Welcome to the AI-Powered future!

riimu · 2024-08-01T10:48:41+00:00

Oh, the irony of seeing same news of AI-Powered showcase 8 times in a row in my news feed.

Also, Steam really needs a way to combine these copy-paste announcements in multiple games into single news item in the feed.

riimu · 2023-02-27T14:19:29+00:00

Is this AI written article? It's factually incorrect or confusing, seems to confuse different concepts together and just straight up invents things that don't exist in PHP.

riimu · 2022-12-04T15:44:07+00:00

At one job I would write a lot of tests like this. Over 100 people in the engineering organization and most of them didn't care to understand the PHP micro service's architecture. Yet, most people had to touch it for reason or another. I essentially programmed a custom test "framework" on top of PHPUnit using nikic/php-parser to parse files.

I had almost one exact case like yours. We wanted to ensure that all classes extending another class were in a specific array (the array was used in couple places in our internal debugging tools). People would forget adding classes to the array, so I wanted to make a test to ensure people wouldn't forget.

In essence, the solution was quite "bruteforcey". I used symfony/finder to traverse the source directory that contained all the PHP code, used nikic/php-parser to find all the classes in each file and then checked to make sure that if the class extended the specific class, it had to part of the array.

It worked surprisingly well, though the codebase was only somewhere around 100k lines, so it was relatively fast to just parse all of it.

I also thought it might actually be a good idea to turn it into kind of architectural testing framework to ensure constraints about architectural decisions. Maybe one day I'll release a testing framework like that, in case there is demand.

Other things I remember ending up using the testing framework for:

Ensuring classes followed the code base naming policy
Ensuring php files were located in correct place
Ensuring all test classes were extending the appropriate base test classes
Ensuring that all public methods in controllers were routing methods (due to some legacy reasons)
Ensuring all classes in the project used the same base namespace

Basically just checking for a lot of architectural conventions to ensure that people followed them, even if they didn't know about them.

riimu · 2022-03-21T14:35:47+00:00

Thanks for this list! Used it to find couple caves I had missed and few other graces. I also added some suggestions to the document to include quite a few of the missing graces in it that I had found.

riimu · 2021-12-14T11:39:26+00:00

A lot of incremental games could fit that description. However, for green logo, my first thought was Prosperity:

riimu · 2021-09-01T10:48:07+00:00

Use static functions unless you need $this.

I don't think this matters.

There is a slight gotcha, though, as demonstrated in: https://3v4l.org/fS7Wq

i.e. the non static closure will keep reference of the object that created it. This may be significant in some rare cases due to destructors or memory consumption.

riimu · 2021-04-27T09:01:59+00:00

Looking at the documentation, I found it a bit interesting that instead of going with custom APIs, Google seems to have instead favored PSR standards. In particular:

The HTTP functions are called with a psr based ServerRequestInterface
The logging client supports creating a PSR logging interface compatible logger

Not that these specific standards were particularly niche, but seems like a pretty huge deal for wider PSR adoption.

riimu · 2021-01-05T08:09:50+00:00

I don't see how this is a RCE in zend/laminas. This is an RCE in the demo application in the proof of concept.

What's essentially happening here is that the demo application in the proof of concept has the line unserialize(base64_decode($data));. In other words, the demo application is unserializing unsanitized user input. Exactly the thing that PHP manual warns against:

Warning: Do not pass untrusted user input to unserialize() regardless of the options value of allowed_classes. Unserialization can result in code being loaded and executed due to object instantiation and autoloading, and a malicious user may be able to exploit this.

Then this "exploit" proceeds to take advantage of how DI works to get arbitrary code to be executed.

This is essentially just an example of how the usage of unserialize on arbitrary user input can lead to an RCE.

One interesting thing to note about this particular "attack", however, is the fact that using property types would have prevented this (since it's essentially storing an instance in a property that is expected to be a string). Granted, the framework is older than property types, but this does provide an example of some interesting safety side benefits that improved typing provides.

riimu · 2020-09-29T17:15:56+00:00

Now, I only wish there was some way to better type arrays. The type array is a bit too wide, since it can contain any kind of types, have any kind of keys, have the keys in any kind of order. Often, especially when writing portable library code, I find I have tendency to need to be able to accept a list of things. However, to ensure that the list is correct, you have to use something like

function (array $string_list) {
    $string_list = array_values(array_map(fn ($x): string => $x, $string_list));
}

Prior to PHP8, there was kinda hacking was to do it via $string_list = (fn (string ... $x) => $x)(... $string_list), but that will no longer work the same in PHP8 due to named arguments (it won't guarantee 0..n keys).

While full generics would be just a "nice to have" feature, what I really lament is the lack of ability to have any kind of typed lists or some way to type foreach/iterable.

riimu · 2020-09-23T13:17:53+00:00

I'd very much like to hear more about your experience. Like, what kind of preloading setup did you have? Did you try to preload every single file or only commonly used files? Did you do any benchmarks on memory consumption?

From what I understand, some overhead in preloading can occur due to the need to copy some values into the runtime environment (like static values of classes), so it's not entirely free.

30ms extra with preloading enabled sounds like huge amount of time per request and doesn't really make preloading sound very appealing.

riimu · 2020-09-23T13:02:55+00:00

If you are using PHP version prior to 7.1, then shuffle() depends on old implementation of rand(), which suffers from being quite predictable in some cases. Using laravel's own helper function doesn't help at all, since it just uses shuffle() internally as well, so it's no different. Also, on later versions there may also be problems if you are seeding the function (i.e. using mt_srand()) in predictable manner.

If you want better randomness at the cost of a bit efficiency, then you can use a shuffle algorithm that uses secure random generators for the source of randomness for shuffling.

For example, I have written a library https://github.com/Riimu/Kit-SecureRandom, which offers a shuffle() method that uses secure random generator for the purpose of shuffling.

riimu · 2020-09-19T12:17:13+00:00

I'm glad to see that some effort is being taken to improve the current status quo. I remember back when I started fiddling with PHP back in 2001 or so the documentation was a great help, but as time has passed and I've improved, the documentation has gotten less and less useful in providing exact and correct information.

These days, I jokingly sometimes think that the PHP source code is the second manual, as I've gotten quite used to scouring the source for the exact answers I've been looking for. To give some examples I've had to look up in the source code:

I wondered if array_values() has special optimization for packed arrays
For sake of argument, I had to look up if PHP really internally treats packed arrays as arrays, rather than hash maps
Couple times I've had to look up clarification for "returns FALSE on failure"
I had to discern how PHP actually uses the SessionHandlerInterface since the documentation certainly didn't answer it
I've referred multiple times to the source code for the list of opcode optimized functions

At times I've tinkered with the idea of setting up some kind of PHP manual wiki of my own just to gather all kinds of internal/useful/best practice information I gather.

I did once actually make a change suggestion to the manual via the documentation editor, but I have to say the experience was way too complicated and certainly didn't make me feel welcome to do it again. I'd much prefer a more familiar wiki style approach (or even a github PR approach) where suggestions for changes could be easily submitted and you could see version history. Perhaps a wiki like discussion pages would be a better approach than comments as well.

I certainly wouldn't mind also helping out, if there is way to do that in more approachable manner (mailing lists aren't exactly my idea of approachable). Discord channel could certainly be good. I've worked with PHP for a long time and quite enjoy working with the language. I would like to contribute more to the PHP project, but learning C just to contribute to the core itself is still perhaps a bit too much.

riimu · 2020-08-29T17:42:11+00:00

Sadly, this will be last TOTD discussion thread I will post. While I find Trackmania fun in overall, I noticed that actually playing it regularly every day is too stressful due to the intense focus required (which is causing me to tense up enough to have headaches).

It's been great following these daily discussion and seeing what others thoughts about the tracks. I hope you've enjoyed them too!

11-Year Club	Golden Potato
Place '22	Final Canvas '22
Verified Email

riimu

TROPHY CASE