I’m a little late in writing down some thoughts from my Friday at PHP Conference 2016. Fortunately the delay has given me even more to tell you about, as our progress with PHP marches on!

This post is a lightning overview of a couple of conference highlights we’ll be learning from, and our wider progress with PHP & related technology.


HTTP/2 is one of the most immediately applicable and magical recent advances in web development and Ole Michaelis’s whirlwind tour was a helpful reminder of the benefits.

20% of HTTP and 35% of HTTPS traffic is already using this protocol, and the vast majority of modern browsers can use it. We needn’t think of HTTP/2 as scary or bleeding-edge: it’s already battle tested.

The amazing thing about the protocol update is that by re-imagining something quite low-level, it’s fixed mistakes that have come to feel like a permanent part of the web. Some of the workarounds for these protocol failings are so embedded in how we build sites that they seem like intrinsically ‘best practice’ – well, not any more!

Image sprites. Asset concatenation. Domain sharding. They’ve all been the de facto way for years, but in the light of a better HTTP they reveal themselves to be temporary hacks. We can pretty much get rid of them all, right now!

It’s hard to overstate how much time this could save many developers and designers. Combining images into spritesheets, configuring complex build toolchains, and waiting for them to run: this can be tedious work. With HTTP/2 this can all be reduced or eliminated, freeing us up to do something more constructive.


We’ve got a solid approach to software security in our fundraising tool and across Comic Relief, but this is always a moving target. A key point that one of the talks reminded me of is that PHP 5.5 added some very smart new password helper functions. When used correctly, they can really future proof your code even beyond what’s considered today’s best hashing algorithm – even if you never touch your code again.

This is neither brand new nor rocket science, but I suspect the details of password_needs_rehash() and its friends have been overlooked by a few long-time PHP’ers besides myself. I won’t repeat the basic use case as it’s been covered well elsewhere, but suffice to say it’s easy. And the best thing is that when used as intended, these functions will have your application automatically re-hash and save passwords incrementally, using whatever new algorithm a future PHP version deems safest, with no code changes from you. Safe.

Looking to the Internet more generally, one interesting resource highlighted in a PHP Conf talk is the Shodan search engine. It’s an open web search for finding connected devices on the ‘Internet of things’, searchable by a range of details – like common security vulnerabilities which they exhibit. It’s a really powerful security inspection tool, for both good and evil actors – and a slightly chilling reminder that as it becomes ever easier to connect more devices together, security should never be a secondary consideration.


Our approach to containers and managing them is an open question when it comes to our newest projects, but Billie Thompson’s talk on Kubernetes at the Home Office – and containers more generally – was certainly food for thought. Some of the points about sharing tools for infrastructure management, and not reinventing the wheel per project, are of course as applicable to us as any large organisation writing software in-house.

It’s also interesting to see how far the Home Office is following the Government Digital Service’s strategy in publishing much of its software openly. We’ve already published a Gift Aid tool to try and help smaller charities keep up with new HMRC requirements – and we’ll hopefully be contributing more back to the open source community soon.

PHP for regression testing

Not covered by the talks I attended this time, but certainly an exciting development in CR’s use of PHP: Behat!

As work for Red Nose Day 2017 ramps up, our QA team are busy building a testing infrastructure that will move our core regression tests over to PHP, the language that most of our application code uses.

With the magic of Behat and Mink, we’ve already got useful tests running without too much time investment. Many common assertions are provided by Mink out-the-box, reducing the amount of boilerplate needed to get common behavioural tests working.

And thanks to Behat taking inspiration from Cucumber and its executable test syntax, the move shouldn’t be a huge jump when looking at the tests themselves either. Specifications can be written in the same, human-readable language that works with BDD frameworks in other languages too.

More to come!

It’s a pretty exciting time for PHP. It may not be the trendiest language in 2016 but it’s easy to forget that at language level, with the advances of PHP 7, most benchmarks seem to have it outperforming comparable dynamic languages by an order of magnitude.

We’ve finally got a stable package manager in Composer, better performance, and ever-improving interoperability across frameworks and components. Plus the flexibility and OOP features that we’re pretty used to by now. Especially as we move towards separate JavaScript front-ends and generally better scoped pieces in our web stack, PHP’s looking like a great choice for server-side development.

PHP elephant picture by Manuel Baldassarri

Written by Noel

I'm a developer at Comic Relief, working on the back-end of the platform that powers personal giving pages and event management.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: