PHP & Web Development Blogs

In today's digital age, where data breaches and cyber attacks are increasingly prevalent, safeguarding sensitive information is paramount. Cryptography, the art of secure communication, plays a crucial role in ensuring data confidentiality, integrity, and authenticity. Implementing cryptography in PHP, one of the most widely used server-side scripting languages, offers a robust means to protect your data. In this guide, we'll explore how to utilize cryptography effectively in PHP to enhance the security of your applications.

Understanding Cryptography Basics

Before diving into PHP implementations, it's essential to grasp the fundamental concepts of cryptography. At its core, cryptography involves techniques for encrypting plaintext data into ciphertext to conceal its meaning from unauthorized parties. Key aspects of cryptography include:
   
. Encryption: The process of converting plaintext data into ciphertext using an algorithm and a secret key. This ciphertext can only be decrypted back to its original form using the appropriate decryption key.
   
. Decryption: The reverse process of encryption, where ciphertext is transformed back into plaintext using the decryption algorithm and the correct key.
   
. Symmetric Encryption: A type of encryption where the same key is used for both encryption and decryption. Examples include AES (Advanced Encryption Standard) and DES (Data Encryption Standard).
   
. Asymmetric Encryption: Also known as public-key cryptography, it involves a pair of keys: a public key for encryption and a private key for decryption. RSA and ECC (Elliptic Curve Cryptography) are common asymmetric encryption algorithms.

Implementing Cryptography in PHP

PHP provides robust cryptographic functions through its OpenSSL and Mcrypt extensions, allowing developers to implement various encryption techniques easily. Here's a step-by-step guide on how to perform common cryptographic operations in PHP:

1. Symmetric Encryption

<?php
$encryptionKey = openssl_random_pseudo_bytes(32);

$plaintext = "Sensitive data to encrypt";
$ciphertext = openssl_encrypt($plaintext, 'aes-256-cbc', $encryptionKey, 0, $iv);

$decryptedText = openssl_decrypt($ciphertext, 'aes-256-cbc', $encryptionKey, 0, $iv);

echo $decryptedText;
?>

2. Asymmetric Encryption

<?php
$config = array(
 "digest_alg" => "sha512",
 "private_key_bits" => 4096,
 "private_key_type" => OPENSSL_KEYTYPE_RSA,
);
$keyPair = openssl_pkey_new($config);

openssl_pkey_export($keyPair, $privateKey);
$publicKey = openssl_pkey_get_details($keyPair)["key"];

$plaintext = "Confidential message";
openssl_public_encrypt($plaintext, $encrypted, $publicKey);

openssl_private_decrypt($encrypted, $decrypted, $privateKey);

echo $decrypted;
?>

Best Practices for Cryptography in PHP

While implementing cryptography in PHP, it's essential to adhere to best practices to ensure maximum security:
   
. Use Strong Algorithms: Always use widely recognized cryptographic algorithms like AES for symmetric encryption and RSA for asymmetric encryption.
   
. Key Management: Safeguard encryption keys carefully. Utilize secure key management practices, such as storing keys in secure vaults and rotating them regularly.
   
. Data Integrity: Implement mechanisms to verify data integrity, such as HMAC (Hash-based Message Authentication Code), to detect tampering attempts.
   
. Secure Communication: When transmitting encrypted data over networks, use secure protocols like HTTPS to prevent eavesdropping and man-in-the-middle attacks.
   
. Stay Updated: Keep PHP and cryptographic libraries up to date to patch any security vulnerabilities and ensure compatibility with the latest cryptographic standards.

By following these guidelines and leveraging the cryptographic capabilities of PHP, developers can strengthen the security posture of their applications and protect sensitive data from unauthorized access. Remember, effective cryptography is not just about encryption but also encompasses key management, integrity verification, and secure communication practices. With diligence and proper implementation, PHP can be a powerful tool for building secure and resilient systems in today's digital landscape.

Unit testing is a crucial aspect of modern software development, ensuring that individual units of code function correctly in isolation. In PHP, unit testing helps developers identify bugs early in the development cycle, improve code quality, and facilitate code maintenance. In this comprehensive guide, we'll walk you through the process of creating unit tests in PHP, using popular testing frameworks like PHPUnit.

Why Unit Testing?

Unit testing involves testing individual components or units of code in isolation from the rest of the application. Here are some reasons why unit testing is essential:
   
. Bug Detection: Unit tests help identify bugs and regressions early in the development process, making them easier and cheaper to fix.
   
. Code Quality: Writing unit tests encourages developers to write modular, well-structured, and maintainable code.
   
. Improved Documentation: Unit tests serve as executable documentation, providing clear examples of how individual components of your code should behave.

Getting Started with PHPUnit:

PHPUnit is the most widely used testing framework for PHP. It provides a robust set of features for writing and executing unit tests. Let's dive into how you can get started with PHPUnit:

Installation:

You can install PHPUnit using Composer, the PHP package manager. Simply navigate to your project directory and run the following command:

composer require --dev phpunit/phpunit

This command installs PHPUnit as a development dependency in your project.

Writing Your First Test:

Now that PHPUnit is installed, let's create a simple test case. Create a new directory named tests in your project root, and within that directory, create a file named ExampleTest.php. Here's an example of what your test file might look like:

<?php

use PHPUnit\Framework\TestCase;

class ExampleTest extends TestCase
{
 public function testTrueAssertsToTrue()
 {
 $this->assertTrue(true);
 }
}

This test case contains a single test method named testTrueAssertsToTrue, which asserts that true is indeed true.

Running Tests:

To run your tests, simply execute PHPUnit from the command line, pointing it to your test directory. Run the following command in your project root:

vendor/bin/phpunit tests

PHPUnit will discover and execute all test cases within the specified directory, providing detailed feedback on the results.

Writing Testable Code:

Writing testable code is essential for effective unit testing. Here are some best practices to follow:
   
. Separation of Concerns: Ensure that your code follows the principle of separation of concerns, with clear boundaries between different components.
   
. Dependency Injection: Use dependency injection to inject dependencies into your classes, making it easier to replace them with mock objects during testing.
   
. Mocking and Stubbing: Use PHPUnit's mocking and stubbing features to simulate the behavior of dependencies and isolate the code under test.

Advanced Features:

PHPUnit provides a wide range of advanced features for writing comprehensive unit tests. Some notable features include:

-Data Providers: Use data providers to run a test method with multiple sets of data.

-Annotations: PHPUnit supports annotations for marking test methods, setting up fixtures, and configuring test execution.

-Code Coverage: PHPUnit can generate code coverage reports, showing which parts of your codebase are covered by your tests.

Conclusion:

Unit testing is an indispensable practice in modern PHP development, and PHPUnit makes it easy to write and execute unit tests for your codebase. In this guide, we've covered the basics of getting started with PHPUnit, writing testable code, and leveraging advanced features to write comprehensive unit tests. By incorporating unit testing into your development workflow, you can improve code quality, reduce bugs, and build more robust and maintainable PHP applications.

You've built an amazing website, but how do you make sure people can find your site via search engines? In this article we cover 10 best practices to make sure your article not only stands out, but ranks well with search engines.

1. Take time to research keywords

To determine the best keywords for your site, you'll need to do some keyword research. This usually consists of combing through your competitors' sites for the keywords that are driving them the most traffic. There are several ways you can get started with keyword research. One recommended way is to create a spreadsheet with your competitors' sites listed and add keywords that you can copy and paste your competitors' keywords into Google's Keyword Tool and Google Webmaster Tools Keyword Analyzer tool. Analyze your competition's site's website titles to find out what keywords they are using tools such as Ahrefs, Moz, SpyFu, or SEMrush to find out what keywords others are using on your competitor's site.

2. Focus on your Title tag

This is the headline for every article. It needs to be bold and attention grabbing so it can catch the eye of potential users. Pick it somewhere around 60-90 characters to make sure it is displayed properly in search engines as well as readable in the browser tab. As you write your title, focus on the unique keywords your readers are likely to search for. Also make sure that the keywords you select are relevant to your page. Another good practice is to make the title tag and your header (h1) the same.

3. Carefully craft your H1, H2, H3 tags

Careful usage of header tags helps search engines identify keywords within your page. To get the best results from your header tags, use H1, H2, and H3 in order with keywords in your H2 and H3 headers that support your H1 tag. Remember, your H1 tag should mimic your title tag, whereas the H2 and H3 can expand and add additional context. You can also utilize multiple H2 and H3 tags, however be sure that these headers are supporting the H1 tag and relevant to the content on your page. Using irrelevant header keywords can actually work to your disadvantage.

4. Avoid loading content with JavaScript

Despite it's popularity, JavaScript is not yet well supported by search engines and can mask important content. Progressive Web Apps in particular can suffer as key content is loaded after the page is spidered, or in the case of many search engines that do not yet index JavaScript not loaded at all. This is also the case for many social media sites, meaning that content loaded dynamically is not evaluated or pulled in, resulting in the default skeleton of your site being what shows up in search engines and in link previews.

5. Carefully name images

In the past search engines would evaluate your images based on their alt tag, however as more and more developers loaded irrelevant keywords into this hidden image text search engines instead added more emphasis to the actual name of the image itself. This means using generic image names such as 1.jpg can actually hurt your site ranking as search engines might be looking for seokeywords.jpg. Now, just because you're carefully naming your images with relevant keywords describing the image doesn't mean you should ignore the alt tag. Be sure to continue to include alt tags for older search engines, in the case the image doesn't load, and for accessibility (ie screen readers).

6. Work to improve your page load time

It’s not a secret that faster sites rank higher in search engines. Most search engines use the PageSpeed Index from Google to determine the speed of websites. One thing Google looks at is how fast images are loading. For this reason, we recommend taking a look at how long it takes for the first image to load on your site or even take advantage of lazy loading for non-critical images. You want images to be loading within 30 seconds at the absolute latest, before the user can actually click on the page. You also need to make sure that if you're using multiple images that they load as one group. Next, take a look at how long it takes to load a webpage. Are pages taking longer than three seconds to load on your site? You want to have pages that load fast for users, but your code and templates can easily be causing this to happen.

7. Optimize text throughout your page

Beyond your title tag, headers, and images it's important to work keywords into your standard content, while also working to avoid overloading keywords. To help prevent overloading and increase search engine rankings across multiple keywords you can use alternative phrases. In the case of "PHP training" an alternative phrase might be "PHP tutorials" or "PHP course." This both helps support the primary keyword, while also allowing the page to rank for these keywords as well. Remember to use the tools referenced above to find the keywords that are right for your site, and then work them in to natural sentences without forcing keywords or becoming overly repetitive. Also keep in mind, just as important as the content and keywords on the page are to search engines, how users engage with that content is also critical. If your page experience's high bounce rates or low engagement with the content, it is likely to be deprioritized by search engines, meaning a page highly optimized for search engines but not humans may enjoy a higher ranking, but only for a short time before it is heavily penalized.

8. Build your Domain and Page Authority

Domain and Page Authority are determined not just by the number of back-links (or sites linking to your domain or page), but also the quality of the sites and pages linking to you. One practice that has made obtaining a better DA or PA harder has been purchasing or acquiring bulk back-links. Note this practice is actually against Google's TOS and may result in your entire site being banned from their search results! Because of this practice, it's important to focus on high quality sites and work to get back-links naturally either through partnerships or syndicated content (such as blog posts). You can also check your DA here or using one of the many tools referenced above.

9. Take advantage of social media

Speaking of back-links, social media can be a powerful tool for increasing page visibility while also improving your search engine rankings! Remember, most social sites do not support or read JavaScript, so ensure your content is available on the page. If you do have a progressive web app with JavaScript loading your content, look into using Headless Chrome to render a JavaScript free version of your site for specific bots (note - the content MUST be the same content a user would see or your site may be blocked). There are also numerous tools to allow you to build the content via JavaScript on the server backend before passing it to your readers. To help get even more exposure, consider adding social share links or tools like AddThis.

10. Good SEO takes time

The truth is that there really aren't any special secrets or ingredients to ranking well in search engines (well not that Google has publicly shared). Instead it's about properly formatting your page, making sure it's readable to search engines, and providing content that your readers will engage with. As you provide more valuable content, and more people like and link to your content - your site's Domain Authority will gradually increase, giving your site and pages more powerful - resulting in a higher ranking.

In his talk Websockets in PHP, John Fransler walks us through the use of WebSockets in PHP.

While discussing bi-directional real-time application development, John notes that PHP is often not invited to the table due to its lack of native support. Of all the possible attempts to bring in PHP on this stage of real-time development, Ratchet, a PHP WebSocket library, comes closest. "Ratchet is a loosely coupled PHP library providing developers with tools to create real-time, bi-directional applications between clients and servers over WebSockets."* Ahem!

Today's dynamic world

In today's dynamic content world of the internet, it is required to serve real-time bi-directional messages between clients and servers. WebSockets are simple, full-duplex, and persistent. They work over Http and are a standard today.

WebSockets have compatibility with 96.5% of clients globally

There's a very high chance your client has the necessary plumbing to access your content via WebSockets. WebSockets gives the ability to have real-time data on to your clients without the need for polling.

To understand WebSockets, John takes an example of a Javascript client and Ratchet Server. Javascript has everything built in to allow access to a socket. For example, you can use the send method on a WebSocket variable to send a message to the server, or if you want to respond to a message from the server, you use the OnConnection method.

While on the Server, John uses Ratchet, which is built on React PHP. A server script is then configured and set up to run and listen on a port for incoming HTTP requests. For messages, JSON is used, and to find public methods, a router is set up. He then goes on to instantiate the server-side script in Ratchet.

There are four functions of a Ratchets message component interface that are used in this example:

OnOpen gets called when a new connection is made.

OnClose gets called when a client quits. It's essential to keep an eye on memory management, and essential to keep tidying up as you move through the code.

OnError gets called when there is an exception faced by the user.

OnMessage gives the text of the JSON message, which is being exchanged with the client.

For Initialization, Jason continues to walk through the example. He shows how one can loop through the clients, both inside the server and outside the server. Outside the server, it’s a feature of React PHP. On database access, and with traditional standard synchronous MySQL in PHP, what usually happens is that it forces the code to wait for the query to return a result and do nothing — Fortunately, with Asynchronous MySQLi, that is not the case.

John gets into the details explaining Variables, References & Pointers. He also gives a demo where a central site has updated information on the Bitcoin and ether prices. A client terminal reflects the last values. Now the client doesn't have to poll the server for new values. When there is a change in the Bitcoin or ether values, the server pushes down the client's update. No polling helps with a lot of overheads and gets closer to real-time.

Using Supervisord

For Long-running applications - Jason recommends running a supervisord, use proxy to expose the port, and add a site certificate. Supervisord keeps an eye out for the server running the service; it can be used to restart the service and log any service issues. Recommended proxies are AWS load balancer, Nginx, and HA Proxy. For scalability, use multiple smaller WebSocket servers and a smaller number of clients per server used and load balancing. If one has to support a chat feature to allow clients to talk to each other in near real-time, it is recommended to use Redis. The Redis server proxies the messages between the server nodes.

The talk concludes with John summarizing best practices on error handling and takes QnA on various aspects of WebSockets such as handling load balancers and asynchronous calls to MSQLi.

The presentation for this video, along with the code, is hosted at John Curt's GitHub. More info about John's current areas of interest can be found on John's Blog.

Watch the video now

Related videos

Your biggest asset is also your biggest risk... your developers

Your business thrives because of the incredible work and innovation of your developers. With simple keystrokes your developers can completely transform your business, add new features, and drive new sales.

But those same keystrokes can take down production, create security back doors, and put your business at risk. That's why it's more important than ever for your team members to be up to speed with the latest technology, especially around performance and security.

Of course, some things are easier said than done - after all everyone is super busy these days. So how can you help keep your team members learning, and putting your business first in the process?

Conference Parties

There's nothing better than attending a PHP or programming conference in person - the chance to meet speakers face to face, to network, the knowledge, and the hallway track. However, many companies aren't able to afford multiple (or even one) conference for their developers - especially ones that require airfare and hotel.

However, that doesn't mean you shouldn't still participate in these conferences. The good news is that roughly once a quarter Nomad PHP streams talks from a conference right to your computer. This means that your team members can all participate in a multi-day conference from the comfort of your office (or their home) - and you can provide this for your team for less than the cost of a single conference ticket!

Make the conference party even more special by providing lunch during the lunch break, bringing in party gifts, having give-aways during the conference, and planning activities during longer breaks for your team.

Since many conferences take place on Friday, not only are you providing invaluable training and an incredible work benefit, but ending the week on a super positive note that your team members will appreciate (and your risk assessment teams will greatly appreciate as new security practices and compliance practices are put into place).

Monthly Lunch and Learns

Every month Nomad PHP offers live virtual talks by the industry's top experts. With talks at 11am Pacific, and 6pm Pacific it's a perfect time to grab a conference room and order a couple pizzas for lunch (or if Eastern, grab some snacks and maybe a beer) and play the monthly meeting on the large screen.

Your team members will have the opportunity to take notes, discuss with each other, and perhaps most importantly ask the speaker real-world questions that directly impact your business, providing tangible solutions to the problems they are facing.

And since every Nomad PHP Pro meeting is recorded, your team members can refer back to the video at any time, watching sections relevant to them or digging in for more information.

Developer Book Club

Encourage your team members to share what they're learning with others, and help build each other up. Not only are you helping grow skills and ensure your team is following the latest best practices, but you're also fostering a mentor-mentality within your team - where each team member feels invested in the growth of other members.

With Nomad PHP you receive a new issue of [php[architect]](/books) each month and have several additional books available to read on demand - providing the latest updates and an invaluable resource to help your book club get started.

Developer Movie Nights

Sometimes we all just want to get away, grab some popcorn, and watch a movie. Similar to lunch and learns, give your developers a night or two where they can get together and watch one of the 250+ training videos available on Nomad PHP. You can even make it a movie marathon!

Whether it's pizza, popcorn, sodas, beers - your team members will have the chance to kick back, relax a bit, build team camaraderie, and learn valuable skills to help your business succeed. Essentially, turning a training day into a fun team-bonding activity.

Learning Path Challenges

Every company has challenges, and areas they need their team members to master. Whether it's DevOps and containerization, security, performance, management, modernization, or soft skills - work with your team to determine what skills will help them succeed and work with your team members to put together video learning paths.

Your team members can watch through these videos on-demand, go back and replay to refresh their knowledge, and work their way towards mastery in the subjects that will help your company succeed.

Certification

Show that you are invested in your developers by helping them earn Professional Certification. These certifications demonstrate that your team members have a fundamental grasp of the technology they are working with and understand when and how to use this technology.

With free certification exams included with Nomad PHP - you no longer have to worry about failed exams or expensive test credits. Your team members can take the exams at their own pace, discover the areas they need to improve, and take the exam again when they are ready. After all, shouldn't the goal of certification be to help your developers learn these skills and prove their expertise?

You can go even further with certifications by having a special company award, framing their certificate, or calling out newly certified developers at team meetings or all-hands.

Learning Incentives/ Rewards

Of course there are even more ways you can help your developers learn new skills, grow their careers, and build loyalty within your company. With Nomad PHP there are numerous ways for your team members to grow their skills, and numerous ways you can reward/ incentivize them - from rewards for the most active learner, to setting goals for learning new skills, to obtaining certifications, to attending streams, to watching videos on-demand. All of these are included with our Professional Nomad PHP Team subscriptions.

Want to learn more about getting a Nomad Team Subscription for your developers? Give us a call (844) CODE-PHP

Have more ideas on how to help your developers grow their skills or help employers make education more accessible? Please leave your ideas in the comments below!