PHP-CRUD-API now supports authorization and validation

Another milestone is reached for the PHP-CRUD-API project. A project that aims to provide a high performance, consistent data API over REST that is easy to deploy (it is a single PHP file!) and requires minimal configuration. By popular demand we have added four important new features:

  1. Tables and the actions on them can be restricted with custom rules.
  2. Access to specific columns can be restricted using your own algorithm.
  3. You can specify “sanitizers” to, for example, strip HTML tags from input.
  4. You can specify “validators” functions to show errors on invalid input.

These features are built by allowing you to define callback functions in your configuration. These functions can then contain your application specific logic. How these function work and how you can load them is explained below.

Table authorizer

The following function can be used to authorize access to specific tables:

/**
 * @param action    'create','read','update','delete','list'
 * @param database  name of your database (e.g. 'northwind')
 * @param table     name of the table (e.g. 'customers')
 * @returns bool    indicates that access is granted  
 **/
  
$f1=function($action,$database,$table){
  return true; 
};

Column authorizer

The following function can be used to authorize access to specific columns:

/**
 * @param action    'create','read','update','delete','list'
 * @param database  name of your database (e.g. 'northwind')
 * @param table     name of the table (e.g. 'customers')
 * @param column    name of the column (e.g. 'password')
 * @returns bool    indicates that access is granted  
 **/
  
$f2=function($action,$database,$table,$column){
  return true; 
};

Input sanitizer

The following function can be used to sanitize input for specific columns:

/**
 * @param action    'create','read','update','delete','list'
 * @param database  name of your database (e.g. 'northwind')
 * @param table     name of the table (e.g. 'customers')
 * @param column    name of the column (e.g. 'username')
 * @param type      type of the column (depends on engine)
 * @param value     input from the user (e.g. 'johndoe88')
 * @returns string  sanitized value
 **/
  
$f3=function($action,$database,$table,$column,$type,$value){
  return $value; 
};

Input validator

The following function can be used to validate input for specific columns:

/**
 * @param action    'create','read','update','delete','list'
 * @param database  name of your database (e.g. 'northwind')
 * @param table     name of the table (e.g. 'customers')
 * @param column    name of the column (e.g. 'username')
 * @param type      type of the column (depends on engine)
 * @param value     input from the user (e.g. 'johndoe88')
 * @param context   all input fields in this action
 * @returns string  validation error (if any) or null
 **/
  
$f4=function($action,$database,$table,$column,$type,$value,$context){
  return null;
};

Configuration

This is an example configuration that requires the above snippets to be defined.

$api = new MySQL_CRUD_API(array(
  'hostname'=>'localhost',
  'username'=>'xxx',
  'password'=>'xxx',
  'database'=>'xxx',
  'charset'=>'utf8',
  'table_authorizer'=>$f1,
  'column_authorizer'=>$f2,
  'input_sanitizer'=>$f3,
  'input_validator'=>$f4
));
$api->executeCommand();

You can find the project on Github.

PHP script to tail a log file using telnet

tail

Why would you need a PHP script to tail a log file using telnet? You don’t! But it the script is cool anyway. It allows you to connect to your web server over telnet, talk some HTTP to your web server, and run a PHP script that shows a tail of a log file. It uses ANSI sequences (colors!) to provide a nice user interface specifically to tail a log file with the “follow” option (like “tail -f”). Below you find the PHP script that you have to put on the web server:

<?php
// configuration
$file = '/var/log/apache2/access.log';
$ip = '127.';
// start of script
$title = "\033[H\033[2K$file";
if (strpos($_SERVER['REMOTE_ADDR'],$ip)!==0) die('Access Denied');
$stream = fopen($file, 'r');
if (!$stream) die("Could not open file: $file\n");
echo "\033[m\033[2J";
fseek($stream, 0, SEEK_END);
echo str_repeat("\n",4500)."\033[s$title";
flush();
while(true){
  $data = stream_get_contents($stream);
  if ($data) {
    echo "\033[32m\033[u".$data."\033[s".str_repeat("\033[m",1500)."$title";
    flush();
  }
  usleep(100000);
}
fclose($stream);

To tail (and follow) a remote file you need to talk HTTP to the web server using telnet and request to load the PHP tail script. First you connect using telnet:

$ telnet localhost 80
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.

After connecting you have to “speak” some HTTP (just type this):

GET /tail.php HTTP/1.1
Host: localhost

NB: Make sure you end the above telnet commands with an empty line! After this the screen should be empty showing any new log lines in real-time in green on the telnet window.

You can use Ctrl + ‘]’ to get to the telnet prompt and type “quit” to exit.

If you don’t want to copy the code above, then you can also find the latest version of tail.php on Github.

Static code analysis for PHP templates

Templating is cool. Everybody is using Twig today. Other popular choices are: Smarty, Mustache and Latte. You may also want to read what Fabien Potencier has written about PHP templates languages. It makes sense.

Still I can think of two reasons why we don’t want a templating language and we rather use PHP itself for templating. First reason: PHP templating is easier to learn than a PHP templating language.  Second reason: it executes faster.

PHP templating languages improve security

I tried to understand what the primary reason is that people are using a templating language. It seems to be ease of use, while keeping the application secure. The following example shows how easily you can write unsafe code:

Hello <?php echo $POST['name']; ?>!

It would only be safe to print a POST variable when using:

<?php echo htmlspecialchars($POST['name'],ENT_QUOTES,'UTF-8'); ?>

A templating language typically allows you to write something like:

Hello {{ name }}!

I agree that security is improved by using a templating language. The templating language escapes the output strings in order to prevent XSS vulnerabilities. But still I wonder: Can’t we get the same security benefits when we use native PHP for templating?

Helper function

As you have seen the PHP way of escaping is rather long. Fortunately, you can easily define a function that allows an alternative syntax, for instance:

Hello <?php e($POST['name']); ?>!

Yup, that is the “e” for “echo” :-). Now we can report all native (unescaped) echo function calls as being potentially unsafe. This can be achieved by doing static code analysis. While analyzing the code the analyzer could complain like this:

PHP Warning:  In "template.php" you should not use "echo" on line 1. Error raised  in analyzer.php on line 11

This could be limited to debug mode as static code analysis actually takes some time and may harm the performance of your application.

Static code analysis in PHP

I worked out the idea of secure PHP templating using static code analysis. In development (debug) mode it should warn the programmer when he uses a potentially non-safe construct.

The following analyzer script shows how this works:

<?php
$tokens    = array('T_ECHO', 'T_PRINT', 'T_EXIT', 'T_STRING', 'T_EVAL', 'T_OPEN_TAG_WITH_ECHO');
$functions = array('echo', 'print', 'die', 'exit', 'var_dump', 'eval', '<?=');
$filename  = 'template.php';

$all_tokens = token_get_all(file_get_contents($filename));
foreach ($all_tokens as $token) {
  if (is_array($token)) {
    if (in_array(token_name($token[0]),$tokens)) {
      if (in_array($token[1],$functions)) {
        trigger_error('In "'.$filename.'" you should not use "'.htmlentities($token[1]).'" on line '.$token[2].'. Error raised ', E_USER_WARNING);
      }
    }
  }
}

It will analyze the “template.php” file and report potentially insecure or erroneous language constructs.

This form of templating and static code analysis is fully implemented in the MindaPHP framework that you can find on my Github account. You can find the source code of the PHP static code analyzer class here.

Jeff Atwood: Learning to code is NOT overrated

Jeff Atwood, author of the Coding Horror blog and creator of the Q&A site StackOverflow, wrote an article with the provocative title:

 Learning to code is overrated

He argues that we should not teach our children software development, because there are better, greater skills that we should teach our children. He seems not to realize how much of his own perspective is involved in this opinion.

One of the great achievements of modern computing is that we no longer need to be programmers to create, build and get things done

Oh, and let’s just pretend he did not write that and we did not read that.

Language vs. Mathematics

So the main reasoning in the article is this:

There’s nothing wrong with basic exposure to computer science. But it should not come at the expense of fundamental skills such as reading, writing and mathematics.

Sounds reasonable, but wait, what?! We should not teach our children (computer) science, because they might get behind on reading, writing and math? I would argue the opposite about this fantastic applied science: We should learn children to create software in order to make them want to learn English (reading and writing) and master mathematics.

I know that I was totally unmotivated at primary school for reading, writing and mathematics. On the other hand I was highly motivated to learn whatever was needed to understand IBM-Basic programming language. This challenge showed me why it was important to pay attention at school.

When Jeff Atwood says that reading and writing are more important he may also be referring to “Literature vs. Computer Science” or more generally “Language vs. Mathematics”. I do not see how you could argue that one is more important than the other. I do on the other hand recognize that people tend to lean more towards one than the other.

Programmers can’t communicate

Jeff Atwood seems to imply that the world solely consists of “Mathematical” people, when he writes:

Learning to talk to the computer is the easiest part. […] The people — well . . . you’ll spend the rest of your life figuring that out.

I think this is where Jeff is blinded by his own perspective. Children on a primary school are not guaranteed to think talking to the computer is easy and talking to people is hard. Only the people that do not need encouragement to go into computer science are like that. For most of the people the opposite is true. These people are discouraged to enter the profession, due to the lack of diversity.

… typing in pedantic command words in a programming environment

This is how Jeff Atwood describes programming. I guess somebody convinced him that programming is an inferior activity and not the creative and intellectually challenging craft that it actually is. It makes me wonder who in Jeff Atwood’s life is responsible for destroying the ability to enjoy the magic of creating software that I cherish so much. I promise that I won’t let this happen to me.

TL;DR

Jeff Atwood wrote an article to criticize the mayor de Blasio plan to teach programming to kids. His main argument seems to be that he values language skills over applied mathematics. But he seems to forget that we are not all mathematical minds that can easily learn programming. Learning kids to code may improve the popularity of the profession and hopefully also the diversity.

AmsterdamPHP meetup on state machines

global_117820162.jpeg

Summer is drawing to a close, join us tomorrow (Thursday, September 17, 2015) at LeaseWeb HQ for the AmsterdamPHP meetup on state machines!

Schedule  

19:00: Welcome Drinks
19:30 – 20:30: Talk
20:30 – 20:45: Raffle
20:45: Social, drinks and Pizza

Talk: State Machines at Telfort

Telfort, a major Dutch ISP, uses php driven statemachines for the automation of their business processes and delivery streets.

In this presentation we will dive into the following topics:
– the use cases for statemachines
– the problems they solve(d) for Telfort
– the design challenges for a php statemachine
– the way they are used by the organization in the broad sense
– tooling for support and visualization
– how it supports unittesting and QA
– process automation using statemachines and message queues
– how it facilitates the complex interactions within the system itself and when interfacing with 3d party operational support systems

Examples will be supported by the opensource php ‘izzum’ statemachine package (https://github.com/rolfvreijdenberger/izzum-statemachine) which is functionally equivalent to the Telfort inhouse statemachine system.

Speaker: Rolf Vreijdenberger

Rolf Vreijdenberger is currently working as the software architect for the Telfort delivery street for the copper and fiber business support systems. He has been working in IT since 2001 when he co-founded creative online agency “De Pannekoek en De Kale”.

Raffle

We got some awesome stuff to give away this month, so make sure you attend another awesome meetup!

Location

LeaseWeb Netherlands B.V.
Luttenbergweg 8
1101 EC Amsterdam
View Panorama

Sign up

Click here to go to the meetup page to sign-up for this event!