open Source project, it's not like PHP is being sold as a product that costs money. It is important to keep PHP, I would say, having a regular set of new features to demonstrate vitality. So people can...
Ernani Joppert: Yeah, I guess it would benefit on the verbiage side. And how can I say, it would improve the way you teach people which are not familiar with PHP. It would be better for them to understand the language and at least make it a little bit more flexible in a way. So I'd say it's a good implementation. It's a good thing to know that it would be possible.
And while we were speaking, I was looking at the changes and it doesn't seem to be a major change at all.
Manuel Lemos: Yes. One of the good thing is that the people that have been proposing these features have already prepared some patches to apply this and they have already supplied the code. So, it's more a matter of deciding whether the feature is accepted or not, then actually the effort to develop the feature because somebody already did it.
Supporting Keywords as Identifiers (21:46)
Manuel Lemos: And moving on to the next feature, which still has some relation with this, it's regarding the use of reserved names that are usual for keywords in other places. For instance, certain names cannot be used in a way that may confuse the PHP parser.
So, there is this new proposal for supporting keywords as full names of, for instance, constant. A constant is defined by a name and unlike variables, they do not have a $ sign before them.
So, what they did is to allow this syntax to be supported. Because with the use of reserved words... for instance, in this case, in this example here, there is the word named 'continue' defined as a constant for this class. But 'continue' is also a keyword for a control command that can be used inside loops to move on to the next loop iteration.
So, nowadays, in the current version, this would fail with a parse error. So the idea is to extend the PHP engine to allow these names to be used, for instance, in constants.
This is related also to the feature that I mentioned before regarding the named parameters for functions. Because with the new syntax that I'm trying to show here as an example, you would present the parameter names this way without any dollar signs on anything.
For instance, if you have a parameter named 'continue', currently, you could not use this. So with this proposal to allow an extended use of keywords, this way you can avoid this limitation of the engine to use reserved keywords in different places.
Ernani, did you ever have a need to use certain names that are reserved words in PHP and you could not use them because it's a reserved word and the syntax would not allow it or...
Ernani Joppert: No, I haven't. But I've seen situations like at first, when the users are beginning to program PHP, they may have a collision of keywords because they are not familiarized with it yet. But I wouldn't see any conflict unless the developer's doing something really, really advanced.
Manuel Lemos: Right. And there is also the concern that, in the future, more control keywords may be added in future versions. And if you have used this named parameters syntax... let's say, for instance, in this case, on a future PHP version, you introduced a reserved keyword named 'value', it would do something. It becomes a reserved keyword, and the way it is now, this structure would not be allowed and it would cause backward incompatible changes.
So, this feature of providing extended keyword support to allow these situations to have names that may cause some syntax errors, I would say that these would be proposals that need to be implemented at once, at the same time, I mean. So, the next PHP version does not cause any backward incompatible changes for the current PHP versions and also for the future versions.
So, it is interesting that all of these proposals are somewhat related, as you also mentioned before.
Ernani Joppert: If you see here, the author of this proposal here which is Bob Weinand. He refers to the named parameters syntax.
Manuel Lemos: Right.
Ernani Joppert: And he also thinks of the necessary workarounds.
Yeah, so it's benefiting that specific one. So you can write a function array with a little arrow value here instead of having to write the function and the array with the sorts of an associative array, having to double quote it. Then, it would probably benefit.
I guess this is the detailed situation and this one is the other one. This one is just random thoughts on the PHP Internals. And this is the official RFC.
And I was looking to the GitHub page where he proposes the patch here. And if we dig in to that we can check out the latest commits here. And it seems that the user has had a lot of work to this specific one.
Manuel Lemos: Yeah.
Ernani Joppert: Because he's changing most of the scanner, the language scanner files to avoid the...
Manuel Lemos: Right. This is a new syntax, obviously needs to adjust the parser.
Ernani Joppert: Yeah. And he changes a lot here. So you see, the scanner has a lot of changes. But when he mentions this, he mentions that it doesn't affect or break any backwards compatibility. So, it's nice to see that it's...
Manuel Lemos: Right. It's a good step to avoid any problems in the future because...
Ernani Joppert: Yeah. And then, he mentions here, "Furthermore when backwards compatibility needs to be broken in the future for new keywords, it will have a smaller impact as most usages of the new keyword then still work." So, it's nice to see that it's...
Manuel Lemos: That was the concern that I was mentioning, if in the future new keywords are introduced and you have used that syntax for the named parameters, probably, it would start giving parser errors when you use named parameters that are future reserved keywords.
The idea is just to drop the reserved status of those keywords.
Ernani Joppert: Yeah. But I would say a first come, first serve situation would be good as well.
Manuel Lemos: Yeah, well, in practice, let's see if there are no other cases that would cause problems.
Personally, I think it's great that the language is moving on. But for me, it's not exactly something that I need. As I mentioned already in the past, PHP for me is pretty much feature-complete on that.
OK, other people prefer to implement new features. And also for marketing purposes of the PHP language, it's important to have the language renewed.
Anonymous Classes (29:00)
Manuel Lemos: So anyway, we've talked a lot about this. Let's move on to the next feature proposal. I'm going to start sharing here. It's precisely about anonymous classes. This is a feature that I think to myself, Is this really something we need? First, what are anonymous classes?
Ernani, you are more familiar with the Java world. Is this something that came from Java world or is it something different that is being proposed for future PHP versions?
Ernani Joppert: Basically in Java, you have inner classes. It avoids documentation. It avoids the need of structuring your code, bloating your code and bloating your namespace. Because, basically, it's only used inside the scope of that parent class.
So, of course, there is a need for this in some situations because the developer doesn't want to have to document everything. So, it makes sense to have this, but it's not a major thing.
Manuel Lemos: Yeah. But can you...
Ernani Joppert: Within the introduction here, the author already says here that for some time PHP has featured anonymous functions support in the shape of closures. And he's like trying to introduce the same kind of functionality for objects of anonymous classes.
So, that's the overall idea that he's trying to do. So, he basically listed the intentions of his achievement.
Manuel Lemos: Right. But...
Ernani Joppert: I would say it's a good thing.
Manuel Lemos: In your experience, can you give realistic use case for such a feature?
Ernani Joppert: Not in PHP. I've seen some real use examples in complex APIs like proper Java Swing Implementation, the Java AWT Implementation, which are graphical user interfaces library.
So, I can't come up, right off the bat, with a probable situation why it would be useful in PHP but I can see frameworks using this. Because frameworks may have inner classes, they are only relying on their specifics.
Manuel Lemos: Right.
Ernani Joppert: And there is no intention of inheriting it or anything else. It's just trying to wrap things up. And yeah, I would say it's a good thing to adopt, not necessarily major but it's a nice proposal to see come true.
Again, it also represents the ability of the language to be more well-versed, more complex and more... let's put this way... easy to use and avoid the need for externalizing files. And having everything on one file could save time from the main developer, time to explain things.
Imagine you're writing a package for PHP classes and you don't want to have document all the files. So inside of one class of yours, you have some inner classes that are doing things that pertains only to that specific current class. So, that's the idea. You wouldn't even have to commit a large amount of files.
Manuel Lemos: Right. Well, I don't know. I have yet to see a compelling use case for this, but OK. Maybe people have compelling use case for this but I have not seen any. So, I cannot say that there are none. I'm just saying that it's not the case that I know any.
Nested Classes (33:59)
Manuel Lemos: So, moving on to the next feature, it's also something that I would like you to comment because it's precisely yet another of those features that seem to have come from the Java world. In this case, it's the possibility to create nested classes.
Can you confirm if this is yet another thing that came from the Java world, or it's just my impression?
Ernani Joppert: Yeah, of course, it came from another language concept. But PHP already has implemented lots of other functionalities from other languages.
And if I say, Java in line because Java came from another language as well. So, it's recursive situation. But PHP does what it does and it does well. And it's nice to see that it's grabbing other useful resources from other languages as well.
I mean, I don't get into the battle of having to copy things because it's not a copy, it's just a better approach. And if you're benefiting from one concept of another language, why not?
At least, what we are doing here is software. So if you wouldn't have other languages and doing things the way we prefer and the way we consider best, we would be always programming assembly. And we wouldn't have any other languages to run, too.
Manuel Lemos: Yes, right. The question here is not exactly whether the language should evolve or not. But rather, first, what are these nested classes and what they are useful for?
Ernani Joppert: They would be useful to reduce the amount of code, to avoid the lack of having to document the necessary class.
Manuel Lemos: Let's start from the beginning. What are nested classes? Basically, here it shows a class declared inside another class.
Ernani Joppert: Right. Basically, you are nesting a specific object inside of another object which since you are programming object oriented, you have the ability to instantiate the inner class inside of the parent class or extend it.
Manuel Lemos: Yes. Here, you can see some examples. You can even declare classes inside classes as private and public. And from what I can see, the class declared inside sort of adopt a sub-namespace. So in this case, if the class 'foo' is under this namespace, the class bar inside will be inside the 'foo\bar' namespace.
Ernani Joppert: Right.
Manuel Lemos: So, it seems that the idea is to not have to declare the namespaces explicitly, given the namespaces are just the class names. I mean, the top namespace and the sub-namespace.
Well, again, what would be the use case for this? Why would you want to have other than just to sort the declarations of the namespaces or avoid having the trouble to declare it explicitly, what would be the use cases for this? Because the examples here are mostly to show how you would do things, not exactly what it is.
Ernani Joppert: Now, I get what you mean. Yeah.
Manuel Lemos: I'm asking you because you came from the Java world and the Java world also has these things. I'm not sure if they call it the same. Anyway, I wanted to ask you, what do you think these things can be of use in practice?
Ernani Joppert: Yeah, in Java it's basically... Nested class and anonymous classes are basically the same thing in Java world. So, I would say that the proposal of the nested classes would be the same thing as anonymous classes. So, I would say anonymous classes would be a benefit to the language and it has already proven a specific use case.
Manuel Lemos: Right. I think you mean that the purpose is not the same. Is that they both have their purposes...
Ernani Joppert: No, no, it's basically the same thing with different names.
Manuel Lemos: Nested classes are anonymous classes? No, not the same thing, because nested classes have names.
Ernani Joppert: Yes, but you don't have to have a name.
Manuel Lemos: Right. But they are not the same thing in this case.
Ernani Joppert: No, they present the same behavior. But you don't have to name it.
Manuel Lemos: Well, the difference here is that... Let me reopen anonymous class definition here. So, for anonymous classes, the difference is that you can declare a class here. This is the class. And then, you immediately create an object of that class without naming the class something.
Ernani Joppert: Right.
Manuel Lemos: These are anonymous classes. You can have anonymous classes inside classes or not. When you have classes declared inside classes, those are nested classes. So the purpose is not the same. The purpose here is just avoiding to declare a class with a name when we're just going to use a single object of that class.
Ernani Joppert: Right.
Manuel Lemos: You class this.
Now, for nested classes, you have classes inside the classes.
Ernani Joppert: Right, but when you implement inner classes, which is the same as anonymous classes in Java, you can have both inner classes named inner classes and anonymous inner classes.
Manuel Lemos: Right. But anonymous classes may be declared outside classes at all because in PHP, unlike in Java, you can have code that is not a class.
Ernani Joppert: Right.
Manuel Lemos: This code here could be in the global namespace. So, it wouldn't be nested inside the class. Now, nested classes are just class declarations here and there's a class declaration inside of it. So, one thing does not imply the other.
The question here was more what would be the purpose of each of these features and when would be a good time to use them for?
Ernani Joppert: Unfortunately, the author here, the one proposing the nested classes option, hasn't shown a practical use. And it's hard to identify the benefits of it compared to the other one, which is the anonymous classes example.
Manuel Lemos: Yeah. What it says is that there's a way to... A nested class is a class declaring a virtual namespace. So, you have a namespace for this class and inside, there's a new class that defines a virtual namespace inside of it.
So, like it mentions here, the package class has the namespace 'foo' and the nested class inside named 'bar' has the namespace 'foo\bar'. But other than that, what is the purpose of this? When do you use it? It's not clear, as I mentioned. It does not present an example.
So, there might be good use cases for this. But for me, it's more and more features that probably PHP does not need at all.
[Laughter]
Manuel Lemos: Now, think about it. Where are the real world examples? The real demonstrations that this is really needed? Well, I'm afraid all this push to add more features probably to make it look like in the Java world may not be so useful, and the engine starts becoming bloated. So, well, they probably have a good explanation for this but I'm just not seeing it.
Ernani Joppert: This example of nested classes is really confusing.
Manuel Lemos: Right.
Ernani Joppert: The anonymous classes situation means more to me. I couldn't see any real situation where you will need a virtual namespace inside of a class. But in the end, who am I to say what is best and what is not, right?
Manuel Lemos: Right. Well, for me, PHP already has many, many features that we do not use. So, this would be one more.
Ernani Joppert: Right.
Manuel Lemos: Probably, you will have a more bloated PHP engine that takes more memory. But, OK, go and figure.
Regenerating Session IDs when IP changes (43:34)
Manuel Lemos: Anyway, moving on to the one last new feature. Actually, it's not exactly a feature but a discussion that appeared in the PHP Internals list regarding the generation of session IDs.
This one was started by Yasuo Ohgaki. It is talking about the regeneration of session IDs automatically when the IP address has changed. So, session IDs are values that are usually assigned to cookies that are passed on each request.
So, when PHP executes a script, it might implicitly retrieve the session variables associated with that ID.
But for security reasons, I mean, to prevent that some eavesdropping process takes place and the session ID gets stolen, and that session is used by somebody that's trying to do something illicit on the site, who accesses the site with the same ID and takes advantage of the user account for some illegal purpose that may cause harm to the original user.
So, in this case, the proposal is to regenerate a new session ID automatically every time the IP address changes. And there was a debate regarding this. So, when would the IP address of the user change?
For instance, the user starts a new Internet connection from the same computer, same browser. For some reason, he connected to a different network. The session ID that the server sees is the same. So, what this proposal seems to be requesting is having some option in PHP that tells it to create a new session ID and replace the old one if the user changes the IP address.
It may also be the case that the user changing the IP address is actually a user that has stolen the session ID and is accessing the same site from a different IP address.
I don't know if this is going to solve the security problem. Because once the session ID is stolen by somebody that is abusing... If it's stolen, the only thing is that the original user may notice it because the session stopped working because somebody else is using his session from another computer.
So, I don't know if this is a good idea. Because once stolen, it is stolen. What would users do? If they're being abused, they will not know this way.
So, there was a discussion regarding this feature. But in the end, nothing was really... people involved in this discussion were not convinced that it is really necessary. I don't know if you, Ernani, had faced any security issues regarding stolen sessions. What is your experience in this?
Ernani Joppert: I guess there's a Ronabop here on this same discussion thread. I was looking through the discussion thread to try to understand the need for it. He explains it well: "So, say you have many front ends, with load balancing, and public IP addresses. Those front-ends talk on private IP ranges to back-end machines, so the session can come in from any public IP, be proxied, and handed off" to the back-end server.
"By the way, this is not hypothetical." So he's saying it's about his work on AppFog. "Some actual numbers to explain: Our Singapore location, for example has 29,088 websites, with six incoming IP addresses talking to 27 website nodes.
Regenerating session keys is a waste of CPU at that scale, as a given user's requests may jump around six different inbound addresses, and any number of servers."
So he has good takeaway points, "Binding session to IP doesn't work at scale. Seeing that the IP has "changed", it is totally useless to detect hijacking. Session libraries that are expecting state, on the Internet, are fundamentally broken by design."
And I would want to know a better explanation on this topic here but maybe he has a point. And then he has a reason.
Manuel Lemos: But I thought a thing.
Ernani Joppert: And then he has a real...
Manuel Lemos: There are other complicated factors like the proxies. Proxies can change the IP address that are visible to Web servers. So, it would detect something that is not even hijacking a session ID.
Ernani Joppert: Yeah. Now, I get his explanation. He said that "Session libraries that are expecting state, on the internet, are fundamentally broken by design."
I mean, session libraries wouldn't expect any state. It would provide state to the user machine. So, it's a state management situation. It's not expecting any other states. It has to provide states but not to... And to provide and maintain, but not to expect any other role. It's a negotiation between the browser and the back-end server.
And then he has a funny rant here which says, "There is no such thing as a secure http session. Ever. The protocol, by design, does not allow it. Ever. You can add layers (such as https) to make things "better", but if you want secure communication, don't use the internet."
I guess he is going a little bit off the grid, but he...
Manuel Lemos: Yeah, that last comment is totally pointless. Just because you cannot make things 100% secure, it doesn't mean that you cannot improve security somehow.
So, if you can use HTTPS instead of HTTP, it's better. It's more secure than not using it. So, I don't agree with that statement. Other than that, the rest of the justification, I think, describes exactly what I think.
This would be more of a complication and there's no great need for what it's proposing, at least as far as I could get. But, you know, it's really challenging to make a secure system on the Web, especially now that the issues of NSA's deep involvement in spying on connections and having access to user private data and activities have been a greater concern than in the past. Not that it didn't exist in the past, it just became a greater concern.
So well, anyway, that discussion seems to have not gone anywhere. And probably nothing will be done in PHP to make things more secure this way, because that's not the way it goes.
The idea of regenerating session IDs in PHP automatically on every access has some purpose but you also have to have some caution. But anyway, that's not what is being discussed here with this proposal.
JavaScript Innovation Award Winners of July 2013 (51:58)
Manuel Lemos: Well, basically with this, we practically talked about many topics of interest, things that happened in the PHP world.
Now we're going to move on to the next regular section, now that we're reaching the end of this podcast, which is basically first to talk about the winners, classes that were nominated to the Innovation Award first in the JS class site. So, it would be JavaScript objects and then we move on to the PHP ones.
So, Ernani, which ones would you like to comment this month?
Ernani Joppert: OK, so I already have my screen share here and let me just increase my font size and go through this example here.
Igor Escobar has provided a sort of a remote testing tool which can render HTML pages on the server-side and provide a diff solution.
I didn't see the generated example here, so there isn't a valid output to understand how it's doing. But basically it's reading the DOM and trying to render it on the server-side. And I would say, generating a PNG out of the DOM, it's good for visual, but it would be also good to know the differences on the text as well, on the HTML, on the JavaScript, on the whole object model, as a diff tool.
So, maybe this could be improved as a diff tool as well to provide a diff to see if anything broke or there is any difference between version A and version B.
Manuel Lemos: Yeah.
Ernani Joppert: Let's see. But it's a nice component. It's nice to see test components coming through. Igor Escobar, he's from Brazil and it's nice to see that there are more Brazilians contributing to JS classes.
Manuel Lemos: Ah, you're just biased. Just because you are from Brazil.
Ernani Joppert: No, no. Not at all, not at all.
Manuel Lemos: I'm just kidding.
Ernani Joppert: But, yeah.
Manuel Lemos: It's a nice component. I just would like to add that... it wasn't mentioned... it can capture screenshots of a given page using CasperJS. CasperJS, if I'm not mistaken, this is a headless browser or something like that, which means it's a JavaScript library that can render pages without actually being a user-interface browser, that users can see the browser controls and such. It's just a browser that can access pages but can render the pages to files, I mean, to image files.
So, what this object from Igor does is to compare images eventually from different page screenshots. So it can detect if there were changes that were not intended, probably caused by bugs that may cause graphic images to break. So, this is interesting, and it can be used specifically for testing purposes.
So, congratulations to Igor for that. So, other than that, which other JavaScript class object would you like to comment on?
Ernani Joppert: OK. The second one, my pick for this month would be the Animate 3D Carousel of Images Using HTML5 canvas. So, when he means HTML5... I haven't looked into the real source code and we were previously talking about it... it seems to be using WebGL as well.
Manuel Lemos: Actually, implicitly, if you would use WebGL by the means of using this Three.js library, I think in this case, it requires WebGL because it's optimizing for the 3D hardware and support by the underlying machines.
Ernani Joppert: Right. And it seems to be... Oh, Mr. Do Good did it, so it's a crazy thing.
Yeah. It's a limited component but it's nice to see the power of JavaScript is carrying to that situation and I've already saved here the demo page which the user provided. And it's nice to see that they are providing examples like this and you can basically zoom things up. I'm not sure if the screencast will resonate the demo.
Manuel Lemos: We can see it very clearly.
Ernani Joppert: OK.
Manuel Lemos: You can drag the... I think it also works on touch interfaces, not just those that are rather...
Ernani Joppert: Right. And as you can see, basically you touch here, you double-click it and you can spin things up.
Manuel Lemos: Yeah. Yes, at least in a...
Ernani Joppert: You can basically touch the...
Manuel Lemos: ...modern machine with a good hardware, it can scroll... I mean, animate the pictures very quickly. So, this would be...
Ernani Joppert: So, if you click on the background picture, it will bring it to the front.
Manuel Lemos: Right.
Ernani Joppert: Nice to see you can zoom things up. It's nice, very nice to see this in JavaScript.
Manuel Lemos: Right. Well, most of the hardware, 3D interface code is, I mean, inside the Three.js library. But it's interesting though, the final effect which is to... It's similar to those carousel pictures that many sites expose but using picture scrolling horizontally. In this case, it just gives a 3D effect of putting the pictures circulating in a virtual 3D space.
So that's interesting. On my part, I also would like to comment on a couple of objects. I would like to start first here by this library named OPTICS. In this case, it was developed...
Ernani Joppert: And I would see that the Carousel tab here, on my memory management part, is using a little bit of CPU. Yeah, it's using a little bit, really little bits, but it's going OK. It's not harming my Chrome that much. So, it has a good performance.
Manuel Lemos: Yes. And also, let's not forget to mention that this one was developed by Nikos from Greece. He's been submitting many components. Actually, three were nominated in the Innovation Award and a couple of them have won.
Ernani, anyway, I was also already moving to the next one. In this case, it is a library that implements OPTICS algorithm, basically to find clusters of points that are related somehow.
And this component was developed by Franz Josef Brunner from Austria. And it's very interesting because it allows you to sort of make sense of a set of points that are in a 2D space and those points represent sparse data.
In this case, this algorithm allows to detect when subsets of points are part of clusters. So, probably, those are points that represent the same values but they are just affected by some rounding errors or something like that.
Ernani Joppert: Right.
Manuel Lemos: Anyway, this is very technical, very specific for whatever the purpose that this algorithm is used. But anyway, kudos to Franz Josef Brunner for this component.
Next one, there is a much simpler explanation for this other component, which is basically a template engine named Contemplate.
And actually, this is a two-part component. There is a PHP part and a HTML part. And what this component addresses is the need to avoid having different template engines to generate page output, that is, HTML output for parts of pages.
So basically, it's a template engine that has a syntax that is the same for either the PHP version or the JavaScript version. And this one is again from Nikos.
Ernani Joppert: I can't see your screen. You're not sharing it, right?
Manuel Lemos: Sorry, it stopped the... Let me restart. It stopped the screen sharing. It stopped the screen sharing for some reason, probably when I minimized screen.
Anyway, as I was showing it here, but nobody was seeing. Again. But it does not have many details, it's probably enough to show you.
As I was just saying, this is a library that has two parts, one part is in JavaScript and the other part is in PHP. Well, I'm trying to show just what this looks like and there's a template here. There is some data that is passed as these parameters and the results appear here.
Anyway, this package was also nominated for the Innovation Award in PHP in the same month because, as I mentioned, it was a library in two parts. And the PHP part was also nominated for the Innovation Award, which is the... I mean, the PHP part is here and the JavaScript part is in the JS Classes site.
PHP Innovation Award Winners of July 2013 (1:03:22)
Manuel Lemos: Anyway, now that I have mentioned it, the next section would be the Innovation Award at the PHP Classes site. Ernani, which PHP classes would you like to mention?
Ernani Joppert: OK, let me switch to my screen sharing. There you go.
So, my vote, my first pick would be the Apache Log Filter. Who knows who has used Apache. Sorry?
Manuel Lemos: If you can just increase a bit the font.
Ernani Joppert: Yeah, yeah. Sorry.
So, the author is Janne from Finland. Congratulations, Janne. You provided a very useful component here which seems to be useful for reading and filtering logs from Apache.
For us mere mortals who use PHP with Apache, sometimes we don't have the time to explore the whole log and we can't tell you, we can't provide regular expressions to filter it using grep and such things. So, it's nice to see that there are real components here that can achieve this functionality.
And my vote for him, congratulations again.
Manuel Lemos: Right. And this is interesting because nowadays, the vast majority of the access to Web sites is done by robots... could be Google, could be other search engines, could be other types.
So, using components like this will reduce a lot the size of the logs that are useful, because most of the accesses are in great part from bots. So, kudos for the author for this component because now that it's much better
Ernani Joppert: Yeah, and probably these components will go right to my usage because it's a useful solution.
Manuel Lemos: Right. Other than that, which other component would you like to mention this month?
Ernani Joppert: OK, yeah, moving on to the other one. Last but not the least, the PHP Add Apache Virtual Host which is another utility component. It's provided by Evaldo Barbosa from Brazil. Not again...
Manuel Lemos: Oh, you are really biased.
Ernani Joppert: Not again picked. I just go with the usage component. I like utility one.
Manuel Lemos: I know, I know.
[Laughter]
Ernani Joppert: And this class can be used to add virtual hosts to the Apache configuration. It creates a configuration file with the definition of the virtual host name, even the IP address, domain and document root folder. It can also create .htaccess with mod_rewrite options.
Manuel Lemos: It's almost an application and it's more than just being a class. There's a lot of things.
Ernani Joppert: Yeah, it's a nice component. I like it. Sometimes you don't remember things and it's just using the...
Manuel Lemos: Right. It is great to automate the installation of new sites. For instance, many developers also host... take care of the hosting of the sites of their customers. So, if they need to add a new site, they can use a class like this to automate the creation of sites for their customers. So, they don't have to repeat the same task over and over again.
So, kudos to Evaldo for his idea. It's really useful and unusual, I would say.
And well, moving on to my part, I'd also like to mention a couple of components, but I already mentioned one. Let me share this screen here.
This is interesting because this month is really, really busy. There are like 12 nominees and I already mentioned one, which is a component named Contemplate. It processes templates using the same syntax and has a couple of versions of the library, one for PHP and another for JavaScript.
So, the other component that I would like to mention is actually the winner of this month. Because it's something that's not exactly an everyday need of Web developers, but once in a while you may have a need for it.
For instance, if you are a student of a college, you need to solve linear, polynomial or trigonometric equations. What this component does is to provide the solution for those types of equations. It uses what they call a variation of the Newton method with a special technique called Blocking, which is basically to maximize the speed of solving the equation by reducing it into smaller problems.
And this is interesting precisely because it implements sort of a clever approach to a non-trivial problem. So, kudos to Naveed ur Rehman from Pakistan. So, Naveed,
Ernani Joppert: I like these kinds of components which teach the user how to implement mathematical functions. And using PHP to do that is nice. I like it. I really appreciate it.
Manuel Lemos: Right. It's just yet another sign that PHP is versatile and it just takes somebody with the need to actually implement it.
So, thank you again, Naveed. I hope I'm not pronouncing your name correctly. I never have hope that I'm doing it correctly for countries or languages that I'm not familiar with. But we do our best to do it with good spelling but there's not much hope.
IP2Location Sponsors the PHP Innovation Award (1:10:07)
Manuel Lemos: Anyway, we have practically ended this hangout. I would just like to comment, just something very briefly, that we have a new sponsor, actually. A sponsor that used to participate in the past but they suspended it for a while. They're reconsidering their businesses about GeoIP solutions, which basically are providing means to solve... to determine geographic locations associated with the IP address, could be for uses of sites it's on.
So they are supporting both PHP Classes and JS Classes. So, starting now, developers that are nominated for the Innovation Award could pick their prize once it's their turn to pick the prize.
Conclusion (1:11:25)
Manuel Lemos: Well, that was basically it. And we already have a long show, talking about many, many PHP features that are upcoming. And I would like to thank you again, Ernani, for making this time. I know it's always a challenge, due to unexpected difficulties, but this time, you made it.
Ernani Joppert: I am glad my ISP hasn't blocked, my power source hasn't failed, my browser hasn't crashed, Google hangouts played well.
Manuel Lemos: And the global warming did not hit you.
Ernani Joppert: So it contributed to the success of this episode. I'm really glad to participate.
Manuel Lemos: So, since we already have said whatever had to be said, if it fails now, it won't be a problem.
So, thank you again for coming. And I hope next month, you can come again.
And on my behalf, that's all for now. Thank you. Bye.
Ernani Joppert: Thank you. Bye-bye, guys. Have a great month.