Fast and secure Composer for PHP dependencies

I am going to introduce you to two small tweaks that will help you use Composer. Every PHP developer should know Composer – it’s a really useful tool for managing dependencies in your PHP projects. But it’s not perfect as is. Composer is really slow (and sometimes consumes a lot of memory). You can fix this by installing prestissimo. Just run this command:

composer global require "hirak/prestissimo:^0.3"

Your Composer is as fast as hell now, but there is one other thing. You may install libraries with known security bugs and you are not going to be notified about it. That’s probably not what you want at all. And we can fix that as well.

You may use the security advisories by Friends of PHP (developed by Fabien Potencier / Symfony). This is a pretty great tool, but you have to download it and run the security checker to check whether your composer.lock contains any libraries with security vulnerabilities. It’s not a problem to hook this action into a pre-commit hook in GIT, but I think it’s not really comfortable. I am using Roave Security Advisories and I recommend you use this library too.

This package should not be installed globally, so you have to add it as a requirement in every project where you want to use it:

composer require roave/security-advisories:dev-master

From then on it won’t let you install a library with known vulnerabilities, and that’s exactly what you want. It will look like this:

7 tools every PHP developer should know

GIT | Bitbucket | GitHub

“Distributed revision control and source code management system” is how Wikipedia describes GIT. GIT is a powerful tool that lets you version your code and much more (for example deployment – try it and you’ll love it).

Bitbucket and GitHub are web-based hosting services for your repos. Bitbucket gives you an unlimited number of private repos (for up to 5 users) and GitHub is mostly used for open-source projects (public repos), so you can find almost every piece of source code you need there.

Do you still use Subversion? It’s time to give GIT a try. Not versioning your files at all? You should start with GIT right away!

FTP | Filezilla

GIT deployment is totally cool, but there are situations where you can’t use it. For those moments there is Filezilla – a great FTP client supporting Linux and Windows. Go ahead.

IDE | PhpStorm

Of course you are going to need an IDE, and in my opinion the best one is PhpStorm. For a reasonable price you get a kick-ass tool. It integrates GIT, an FTP client and a terminal, so you really don’t need to switch to other apps during development. Really worth a try.

Framework | Nette Framework

There are a lot of PHP frameworks. You probably know Symfony or Zend, but the slickest one is a not so widely known framework called Nette. If nothing else, you should at least check out Tracy (debugging tool), Tester (you do write tests, right?) or Latte (amazing template engine).

Tracy in action

Dependencies | Composer

You don’t know Composer? Then how do you maintain your projects’ libraries? Go for it right now. This is the future of PHP development.

Hosting | Digital Ocean

If you are maintaining a lot of web apps or websites you should consider buying a VPS, simply because it’s cheaper and you have the whole environment under your control. There’s no problem with an old PHP version, PHP is set up the way you want it, and you can set up GIT deployment.

I recommend trying Digital Ocean – it runs on SSDs and the servers are really fast and surprisingly cheap. Starts at $5/month and scales simply.

Server & Database | Nginx + Postgresql

You are probably familiar with Apache (web server) and MySQL. Check out MariaDB (a MySQL fork, compatible for now) – it might be a better match for your projects. Anyway, there’s a lot of great stuff among web servers too. Earlier this year I was trying Lighty (lighttpd) but after all, nginx looks like true love to me and I am trying to use it for all projects from now on. Why? It saves me a lot of server resources and it’s highly configurable.

And last but not least, PostgreSQL. MySQL is great, but not compared to PostgreSQL. If you need to work with JSON or geodata and still want to use an object-relational database, this is the one.

Summary

A lot of interesting tools were mentioned above, but there are still a lot of them out there. Share your favorite tools in the comments. I’m really looking forward to your opinions.

 

GIT deployment for PHP apps

I would like to describe how I set up my VPS for GIT deployment. Needless to say, you will need a VPS; I recommend Digital Ocean. Cheap, fast (SSD) and simple to manage. I use Debian on my servers; if you have experience with another distro, simply use that.

I am developing in PHP (all right, I am developing with the Nette framework) and a while ago I was pissed off about all the FTP deployment (it’s a pain in the ass), so I decided to use something more efficient. And discovered GIT deployment.

As I mentioned in another post I use Lighty + PHP + MySQL, but if you are running LAMP it makes no difference. Because I’ve got multiple domains, I created these directories:

/home
  /domains
     /vyvazil.eu
        /git
        /ssl
        /web
           /subdomains
               /blog
               /www
     /another.tld

I store GIT repositories in

/var/git/repo.git

I access GIT repos via SSH. There was a little problem (I work on Windows) because TortoiseGit (GIT client) didn’t accept my private key, so I had to convert it to the correct format using puttygen.

You will have to set up hooks for deployment. For simple deployment, post-receive will do. There are more examples in the hooks directory if you are interested, and I will post more about hooks too; for now we just create post-receive (it will be executed after a push is received):

nano /var/git/vyvazil.eu.git/hooks/post-receive

And write your desired script. My script is really simple: first it does a checkout to /home/domains/vyvazil.eu/git. Then it rsyncs the data to the www root. I use --delete, but be careful: if you have something on a subdomain, it will be deleted (like the WordPress installation I run on the blog subdomain). Use it wisely.

And of course it clears the temp folder used by Nette (for caching, etc.) and creates the temp and log folders if they don’t exist. The real script is much more complex (I actually update database tables using hooks, and much more), but I just wanted to show you the simple way to use it. So here is the actual post-receive:

#!/bin/sh
#
# POST RECEIVE SCRIPT

# variables
domain="vyvazil.eu"

# checkout
GIT_WORK_TREE=/home/domains/$domain/git git checkout -f

# rsync deploy
rsync -arvx --delete /home/domains/$domain/git/ /home/domains/$domain/web

# check if temp exists and create it if not
if [ ! -d "/home/domains/$domain/web/temp" ]; then
        mkdir /home/domains/$domain/web/temp
        chmod -R 777 /home/domains/$domain/web/temp
fi

# delete temp
rm -rf /home/domains/$domain/web/temp/*

# check if log exists and create it if not
if [ ! -d "/home/domains/$domain/web/log" ]; then
        mkdir /home/domains/$domain/web/log
        chmod -R 777 /home/domains/$domain/web/log
fi
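A hardened version of the hook above, as an added example rather than the author’s script: it keeps the same directory layout and domain, but quotes every path, excludes the subdomains, temp and log directories from rsync’s --delete so a deploy cannot wipe the blog, keeps .git out of the web root, and replaces chmod 777 with a setgid directory owned by the web server group (the group name www-data is an assumption).

```shell
#!/bin/sh
# Hardened post-receive hook (added example, not the author's script).
# Assumed layout, as on this page: staging work tree /home/domains/$domain/git,
# web root /home/domains/$domain/web. Assumed group "www-data" is shared by
# the deploy user and the web server (placeholder; adjust to your server).
set -eu

domain="vyvazil.eu"
base="/home/domains/$domain"
web_group="www-data"

# Runtime dir writable by the web server group only, setgid so new files
# inherit the group. No world-writable 777 as in the original hook.
ensure_runtime_dir() {
    [ -d "$1" ] || mkdir -p "$1"
    chgrp "$web_group" "$1" 2>/dev/null || true   # group may be absent on a dev box
    chmod 2770 "$1"
}

# Clear Nette's cache with a quoted path; rm -rf $x/* on an empty
# variable would otherwise expand to rm -rf /*.
prepare_runtime_dirs() {
    ensure_runtime_dir "$1/temp"
    ensure_runtime_dir "$1/log"
    find "$1/temp" -mindepth 1 -delete
}

# Copy the checked-out tree into the web root. --delete stays, but the
# paths the hook must never wipe (subdomains, temp, log) are excluded,
# and .git never lands under the document root.
sync_release() {
    rsync -a --delete \
        --exclude='.git/' --exclude='subdomains/' \
        --exclude='temp/' --exclude='log/' \
        "$1/" "$2/"
}

deploy() {
    GIT_WORK_TREE="$base/git" git checkout -f
    sync_release "$base/git" "$base/web"
    prepare_runtime_dirs "$base/web"
}

# Run only when git invokes this file as hooks/post-receive, so the
# functions can also be sourced and tested elsewhere.
if [ "${0##*/}" = "post-receive" ]; then
    deploy
fi
```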

Make sure that the script is executable and that its permissions are set up right, and let’s deploy.

What solutions do you use?