@rdlowrey
rdlowrey / request-params.md
Created June 22, 2012 15:03
Name/Value Parameters in PHP's HTTP Request Modeling

For many PHP devs, their first experience with HTTP request parameters comes in the form of the $_GET and $_POST superglobals. These globally accessible arrays are an easily digestible abstraction of the HTTP spec. Indeed, for basic applications operating only in the context of common browser user-agents, these eminently accessible parameter collections work well.

But there are some significant problems with $_GET and $_POST under the surface:

@rdlowrey
rdlowrey / libevent.md
Last active March 28, 2016 06:24
libevent aerys benchmarks

100k Requests -- 100 concurrent clients

ab -n 100000 -c 100 -k http://127.0.0.1:1337/

Server Software:        
Server Hostname:        127.0.0.1
Server Port:            1337

Document Path:          /
@rdlowrey
rdlowrey / pthreads-shutdown-worker.php
Last active December 20, 2015 05:09
Handling fatal errors inside threads via register_shutdown_function
<?php
class Worker extends \Worker {
    function run() {
        // &$this ref required to avoid segfault
        register_shutdown_function([&$this, 'onShutdown']);
    }
    private function onShutdown() {
@rdlowrey
rdlowrey / secure-http.md
Last active December 23, 2015 09:59
Secure stream encryption with native PHP.

PHP disables SSL/TLS peer verification by default. While this design decision significantly simplifies encrypted HTTP retrieval, it also means your transfers are totally vulnerable to Man-in-the-Middle attacks. To fully secure our transfers we need to verify that the party at the other end of our transfer is actually who they say they are.

To accomplish this we need two things:

  1. A CA file (in .PEM format) so we can tell openssl which certificate authorities we trust
  2. A stream context that specifies this CA file and instructs openssl to verify the other party

We can easily obtain the same CA file (direct link to .pem file) used by the Mozilla Foundation (the exact one cURL uses, BTW). This file is usually updated a handful of times each year and it's important to keep your CA file up-to-date or you risk trusting certificate authorities that are known to be insecure/unsafe. This kind of thing doesn't happen often, but it's important to upd

@rdlowrey
rdlowrey / pgsql-async.php
Last active January 16, 2020 17:14
Example usage of new non-blocking pgsql behavior
<?php
// Connect asynchronously (new constant for bitwise arg 2: PGSQL_CONNECT_ASYNC)
if (!$db = pg_connect($conn_str, PGSQL_CONNECT_ASYNC)) {
    echo "pg_connect() error\n";
} elseif (pg_connection_status($db) === PGSQL_CONNECTION_BAD) {
    echo "pg_connect() error\n";
} elseif (!$stream = pg_socket($db)) {
    echo "pg_socket() error\n";
}
@rdlowrey
rdlowrey / php56-ssl-tls-improvements.md
Created February 16, 2014 17:07
SSL/TLS improvements in PHP 5.6

[RFC] TLS Peer Verification

  • Verify peer certificates in client streams by default
  • Use operating system managed default cert stores if not otherwise specified
  • Windows is still an issue as it uses different cert format (I'm working on it)

[RFC] Improved TLS Defaults

  • Makes everything SSL/TLS more secure without any user knowledge required
  • Vastly improved support for encrypted stream servers (a-la node.js)
@rdlowrey
rdlowrey / uri-dot-segment-removal.php
Last active July 14, 2023 12:51
Remove dot segments from a URI path according to RFC3986 Section 5.2.4
<?php
/**
 * Remove dot segments from a URI path according to RFC3986 Section 5.2.4
 *
 * @param $path
 * @return string
 * @link http://www.ietf.org/rfc/rfc3986.txt
 */
function removeDotPathSegments($path) {
@rdlowrey
rdlowrey / bench.js
Last active December 3, 2022 15:07
PHP vs Node.js scraping
/*
$ npm install request
$ node bench.js
*/
var request = require('request');
var url = 'http://www.google.com';
var total_requests = 100;
var i;
@rdlowrey
rdlowrey / strict-scalars.php
Last active August 29, 2015 14:15
Are you *sure* you don't need strict scalar typehints?
<?php
$ch = curl_init();
// 1: only verify that the peer cert HAS a name field
// 2: verify that the name ACTUALLY matches the domain you connected to
// true: cast to 1
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, true);
// Mercifully the newest versions of libcurl now disable 1 for this setting.
// This is a prime example of undetectable scalar conversion catastrophe.
@rdlowrey
rdlowrey / cpu-core-count.php
Created February 20, 2015 14:50
OS-generalized CPU counting
<?php
function countCpuCores() {
    $os = (stripos(PHP_OS, "WIN") === 0) ? "win" : strtolower(trim(shell_exec("uname")));
    switch ($os) {
        case "win":
            $cmd = "wmic cpu get NumberOfCores";
            break;
        case "linux":
            $cmd = "cat /proc/cpuinfo | grep processor | wc -l";
            break;