Everything posted by NotionCommotion

  1. Thanks for your sound advice maxxd, I am still back and forth but more in your camp. I thought this blog was good as it tried to give perspectives of both approaches, but it ultimately recommended hard deletes. Definitely not saying it is right and would much appreciate your thoughts of their pros and cons. More importantly, any high-level recommendations (and maybe later low-level) on how to implement with PHP would be great.
  2. Thanks Strider. For some applications, I understand one can get in legal trouble for not hard-deleting the data (privacy, etc.). Not for my application and not over the top security as well. While adding a constraint on email and username/street/birthday/etc solves some of the constraint issues, wouldn't doing so prevent allowing users to sign in using just their email?
  3. I am working on a document management system where users that belong to a given organization can upload documents and tag them accordingly and then later retrieve them. Note that these documents are not owned by the individual users who uploaded them but by the organization. I am trying to decide whether I should push for one of the following business rules regarding the deletion of records:
       • Do not delete the data but tag them as deleted (soft-delete).
       • Actually delete the row from the table (hard-delete).
       • Move the deleted record to another table (moved-delete).
       • Maybe some other strategy?
     Under what conditions would you recommend having a business rule of one of the above? Some concerns/thoughts for each option:
       • Soft-Delete - How should unique constraints such as user's email and username be handled? I think a reasonable business rule is to make username unique for all time but not for email.
       • Hard-Delete - Foreign key constraints could be an issue. For instance, I currently have a non-NULL uploadedByUserId column. If an individual user uploads a document and that user is later deleted, I can't just delete the document because it wasn't the user's but the organization's. One option is to change it to nullable, but doing so isn't ideal, and there are other use-cases other than user-id which are not so simple. Or maybe the user is required to reassign all documents first so there will not be a constraint violation?
       • Moved-Deletes - Seems like it will have the same challenges with foreign keys as with hard-delete. If going this path, should one mirror the columns of each not-deleted and deleted table or serialize the data and save it as JSON in the deleted table?
     Any other general insight would be appreciated.
  4. Thanks requinix. I was previously using 5.1.19 and after upgrading to 5.1.21, no errors. Just curious but do you know why PHP reported "Unknown on line 0"?

        PHP Deprecated: Return type of APCUIterator::current() should either be compatible with Iterator::current(): mixed, or the #[\ReturnTypeWillChange] attribute should be used to temporarily suppress the notice in Unknown on line 0
  5. I upgraded a docker-compose package to use PHP 8.1, and the application still works but I get the following warnings.

        $ docker-compose exec php php -v
        PHP Deprecated: Return type of APCUIterator::current() should either be compatible with Iterator::current(): mixed, or the #[\ReturnTypeWillChange] attribute should be used to temporarily suppress the notice in Unknown on line 0
        Deprecated: Return type of APCUIterator::current() should either be compatible with Iterator::current(): mixed, or the #[\ReturnTypeWillChange] attribute should be used to temporarily suppress the notice in Unknown on line 0
        PHP Deprecated: Return type of APCUIterator::next() should either be compatible with Iterator::next(): void, or the #[\ReturnTypeWillChange] attribute should be used to temporarily suppress the notice in Unknown on line 0
        Deprecated: Return type of APCUIterator::next() should either be compatible with Iterator::next(): void, or the #[\ReturnTypeWillChange] attribute should be used to temporarily suppress the notice in Unknown on line 0
        PHP Deprecated: Return type of APCUIterator::key() should either be compatible with Iterator::key(): mixed, or the #[\ReturnTypeWillChange] attribute should be used to temporarily suppress the notice in Unknown on line 0
        Deprecated: Return type of APCUIterator::key() should either be compatible with Iterator::key(): mixed, or the #[\ReturnTypeWillChange] attribute should be used to temporarily suppress the notice in Unknown on line 0
        PHP Deprecated: Return type of APCUIterator::valid() should either be compatible with Iterator::valid(): bool, or the #[\ReturnTypeWillChange] attribute should be used to temporarily suppress the notice in Unknown on line 0
        Deprecated: Return type of APCUIterator::valid() should either be compatible with Iterator::valid(): bool, or the #[\ReturnTypeWillChange] attribute should be used to temporarily suppress the notice in Unknown on line 0
        PHP Deprecated: Return type of APCUIterator::rewind() should either be compatible with Iterator::rewind(): void, or the #[\ReturnTypeWillChange] attribute should be used to temporarily suppress the notice in Unknown on line 0
        Deprecated: Return type of APCUIterator::rewind() should either be compatible with Iterator::rewind(): void, or the #[\ReturnTypeWillChange] attribute should be used to temporarily suppress the notice in Unknown on line 0
        PHP 8.1.1 (cli) (built: Dec 18 2021 01:38:53) (NTS)
        Copyright (c) The PHP Group
        Zend Engine v4.1.1, Copyright (c) Zend Technologies
            with Zend OPcache v8.1.1, Copyright (c), by Zend Technologies

     Looking for the cause, I searched for "APCUIterator" and found very few occurrences. No return declaration on APCUIterator in the two PHP files and I don't think they are the cause. The binary files I think might be the issue as I do see "class APCUIterator implements Iterator{...}" but hard to tell as they are binary files and I don't really know what they do. Maybe that PHP says "Unknown on line 0"? Any suggestions? If the warning is caused by script maintained by others and I just want to wait for them to update it, is it possible to silence just this specific warning and ideally just for the specific files?

        $ grep -inr . -eAPCUIterator
        ./api/vendor/symfony/cache/Adapter/ApcuAdapter.php:97: return isset($namespace[0]) && class_exists(\APCuIterator::class, false) && ('cli' !== \PHP_SAPI || filter_var(ini_get('apc.enable_cli'), \FILTER_VALIDATE_BOOLEAN))
        ./api/vendor/symfony/cache/Adapter/ApcuAdapter.php:98: ? apcu_delete(new \APCuIterator(sprintf('/^%s/', preg_quote($namespace, '/')), \APC_ITER_KEY))
        Binary file ./api/vendor/phpstan/phpstan/phpstan.phar matches
        Binary file ./api/vendor/rector/rector/vendor/phpstan/phpstan/phpstan.phar matches
  6. I never used to and also didn't originally understand the point of doing so, but eventually came to appreciate how sprintf/printf offers some separation of concerns. I am sure it is personal choice but other reasons why I like to use them include:
       • Ability to format/pad/etc.
       • Consistency when working with associated arrays and multiple-dimension sequential arrays.
       • Ability to apply a function to the arguments, ability for arguments to be a method applied to an object, etc.
       • Reuse of templates.
       • Less troubleshooting values that need to be escaped.
       • Easier to read and less dinking around with presentation (once you get used to them!).
  7. Don't know whether more efficient or not from a processing perspective but using printf/sprintf will be more efficient from a your time perspective.
  8. There are also some existing libraries to meet this need: https://github.com/brick/money https://github.com/moneyphp/money
  9. I would try to minimize the number of PHP scripts which are publicly accessible and typically just have a single index.php in my public folder, and would locate header.php outside of the document root. This way, you don't have to add all those silly "if something is not defined, die not accessible". It also makes the paths easy to deal with relative url's to your client resources and you can hardcode them in your HTML if you wish.

        YourProject/
            public/
                index.php (routes to the appropriate part of the application)
                style/
                    custom.css
                js/
                    custom.js
                images/
                    custom.png
            src/
                YourClasses.php
            testing/
                test.php
            vendor/ (if you currently don't use composer, I recommend you learn about it)
            template/
            includes/
                header.php
            config/
                config.ini (or json, etc)
  10. I too do not understand what "complete cyber security mitigation" is and https://github.com/rectorphp/rector certainly is not, however, it may help you identify and revise some legacy or poorly written code and thus improve security.
  11. While not curated, I suppose I could build my own using https://www.iana.org/assignments/media-types/media-types.xhtml as a reference, or perhaps https://github.com/jshttp/mime-db will be a better starting point. It seems, however, that this would be a fairly common need in PHP applications and there would be some composer package which would be easier to maintain.
  12. Yes, I think so. Any suggestions on where to find one? Thank you, I was originally thinking differently, but now fully agree.
  13. There is both the Content-Length in the request header and the size value in $_FILES. Aren't they two separate things? My purpose is to allow a user (organization) to limit the types of files outside users can upload based on the software the user/organization has. Almost everyone has software for PDF's, various images, various Microsoft documents, etc, but there are also file types such as AutoCAD, various BIM formats, and others. ZIP archives will need to be supported to allow OpenDocument files and they add some complexity as they contain other files, but suppose they can be opened and inspected prior to saving. Regarding validating that the detected MIME type is consistent with the extension, seems like this is a common need and there would be some de facto standard opensource package but I haven't found it. Will have to give this one more thought... Guess I can store it but don't know what to do with it. When later providing the file for download, would I want to use this value or the detected value? What if two identical files were uploaded but with different clients and were given different MIME types? Would I return them with different MIME types?
  14. When a file is uploaded, $_FILES will be populated with the name, type, and size (which are all provided by the browser and in the body and not headers, right?) as well as the tmp_name and errors (which is presumably set by PHP). If browser provided size is different than what filesize() reports, should I care or just go with filesize()? What about similar question but for mime type? Some file types result in false positives such as the following and I will want to accept those as being valid, but should I reject them as being invalid if they are actually different? Regarding detecting these multiple valid mime types, is there a PHP function to do so or any good composer/etc packages? Also, I am thinking I should never bother saving the browser provided mime type because it is based on the individual browser and/or operating system the user happened to be using at the time, agree?

        printf('extention: %s type: %s (provided) %s (fileinfo) FILEINFO_EXTENSION: %s<br>'.PHP_EOL,
            pathinfo($_FILES['expenseFile']['name'])['extension'],
            $_FILES['expenseFile']['type'],
            (new \finfo(FILEINFO_MIME_TYPE))->file($_FILES['expenseFile']['tmp_name']),
            (new \finfo(FILEINFO_EXTENSION))->file($_FILES['expenseFile']['tmp_name'])
        );

        extention: csv type: application/vnd.ms-excel (provided) application/csv (fileinfo) FILEINFO_EXTENSION: ???
        extention: gz type: application/x-gzip (provided) application/gzip (fileinfo) FILEINFO_EXTENSION: ???
        extention: js type: text/javascript (provided) text/plain (fileinfo) FILEINFO_EXTENSION: ???
        extention: css type: text/css (provided) text/plain (fileinfo) FILEINFO_EXTENSION: ???
        extention: yaml type: application/octet-stream (provided) text/plain (fileinfo) FILEINFO_EXTENSION: ???
        extention: ini type: application/octet-stream (provided) text/plain (fileinfo) FILEINFO_EXTENSION: ???

     There is also the issue of having file extensions that matches the actual file type and I wish to reject those that do not. finfo's FILEINFO_EXTENSION constant provides solutions for some but very few at least with my version of magic.mime database. Any good approaches or 3rd party packages that can manage this?

        extention: ods type: application/vnd.oasis.opendocument.spreadsheet (provided) application/vnd.oasis.opendocument.spreadsheet (fileinfo) FILEINFO_EXTENSION: ods
        extention: png type: image/png (provided) image/png (fileinfo) FILEINFO_EXTENSION: png
        extention: jpg type: image/jpeg (provided) image/jpeg (fileinfo) FILEINFO_EXTENSION: jpeg/jpg/jpe/jfif

     Thanks!
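
Added example, not part of the post above and not from any package it mentions: one way to check an upload against a per-extension allow-list of fileinfo-detected MIME types, so that several detected types can be valid for one extension. The function name `validateUpload`, the `ALLOWED_UPLOADS` map and the size limit are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed allow-list (an assumption for this example): extension => the
// fileinfo-detected MIME types accepted for it. Several entries reuse the
// detected values shown in the post's output.
const ALLOWED_UPLOADS = [
    'csv'  => ['application/csv', 'text/csv', 'text/plain'],
    'gz'   => ['application/gzip', 'application/x-gzip'],
    'png'  => ['image/png'],
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'ods'  => ['application/vnd.oasis.opendocument.spreadsheet'],
];

/**
 * Validate one $_FILES entry using only what the server can observe itself.
 * Returns [extension, detected MIME type, size in bytes]; throws on rejection.
 */
function validateUpload(array $file, int $maxBytes, array $allowed = ALLOWED_UPLOADS): array
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed with error code ' . ($file['error'] ?? 'none'));
    }
    $tmp = (string) $file['tmp_name'];
    if (!is_uploaded_file($tmp)) {
        throw new RuntimeException('Not a file received through HTTP POST');
    }
    // Measure the temp file on disk; the client-declared type is never consulted.
    $size = filesize($tmp);
    if ($size === false || $size === 0 || $size > $maxBytes) {
        throw new RuntimeException('File is empty or larger than the limit');
    }
    // The extension only selects which detected types are acceptable.
    $ext = strtolower(pathinfo((string) $file['name'], PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        throw new RuntimeException("Extension '$ext' is not on the allow-list");
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmp);
    if ($mime === false || !in_array($mime, $allowed[$ext], true)) {
        throw new RuntimeException("Detected type '$mime' is not accepted for .$ext");
    }
    return [$ext, $mime, $size];
}

// Usage in a request handler (field name taken from the post's snippet):
// [$ext, $mime, $size] = validateUpload($_FILES['expenseFile'], 10 * 1024 * 1024);
```

Storing the returned detected type alongside a server-generated file name gives a value for the later download response that does not depend on which client uploaded the file.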
  15. Thanks again kicken, I thought that php-fpm brought some unique differences but maybe not.
  16. Thanks kicken, I removed all the settings I showed for the pool and just used Apache's Timeout and it worked perfect. May I ask what, if any, is the difference between using ini_set ('max_execution_time', '120') and set_time_limit(120)? Also, I have found that some settings must be made by editing the pool while others are set by php.ini and/or php commands such as ini_set() and set_time_limit(). Is there any general categorization which dictates which must be defined where?
  17. When making a request from the browser, I get a 503 Service Unavailable after exactly 60 seconds, however, I see that PHP is still executing the script. I first tried the following without success. Curiosity question - What is the difference between these two lines?

        ini_set ('max_execution_time', (string) $container['maxTime']);
        set_time_limit($container['maxTime']);

     I then tried making the following changes to my default pool /etc/php-fpm.d/www.conf, but still defaults at 60 seconds. Note that the only reason I added default_socket_timeout is that it is the only item displayed with a value of 60 by phpinfo() and was just hoping.

        request_terminate_timeout = 120
        ;max_execution_time=120 ;results in error
        php_value[max_input_time] = 120
        php_value[max_execution_time] = 120
        php_value[default_socket_timeout] = 120

     Any ideas? Thanks
  18. Start by looking at phpinfo(), /etc/php.ini (or whatever on windows), and your php fpm settings if used. If no culprits, maybe your web server? Also, I often do reality checks such as the following.

        printf('filesize: %s copy(%s, %s)<br>'.PHP_EOL, filesize($source . $file), $source . $file, $destPath . $file);
  19. Ah, got it! The above also says the same, and the datetime string can contain the timezone and nothing says that it needs to contain more. Not a bug, not incomplete documentation (but a little ambiguous), but my misunderstanding. Thank you for your clarification. My initial thought was to first use DateTime and then validate against false positives, but I cannot disagree with your position and will most likely do as you recommend.
  20. I don't know the format, and while I could guess using the most common and likely be correct, I would rather not need to duplicate PHP's guessing algorithms. Maybe I only confirm that it has either a hyphen or forward slash will be enough. Not sorry happy it is documented, but I still don't see it. The first parameter is datetime - A date/time string. Valid formats are explained in Date and Time Formats, and can also be null, "now", and probably a few other things. The second parameter is timezone - A DateTimeZone object representing the timezone of $datetime. Where does it say that if datetime is omitted, then the timezone is accepted by the first parameter?
  21. Thanks Barand, I will need to take this "feature" into account. I have an array created from a CSV file and wish to identify all records where a given cell has a date in it (and not "ROC", etc). I came up with the following, but it is not impervious to "next weekday". Think I will need to also add some regex check?

        protected function getDateTime(string $input): ?DateTimeInterface
        {
            $input = trim($input);
            if (!$input || strtolower($input) === 'now' || $input[0] === '@') {
                return null;
            }
            try {
                $dt = new DateTimeImmutable($input);
                if ($input === $dt->getTimezone()->getName()) {
                    // Don't accept timezones as a date.
                    return null;
                }
                return $dt;
            } catch (\Exception $e) {
                return null;
            }
        }
  22. I know that DateTime and its OOP and procedural cousins can accept as their first argument a date string of multiple formats, an at sign followed by an integer, "now" in either lower or uppercase, and either null or an empty string which has the same effect as "now". I was surprised, however, when I received a valid date using new Datetime('ROC'). Upon further research, found this is the time zone for Taiwan, and strings such as "utc" or "America/Shiprock" will return a valid DateTime object as well. Is this to be expected?
  23. Thanks Kicken, I was rather surprised about not being able to do so, and based my understanding on this stackoverflow post and the fact that the PHP interface document doesn't include the word "static" and the PHP static documentation doesn't include the word "interface". After looking at the post again, I see that the last comment said it was all bunk.
  24. Sorry, didn't mean to imply that you only provide simple code (which is obvious since you know about that setAccessible black magic!). I do know a guy, however, that is in charge of what was the largest BSL4 lab at the time, and he definitely believed in KISS. I ended up going with an interface and it worked perfectly. Later, a new requirement came up where I needed similar information but before the object had been instantiated. Given this new requirement, would you consider using attributes? Not positive, but I don't think interfaces support static methods. If not, under what circumstances would you use attributes? Thanks
  25. Okay, I won't, but purely out of curiosity, how would one make it work without needing to publicly expose them or use hackish getters? Thanks, will think twice before considering reflection and not be swayed by all those frameworks that depend on them. Yep, forgot about the dang name. Don't need it, however, because it is either a ProjectStage or NULL, but still... Boring, but simple and easy to maintain. You a proponent of KISS?