View keybase.md

Keybase proof

I hereby claim:

  • I am rdlowrey on github.
  • I am rdlowrey (https://keybase.io/rdlowrey) on keybase.
  • I have a public key ASBeQKDHmLVbYmkyKlQ5gtlC1y41gcvv-rSB4tYjNJBqago

To claim this, I am signing this object:

View keybase.md

Keybase proof

I hereby claim:

  • I am rdlowrey on github.
  • I am dlowrey (https://keybase.io/dlowrey) on keybase.
  • I have a public key whose fingerprint is BA24 A9CC 19EE 0EBA 2078 1F9F AEE1 B63D FC9D 0D88

To claim this, I am signing this object:

View yield-from-example.php
<?php
function myHttpHandler(Request $request, Response $response) {
    // async function that returns a promise
    // we use yield to wait for that promise to resolve then resume here
    // if there's some kind of error it will be thrown into our generator
    $session = yield loadSessionFromRequest($request);
    if ($session->hasValue('isLoggedIn')) {
        // pass the individual promises from generateHttpBody() through using `yield from`
@rdlowrey
rdlowrey / cpu-core-count.php
Created Feb 20, 2015
OS-generalized CPU counting
View cpu-core-count.php
<?php
function countCpuCores() {
    $os = (stripos(PHP_OS, "WIN") === 0) ? "win" : strtolower(trim(shell_exec("uname")));
    switch ($os) {
        case "win":
            $cmd = "wmic cpu get NumberOfCores";
            break;
        case "linux":
            $cmd = "cat /proc/cpuinfo | grep processor | wc -l";
            break;
@rdlowrey
rdlowrey / strict-scalars.php
Last active Aug 29, 2015
Are you *sure* you don't need strict scalar typehints?
View strict-scalars.php
<?php
$ch = curl_init();
// 1: only verify that the peer cert HAS a name field
// 2: verify that the name ACTUALLY matches the domain you connected to
// true: cast to 1
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, true);
// Mercifully the newest versions of libcurl now disable 1 for this setting.
// This is a prime example of undetectable scalar conversion catastrophe.
@rdlowrey
rdlowrey / bench.js
Last active Sep 27, 2019
PHP vs Node.js scraping
View bench.js
/*
$ npm install request
$ node bench.js
*/
var request = require('request');
var url = 'http://www.google.com';
var total_requests = 100;
var i;
@rdlowrey
rdlowrey / uri-dot-segment-removal.php
Last active Oct 14, 2019
Remove dot segments from a URI path according to RFC3986 Section 5.2.4
View uri-dot-segment-removal.php
<?php
/**
 * Remove dot segments from a URI path according to RFC3986 Section 5.2.4
 *
 * @param $path
 * @return string
 * @link http://www.ietf.org/rfc/rfc3986.txt
 */
function removeDotPathSegments($path) {
@rdlowrey
rdlowrey / php56-ssl-tls-improvements.md
Created Feb 16, 2014
SSL/TLS improvements in PHP 5.6
View php56-ssl-tls-improvements.md

[RFC] TLS Peer Verification

  • Verify peer certificates in client streams by default
  • Use operating system managed default cert stores if not otherwise specified
  • Windows is still an issue as it uses different cert format (I'm working on it)

[RFC] Improved TLS Defaults

  • Makes everything SSL/TLS more secure without any user knowledge required
  • Vastly improved support for encrypted stream servers (a-la node.js)
@rdlowrey
rdlowrey / pgsql-async.php
Last active Jan 16, 2020
Example usage of new non-blocking pgsql behavior
View pgsql-async.php
<?php
// Connect asynchronously (new constant for bitwise arg 2: PGSQL_CONNECT_ASYNC)
if (!$db = pg_connect($conn_str, PGSQL_CONNECT_ASYNC)) {
    echo "pg_connect() error\n";
} elseif (pg_connection_status($db) === PGSQL_CONNECTION_BAD) {
    echo "pg_connect() error\n";
} elseif (!$stream = pg_socket($db)) {
    echo "pg_socket() error\n";
}
@rdlowrey
rdlowrey / secure-http.md
Last active Dec 23, 2015
Secure stream encryption with native PHP.
View secure-http.md

PHP disables SSL/TLS peer verification by default. While this design decision significantly simplifies encrypted HTTP retrieval, it also means your transfers are totally vulnerable to Man-in-the-Middle attacks. To fully secure our transfers we need to verify that the party at the other end of our transfer is actually who they say they are.

To accomplish this we need two things:

  1. A CA file (in .PEM format) so we can tell openssl which certificate authorities we trust
  2. A stream context that specifies this CA file and instructs openssl to verify the other party

We can easily obtain the same CA file (direct link to .pem file) used by the Mozilla Foundation (the exact one cURL uses, BTW). This file is usually updated a handful of times each year and it's important to keep your CA file up-to-date or you risk trusting certificate authorities that are known to be insecure/unsafe. This kind of thing doesn't happen often, but it's important to upd
