@rdlowrey
rdlowrey / keybase.md
Created April 12, 2018 13:21

Keybase proof

I hereby claim:

  • I am rdlowrey on github.
  • I am rdlowrey (https://keybase.io/rdlowrey) on keybase.
  • I have a public key ASBeQKDHmLVbYmkyKlQ5gtlC1y41gcvv-rSB4tYjNJBqago

To claim this, I am signing this object:

Keybase proof

I hereby claim:

  • I am rdlowrey on github.
  • I am dlowrey (https://keybase.io/dlowrey) on keybase.
  • I have a public key whose fingerprint is BA24 A9CC 19EE 0EBA 2078 1F9F AEE1 B63D FC9D 0D88

To claim this, I am signing this object:

<?php
function myHttpHandler(Request $request, Response $response) {
    // async function that returns a promise
    // we use yield to wait for that promise to resolve then resume here
    // if there's some kind of error it will be thrown into our generator
    $session = yield loadSessionFromRequest($request);
    if ($session->hasValue('isLoggedIn')) {
        // pass the individual promises from generateHttpBody() through using `yield from`
@rdlowrey
rdlowrey / cpu-core-count.php
Created February 20, 2015 14:50
OS-generalized CPU counting
<?php
function countCpuCores() {
    $os = (stripos(PHP_OS, "WIN") === 0) ? "win" : strtolower(trim(shell_exec("uname")));
    switch ($os) {
        case "win":
            $cmd = "wmic cpu get NumberOfCores";
            break;
        case "linux":
            $cmd = "cat /proc/cpuinfo | grep processor | wc -l";
            break;
@rdlowrey
rdlowrey / strict-scalars.php
Last active August 29, 2015 14:15
Are you *sure* you don't need strict scalar typehints?
<?php
$ch = curl_init();
// 1: only verify that the peer cert HAS a name field
// 2: verify that the name ACTUALLY matches the domain you connected to
// true: cast to 1
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, true);
// Mercifully the newest versions of libcurl now disable 1 for this setting.
// This is a prime example of undetectable scalar conversion catastrophe.
@rdlowrey
rdlowrey / bench.js
Last active December 3, 2022 15:07
PHP vs Node.js scraping
/*
$ npm install request
$ node bench.js
*/
var request = require('request');
var url = 'http://www.google.com';
var total_requests = 100;
var i;
@rdlowrey
rdlowrey / uri-dot-segment-removal.php
Last active July 14, 2023 12:51
Remove dot segments from a URI path according to RFC3986 Section 5.2.4
<?php
/**
 * Remove dot segments from a URI path according to RFC3986 Section 5.2.4
 *
 * @param $path
 * @return string
 * @link http://www.ietf.org/rfc/rfc3986.txt
 */
function removeDotPathSegments($path) {
@rdlowrey
rdlowrey / php56-ssl-tls-improvements.md
Created February 16, 2014 17:07
SSL/TLS improvements in PHP 5.6

[RFC] TLS Peer Verification

  • Verify peer certificates in client streams by default
  • Use operating system managed default cert stores if not otherwise specified
  • Windows is still an issue as it uses a different cert format (I'm working on it)

[RFC] Improved TLS Defaults

  • Makes everything SSL/TLS more secure without any user knowledge required
  • Vastly improved support for encrypted stream servers (à la node.js)
@rdlowrey
rdlowrey / pgsql-async.php
Last active January 16, 2020 17:14
Example usage of new non-blocking pgsql behavior
<?php
// Connect asynchronously (new constant for bitwise arg 2: PGSQL_CONNECT_ASYNC)
if (!$db = pg_connect($conn_str, PGSQL_CONNECT_ASYNC)) {
    echo "pg_connect() error\n";
} elseif (pg_connection_status($db) === PGSQL_CONNECTION_BAD) {
    echo "pg_connect() error\n";
} elseif (!$stream = pg_socket($db)) {
    echo "pg_socket() error\n";
}
@rdlowrey
rdlowrey / secure-http.md
Last active December 23, 2015 09:59
Secure stream encryption with native PHP.

PHP disables SSL/TLS peer verification by default. While this design decision significantly simplifies encrypted HTTP retrieval, it also means your transfers are totally vulnerable to Man-in-the-Middle attacks. To fully secure our transfers we need to verify that the party at the other end of our transfer is actually who they say they are.

To accomplish this we need two things:

  1. A CA file (in .PEM format) so we can tell openssl which certificate authorities we trust
  2. A stream context that specifies this CA file and instructs openssl to verify the other party

We can easily obtain the same CA file (direct link to .pem file) used by the Mozilla Foundation (the exact one cURL uses, BTW). This file is usually updated a handful of times each year and it's important to keep your CA file up-to-date or you risk trusting certificate authorities that are known to be insecure/unsafe. This kind of thing doesn't happen often, but it's important to upd