I’m a little late in writing down some thoughts from my Friday at PHP Conference 2016. Fortunately the delay has given me even more to tell you about, as our progress with PHP marches on!
This post is a lightning overview of a couple of conference highlights we’ll be learning from, and our wider progress with PHP & related technology.
HTTP/2 is one of the most immediately applicable and magical recent advances in web development and Ole Michaelis’s whirlwind tour was a helpful reminder of the benefits.
20% of HTTP and 35% of HTTPS traffic is already using this protocol, and the vast majority of modern browsers can use it. We needn’t think of HTTP/2 as scary or bleeding-edge: it’s already battle tested.
The amazing thing about the protocol update is that by re-imagining something quite low-level, it’s fixed mistakes that have come to feel like a permanent part of the web. Some of the workarounds for these protocol failings are so embedded in how we build sites that they seem like intrinsically ‘best practice’ – well, not any more!
Image sprites. Asset concatenation. Domain sharding. They’ve all been the de facto way for years, but in the light of a better HTTP they reveal themselves to be temporary hacks. We can pretty much get rid of them all, right now!
It’s hard to overstate how much time this could save many developers and designers. Combining images into spritesheets, configuring complex build toolchains, and waiting for them to run: this can be tedious work. With HTTP/2 this can all be reduced or eliminated, freeing us up to do something more constructive.
We’ve got a solid approach to software security in our fundraising tool and across Comic Relief, but this is always a moving target. A key point that one of the talks reminded me of is that PHP 5.5 added some very smart new password helper functions. When used correctly, they can really future-proof your code even beyond what’s considered today’s best hashing algorithm – even if you never touch your code again.
This is neither brand new nor rocket science, but I suspect the details of password_needs_rehash() and its friends have been overlooked by a few long-time PHP’ers besides myself. I won’t repeat the basic use case as it’s been covered well elsewhere, but suffice to say it’s easy. And the best thing is that when used as intended, these functions will have your application automatically re-hash and save passwords incrementally, using whatever new algorithm a future PHP version deems safest, with no code changes from you. Safe.
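To make the “re-hash on login” pattern concrete, here is an added example (not code from the post or from Comic Relief) of the flow password_needs_rehash() is designed for. The in-memory user store, the usernames and the bcrypt cost of 12 are assumptions; the point is that the only moment an application holds the plaintext password is a successful login, so that is where the stored hash gets upgraded.

```php
<?php
// Added example, not from the original post: verify a stored password hash and,
// when password_needs_rehash() reports that it was made with an older algorithm
// or weaker options, replace it with a fresh hash. The "store" is a constructed
// in-memory array standing in for the application's real user database.

declare(strict_types=1);

// PASSWORD_DEFAULT tracks whatever algorithm the running PHP version considers
// strongest, so new hashes pick up future algorithms without code changes.
// The cost value is an assumption; tune it to your own hardware.
const HASH_ALGO = PASSWORD_DEFAULT;
const HASH_OPTIONS = ['cost' => 12];

function createUser(array &$store, string $username, string $password): void
{
    $store[$username] = ['hash' => password_hash($password, HASH_ALGO, HASH_OPTIONS)];
}

/**
 * Verify a login attempt. Returns true on success, false otherwise.
 * On success, upgrade the stored hash if it no longer matches current policy.
 */
function login(array &$store, string $username, string $password): bool
{
    if (!isset($store[$username])) {
        return false;
    }

    $hash = $store[$username]['hash'];
    if (!password_verify($password, $hash)) {
        return false;
    }

    // This is the only point where we hold the plaintext, so it is the only
    // point where a stronger hash can be produced. Save it back immediately.
    if (password_needs_rehash($hash, HASH_ALGO, HASH_OPTIONS)) {
        $store[$username]['hash'] = password_hash($password, HASH_ALGO, HASH_OPTIONS);
    }

    return true;
}

// Demonstration: simulate a legacy record by hashing with bcrypt at the minimum
// cost of 4 (constructed here to stand in for an old, weaker hash).
$users = [];
$users['alice'] = [
    'hash' => password_hash('correct horse battery staple', PASSWORD_BCRYPT, ['cost' => 4]),
];
$legacyHash = $users['alice']['hash'];

// A wrong password fails and must not touch the stored hash.
var_dump(login($users, 'alice', 'not the password'));
var_dump($users['alice']['hash'] === $legacyHash);

// A correct password succeeds and transparently upgrades the hash to cost 12.
var_dump(login($users, 'alice', 'correct horse battery staple'));
var_dump($users['alice']['hash'] !== $legacyHash);
var_dump(password_get_info($users['alice']['hash'])['options']['cost']);
```

Note that the check happens after password_verify(), never before: a failed login must leave the stored hash untouched, otherwise an attacker could force rehashing work or, worse, a write to the user record without knowing the password.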
Looking to the Internet more generally, one interesting resource highlighted in a PHP Conf talk is the Shodan search engine. It’s an open web search for finding connected devices on the ‘Internet of things’, searchable by a range of details – such as common security vulnerabilities that the devices exhibit. It’s a really powerful security inspection tool, for both good and evil actors – and a slightly chilling reminder that as it becomes ever easier to connect more devices together, security should never be a secondary consideration.
Our approach to containers and managing them is an open question when it comes to our newest projects, but Billie Thompson’s talk on Kubernetes at the Home Office – and containers more generally – was certainly food for thought. Some of the points about sharing tools for infrastructure management, and not reinventing the wheel per project, are of course as applicable to us as any large organisation writing software in-house.
It’s also interesting to see how far the Home Office is following the Government Digital Service’s strategy in publishing much of its software openly. We’ve already published a Gift Aid tool to try and help smaller charities keep up with new HMRC requirements – and we’ll hopefully be contributing more back to the open source community soon.
PHP for regression testing
Not covered by the talks I attended this time, but certainly an exciting development in CR’s use of PHP: Behat!
As work for Red Nose Day 2017 ramps up, our QA team are busy building a testing infrastructure that will move our core regression tests over to PHP, the language that most of our application code uses.
With the magic of Behat and Mink, we’ve already got useful tests running without too much time investment. Many common assertions are provided by Mink out of the box, reducing the amount of boilerplate needed to get common behavioural tests working.
And thanks to Behat taking inspiration from Cucumber and its executable test syntax, the move shouldn’t be a huge jump when looking at the tests themselves either. Specifications can be written in the same, human-readable language that works with BDD frameworks in other languages too.
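As an added illustration (not Comic Relief’s test code) of how little boilerplate this needs, here is a Behat context that leans on the assertions Mink already ships in MinkContext and adds one project-specific step. It assumes behat/mink-extension is installed and behat.yml points Mink at the site under test; the donation page URL, field names and CSS selectors are made up for the example.

```php
<?php
// Added example, not from the original post: a Behat FeatureContext built on
// Mink's MinkContext. The matching Gherkin scenario it supports would read:
//
//   Feature: Donation form
//     Scenario: A donor sees the amount they entered on the summary page
//       Given I have started a donation of 10 pounds
//       Then the donation summary should total 10 pounds
//
// Steps like "I am on", "I fill in" and "I should see" come from MinkContext
// for free; the two steps below simply compose them for readability.

declare(strict_types=1);

use Behat\MinkExtension\Context\MinkContext;

class FeatureContext extends MinkContext
{
    /**
     * Composite step: open the (assumed) donation page, enter an amount and
     * move on. Each call delegates to a step MinkContext already provides.
     *
     * @Given I have started a donation of :amount pounds
     */
    public function iHaveStartedADonation(string $amount): void
    {
        $this->visit('/donate');             // MinkContext::visit()
        $this->fillField('amount', $amount); // MinkContext::fillField()
        $this->pressButton('Continue');      // MinkContext::pressButton()
    }

    /**
     * Assertion step: reuse Mink's element text assertion rather than
     * writing DOM-walking code by hand. The selector is an assumption.
     *
     * @Then the donation summary should total :amount pounds
     */
    public function theDonationSummaryShouldTotal(string $amount): void
    {
        $this->assertElementContainsText('.donation-summary .total', '£' . $amount);
    }
}
```

Because the scenario text is plain Gherkin, the same feature file would be readable by, and largely portable to, a Cucumber-based suite in another language; only the step definitions in the context class are PHP-specific.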
More to come!
It’s a pretty exciting time for PHP. It may not be the trendiest language in 2016, but it’s easy to forget that at the language level, with the advances of PHP 7, most benchmarks seem to have it outperforming comparable dynamic languages by an order of magnitude.
PHP elephant picture by Manuel Baldassarri