php[architect] logo

Want to check out an issue? Sign up to receive a special offer.

Headless Drupal, Replay Tokens, PHP 8, History and Computing, and more

In Episode 32

We’re switching our episode format this month. We’re splitting into two episodes: one a discussion of the developer topics from the latest issue and a separate episode will feature an interview with a contributor. In this episode, we talk about the articles in the May 2020 Issue, Unsupervised Learning.

Topics

  • Headless Drupal and distributed content stores.
  • Pros and cons of passwordless authentication and password security.
  • Securing your API against replay attacks with nonces.
  • HTTP Responses and status codes
  • Computing history, thinking like an experienced dev, and how the government might regulate today’s tech giants.
  • A correction about York PHP user group organizers.
  • Looking forward to PHP 8.

Listen

Transcript

[00:00:00] Eric: Hey there, this is there. One of your hosts for the PHP podcasts. If this your first time, listenting to our podcast. Welcome. We hope you enjoy it. If you’ve listened to us in the past, then you’ll notice we’re making a few formatting changes. Instead of having the interview podcast integrated with the podcast reviewing the magazine, we’re going to make those separate podcast. That means you will get to podcast from the php[architect] for the same low price free. Well, we kind of hope you’re a subscriber either way. Podcasts. Same host One podcast will be the review of the magazine for that month. In the second podcast will be an interview from somebody in the community we would love to hear back from you. Get some feedback suggestions. Criticisms in Let’s be honest, praise all life praise. Feel free to mention us on Twitter at PHP Arch. That’s P h p A R C. H. This month’s interview podcast will be with Liam Wiltshire as he does the second part of hands on machine learning with PHP. It was a very exciting interview. I enjoyed it. Great topic, great person. He’s just full of insight that podcast will come out, probably in another week. Maybe two weeks. Really? Up the Oscar. He’s the man in charge. For now, sit back. Relax. Am here our review of this month’s magazine.

[00:01:31] spk_2: Welcome to the official podcast of PHP Architect. Join us to listen to the latest news and tech talk from our conferences, the magazine and wider PHP community.

[00:01:42] Eric: Your steps of 32 of the podcast. May 2020 Volume 19 Issue five. Unsupervised Learning on the host Eric Van Johnson and with me as always, my good friends John Condon and Oscar.

[00:01:50] John: Hi there. Why is that I don’t get a last name? but Oscar doesn’t usually like

[00:01:58] Oscar: Prince known by one name and one name only. Yeah,

[00:02:10] Eric: I used to call my editor in chief, and I’ve got to be that this time. But you know, I’m slipping. What can I say? You know this this whole coded thing, man, I’m giving, giving, lazy getting lazy with my with my intros. How’s everybody holding up? Everybody’s good.

[00:02:24] John: Yeah, I’m good here. Very good.

[00:02:26] Eric: Uh, yeah. That’s one of the good things about industry are about our specific situation. The three of us we don’t have to go to an office. It’s This whole covert thing didn’t interrupt us from that perspective too much. But there’s all the other little things off. Just enjoying the outdoors of family going to a restaurant. I don’t know how long this guy I know baseball. There’s no baseball. It’s driving me crazy. There’s no base by. I didn’t notice. Even when they have baseball, I don’t know when I’m going to go again. Go to an actual game and I’m a little leery of that right now.

[00:03:06] Oscar: Yeah, we’re lucky here. We went to a D C. United game the weekend before all the lockdowns happened and we hadn’t been to one in person in probably two years. So it was nice to get that in before everything. Shut down. Oh, don’t you have Korean baseball to watch now?

[00:03:23] Eric: Don’t think I haven’t been watching

[00:03:24] John: it. Speaking of offices were actually in the middle of shutting ours down. Yeah, hearing it out, getting getting out of their

[00:03:37] Eric: business, not only of business. Just, uh, you haven’t office for over a year now. Um, it’s the second time we’ve having office. Isn’t going in the first time. We’ve done it. But, you know, it was just the developments that the developers that are local here to see. Diego didn’t really take advantage of it as much as we thought they would, and I don’t know. It just became an expense that with Kobe going up, the office has literally been checked out of the last two months. Nobody’s going into it, so I don’t know. We just making a renewed for another year. We find where every mote company anyway, So it doesn’t really affect us that much, but it’s makes a park to have. But ultimately, I don’t know. We’ll see. I’m sure will probably do it again in the future.

[00:04:19] John: Well, we’re not here to talk about our business. We’re here to talk about the magazine

[00:04:22] Eric: business. A PHP buddy. We’re here to talk about the business of PHP. Let’s go, Let’s go last month. So, Oscar, you’re a Drupal right or work? Or is our,

[00:04:34] Oscar: um and I have been in the past. I can’t disavow that. I did Rupel pretty heavily from a group of four through seven, and I’ve done a little bit group a late work last year, and yet when I was at D C United were all Drupal and the league, uh, used uses Drupal.

[00:04:55] Eric: right, now that’s cool. Well, how do you feel about the article of just having Drupal be your back end and in the idea of throwing a custom frontend on it.

[00:05:07] Oscar: I liked it. And, uh, obviously one of reasons that picked it to run in the magazine was my own personal interest in it. Headless Drupal has been, ah, hot topic for a while now, pretty much all the way since Drupal eight released mainly because Drupal 8 added a bunch of modules which exposed the content through an API, a REST API that you could get JSON data out of and I really like Drupal. It might be my familiarity platform for building a useful editing experience that could be really custom. And you can have ah, fairly complicated editor workflow and approvals and, uh, publishing on publishing provisioning much richer. I really miss it working with WordPress a lot not to ding wordpress too much, but the way you can add fields and create relationships and categorize stuff is really useful. So it I think It’s a natural evolution. Then I want to take all the data that’s in there for articles or people or whatever you have and make it available to a front end. That’s not tightly, tightly coupled to the application itself on. And I know a lot of folks are using you react and maybe view to build out pages where the actual content lives in truthful. But the rest of the application or site is skinned with react.

Eric: Well, actually, I didn’t think about it from that you that use case because I was still thinking you would have you still need to like a PHP front end that was pulling that data from the FBI’s. Now it can be anything now.

Oscar: Yeah, that makes a lot of sense. I think NPR uses a similar model where they have a central store and they use PHP a lot. But then, depending on whether you’re looking at NPR’s IOS app, or android app, or on the Web site or a stations specific website there, they can all be pulling in the same content from the central store and then just tailoring it specifically for that device for experience.

[00:07:06] Eric: Jack Politica does a great article of decoupling Drupal, from its frontend system to use in the existing web. And that’s kind of what we’re talking. He has that has a bunch of wonderful code samples here. Thats just such a good read, especially if you’re a Drupal person. But yeah, you mentioned WordPress. I didn’t … WorkPress did something similar, didn’t they? Where WordPress now is It could be decoupled where you can interact with it through APIs. Or am I wrong on that?

[00:07:38] Oscar: Yeah, I I’m sure it has an API way to get data out. The big advancement, uh, in WordPress has been that the new editor is all javascript old interactive, a lot more like a wixs, and not just a big text field or a bunch of select boxes.

[00:07:56] Eric: I like what Jack has here because where we’re actually in the middle of redoing our user group website in I’m getting to the point now where I need to figure out what I’m going to do for the input of posting meetups, things like that. Job postings. And yeah, you can go through and build that stuff yourself and probably is not a terrible practice, but the idea of throwing a Drupal backend, managing all that content with with a group of backend and then consuming it without having to do any changes to the website we’re designing. But just consuming those API is very appealing. It’s very, very appealing.

[00:08:39] Oscar: Yeah, the other nice thing with Drupal that I haven’t found in other systems without a lot of coding is it’s permissions system so you can assign people to roles. And then you can tailor exactly what that role can do and what what kind of objects they can work with. You can even go further down and limit like what fields they see. So if you really need to lock down a particular saying, uh, you can do that with without coding much, if anything, because just knowing which modules to install on how to configure them, which is always, I think, Drupal’sstrength in the past.

[00:09:13] Eric: very long time since I’ve taken a look at Drupal, maybe maybe it’s time for me to spend up another another install of that and see if it’s something that would work for me.

[00:09:23] Oscar: Yeah, Drupal 9 is coming out. It’s a lot. He uses a lot of Symfony and old Zend framework components. A lot of stuff. That’s the thing you have to temper. And I think which is why some people, um, are shocked as Drupal was not meant to be both. It’s meant to empower people to build websites, and you don’t have to code necessarily to do that. So if you just want to build your entire website and control everything in code, that’s where it can get tricky. And you might bang your head because you’re trying to swim upstream.

[00:09:55] Eric: Okay, let’s move on. Next, we have password lists, authentication, the ability authentic without a password from Brian. Redder rhetoric ever isn’t really rhetoric. That’s also was that name forever brand rhetoric. I thought I thought maybe had that. That was an editorial mistake there for a second.

[00:10:16] Oscar: I double check it, cause I usually put the wrong number of T’s and R’s.

[00:10:20] Eric: Sorry, Brian. Uh, apologize for that. But I do like your name rhetoric. We I’ve come across this. So Brian even brings it up in this article about how this is that one of the formats that slack uses, but it gives you the ability to long into their application without having to put in the password. I have thoughts and feelings on this, but I’d really like to hear how you guys feel about it.

[00:10:42] John: They’re so using slacks. Example. They use the whole magic link you put in your email address. They send you an email, you click it and you’re logged in because I use a password manager. I don’t tend to go that route because it’s an extra step of. I have to wait for the email to get to me, go find it and click on it versus just a quick key combination of to logmein. But I can definitely see the advantages of it. You combine this article with the one we’re gonna talk about in a couple of minutes, and it’s a great source of

[00:11:13] Eric: one of the arguments Brian makes here from a security perspective, is that there’s no password for me and that’s great. It’s it’s why one of the arguments of security for me. Personally, I am a big opponent of email. I actually dislike email very much. I only check me email about twice a day and I feel like it’s one of the the least secure way you communicate what they mean by the so that idea of being in a long into an application from something I get through an email makes me leery. I am a huge fan of it, but on the other side of the coin, we just went out and visited my mother out in Arizona this past weekend, and she can’t remember the password of anything she puts it, and she uses the same password for everything. And so this works perfectly. For like I would I would much rather her click on emails to log into stuff, realizing my mind concerns of the security with email. But I also know that the way she manages their passwords are way less secure than that.

[00:12:26] John: But it becomes spoofing those emails becomes more more prolific too soon as it becomes more mainstream, us are getting emails saying, Hey, log into slack with this magic link. That’s a good witch. If there will spoof, do you don’t know if you’re looking, but you were really logging into, so you should be clicking on random log in links. Yeah, e.

Oscar: I could see how this would be useful if you have the depending on your user base or if you don’t want to log in via email, you could probably build some immigration where you send someone a twitter DM or something else that’s more secure. But eso the channel can be different because I think he also hints that instead of an email, you could ask them for a one time password if you use Google authenticator. That one part of it that gave me pause was like, You have to make sure that people’s emails are current and active, cause if suddenly someone uses their work email and they don’t work there anymore and they’re trying to log into your app, they’re gonna have to find another way to verify that that’s really their account, which opens up a place where they could, um, attacker could socially engineer and take over an account. So I think I don’t know if I would go a complete passwordless route. Um, you probably still want tohave a user name and password or some other unknown undefined authentication option.

John: Well, it goes back to Teoh that initially your applications storing passage but using some sort of eso using like Facebook or Twitter or a Google logging. Because even with the email route, you still have to have authentication to your email or authentication to Twitter. So there’s gonna be authentication somewhere. It’s taking the attack vector away from your application. You know, if if you’re not storing passwords, yeah, a little bit less to worry about, especially for those users that use the same password on every single site. If there’s a vulnerability in your site that leaks password information, we’re now the attacker couldn’t attack my email. That’s gonna be bad.

Oscar: Yeah, or my bank account. Even worse, I went. I went all paranoid like three or four years ago and started moving everything to a password manager and super long, totally random passwords. I have no idea. If you ask me what my bank password is, I couldn’t tell you because it’s just in a password manager and I never see it. And yeah, friend, that’s what that’s where I should be.

[00:14:51] Eric: Yeah, and then add the two factor authentication on top of that is huge for me because you still your security conscious people will still say, Well, Now somebody just needs to get access to your password manager. Now they have everything. It’s never a great solution ever, you know, But you just make it as difficult as possible And the where I’m getting super Lisi at. And, uh, I can’t believe I’m sharing this on the podcast is the pastor banter I started to use for the majority of the time, allows for two factor inside of it and use it having complete convenience. And I realize that by those things, not being two separate applications, I’ve lowered that attack that now significant. But it’s just so makes the have to factor in your password in the same manager. But

[00:15:43] Eric: I go back. I go back to if I have. If someone gets access to my password manager, they’re gonna have access to everything anyway, except for those things that don’t have except of those things that have to factor if they are separate. But yeah, um, I don’t know. I don’t know what

Joyn: What I have found by using a password manager is you start to realize the security vulnerabilities or flaws and so many systems, like banks, where they limit your number of characters you can use not just the actual number, but like the special characters, you can only use three or four instead of a big array of character, so making it easier to its act. So I did a password change on application I worked on recently where I was trying to add some of those moves. Rules in has to be at least eight characters. You have to have at least a digit, at least in upper case, at least a special character. And the client complained about that because, well, for various reasons. But then I started on research, and that’s actually not recommended anymore. In 2015 it was recommended that you have those requirements now. It’s frowned upon because you’re starting to. Once you start putting in those restrictions, you’re also saying what passwords are going to contain, making it a little bit more intractable, you reducing the problem space for an attacker’s. They know they don’t have to try a certain kind of passwords right in. Yeah, if you if you have to have. If you have to have a number in there, well, you know, one of those characters is a number. So you’ve you restricted what you’re gonna put if you have to have a number and a special character, especially if you know what the list of special characters is. You can now start to your getting rid of a whole other set of possible passwords, so you’re only trying. You’re only trying possible ones at that point, which is now a smaller space.

[00:17:43] Eric: So is, is the recommended suggestion is just a have a minimal amount of characters

[00:17:49] Oscar: and no restrictions on those characters or as little as possible, and to figure out how many different combinations of things you would have to try. You can look at Sherry’s column on factorials and combinations because that’s the math behind. If you have, like a password of length X, which can have so many characters in them, you can do the math to figure out how many possible permutations there are using factorials.

[00:18:15] Eric: So let’s talk about Sherri’s new article a little bit here. She’s doing her her her whole puzzle thing.

[00:18:22] Oscar: Thse PHP puzzles? Yeah, a reader pitched that idea to me a couple months ago. They’re like, you’d be great if each issue had this and I was like, Yeah, it would be great if that if it had that when I reached out for her to write the business of PHP article last month, I threw that idea out for her and she was game to try it on. So she’s got a couple lined up already and hopefully will be brainstorming more and each month still. Look at the solution for the puzzle from last month and introduced the next one. So there will be some motivation to do homework between each issue and then see if how your solutions match up. The nice thing that she’s doing is providing multiple solutions. Usually so far we have seen 2 or 3, which leads leads to a nice discussion of like, what is a good solution? Readability issues, performance.

[00:19:15] Eric: This is helps to have an area that puzzles. I’m looking at this, and maybe it’s how how bad I am a coding. I don’t know. That’s what concerns me, but I’m looking at this. I’m like, man, I don’t should have do this. I’m not sure what to do, and I’m trying to read through it. Well, I was speaking to her recently, and I had pitched the idea of giving people way to communicate to her about the puzzles. And she’s like, Oh, that would be amazing then I could start making harder posts than hat. That’s the part that was a very hard thing.

[00:19:54] John: So these are very much down there along the lines of code katas where it’s one, making you think of different ways to solve a problem and being able to test your solutions. So it’s right. It’s just a good exercise to to get into going back, to go back to security. We were talking about the past wordless authentication. The next up would be security corner with Eric Man’s Request replay protection. And this is what I was saying by adding a nonce to your password. This authentication. You could make sure that that link is only used once, so if you receive a link in your email, you click on it, uh, us, the whole idea behind the scenes. It’s a number used once, and there was a great job of talking about the reasons to use it and has had to generate one very easily. But think about you have a link. You can only only click on once if somebody else happened and get it. It’s basically a race at that point. Who’s gonna click that first? Right?

Oscar: That was a part of the article. I had the hardest time. Ah, wrapping my head around when I was reviewing it. That, uh, you don’t Your application doesn’t have to generate the nonce necessarily or at all. He recommends you don’t. Um, But once you see some you say you’re API has to say, if you want to use this end point, you got to send me a nonce, and then you just track the used nonces for the last hour or whatever timeframe makes sense so that if you see one come up again because they’re random and long that youe could be almost 100% certain that it’s unique to a specific person or call if you see it more than one it’s an attack

[00:21:31] Eric: well, and with the knots approach, and they probably already do this. I don’t I don’t know if this is the practice, but just thinking about it is that because you know where the request is coming from, you know the request for the nonce. The response to the match should be coming from ideally for security should be coming from the same place. Right.

[00:21:52] John: Well, there is no to and from ricght.I’m going to post to your API and I’m including I’m creating announcing passing it to you if I if I tried to do it a second time, you know it’s a a duplicate request to you and you can ignore it. I’m not asking you with 40 nonces.

[00:22:11] Eric: I see this is that he’s using it beyond just like the bargain scenario, right?

[00:22:17] Oscar: Anything in your API Any call in your API that that I assume, writes, If it’s a read only API I don’t know if you necessarily need should limit with a nonce.

[00:22:27] Eric: that central

[00:22:27] John: Because it it it should be idempotent at that point, so it shouldn’t matter on a get so with with the post its it’s really it’s a replay prevention. So if I if I post, you can’t come in, make that same post on my behalf. But it also protects me from making a mistake of posting a couple of times that may change the data inadvertently.

[00:22:50] Eric: ITT’s basically see CRF tokens for API’s

[00:22:54] Oscar: That’s not quite the cause. He’s talking about that in the June issue because you’re not validating that the nonce is one you gave to that requester, and that’s the part again I had a hard time wrapping my head around. So your application doesn’t give out noces and keep track of which ones it’s given out and expects to see back again. It’s just saying “if you want to get in through the door, you have to have a nonce.”

[00:23:23] Eric: Can’t give me, give me a unique identifier for this for this post. So so that I know if it comes to me again with this identifiery its one that I’ve already processed it it and you’re not trying to do it from the data.

[00:23:31] John: If you think about like posting a transaction, you want to post it once in exactly once. But I might post a very similar transaction in 10 minutes. There’s got to be some way to identify those as being unique.

[00:23:49] Eric: I like this idea a lot. I got I’ve got to be honest with you. I never thought of it from that perspective and makes a lot of sense, especially when you’re talking about accounting and very transactional sort of requests that you want to make sure you don’t duplicate. This really makes a lot of sense, especially area

[00:24:10] John: As yeah, that’s especially when you’re using something like Curl, where it may be set up to repeat a request that it doesn’t that fails. For some reason, maybe the request got to you. But do too late and see Curl doesn’t think you got it. It didn’t get the acknowledgement. So it tries again and just post the same data without you even knowing about it. So you’re it’s a prevention against that as well. You screwing yourself up unintentionally. Yeah, I have to look and get about one of my We might even see if I’m if the original architect added these or not. Because otherwise that’s going to be something that’s

[00:24:47] Eric: definitely going on my future architect list of design. Yeah, for sure it makes sense

[00:24:53] John: And it’s so easy to implement. Like he says, you just throw it in tow something like you’re a memcache or redis database. Are you doing this thing? Has this not been used. If it has, I’m gonna ignore the requester. You could reply with an error message if you wanted to.

[Oscar] Yeah, and to figure out which, http status code you would use you would read Chris’s web response column in education corner “Anatomy of a Web Response.”

[00:25:16] Eric:Yep. It’s like you plan this stuff, Oscar. It all just ties together.

[00:25:24] Oscar: Either planned it or the human mind is great at picking out patterns where where they may or may not exist.

[00:25:31] Eric: Chris last month did, uh, the request. I am. We talked about it. What? You know what? Great inside. He gives you to a web request that maybe you forgot that bad out are you just don’t know about. And he does it again with Web response. Uh, based article here,

[00:25:48] Pscar: Time back, te the if so, if a token is used, I guess that’d be a 400 air. He lists what pne of the components of a response is the status code number. We’re from you, like a 200 okay, 404 are not found. But there’s a whole range of them from that. It’s good to know. And I was just happy when you’re working in API

[00:26:09] Eric: hear one c e Never remember. Or were you trying to figure out what best went best cone to respond with? I’ve always having to look up based on his article.

[00:26:22] Oscar: I need to look into some of the library’s he uses for working with requests and responses data as objects instead of the native PHP functions, which is what I generally been doing.

John: Yeah, the PSR is have made that a lot faster, and the the big project I work on that’s been introduced over the past couple of years of having extra very standard request and response objects like to deal with exactly really help with testing to

[00:26:50] Eric: John. You’re you’re a big tester here. What did you think of Joe Ferguson specifications in BDD with peach respect.

[00:26:57] John: I like the idea. I just Unfortunately, I don’t work with specifications very much e mean he’s states right in the opening that this works great when you are giving very strict specifications. So I’m more used to the unit testing aspect of of code. I have also used be hat which you ah references in his article for doing more of the behavior driven approach Or is this storage er than not, You know, as a user, I expect this to happen. So using spec BDD is interesting and I would like to look into it, But again, I don’t get a lot of very well written specifications upfront.

[00:27:37] Eric: You Oscar, are you a big tester?

[00:27:38] Oscar: I do a lot of testing with Behat and integration tests. Ah, because that I usually work with a lot of legacy code, and it’s, I find easier to write those first before I can re factor and introduce unit test. And honestly, a lot of the times I never get to that step of time or are other considerations. I’d love to hear what the difference between a spec and a unit test really is and where you draw that line If it matters. Yeah, that guy, I don’t know for sure I didn’t gather.

John: That difference is much, Um, they they looked very similar when I was He’s going through, like in addition specifications. And to me it looks very much like a unit test already. Yeah, he does Talk about how featuring acceptance testing are respect testing so you’re not necessarily limited to is this message work? I know I looked at PHP spec in the past, and there are a lot of really cool features about, like when you’re running it, it offers to try and create your classes that are missing, making it. If you’re doing it properly, you start with absolutely nothing, and it will help you build out your application as you add missing classes, missing methods. And then you start to add the code in to make your test pass. But that’s kind of where I’ve ended. I don’t I’ve grown up with in the PHP unit camp, and that’s just what I use more often. Right now, I’m more familiar yet with piece for unit and behat as a result. So it’s tricky to jump into a different testing camp and really get your hands dirty. And I guess I’m missing the death difference between a specifications because I can. I think I could take a specification and turn it into PHP unit tests, but again, I don’t work with specs that often, so I don’t know the difference. I don’t know what I’m missing here.

[Oscar] Ask Joe in the new PHP arch discord for subscribers. Which most people, if your subscribers of the magazine should get invites to in the next couple days, slash weeks or by the time this goes out live, some of you will have already been invited.

[00:29:45] Eric: I was wondering. That’s how I was speaking to Sherrji earlier was through the new PHP architect Discord Channel, and I didn’t know what. I didn’t want to spoil it. I’m like, I don’t know for talking about that yet. So look, let me be very very of how we spoke to each other.

[00:30:01] Oscar: I thought you might have been talking to her in your phpugly discord. I was hesitant to create one, cause I’m kind of in that camp like, Do we really need another place to chat? There’s, like so many channels for it, but I think there are useful communities where you want to get together with other people with similar interests and a subscriber. Magazine subscribers or,

[00:30:27] Eric: I think, with the phpugly discord. It actually does a good job at living on its own when I’m in there a couple times a week and people will post questions to specifically so I’ll come, come in and answer it. But like when we first did the discord, I was very self conscious of always, like responding right away. Like if you make sure they knew somebody was there. But now it’s like the people who are in the discord channel, the they have full conversations and were not a part of. And actually, this is cool. Your it’s it’s a It’s like a community,

[00:31:05] Oscar: especially since this is the week that tek would have been, um,

[00:31:09] Eric: way we’re gonna go there, man. Too soon, too soon. The pain is just too just currents to you. John and I talked to each other Monday morning like air flights taking off. We’re supposed to go

[00:31:26] Oscar: When I logged into Facebook when there’s a big canceled PHP tek reminder on their uh So I thought that discord would be a nice wayto have that kind of hallway track sense with the reader. And if you had been to a previous world or tek, those slacks were still up and running.

[00:31:44] Eric: I like to this guy. I’m interested to see how the discord go, so you’re opening up to subscribers first, and then I meant not to put words in my mouth, but we did. You say you’re going to serve it to the general public, are just always of subscribers

[00:31:58] Oscar: I think, and keep it to subscribers. And if also book readers, probably. Once I figure out the integration so that it’s automatic that assumes you purchase a book, you’ll get the invite Linker will display in the phparch admin. You may cancel your subscription. You don’t think? No, no, I’m not gonna police it that much.

[00:32:18] Eric: You let the channel dough your job have left the family. Nobody city to

[00:32:24] Oscar: use. Maybe Maybe I’ll try and figure out some way to, like, put him.

[00:32:29] Eric: I just have to be part of their profile, you know, if you’re not a subscribe just having

[00:32:32] Oscar: This month, we also have Ed Barnard’s column on the transcontinental railroad, and he’s been taking ah, look into one. I know he’s really interested. Having ah started his career is a Cray programmer on the history of computing, and in this one, he he follows up on last month’s column and continues to talk about how a lot of the issues we and problems we see with the Tech giant’s today are very similar to the ones over a century ago when railroad baron started buying up land and connecting East Coast and West Coast and building these giant companies that had pretty negative effects around. I like how he draws the parallel to that and then makes he makes the case that the current Department of Justice is probably gonna rely on a lot of the laws from that time to address the issue. Some of the issues were experiencing with, you know, Facebook or Google or Amazon having so much concentrated power in in their spheres. If you like this topic. Ed’s also just put out a book on the fizz buzz fix that dives into the same similar historical contexts. And this one is specifically built around. And this one looks to why hiring in the tech industry is broken, but also what you can do to prepare yourself for the next coating interview that’s gonna have an exercise like fizz, buzz and overall, how toe think like an experienced developer who’s worked with different kinds of computer systems and programming language that that’s ah if he had to. PHP arch dot com There’ll be a look. It’s exactly needed. Learn how to think like a developer.

[00:34:25] Eric: We don’t typically talk about Community Corner, but I feel like I owe an apology to York region. PHP User group on and I need to go back through and figure out how this happened. But I did get some corrections. Enough meat e mailed to me from the organizer Bob Bloom. And what the biggest correction being that I didn’t call Bob lunar surface and which I don’t know how this happened. Um, for people who read my, uh, community corner section, it’s I’m not talking to these organizer’s every every month. So we do it. We fell on a profile. So somewhere between the profile and then me doing my research on Meet Up or I usually check Meet up cuz check Twitter to get more information about the user groups, and somehow I I had come up with the wrong organisers for that group, only got one of the I list three organisers and think only got one of them correct and that I don’t know how that happened because I goto meet up now and everything is correct, so I don’t know. Hey, I screwed that. I’m sorry, Bob, but Bob says that everybody’s calling him Andrew now because that’s one of your argument is your Sorry. I feel really bad about that. And I know how much work it takes. Toto organize. You saying so? You, Bob Bloom, your your your champion for doing it. I’m sorry I didn’t give you the recognition you deserve.

[00:35:55] Oscar: We should put a little correction in July.

[00:35:56] Eric: We do that. I think he was nice enough to send me an email. Afford to the Okay, we should wrap this up, But before we go, Eli has his final thoughts on finally with PHP eight. Are we, uh, you guys getting excited with about PHP?

[00:36:15] John: I am. I mean, a lot of the stuff you he brought up in there sounds like it’s gonna be really cool. And I didn’t pushing our developers a lot more to use return types, for instance, So the fact that we’re not gonna have union types is great. The static return type I know has been in this year in the past, So lots of really cool things coming down in PHP eight that I’m looking forward to.

Oscar: Yeah, I’m looking. He pushing to use more types as well. And the one leg see client project I had started adding them in and found it really helpful except in one or two methods, where it caused a fatal error because the program said it read like it is expected to specific kind of type, but it didn’t.

John: It was a little reform then than I thought it was a legacy side note. The big project that work on. It’s like 15 years old at this point, and somebody recently found a class of still using a PHP four style constructors it wasn’t a critical part of the application, but like, Oh, interesting. I’m assuming a lot of these.

Oscar: There’s a couple of projects I’ve used in the past, the suss out upgrading differences between versions. I guess that they’re gonna have to do a little work. Have you found one that works decently or used any of them? I used PHP codesniffer. Some sniffs for compatibility that were the easiest ones. I found that I could get running

John: and you know, the recent versions of PHP with the deprecate deprecation notices a front have made it more helpful, unfortunately, and having a super legacy application, we’re now in the midst of battling our lack of error reporting. So because the the code is so poorly written and prices are the error, reporting is way turned down deprecation notices turned off. Basically, almost all air reporting has turned off glare outside of, you know, exceptions. Basically. So yeah, so we’re in the process of cleaning that up so that we can pay attention to the actual error log and the deprecation. Notices from PHP have made upgrading versions a lot easier. And staying on top of the upgrades also makes it easier where you can go through the change log where they say, Hey, this is gonna be backwards breaking and you can go and fix those issues before upgrading. We should look at

Oscar:I think PHPstan and a lot of the static analyzers will go through your code before you run it and try to identify those places as well. And when you you mentioned the peace be forced out, constructor, I know the code sniffer found those for me cause by the code I have updated. I’m surprised that we used codesniffer. If I’m surprised it hasn’t, it’s a separate set of sniffs that you have to install. Um, I’ll check that I will try to find a link to send it to you.

John: Sounds good.

[00:39:21] Eric: Okay, well, I think this is a good spot to wrap up the show. Thanks everybody for being with us.

Air date May 21, 2020
Hosted by Eric Van Johnson and John Congdon
Guest(s) Oscar Merida

Leave a comment

Use the form below to leave a comment: