August 11th 2010

Review: The Art of Community – Jono Bacon


I must confess that Jono Bacon actually caught me by surprise. While I was following the creation process of the book (O’Reilly invited UG leaders to send feedback) I could have never imagined I would one day have something so useful for someone who deals with communities on a day to day basis. In this universe Jono is a well known figure, with vast experience in managing and participating in online communities, which credits him as a perfect candidate to write a book like this one.

A book about how to manage and live amongst virtual communities has all the elements to be a boring book full of “do’s and don’t’s”, in summary a very repetitive and unpleasant book. However Jono proves his understanding of the communication channels (an important part of any community) right off the bat in the book’s introduction. Here he showcases his writing strategy, telling personal experiences. Building on top of this premise the author goes throughout the book presenting us with new concepts or strategies and following each up with a real life example from his and others’ experience in communities. This makes the book a delightful read, easy and flowing, the kind of book you can pick up anywhere and have fun while you plow through the pages, perfect for the everyday life of lines and waiting. I recommend loading it up on your e-reader if you have one.

The book is incredibly broad and valid for numerous roles inside every community, from managers to members, volunteers, to the regular Open Source developer. Each level of the community stands to gain from this book and even people who work with or use the community, such as marketing people, and activists who need to learn how to communicate and win-over the communities. Each chapter dives into a different and fundamental aspect, like communication, building buzz, measuring, events and handling conflicts.

Anyone who has ever managed a community and looks at this table of contents will surely have a few flashbacks of various moments in their experience. I know I for one identified myself in quite a few situations, from my motivation to participate in the PHP community to the conflicts and the experience of contributing to Open Source. I usually like to give more details of each chapter when I do reviews like this one, but in this case that feels like I would be cheating the reader out of the amazing experience of having Jono lead you through his experiences and concepts, so I’ll not do it.

In summary, if you have any involvement with virtual communities, be it as a manager, member or just someone who interacts with them, this book should have its place on your shelf. Buy it, read it, enjoy it and have fun while you learn to take your community to the next level.

The Art of Community

Author: Jono Bacon
ISBN: 978-0-596-15671-8
Pages: 400
Year: 2009
Publisher: O’Reilly
On O’Reilly
On Amazon


June 9th 2010

php|tek 2010: Making a difference in your career

Once again php|architect hosted php|tek, a yearly event held once again in Chicago. Tek’s reputation is that of being the most community centered conference amongst PHP conferences; true to its reputation, this year’s edition promoted various social activities and gatherings apart from the usual conference activities.

The massive presence of various key persons in the PHP ecosystem, like Core Developers, Community Leaders, Product leaders and various representatives and evangelists from various companies is definitely a point to be noted and celebrated. This presence leads to two key aspects of the conference: great sessions and great opportunities.

Sessions ranged from introductions to various topics to advanced and more engaging sessions, giving everyone there a chance to pursue their own interests, from beginners to seasoned developers. Great talks included talks on anti-gaming techniques, in depth looks at the PHP Core, scaling, and new technologies like Git and XMPP, amongst various others.

But much more than just the great sessions, tek promoted networking. From my personal experience being a veteran PHP developer for over 10 years, this aspect can be even more important than the sessions if you are past the 3-4 year experience mark. Why, you ask? A well seasoned developer has already accumulated much experience and most sessions do not delve deep enough or simply do not address advanced topics, serving more as a point of study initiation than a full injection of knowledge. The opportunity to meet developers of the very technologies you employ on a day to day basis enables you to go much further in your studies over simple conversations that occur during lunch, in the hallway or even during after-event drinks. This is because during these opportunities you can actually address your problems directly, be it by talking to the creator of the tool, or by talking to the developers of renowned websites.

Let’s take for example the opportunity of chatting with Sebastian Bergmann, creator of PHPUnit, and being able to discuss and resolve issues you have while implementing Tests in your application, or even understand from him how you can automate your environment and implement more QA processes. Or even sit down with Matthew Weier O’Phinney, lead of the Zend Framework project, and learn how to participate in bug hunting or even solve a bug you have found right there on the spot.

Even if you do not use projects like these, imagine how much you can learn from chatting with people like Eli White, former developer of Digg, getting scaling tips tailored to your scenario straight from someone who has had the opportunity to deal with high traffic and site availability.

Even if that is not your case, consider talking to people like Lorna Jane Mitchell or Michelangelo van Dam, people who have built their careers on contributing to the community and leading great masses of developers to better qualifications, and consequently projected their own names into the halls of fame of the ecosystem, opening doors to new opportunities and places. This career advice could prove to be a turning point in any developer’s life.

All of this is possible and very welcome during the week everyone is gathered at php|tek, social gaming nights, group meals, all of this leaves everyone very comfortable to have various relaxing discussions. Even before the conference I was particularly impressed by one interesting event:

Having arrived a couple of days before the event started I had the opportunity to talk to other developers arriving early, and on the Monday, still having work to catch up on (Monday was the official release of Share My Map), I decided to head down to the lobby and get some work done. To my surprise several of the speakers were already there doing the same, and I then had the opportunity of coding surrounded by many of the creators of the tools I was using. Needless to say this was amazing because I was able to instantly get opinions on the choices I had to make from them, all experts in their own fields and all very eager to show me alternatives to the code I was writing and provide explanations of the upsides or downsides of the code in question.

These aspects of a coder’s career are often overlooked but they are key points and pieces of a successful professional life. Your network can make a difference in different stages of your career, and events like php|tek are very important and accessible opportunities to improve on these qualities.


February 6th 2010

HipHop for PHP: First look

Just this Tuesday Facebook announced an ambitious project called “HipHop for PHP”; if you missed it, general opinion says you have been coding PHP in a cave. As I write this review no code has been posted yet, but Facebook has made a great move to open source the project so we can all get our hands on it, use it and contribute to it. So since the code is not out there yet, this is literally a first impression article based on the presentation made by Facebook and various posts from core PHP developers who got a first look at the technology before the release.

What is it?

To be blunt, it’s a PHP to C++ code transformer (compiler). But that does not do it justice, so let’s look deeper. Those of you who know PHP intimately understand the process behind running PHP; it is thus:

PHP Code –interpreter–> OP CODE –Zend Engine–> Machine Language

Generally caching solutions store OP Code and reuse it instead of running the interpreter for every request. What HipHop does is completely different and surprised quite a few people who decided to guess what they were doing. On a general view this is the process (simplified):

PHP Code –parser–> C++ Code –g++–> Compiled binary

Historically PHP has always been executed on the Zend Engine, heart of PHP that has been around since PHP3, but what this solution does is that the Zend Engine has been recoded into the HipHop Runtime Engine, which instead of OP Code takes in C++ code that has been generated based on the original PHP code.

Why HipHop?

It’s a well known fact that running code in C is faster than running PHP code, for obvious reasons. It’s very common for large applications in PHP to port part of their codebase to C and package it into an extension; Yahoo and even PHP projects like Doctrine have done so. Performance of simple operations can increase by as much as hundreds of percent, depending on load and usage.

This is the premise for Facebook’s project. They have long contributed to APC and PHP to get more performance out of their code, but with the increased load of billions of pages served it was not enough, so they decided to solve the problem. One of the options on the table was to move to another language altogether, but this is where PHP shines: Facebook declared that PHP is simply a great solution because they can easily and rapidly get new programmers up to speed and developing in PHP due to its simplicity. That, and the fact that their code base consists of million+ lines of code, made them decide that this was not a solution, and thus HipHop started.

How does it work?

The idea is that PHP code can be divided into “mundane” and “magic” code. Mundane code consists of basic operations that map directly to C++ functions. This code, if converted to C++, can be executed with much higher performance, while the magic code, which is the really complex code to convert, would run at equal or slightly lower speeds. This is the point that determines whether your application can benefit from this: is it more mundane than magic?

If your answer is yes, then you may want to look into it. The converter does a lot of processing, identifying dependencies, doing static analysis and other operations to get the basic code. It then has to take care of the problematic issue: typing. PHP is a weakly typed language, meaning variables can juggle their types to and from various types. In the backend the Zend Engine implements the ZVAL type, which basically stores anything. For the C++ code the new variables are typed, so the parser needs to do all this in its Type Interface. The project’s lead engineer, Haiping Zhao, stated that one of the solutions was to map ZVALs to the C++ Variant type whenever it’s impossible to determine a specific type (failed type inference), or when typecasting occurs in the process of the script. After all this analysis, code is finally generated.

This code is then compiled against the HipHop Runtime, which as I said works like the Zend Engine but now works with specialized types instead of the abstract types in the Zend Engine. Binary in hand, this can now be run straight from the command line, or interfaced with a web server, as it’s compatible with the libevent library. Facebook also wrote a very simple web server to interface with its compiled code, replacing Apache on calls to this code (as far as information goes, they proxy PHP traffic to this server and leave resources going through Apache).

The good and the bad

Good: This leaves programmers to continue coding in PHP with no slowdowns; they can still have PHP’s ease of operation (code, run, see, fix, run, see) with no need to re-compile and such. Compilation only happens to production code and unfortunately is a slow process. The final result is one large binary, a true binary that can be executed, and it maps out to one process with multiple threads, which is interesting for other scaling topics, as this means you have one DB connection and not multiple.

Bad: It’s compatible up to PHP 5.2, existing PHP extensions need to be converted to be compatible, and there is the compilation step. With the market’s overwhelming move to 5.3 and the incredible features present in it, having to fall back on 5.2 (earlier 5.2 versions, not latest) can really be a downside to the whole thing. Also, PHP extensions based in C and not thread safe need to be rewritten in C++ to be compatible; Facebook has converted a few, but there are lots of extensions out there and we might need to use more than a few. The compilation process is long, so fixing a bug on a live production app is not as simple as fix, test, deploy, works; code must be recompiled and deployed, which is just fine if your QA processes are spotless, but in most cases you will run into delays due to compilation.

Not Supported? Some pieces of PHP are not and probably never will be supported, like eval(), create_function() and preg_replace using the /e flag. These functions won’t be missed if you like clean and quality code, but templating systems like Smarty rely on them, so that’s not good news for them.

Result? Well, Facebook has one advantage here: this is not an “experiment” or a theoretical project, it’s currently being used massively on their code base, so it works. Facebook stated a reduction of 50% CPU usage on their servers, which is the equivalent of doubling your pool of servers, really impressive results.

What’s coming down the pipe? Well current plans include PHP 5.2.12 support followed by PHP 5.3 and support for running this inside Apache (mod_hiphop?). Timeframes on this are still undeclared.

Is HipHop for you?

Among the various articles around the web, Terry Chay does a great job of helping you define if this is something you need to look into. In general I must say if you can run your application on 2 servers or less, keep going, this is not for you. If you host or code apps that will live in Hosted Services, then this is still not for you; even though some providers like Server Groove already pointed out they intend to look into supporting it, it’s still shaky ground. Also, if your application is more magic code than “mundane” code, you are still better off with PHP.

Conclusion

HipHop is an amazing concept and the complexity of it is enough to leave you in awe of the team responsible for it. It is definitely not a solution for most of the PHP-related market, apps and developers; most reviews I have seen state it’s not for 99,9% of code out there. I do think it will grow and evolve quite a bit once it is open to the community. Its open source nature will be a generous boost, and by far this has been one of the greatest moves by Facebook and something I really respect in their work.

I was quite refreshed to see a move of total innovation when all external media placed their bets on a JIT compiler or a re-write of the language. It’s a solution that holds on to one of PHP’s advantages, its simplicity, and still brings a new point of performance gains to be explored by the community. It also puts some end to the various discussions on PHP and performance, being able to generate performant code that can be compared to the likes of Java and C#. In short it takes a scripting language and promotes it to machine code.

I will wait for the code to hit github so our team can delve further into the inner workings and run it up against things like Zend Framework and Symfony, corner-stones of most applications out there; if it can’t support them its market space is restricted.

Another interesting topic to watch is fragmentation: how will the PHP community react to this? Compatibility will surely be an issue; some PHP features will not be supported in HipHop and vice-versa. Having this split can weaken the language, but if this is done in more of a “joint operation”, PHP will rise to new levels and embrace a greater audience.


December 4th 2009

Microsoft Web Developer Summit 2009 in review

This year I was honored to be invited to participate as a member of the PHP Community in Microsoft’s Web Developer Summit, so I took it upon myself to represent the huge PHP community in Brazil and bring on our opinions and beliefs.

For those that don’t know what this event is about, let me give you a glimpse into what it tries to do and accomplish and tell you what came out of it in 2009. MSWDS is all about communication: it’s a yearly event that allows Microsoft to get in touch with key players of the PHP community and interact with them on various levels, which means getting to ask us questions and letting us rant and ask them questions. It looks fun and cruel at the same time, but it’s a really awesome and effective way of getting Microsoft and PHP to do better business together. This means getting better tools and better performing PHP Apps on MS platforms, and getting both sides to know more about how the other operates.

So this was a chance for Microsoft to ask us all the questions they have piled over the last year and us a chance to cry and scream whatever grievance we had. Over 3 days we shared our notes and went over various products and opinions and shared quite a few beers and dinners at the Redmond Commons Campus.

Microsoft has been very active in the PHP area and even though this is always received with skepticism by the overall community, their actions are generating a lot of benefits for us, and Windows users in general. You cannot be right all the time, so Microsoft is still stumbling over a few items, but let’s look at some of what was shared with us. Keep in mind that the final day of the conference is under NDA so it is not included here.

One of the highlights of the event was a project led by Garrett Serack describing the process and plans for making PHP and associated libs easier to compile from source on Windows, a project that can surely give Windows a push as a viable platform for PHP, since custom PHP compilations are a big part of PHP sites. Also very interesting was the news about WebPI and IIS. IIS is working on being a centralized dashboard for system developers and administrators, and new tools like the SEO toolkit are laying down new track for innovation. The road ahead for this is still long, but MS got a lot of feedback on the kind of deploy and maintenance oriented services we developers would like to see, like work on WinCache to offer more features and make it share the spotlight with APC.

The WebPI project made life for PHP App users a breeze; its simplicity and App gallery make it very simple to install a complete web platform and get a site up and running. This, however, is not the same for developers. We felt like we needed more; solutions were gathered, and amongst them are multiple side-by-side versions of PHP and other Apps, automated testing and closed cycle solutions that can contribute back to our applications as well as make our life deploying and testing before releases much easier on this platform.

During our airing of grievances many topics came up which MS really needs to address. The long road to new projects and solutions and all the judicial red tape that needs to be cut was the starting point and showed MS they are the only ones slowing themselves down, as were the areas of the world that need more attention from MS evangelists. Recurring topics like drivers for SQL Server and better developer tools for IE7 and IE8 came up as well.

One matter that generated heated arguments was the Codeplex Foundation, which, because of ill-timed and unplanned comments in an “info-mercial like” talk, got the exact response we would expect: angry and rebellious discussion. Unfortunately Microsoft is still a huge corporation and some of it still does not understand that the developer community does not want marketing pitches. The message hit home and some sessions reverted from that format, but the Codeplex idea was still not fully compatible with most of the people there. The topic was later brought up in a round-table discussion and disagreements were sorted out, showing that MS is willing to correct some mistakes, and making clear what the intended audience is for the Codeplex Foundation project.

Some sessions had .NET solutions at their heart and were not very effective in communication; some were interesting enough to generate in us the desire to copy them over, but in my opinion these were not really in their right place for the objective of this event. New technologies like PowerShell, Azure and Silverlight got lots of attention and their explanations showed some in the room that they could get much more from them than they thought, like PowerShell, which is much more powerful than I had known until now.

Silverlight brought on new talks with its use in Bing Maps, which is now live with incredibly smooth effects and got the attention of the community outside the event because of the “extra” plugin, but in my opinion, technologies are there to be used and Google also needs some competition to step up again. Microsoft’s skill for naming projects was attacked multiple times, especially after we figured out the “ASP.NET Ajax Toolkit” was an Ajax library that had nothing to do with ASP.NET, and this was duly noted by MS for future naming.

Microsoft also had a very good opportunity to hear from main players in the PHP community about the community itself, Ramsey went over some concepts of UGs and I talked about the new organization of UGs in Brazil (simple slides) and how our community has responded to its growth, we also had sessions by Marco and Keith on uncons and community participation and a few sessions on tools and frameworks/closed apps.

One of the most important sessions showed us how we can get in touch with Microsoft and gave us some insight on the internal structure and roles of all MS related posts. This session was great and also opened the floor to questions from both sides.

The end result of this is very positive, though we may only see results in a few months or even a year. The important message I got out of this is that Microsoft is working hard on matching Linux as a viable deploy platform and a development platform, but more than that they are looking to go one better and innovate. Investing in professionals that develop PHP and its related libraries is also a way that MS can help PHP be even more viable on Windows, and right now, I guess it is, and you should give it a try.

I look forward to some of the new tools and features of current products that were showcased in open and closed sessions, I believe MS has a chance of doing great things and clean up their game, if you still believe in that ancient image the company carried.

For the Organizational Crew of MSWDS all I have to say is that you did more than an awesome job: the hotel was great, the evening social events were an awesome opportunity to get into more elaborate talks about the day’s topics, and the whole event went down without a glitch. Thank you very much for all the hard work.


November 28th 2009

PHPConfBR 2009 – Day 1 review

Day one was awesome!


November 26th 2009

PHP Conference Brasil 09 – Day 0

Tutorial day has come and passed. Sorry I did not get this out earlier, but internet, YouTube and QuickTime are not playing nice.


November 25th 2009

PHP Conference Brasil 09 – T minus 1+1/2 Day

So one and a half days before the conference I finally got around to setting up for a video blog about the conference, stealing the idea from Cal Evans and Eli White. Let’s see how it goes!

Let her rip!


October 15th 2009

The UG Rollercoaster

User Groups are today one of the greatest driving forces behind PHP; together they form PHP’s greatest triumph, the community. Around the world every day we see new groups coming together and starting new activities, sharing knowledge, promoting PHP, contributing to PHP Projects, or just plain having fun and drinking. It’s really a wonderful environment, especially for the members, who get to experience and benefit from various perks brought to them by the UG.

In this whole scenario we have a few unsung heroes, the UG leaders: fearless souls that sacrifice whatever free time they have to give back to the community and make our PHP world a better place. Ok, so they are not generally unsung; most of the community knows their names by heart, great leaders and trend-setters like Ben Ramsey, Michelangelo van Dam, Stefan Koopmanschap, Lorna Jane, Er Galvão, Silvano Girardi, Adler Medrado, Sandro Souza, Bruno “Porkaria” and countless others I have no space to mention here. I’m also a community leader, working along with my colleagues Augusto Pascutti, Anderson Casimiro and Ivan Rosolen on the PHPSP UG in São Paulo, so this may very well be a biased post, but I reckon it’s worth the writeup, not for myself but at least for all these other dedicated people who are making a difference out there.

I say unsung heroes because we are all used to seeing their success stories but hardly ever get in touch with the other side of UGs, the hard work and dealing with failures part of it. I have recently seen a trend of reactions to leaders which worries me in regard to the role of these leaders in the future of PHP: a flow of comments and accusations stating that leaders do it all for self-gain and self-promotion at the expense of the community at large. This seems to walk hand in hand with the fact stated above, that members rarely see the dark side of this story, due to the fact that we do not share our internal workings.

Leading a UG is often hard work and more often than not leaders need to deal with failures, big and small. When you see a successful UG meeting you may fail to see other related events, like the drama to get a meeting place, find interesting speakers and topics, get the necessary gear, get prizes to give out, find partners and even get food for the coffee break. All these are pushed under the rug when the event is a success, even by us leaders.

It’s not your regular pot of gold under the rainbow, and with it comes a lot of hard work, a sudden lack of free time and a not always positive rise in interest from everyone around; you will be in the spotlight, be it for good or bad. On the other hand, all efforts are worth it to get that feel-good feeling we get when we see people growing, learning and participating as a result of our efforts in whatever action we organized. That feeling is our objective, not just to feel it, but to spread it around, get more people to contribute and share that feeling with us.

This year’s testfest is an example: efforts to put it all together were enormous, from the core dev team to all UG leaders involved and everyone in the QA team. But the utter joy of seeing that percentage going up, new people filing for SVN accounts and new QA enthusiasts was worth the hassle to get it all underway.

All of these actions lay the path down for future PHP developers; new leaders will replace today’s leaders or join them in leading the groups, and lack of work is definitely not an issue. And yes, UG leaders will get the spotlight, but for all the leaders I have met, this spotlight is the last thing on their mind; it’s always about getting the next event underway, the next podcast out the door. They will benefit from their work, that’s inevitable, but I’m sure any of us can find at least one point where that leader’s work made our life easier/better, and these leaders were all in our place at some point, until they decided to act and do something. This goes further than just UGs; you can apply the same to frameworks, applications and X other initiatives, they all began at this point.

So next time you attend a UG meeting, take a second to appreciate all the hard work put into it and ask yourself, “What can I do to help?”.


October 8th 2009

Iterating over life with SPL Iterators I: Directories

In the past I have already talked about SPL and how it makes PHP developers’ lives a breeze. Since then I have felt a lack of SPL recipes around the web; if you are getting into SPL now, using some of the available classes can be a real mystery, so I decided to add more posts to Google’s list of SPL articles. So this is the first in a line that I will be adding as I come by the examples.

Wouldn’t it be nice if you could go by life just applying a foreach to each year and live day by day? Ok, that was an awful joke, but using iterators does make life a lot easier and more fun, and that’s without mentioning cleaner code. SPL’s iterator classes are really awesome and helpful; replacing multiple lines of code and a handful of functions with a simple new this and a foreach can really help clean up code. Ok, I did get into an argument that this might make the code less legible to “beginner” programmers or programmers that are not familiar with iterators and such, but hey, if you can’t understand it, read this post and learn it.

In this article I want to go over some of SPL’s Directory Iteration options, following up in more detail on the code I posted in the original SPL article. So I will now dive into the infinity of iterators and iterate (sic) over them, showing how they “go together” and where to get them to solve things for you.

Native in SPL

Native SPL classes have been converted to C, so they perform much faster and are available in any PHP install, especially since in PHP 5.3 you cannot disable SPL anymore.

DirectoryIterator (doc)(doxygen)

This is a simple iterator, as in it’s not a recursive iterator, but leave that for later so you don’t end up as dizzy as we ended up after the “Iteratah drinking game” at Tek’09. It basically replaces what you can do with the scandir function, but gives you a few more advantages on the way out. You pass it the directory you wish to iterate and it will return an object that you can foreach over as if it were an array. This is a simple task that can be done using scandir as well, so let’s compare advantages. First some code:

<?php

echo '- Iterate directory using scandir' . PHP_EOL;
echo '- Avoid DOT directories' . PHP_EOL;
echo '- Show full path' . PHP_EOL;
$dir = 'samples' . DIRECTORY_SEPARATOR . 'sampledirtree';
$files = scandir( $dir );
foreach($files as $file){
    // Both tests must hold to skip "." and ".."; with || the condition is always true
    if ($file != '.' && $file != '..'){
        echo $dir . DIRECTORY_SEPARATOR . $file . PHP_EOL;
    }
}
?>

And the same thing with DirectoryIterator:

<?php

echo '- Iterate directory using DirectoryIterator' . PHP_EOL;
echo '- Avoid DOT directories' . PHP_EOL;
echo '- Show full path' . PHP_EOL;
$files = new DirectoryIterator('samples' . DIRECTORY_SEPARATOR . 'sampledirtree');
foreach($files as $file){
    if (!$file->isDot()){
        echo $file->getRealPath() . PHP_EOL;
    }
}

?>

Output for both:

- Iterate directory using (scandir|DirectoryIterator)
- Avoid DOT directories
- Show full path
samples/sampledirtree/file1.txt
samples/sampledirtree/folder1
samples/sampledirtree/folder2

The code looks pretty much the same and we are basically performing a simple task, but one of the powerful built-in things about the DirectoryIterator is that instead of a plain string, as scandir does, it returns an SplFileInfo object packed with a whole bunch of information goodness. That lets us skip the “dot” entries ( . and .. ) without testing for both, and get a file’s full real path without having to concatenate the directory name ourselves. It actually does more; check out the main methods list: (whole list)

  • getFilename ()
  • getOwner ()
  • getPath ()
  • getPathname ()
  • getPerms ()
  • getRealPath ()
  • getSize ()
  • getType ()
  • isDir ()
  • isExecutable ()
  • isFile ()
  • isLink ()
  • isReadable ()
  • isWritable ()
  • openFile ($mode= ‘r’, $use_include_path=false, $context=NULL)

It’s arguable that this is all information you can get by calling a function, but hey, this is OO; it’s cleaner and not procedural. So it makes for much cleaner code and ease of use: you have a fully qualified object to handle a file right there, just a method call away. It’s important to notice that this does come at a performance cost, but at less than 40% and measured in much less than microseconds, this is not a major thing to worry about.

RecursiveDirectoryIterator (doc)(doxygen)

This is where the fun begins, recursive goodness. So you noticed above that the script did not follow up on the folders it found, it stayed within the first level of the directory we chose, this is where recursiveness comes in. Basically this iterator will go into directories, executing DirectoryIterator on anything that is a directory. This is done by implementing the getChildren function which allows you to get a DirectoryIterator instance of the child directory.

Using regular scandir approach we would have to use a recursive function to obtain this behavior, but using this we only need to.. “wait, even with the getChildren function we still would need a recursive function to go through it, hey! someone lied to me!” .. This is where SPL composite magic comes in, we just need to use a RecursiveIteratorIterator (see how the drinking game begins to be fun?).

The RecursiveIteratorIterator is basically an object that implements the recursive function, but without the hassle and thinking needed. Just pass a Recursive<whatever>Iterator to its constructor and foreach away; it will automatically call the getChildren functions and manage that, and you can even tell it how to behave.

<?php

function recursiveScanDir($dir){
    $files = scandir($dir);
    foreach($files as $file){
        if ($file != '.' && $file != '..'){
            if (is_dir($dir . DIRECTORY_SEPARATOR . $file)){
                recursiveScanDir($dir . DIRECTORY_SEPARATOR . $file);
            }else{
                echo $dir . DIRECTORY_SEPARATOR . $file . PHP_EOL;
            }
        }
    }
}

$dir = 'samples' . DIRECTORY_SEPARATOR . 'sampledirtree';
recursiveScanDir($dir);

?>

Now using SPL stuff with 3.5 less lines of code:

<?php

$files = new RecursiveIteratorIterator( new RecursiveDirectoryIterator('samples' . DIRECTORY_SEPARATOR . 'sampledirtree') );
foreach($files as $file){
    echo $file->getPathname() . PHP_EOL;
}

?>

Output:

samples/sampledirtree/file1.txt
samples/sampledirtree/folder1/file1.txt
samples/sampledirtree/folder1/file2.html
samples/sampledirtree/folder2/file1.html
samples/sampledirtree/folder2/file2.txt

We used default settings here, but if we set the $mode parameter of the constructor (2nd parameter), we can order it to, for example, show children first, or “leaves” only, which is very useful. If you are not seeing it yet, imagine you want to remove a directory structure: you can’t just rmdir it because it will fail due to files existing inside the folder, so you need to delete entries one by one following the hierarchy. If you use this iterator combination and ask it to show children first, you can then delete all children and afterward remove the parents, like in this code:

<?php
//Recursively delete tree structure
// SKIP_DOTS keeps "." and ".." out of the iteration (since PHP 5.3 they are returned unless this flag is set)
$files = new RecursiveIteratorIterator(new RecursiveDirectoryIterator('samples' . DIRECTORY_SEPARATOR . 'sampledirtree', FilesystemIterator::SKIP_DOTS), RecursiveIteratorIterator::CHILD_FIRST);
foreach($files as $file){
    // getPathname() rather than getRealPath(): a symlink is removed itself, not the target it resolves to
    if ($file->isDir() && !$file->isLink()){
        rmdir($file->getPathname());
    }else{
        unlink($file->getPathname());
    }
}
?>

Obviously you might not see advantages between the SPL stuff and scandir in the basic stuff, but once you start adding operations to your iteration and begin needing specific behavior, like the delete example, you begin to realize it lets you have much simpler and more readable code, plus it’s OO! (I’m a big OO fan BTW)
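The SplFileInfo methods listed earlier (getPerms, isLink, getPathname) combine with the recursive iterators into a small permissions audit. This is an added example, not code from the original article; auditTree() and the demo tree are constructed for illustration and assume a POSIX filesystem.

```php
<?php
// Added example, not from the original post. auditTree() and the demo tree
// are constructed here; assumes a POSIX filesystem (permission bits, symlinks).
function auditTree($root)
{
    $findings = array();
    $tree = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST // visit directories as well as files
    );
    foreach ($tree as $file) {
        $rel = substr($file->getPathname(), strlen($root) + 1);
        if ($file->isLink()) {
            // Test links first: isDir() and getPerms() describe the link's target.
            $findings[] = 'symlink        ' . $rel . ' -> ' . $file->getLinkTarget();
        } elseif ($file->getPerms() & 0002) { // write bit for "other"
            $findings[] = sprintf('world-writable %s (%04o)', $rel, $file->getPerms() & 07777);
        }
    }
    sort($findings);
    return $findings;
}

// Constructed demo tree so the example runs offline.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'spl_audit_' . getmypid();
mkdir($root . DIRECTORY_SEPARATOR . 'folder1', 0755, true);
$ok   = $root . DIRECTORY_SEPARATOR . 'file1.txt';
$open = $root . DIRECTORY_SEPARATOR . 'folder1' . DIRECTORY_SEPARATOR . 'upload.txt';
$link = $root . DIRECTORY_SEPARATOR . 'folder1' . DIRECTORY_SEPARATOR . 'outside';
file_put_contents($ok, 'a');
file_put_contents($open, 'b');
chmod($ok, 0644);
chmod($open, 0666);
symlink(sys_get_temp_dir(), $link); // points outside the audited tree

foreach (auditTree($root) as $line) {
    echo $line . PHP_EOL;
}

// Clean up: remove the link itself, never its target.
unlink($link); unlink($open); unlink($ok);
rmdir($root . DIRECTORY_SEPARATOR . 'folder1');
rmdir($root);
```

RecursiveDirectoryIterator does not descend into symlinked directories unless FOLLOW_SYMLINKS is set, so the link is reported but the walk stays inside the tree.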

Non-native in SPL

Non-native SPL classes are currently available as examples, and some will be converted to C and integrated into the native part of SPL. Some are useful as examples that you can then implement locally for your own use, or you can load these examples into your code in one of two ways:

  • Add ext/spl/examples/autoload.inc to your php.ini in auto_prepend_file (or add it to the file already set in auto_prepend_file)
  • Include ext/spl/examples/autoload.inc in your application

The autoload.inc file is available in the folder above which should be in your PHP install or in the source code you can download from PHP.net. I would recommend downloading this and adding it into your application tree if you wish to use it.

Personal Recommendation: Use everything in the examples folder as inspiration to what you can do with SPL and implement it locally

DirectoryTreeIterator (doxygen)

The DirectoryTreeIterator is more interesting as an example of what you can do with the iterators than as something you might actually use on a daily basis. It basically does what the RecursiveDirectoryIterator does but displays the result as an ASCII directory tree, so using this code:

<?php
set_include_path( get_include_path() . PATH_SEPARATOR . 'spl' . DIRECTORY_SEPARATOR . 'examples' );
include('spl' . DIRECTORY_SEPARATOR . 'examples' . DIRECTORY_SEPARATOR . 'autoload.inc');

$files = new DirectoryTreeIterator('samples' . DIRECTORY_SEPARATOR . 'sampledirtree');

foreach($files as $file){
    echo $file . PHP_EOL;
}

?>

We get this result:

|-samples/sampledirtree/file1.txt
|-samples/sampledirtree/folder1
| |-samples/sampledirtree/folder1/file1.txt
| \-samples/sampledirtree/folder1/file2.html
\-samples/sampledirtree/folder2
  |-samples/sampledirtree/folder2/file1.html
  \-samples/sampledirtree/folder2/file2.txt

Since I said it’s more interesting as an example, let’s look at the actual source code of the class that does the printing:

function current()
{
    $tree = '';
    for ($l=0; $l < $this->getDepth(); $l++) {
        $tree .= $this->getSubIterator($l)->hasNext() ? '| ' : '  ';
    }
    return $tree . ($this->getSubIterator($l)->hasNext() ? '|-' : '\-')
           . $this->getSubIterator($l)->__toString();
}

As you can see, it’s just a matter of turning the ASCII into images and CSS and you can very easily have a directory tree anywhere on your site, just by taking advantage of the RecursiveDirectoryIterator.

End of Part I…

This is a brief overview of what you can do with all the Directory Iterators available in SPL. Combining these directory iterators with other navigation iterators you can do a lot more. This will be the topic of another post soon, where I will talk about all the different iterators you can use to iterate over iterators (say that 3x fast!), all the way from the FilterIterator to the InfiniteIterator. I hope this helps you get an idea of how to make your code better with SPL.


September 29th 2009

PHP Security: Are you paying attention?

Security is a recurring topic when the talk is about technology, or any other area for that matter. To take security for granted when you are developing an application, as simple as it may be, is a huge mistake which can take a turn for the worse. I have run into lots of excuses for ignoring security in the past; one of them is the recurring “This is just a simple application, it has no sensitive data”. This may be a valid point for the person repeating it like a mantra, especially because this person is generally suffering from great pressure, short timeframes and a lack of proper management ready to deal with web development. Cal Evans in his Open Teams session gives a perfect example of this when he tells us about a project with an impossible due date. Upon questioning the due date with the marketing department, their reply was straightforward: “Because that’s when the brochures are done”. This is an example of the lack of perception around web development and all the issues we need to take into consideration when developing applications.

Whatever the reason is for neglecting security, the consequences can escalate much higher than the “non-sensitive data” of the application. I can cite a recent example that happened to one of the biggest Brazilian mobile companies. A simple issue was found in a file called popup.php. The objective of the file fits into the excuse mentioned above: it just had to append the company logo and load a given file’s content into a popup window.

Doing a little role-play simulation, we can easily imagine that the need for this page probably started in the <insert non-tech department> and got to the tech department with urgent priority, usually on a Friday EOD, when the manager is leaving and the developers are just waiting for the boss to leave in order to get to the closest bar for a happy hour. In the rush of things, neglecting security and any other management process, the order is “just do it”. This generally leads to the easiest way out, so that whatever purpose the fix fits will be live before the weekend. No problem, you say, “leave it like that during the weekend and redo it on Monday following the proper protocols”. That’s iffy behavior nonetheless, but in a real world example this feature will only be revisited on one occasion: the day it does an EPIC FAIL.

Doing a post-mortem analysis on the flaw I described, we can easily find out what happened. The final URL used by the popup.php file had a “url” GET var attached to it, and the value usually pointed to another HTML or PHP file. This was the first indication that this was a sleeping time bomb, so the first thing someone tried was to point that to a file, any file that would be “unexpected”, like so:

[Image: Exploit in the URL]

The result of this request threw two security issues overlooked by the developer directly into our faces. Can you guess which ones?

[Image: Vivo - Error]

Ok, so the first mistake here was leaving display_errors on; because it was left on, the error output now shows us the second mistake, which can be one or two depending on how you think of it. The obvious one is neglecting the security karma everyone needs to know, which is: “Filter input, escape output”. Since the script actually executed an include on the file given, we can say that the developer did not check the value provided in the “url” parameter in any way; at the very least he should have checked that it was still inside the site’s file tree.

To make this exploit something dangerous you just need to start passing it the usual sensitive Linux files, like /etc/passwd, or try to load the Apache httpd.conf file, which BTW actually worked.

[Image: passwd]

Analysing these files showed that the issue was really bad. The actual site had little valuable information, but the files did show that the server had much more on it than just this simple site, hence the EPIC FAIL and the domino effect of compromising all systems on that machine. Another factor makes this epic: Twitter. This flaw was only fixed 2 days after the first report and in the meantime it ran circles around Twitter, giving everyone the chance to look at conf files and whatever else they could think of looking for. Only the victim can tell if any sensitive data was compromised, but given the flaw and the creativity of hackers nowadays, something was compromised for sure.
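The containment check the post-mortem calls for (“still in the site’s file tree”), as an added example that is not the affected site’s code. resolvePopupFile(), the extension allow-list and the demo directory are assumptions made for illustration.

```php
<?php
// Added example, not the affected site's code. resolvePopupFile(), the
// extension list and the demo directory are hypothetical names.

/**
 * Returns the canonical path of $requested when it is a regular file with an
 * allowed extension inside $root; returns null for everything else.
 */
function resolvePopupFile($root, $requested, array $allowedExt = array('html', 'htm', 'txt'))
{
    $rootReal = realpath($root);
    // Reject arrays (?url[]=x), empty values, NUL bytes and scheme-style values.
    if ($rootReal === false || !is_string($requested) || $requested === ''
        || strpos($requested, "\0") !== false || strpos($requested, '://') !== false) {
        return null;
    }
    // realpath() collapses "../" and symlinks; it returns false for missing files.
    $real = realpath($rootReal . DIRECTORY_SEPARATOR . $requested);
    if ($real === false || !is_file($real)) {
        return null;
    }
    // The trailing separator keeps a sibling such as "popups-old" from matching "popups".
    $prefix = rtrim($rootReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    $ext = strtolower(pathinfo($real, PATHINFO_EXTENSION));
    return in_array($ext, $allowedExt, true) ? $real : null;
}

// Constructed demo directory and inputs so the example runs offline.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'popup_demo_' . getmypid();
mkdir($root);
file_put_contents($root . DIRECTORY_SEPARATOR . 'promo.html', '<p>promo</p>');

$inputs = array('promo.html', '../../../../etc/passwd', '/etc/passwd', 'http://example.invalid/page.html');
foreach ($inputs as $value) {
    $path = resolvePopupFile($root, $value);
    // In the page itself: readfile($path) when not null, a 404 otherwise. readfile()
    // sends the bytes as data, whereas include would execute any PHP they contain.
    echo str_pad($value, 34) . ($path === null ? 'rejected' : 'served ' . basename($path)) . PHP_EOL;
}

unlink($root . DIRECTORY_SEPARATOR . 'promo.html');
rmdir($root);
```

Only the first constructed input resolves to a file inside the demo directory; pairing this check with display_errors turned off in production covers both mistakes named above.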

So security is not a simple “injection” or “pill” to give your application after it’s live. Security needs to come from the ground up; leave the pills for the occasional bug which will always come up, after all it’s software. Your development cycle needs to include security topics, be they tests, validations or anything you can think of. OWASP is a great source for points to think about. No feature should roll out the door if it did not take this into consideration. One idea is to incorporate security into your Definition of Done, so a task can only be complete after security steps are taken to validate it. Peer review and tests can also contribute to this; two heads are better than one. Managers should be as worried about this as the programmers. An example of a Definition of Done is:

  • Developed
  • Tested (Unit Tests written and executed)
  • Documentation (proper doc file or PHPDoc blocks for code segments)
  • Peer review
  • Security check (for known flaws, like input filtering)
  • Load Testing

Every task needs to include this; though it may cost valuable project development time, it will save you even more in lawsuits if your site gets hacked. This gives the developer time to plan each feature and reduces the risk of exploits going out the door. This is part of becoming a professional developer and leaving behind the code-hacker nature which just codes and does not consider the environment around the application. Needless to say, this has to be embraced by management, because it’s usually up to them to fight the battles for longer timeframes and proper development cycles, not just succumb to external pressures and risk distributing dangerous code.
