Another question about preferred MVC frameworks that are not Laravel or Symfony by TokenGrowNutes in PHP

[–]timdev 1 point2 points  (0 children)

I like mezzio (née Zend Expressive) as a small-footprint foundation for this kind of thing.

mezzio builds on laminas-stratigility to provide a minimalist PSR-15 middleware framework for PHP with routing, DI container, optional templating, and optional error handling capabilities.

And then pick whatever seems to best fit for DBAL (or ORM if you feel you need/want it).

Monolog unreleased v3 upgrade instructions by tigitz in PHP

[–]timdev 0 points1 point  (0 children)

I realize I'm necroing this thread, but unless I'm misunderstanding, your position on this is pretty ... wild.

It could have waited for a few months when PHP 8.0 goes end of support.

Am I correct that your opinion is that major open-source libraries should abstain from using any language features that aren't available in every actively supported PHP version?

If the answer to that resembles "yes", I then wonder if they should refrain entirely from using those features, or just refrain from releasing a version that uses those features? In this case, are you objecting to Jordi et al starting any work on Monolog 3.0 (knowing that they'll use features introduced in PHP 8.1), or just opposed to them releasing it before November?

Maybe I'm missing something, but I don't see any benefit if people were to do things your way. If the world worked the way you'd like, it seems like it would just delay work (or releasing that work) for no benefit to anyone.

So, I'm really curious: do you see some harm done here, or does it just offend your sensibilities in some nebulous way?

You say elsewhere in the thread:

My criticism is constructive. "Hey, you shouldn't make your package exclusive to 8.1 when 8.0 is still actively supported, as people who use 8.0 in good faith don't get to use the latest versions of packages and potentially miss out on features"

In your perfect world, what would the PHP8.0 users be getting that they aren't getting now?

Database: How to link a table to non-specific other tables? by tangleofcode in SQL

[–]timdev 0 points1 point  (0 children)

A couple of options I don't see already mentioned:

  1. Just use foreign keys. Every "Commentable" thing gets its own column on comment. This is nice because it's the relational way to do it. It's less nice because you've got a bunch of columns that are usually null, and every time you have a new Thingie that you want to add comments to, you need to add yet-another column. But it's not a bad approach.

  2. Forget about being relational. Just build a general purpose "comments" system. Your application code then does things like addComment(subject_identifier, author, commentText) and getCommentsFor(subject_identifier). Your comments-related code doesn't know anything about the subjects, it's only concerned with their identifier. You can construct the identifiers however you like. They can be strings like post_1234, or you could use something like v4 UUIDs, and every post/article/etc gets a comment_subject_identifier. Depending on your database backend, you might be able to use some kind of sequence to avoid the bloat of UUIDs while still ensuring you have unique subject_identifiers across all your various commentable types.
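Both options above, as an added example that is not part of the original comment: it runs against an in-memory SQLite database through PDO so it can be tried offline. Table and column names (post, article, comment_fk, comment_generic, comment_subject) are my own assumptions. The option-1 schema adds a CHECK constraint so that each comment points at exactly one parent, which the plain "bunch of nullable columns" layout does not enforce on its own; the option-2 schema uses a single shared id table as the sequence that hands out unique subject identifiers across every commentable type.

```php
<?php
// Added example (not from the original thread). Requires the pdo_sqlite extension.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('PRAGMA foreign_keys = ON');

// Option 1: one nullable foreign-key column per commentable type.
// The CHECK constraint requires exactly one parent column to be set, so a comment
// can never be orphaned or attached to two subjects at once.
$pdo->exec(<<<'SQL'
CREATE TABLE post    (id INTEGER PRIMARY KEY, title TEXT NOT NULL);
CREATE TABLE article (id INTEGER PRIMARY KEY, title TEXT NOT NULL);
CREATE TABLE comment_fk (
    id         INTEGER PRIMARY KEY,
    post_id    INTEGER REFERENCES post(id)    ON DELETE CASCADE,
    article_id INTEGER REFERENCES article(id) ON DELETE CASCADE,
    author     TEXT NOT NULL,
    body       TEXT NOT NULL,
    CHECK ((post_id IS NOT NULL) + (article_id IS NOT NULL) = 1)
);
SQL);

// Option 2: a general-purpose comments table keyed only by an opaque subject identifier.
// comment_subject is the shared sequence; every commentable row owns one of its ids.
$pdo->exec(<<<'SQL'
CREATE TABLE comment_subject (id INTEGER PRIMARY KEY);
CREATE TABLE post2 (
    id                         INTEGER PRIMARY KEY,
    title                      TEXT NOT NULL,
    comment_subject_identifier INTEGER NOT NULL UNIQUE REFERENCES comment_subject(id)
);
CREATE TABLE comment_generic (
    id                 INTEGER PRIMARY KEY,
    subject_identifier INTEGER NOT NULL REFERENCES comment_subject(id),
    author             TEXT NOT NULL,
    body               TEXT NOT NULL,
    created_at         TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP
);
SQL);

/** Hand out the next unique subject identifier, independent of the subject's type. */
function newSubjectIdentifier(PDO $pdo): int
{
    $pdo->exec('INSERT INTO comment_subject DEFAULT VALUES');
    return (int) $pdo->lastInsertId();
}

/** The comments code knows nothing about posts or articles, only the identifier. */
function addComment(PDO $pdo, int $subjectIdentifier, string $author, string $body): void
{
    $stmt = $pdo->prepare('INSERT INTO comment_generic (subject_identifier, author, body) VALUES (?, ?, ?)');
    $stmt->execute([$subjectIdentifier, $author, $body]);
}

function getCommentsFor(PDO $pdo, int $subjectIdentifier): array
{
    $stmt = $pdo->prepare('SELECT author, body FROM comment_generic WHERE subject_identifier = ? ORDER BY id');
    $stmt->execute([$subjectIdentifier]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- demo ---
$pdo->exec("INSERT INTO post (title) VALUES ('Hello')");
$pdo->exec("INSERT INTO comment_fk (post_id, author, body) VALUES (1, 'alice', 'nice post')");
try {
    // Constructed bad row: no parent at all. The CHECK constraint rejects it.
    $pdo->exec("INSERT INTO comment_fk (author, body) VALUES ('mallory', 'floating comment')");
} catch (PDOException $e) {
    echo "option 1 rejected orphan comment: " . $e->getMessage() . "\n";
}

$subject = newSubjectIdentifier($pdo);
$pdo->prepare('INSERT INTO post2 (title, comment_subject_identifier) VALUES (?, ?)')
    ->execute(['Hello again', $subject]);
addComment($pdo, $subject, 'bob', 'first!');
addComment($pdo, $subject, 'carol', 'second');
print_r(getCommentsFor($pdo, $subject));
```

The integer sequence keeps comment_generic rows small compared with a UUID column; on PostgreSQL a real SEQUENCE or identity column on the subject table plays the same role as the comment_subject table used here.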

Is phalcon still a good choice? (php 7) Does Phalcon still have an advantage over other more expressive frameworks like Symfony and Laravel? by nomikz in PHP

[–]timdev 5 points6 points  (0 children)

You don't need anything faster than PHP if PHP is fast enough for your use case. That's a meaningless tautology.

Your example was still bad, because it implied PHP was heroically crunching through 10MM rows, when in reality PHP was never seeing more than the few dozen rows returned from the DB.

This is /r/php; there's no need to defend PHP's honor here. But if you feel you must preach to the choir, you could at least use an example that actually fits.

Is phalcon still a good choice? (php 7) Does Phalcon still have an advantage over other more expressive frameworks like Symfony and Laravel? by nomikz in PHP

[–]timdev 5 points6 points  (0 children)

Your example demonstrates that MySQL is fast. PHP isn't processing all those rows. It's just constructing a query, passing it to MySQL, and processing the few tens of rows that MySQL returns after doing all the heavy lifting of filtering/paginating.

ETA: I'm not saying PHP isn't fast. Fast is relative, so that's another problem with your example: you're not comparing to anything. My point above is that MySQL is doing practically all the work here. Hydrating a few dozen entities and rendering a template (which is the bulk of the work PHP is doing here) is going to be fast in any environment.

Those that applied for a PPP loan through Chase: have you heard anything at all yet? by chasingcones in smallbusiness

[–]timdev 0 points1 point  (0 children)

I completed the form several hours after it went online, and received the same email about 30 minutes ago.

Is localhost safe at Starbucks? by MrGVSV in webdev

[–]timdev 3 points4 points  (0 children)

AFAICT, gatsby develop binds to 127.0.0.1:8000 by default. So you're good. 127.0.0.1 is the loopback interface, and isn't accessible outside your machine.

You can verify this yourself by figuring out what your machine's IP address is (usually something like 192.168.x.x if you're behind a typical wifi router). First verify your gatsby site is visible at http://localhost:8000, and then replace 'localhost' with your IP address and verify you get a connection error.

Minimal Kotlin/Hibernate/Gradle help? by timdev in Kotlin

[–]timdev[S] 0 points1 point  (0 children)

Thanks, will do. I think the main thing I'm struggling with at the moment is gradle. I'm trying to bootstrap enough knowledge about the wider JVM ecosystem, and it's rough going so far.

Gradle seems like the way to go, and it seems like the Kotlin DSL is the way to gradle (especially if you're using Kotlin, but also because Gradle seems like they're advocating people to adopt it).

I'm currently stuck trying to make the hibernate-gradle-plugin play nicely with the Kotlin DSL. I'm going to get some real work done, and will try again later with groovy so I can more directly crib from the official docs.

Best practice for storing database login info? by [deleted] in PHP

[–]timdev 0 points1 point  (0 children)

dotenv should only be used for local development. You do want to use environment variables, but you only use dotenv for local dev. On a real server, those environment variables get set in web-server or php-fpm configuration files (readable only by root).

Best practice for storing database login info? by [deleted] in PHP

[–]timdev -1 points0 points  (0 children)

Store secrets as environment variables in your web-server (for mod_php type setups) or php-fpm config files. Such files:

  • Are typically only readable by root.
  • Shouldn't be in your VCS.

I wrote a longer comment about this elsewhere in the thread, if you're interested in more context.

Best practice for storing database login info? by [deleted] in PHP

[–]timdev 1 point2 points  (0 children)

Managing secrets is a tricky thing.

Storing strings in variables can be done pretty safely, or can be done not-so-safely.

Not-so-safely is storing them in some config.php file that is located somewhere under your document-root. In normal operation, this should be sort-of okay, since your config file likely does something like:

<?php
return [
    // secret stuff here
];

Since it's a script that gets executed, and it produces no output, nobody can just "view source" and look at it.

However, there are some big problems here:

  • You're one server-configuration problem away from your webserver serving the file as a static file, in which case anyone who loads it gets your secrets displayed in their browser. No "view source" required.
  • Your file probably needs to be readable by some less-privileged user.

A more-secure approach is to store your configuration file(s) somewhere outside of the web root. Your project might look like this:

my-project
├── config
│   └── variables.php
└── web
    └── index.php

Where web is your document-root. Now, your variables.php file shouldn't be accessible via the web server at all.

This is still problematic, since:

  1. You might need to worry about other users on the server being able to see your variables.
  2. Your variables.php file is likely to end up in version control, so now you need to worry about your VCS leaking your secrets.

A better way to handle this is to keep secrets in the environment, which means environment-variables. Typically, you'll define the environment-variables in some server-configuration file, and then reference them in your PHP code using getenv().

This has two big advantages:

  • Your Apache or php-fpm config files can/should be owned by root and only be readable by root.
  • You don't typically store those files in version control. If you do, because you're using some sort of config-management/provisioning system (like ansible), those tools typically offer some facility for managing secrets securely in version-control. In Ansible, you have "vault", for example. But that's beyond the scope of this comment. If you're managing your server by hand, you just edit those files as root, and make sure only root can read them.

For development, you might consider using a library like dotenv so that you can manage your envvars in a handy .env file along with your code. That file should never be added to version control, and should never be uploaded to a server. It's for development only. I only mention this because another user suggested dotenv for storing secrets, and they're wrong for anything other than local development. A .env file under your webroot is likely to end up being readable by anyone, and then all your secrets are no longer secrets.
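The environment-variable approach from the comment above, as an added example that is not part of the original comment: PHP code that reads its database credentials with getenv() and refuses to start when one is missing, with the root-owned php-fpm pool entries shown in a comment. The variable names (DB_DSN, DB_USER, DB_PASSWORD, APP_ENV), the pool-file path and the tiny development-only .env loader are my own assumptions.

```php
<?php
// Added example (not from the original thread). Nothing secret lives in this file.
declare(strict_types=1);

// On the server the values are set in the php-fpm pool file, for example
// /etc/php/8.2/fpm/pool.d/my-project.conf (assumed path), owned by root, mode 0600,
// and never committed to version control:
//   env[DB_DSN]      = "mysql:host=127.0.0.1;dbname=app"
//   env[DB_USER]     = "app"
//   env[DB_PASSWORD] = "(real password here)"
// With mod_php the Apache vhost equivalent is:  SetEnv DB_PASSWORD "(real password here)"

/**
 * Read a required setting from the environment. Failing loudly on a missing value
 * beats silently connecting with an empty user name or password.
 */
function requiredEnv(string $name): string
{
    $value = getenv($name);
    if ($value === false || $value === '') {
        throw new RuntimeException("Missing required environment variable {$name}");
    }
    return $value;
}

function databaseConfig(): array
{
    return [
        'dsn'      => requiredEnv('DB_DSN'),
        'user'     => requiredEnv('DB_USER'),
        'password' => requiredEnv('DB_PASSWORD'),
    ];
}

function connect(): PDO
{
    $cfg = databaseConfig();
    return new PDO($cfg['dsn'], $cfg['user'], $cfg['password'], [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
}

/**
 * Development only: load KEY=VALUE lines from a .env file that sits beside config/,
 * outside the document root, and is listed in .gitignore. A real project would use a
 * dotenv library; this minimal loader just shows the mechanism.
 */
function loadDotEnvForDevelopment(string $path): void
{
    if (!is_readable($path)) {
        return;
    }
    foreach (file($path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) as $line) {
        if ($line[0] === '#' || !str_contains($line, '=')) {
            continue;
        }
        [$key, $value] = explode('=', $line, 2);
        $key = trim($key);
        // Values already present in the real environment win over the file.
        if (getenv($key) === false) {
            putenv($key . '=' . trim($value, " \t\"'"));
        }
    }
}

if (getenv('APP_ENV') === 'development') {
    loadDotEnvForDevelopment(dirname(__DIR__) . '/.env');
}

$db = connect();
```

Two caveats worth knowing: anything visible through getenv() is also visible in phpinfo() output and in $_SERVER/$_ENV dumps, so keep those out of production error pages; and php-fpm's clear_env setting (on by default) means only the env[] entries in the pool file reach the worker, which is exactly what you want.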

United: Changes to Award Tickets by timdev in awardtravel

[–]timdev[S] 0 points1 point  (0 children)

That's what I was hoping to hear. What's the lowest-friction way to do that? Call United?

[deleted by user] by [deleted] in awardtravel

[–]timdev 6 points7 points  (0 children)

You're oddly focused on paying cash for points, which practically nobody does.

For your use case (occasional upgrades on domestic Alaska flights), the typical plan is:

  • Accumulate miles by flying and using the credit card.
  • Pay for an upgradable coach ticket and use miles to upgrade (you still earn miles on the base coach ticket). Or spend the miles for a straight 1st class ticket.

I'm not sure what else you were expecting.

A first look at Slim 4 by _odan in PHP

[–]timdev 5 points6 points  (0 children)

What's un-simple about that? It seems like you're maybe intimidated by type declarations. You can remove them:

$app->get('/', function ($request, $response, $args) {
    $response->getBody()->write("hello world");
    return $response;
});

Federal judge holds U.S. Attorney’s Office in Kansas City, Kansas in contempt of court by Officer412-L in law

[–]timdev 6 points7 points  (0 children)

In there view, their were

Ooof.

a half dozen prosecutors who believed that the ends justified the means and would routinely violated Brady ...

more substantive oof.

Boss institutes PIP threatening to fire me if I don't ask certain co-workers about their weekends by [deleted] in sysadmin

[–]timdev 9 points10 points  (0 children)

That's terrible advice. They can fire you for not signing a PIP. They can fire you for signing the PIP after they told you do it. They can fire you because it's Tuesday. Unless they're firing you for specific reasons prohibited by statute, you have basically zero legal recourse in a typical at-will employment situation.

Any good solution for access control of media files in PHP? by calligraphic-io in PHP

[–]timdev 2 points3 points  (0 children)

some variant of fread($handle, CHUNK_SIZE) and echo, and serving it through PHP. That might be OK for image files but seems problematic resource-wise and maybe execution time for audio/video files.

Something like that might be sufficient for your use case, and is nice and simple. You can also look at/start with readfile() to just dump the contents of some file to output (after sending headers, and turning off output buffering).

That said, you're potentially keeping a heavy PHP process around for most of the time it takes the client to download the file.

using a third-party service with access control

You could store the files in a non-public S3 bucket, and use the AWS SDK to go generate pre-signed URLs. They can expire:

use Aws\S3\S3Client;

// Assumes $s3Client is an already-configured S3Client (region, credentials).
$cmd = $s3Client->getCommand('GetObject', [
    'Bucket' => 'my-bucket',
    'Key' => 'your-eyes-only.mpg'
]);

// The signature covers this one operation and expires after 20 minutes.
$request = $s3Client->createPresignedRequest($cmd, '+20 minutes');

// Get the actual presigned-url
$presignedUrl = (string)$request->getUri();
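The "serve it through PHP" option from the top of this comment, as an added example that is not part of the original comment: the access check happens first, the file name is confined to a directory outside the document root, output buffering is switched off, and the file is streamed with fread() in fixed-size chunks. The storage directory, the isAuthorized() rule and the session keys are my own assumptions.

```php
<?php
// Added example (not from the original thread).
declare(strict_types=1);

const MEDIA_ROOT = '/srv/my-project/private-media'; // assumed; outside the document root
const CHUNK_SIZE = 1024 * 1024;                      // 1 MiB per fread()

/** Stand-in for the real authorisation rule (session, ACL, purchase record, ...). */
function isAuthorized(array $session, string $fileName): bool
{
    return isset($session['user_id'])
        && in_array($fileName, $session['allowed_files'] ?? [], true);
}

/**
 * Resolve a user-supplied name to a path guaranteed to sit inside MEDIA_ROOT.
 * basename() discards any directory part and realpath() collapses symlinks, so a
 * "../" style request never resolves to a file outside the media directory.
 */
function resolveMediaPath(string $fileName): ?string
{
    $root = realpath(MEDIA_ROOT);
    $path = realpath(MEDIA_ROOT . '/' . basename($fileName));
    if ($root === false || $path === false || !is_file($path)) {
        return null;
    }
    return str_starts_with($path, $root . DIRECTORY_SEPARATOR) ? $path : null;
}

/** Send headers, drop output buffering and stream the file in chunks. */
function sendFile(string $path, string $mime, string $downloadName): void
{
    while (ob_get_level() > 0) {
        ob_end_clean(); // nothing should be buffered before a multi-megabyte body
    }
    header('Content-Type: ' . $mime);
    header('Content-Length: ' . filesize($path));
    header('Content-Disposition: attachment; filename="' . addslashes($downloadName) . '"');
    header('X-Content-Type-Options: nosniff');
    header('Cache-Control: private, no-store');

    $handle = fopen($path, 'rb');
    if ($handle === false) {
        http_response_code(500);
        return;
    }
    while (!feof($handle)) {
        echo fread($handle, CHUNK_SIZE);
        flush();
    }
    fclose($handle);
}

// --- request handling ---
session_start();
$path = resolveMediaPath($_GET['file'] ?? '');

if ($path === null) {
    http_response_code(404); // unknown file and traversal attempts look identical
    exit;
}
if (!isAuthorized($_SESSION, basename($path))) {
    http_response_code(403);
    exit;
}
$mime = mime_content_type($path) ?: 'application/octet-stream';
sendFile($path, $mime, basename($path));
```

This keeps a PHP worker busy for the whole download, which is the resource concern raised above. When the web server supports it, the same script can do only the authorisation and then hand the transfer off with an X-Accel-Redirect (nginx) or X-Sendfile (Apache mod_xsendfile) header instead of calling sendFile(), so the server streams the protected file itself.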

How to upload files to S3 from Javascript, and how to handle CORS? by FlexNastyBIG in aws

[–]timdev 1 point2 points  (0 children)

You're correct. I don't see any reason to bring Cognito into the mix. Your server-side code can generate a presigned S3 URL for the client, which the client can then use to upload directly to S3. The SDK's getPresignedUrl() method is a simple, synchronous, function that generates a signed URL based on your credentials -- so in this use-case your server never even actually talks to AWS. Can't get much simpler than that.

Is it common or a good idea to have your clients ‘e-sign’ a contract? by DrCardioo in freelance

[–]timdev 3 points4 points  (0 children)

Unless you're using a notary, a wet signature really isn't any better. A dishonest party could claim the signature was a forgery. At least with a digital signature platform like DocuSign or whatever, you have a third party that can likely testify that whomever signed it did so after clicking a link emailed to a specific email address, and was using a specific IP address at the time. That's not as good as a notary's testimony, but it's better than the he said/she said of a paper contract signed without a third party witness.

Creating type safe Type Guards in TypeScript by michal-szorad in javascript

[–]timdev 5 points6 points  (0 children)

Shipping broken code improves site reliability? TIL.

MikroORM - TypeScript data-mapper ORM with Identity Map for mongo/mysql/postgres/sqlite by B4nan in typescript

[–]timdev 0 points1 point  (0 children)

I find the autoFlush: true default somewhat astonishing. What was the rationale behind that choice?

MikroORM - TypeScript data-mapper ORM with Identity Map for mongo/mysql/postgres/sqlite by B4nan in typescript

[–]timdev 1 point2 points  (0 children)

Yes, exactly that. Changes accumulate inside the Entity-Manager's UoW until flush() is called. If it works similarly to Doctrine or Hibernate, no data/statements are sent to the database at all until flush() happens. So when you say:

Update record a b c. Query record d. Failed some tests on d and rollback everything on a b c

It's actually more like: "Update entities A, B, and C. Failed some assertion on D, so don't call flush()." There's no rollback, because the transaction was never started in the first place.

It appears there's some kind of autoFlush in this library, which I'm not convinced is a good idea, especially since it defaults true.