It’s not as big a move as it sounds. I can still get to Boston in 45 minutes if traffic permits me. Plus I have all the fresh air, hiking, biking, and great restaurants I want.

But it is a huge move in terms of developer community. I find myself routinely driving to Boston for the always great Boston PHP meetup but most other meetups I dropped entirely because I can’t justify the commute.

I have yet to meet a single PHP developer in New Hampshire. I know they exist, they are just very difficult to find! Developers need to network and mingle with like-minded people and share ideas too. The business and marketing people can’t have all the fun.

There is a growing start-up scene in New Hampshire, in no small part thanks to organizations like abi Innovation Hub in Manchester — where my company currently has it’s office — and New Hampshire based companies like Dyn (yes, that Dyn).

In fact Startup New Hampshire just joined forces with Startup America. But the infrastructure of developer meetups and community that you get in established tech hubs isn’t there yet. Unless I missed it or it is hiding in the bushes waiting to pounce. A search of Meetup.com finds a bunch of business, marketing, and recreational meetups but only a handful of tech meetups. Some of which are ghost towns.

That has to change. And I might as well be the one to try to change it. I’m not sure if this will work but I’ve taken some of my own money and started a Meetup group. That’s right, I upgraded to an organizer account on Meetup.com, registered a domain name, and drew a fun logo that looks strangely like the PHP elePHPant only it is a moose (because… you know… New Hampshire). This is serious stuff.

And I encourage other people to do the same with their own favorite technologies. Well, except the blue moose logo part, it only makes sense for PHP anyway since the PHP mascot is an elephant.

Now all I need is members. Lots of them so that I can attract great guest speakers.

If you or someone you know is in New Hampshire and is a PHP developer (or even just a general web developer) let them know about the new meetup group at www.NewHampshirePHP.org.

Once I get 10 members I will start finding a venue and sponsors for the first event. I’ll do my best to make it a fun and worthwhile for everyone involved.

It started with one question:

Print numbers from 1 to 1000 without using any loop or conditional statements. Don’t just write the printf() or cout statement 1000 times.

How would you do that using C or C++?
Source: Stack Overflow

My favorite answer was an amazing example of obscure C. Using math to iterate between two function pointers (printf and exit). And while it brought back memories of my C days, I kind of left it at that.

Later in the day, one of my co-workers messaged me with his version of a 1-1000 iterator in PHP. So naturally, I had to write my own version.

Remember the rules: no control loops and no conditionals.

I hammered out a quick example using an array to simulate the pointer technique used in my favorite C-language solution. It was 10 lines of code. I managed to break it down to one function call:

call_user_func( $x = function( $f, $i=1 ) {
  echo "$i\n", $f[floor($i/1000)]($f, ++$i);
}, array( $x, function(){} ));

Try it. Assuming that you have PHP 5.3 for the lambda functions, it will work. Now to break down why it works:

The call_user_function call takes a callback as the first parameter and passes all subsequent parameters directly to the callback. A callback in PHP can be a string, array, or lambda function. I’m using the later here.

My lambda function takes two parameters. An array and a counter. If the counter is not specified it will default to one. The trickier part is the array. In this case it is an array of functions. My function is recursive so the array needs to reference it. By taking advantage of the left-to-right nature of PHP, I am assigning the function to the variable $x prior to the array being constructed.

Now, inside my function I am echoing the value of $i and the return value of the recursive function (which is undefined… it’s just a little cheat to keep it on one line).

Now to break down the second parameter to the echo.

It looks up a function in the array that is passed in. Remember, the array contains only one value (the function itself) two values (the function itself and an empty “exit” function). It uses the floor of $i/1000 as the array index. Which means that the value will be 0 until $i is equal to 1000. Then it passes in the array and the counter. Remember that if the “++” is before the variable then the increment will happen prior to the enclosing function being called.

When the index does hit 1, there will be an error. I suppressed that using the “@” operator it will call the empty function. At this point the recursion ends.

And we’re done.

Benchmarks (added March 15th)

This is obviously meant to be a thought exercise and not a practical thing to do in a real-world application but I thought it might be fun to run some tests against a normal loop. I upped the loop to 1,000,000 to make things more interesting. Here is my test code:

<?php

ini_set('memory_limit', '1000M');
const COUNT = 1000000;

$t1 = 0;
$t2 = 0;

$s = microtime(true);

call_user_func( $x = function( $f, $i=1 ) {
  echo "$i\n",  $f[floor($i/COUNT)]($f, ++$i);
}, array( $x, function(){} ));

$t1 = microtime(true)-$s;

$s = microtime(true);

for ( $i=0; $i<COUNT; $i++ ) {
  echo "$i\n";
}

$t2 = microtime(true)-$s;

echo 'Recursive: '.number_format($t1,2)."s\n";
echo 'Loop: '.number_format($t2,2)."s\n";
?>

The results:

Recursive: 6.38s
Loop: 5.28s

Not to mention that every recursive call needs to add the current state to the stack. Which is why the memory limit is increased the the beginning of the script. So clearly it is impractical. However, I’m actually a little surprised that the results are as close at they are.

I’ve seen a number of blog posts floating around today about GMail Desktop Notifications (here, here, here, here and here — did I miss anyone?). I tried them out myself and they are very useful. Being a rich web applications developer I, of course, wanted to figure out how it works and how I could use it for my own apps. Here’s a quick overview of what I found.

There is a proposed web notification standard over at the W3C that Google submitted earlier this month (you can find it on the W3C site) but from what I can tell, that draft isn’t implemented in any browsers (including Google Chrome!). But you can get desktop notifications today without the need for any third-party browser extensions, if you’re using Google Chrome. You can find the documentation over on the Chromium developer site. The rest of this post is a collection of quick examples I put together for using notifications:

Checking for permission

It is pretty easy to check to see if the user has allowed notifications for your website. The first example displays an alert depending on the permission level.

switch ( webkitNotifications.checkPermission() )
{
  case 0: // PERMISSION_ALLOWED
    alert( "Permission: allowed" );
    break;
  case 1: // PERMISSION_NOT_ALLOWED
    alert( "Permission: not allowed" );
    break;
  case 2: // PERMISSION_DENIED
    alert( "Permission: denied" );
    break;
}

Try it: Check Permission

Unless you skipped ahead and tried the next bit of code, the answer is “No” my site doesn’t have permission to display notifications.

Requesting Permission

So before we do anything we need to ask for permission.

This method will only work when responding to a user gesture. Which means you can call it as a direct response to an action taken by the user; but you can’t call it (for example) on the response to an Ajax function. So if you wanted to call it when your Ajax call returns or when a timer fires, you’re out of luck. You need to request permission before then.

webkitNotifications.requestPermission();

Try it: Request Permission

Creating and Showing Notification

Notably, showing a standard browser alert dialog when permission is denied is a terrible user experience. Don’t do that! This is just for demo purposes.

if ( webkitNotifications.checkPermission() == 0 )
{
  var iconImageUrl = "http://www.example.com/foo.png";
  var title = "Hello World";
  var subTitle = "This is a sample desktop notification."

  var notification = webkitNotifications.createNotification( iconImageUrl, title, subTitle );
  notification.show();
}
else
{
  alert( "Please request permissions first." );
}

Try it: Show Notification

The new notification looks something like this (for those of you not using Chrome and want to see what I am talking about):

Example Notification (Google Chrome on OS X)

Creating and Showing an HTML Notification

You can also create a notification by passing in a URL.

if ( webkitNotifications.checkPermission() == 0 )
{
  var url = "http://www.example.com/notification.html";
  var notification = webkitNotifications.createHTMLNotification( url );
  notification.show();
}
else
{
  alert( "Please request permissions first." );
}

Try it: Show Notification

At first this seems like a terrible idea. It could be yet another way to have annoying advertisements pop up on a site. But it’s not as bad as it sounds since the user has to explicitly allow the notifications and they can be turned off at any time.

One Final Example

Now, you probably don’t want the notification to pop up and stay there forever. So, you can auto-hide it using a timer.

if ( webkitNotifications.checkPermission() == 0 )
{
  var iconImageUrl = "http://www.example.com/foo.png";
  var title = "Hello World";
  var subTitle = "This is a sample desktop notification."

  var notification = webkitNotifications.createNotification( iconImageUrl, title, subTitle );
  notification.show();
  setTimeout( function() { notification.cancel() }, 10000 );
}
else
{
  alert( "Please request permissions first." );
}

Try it: Show Notification

Wrapping it Up

I hope someone found this useful. If you do anything cool with this library please let me know in the comments.

Note: this is an experimental API that only works in Google Chrome right now. The API may change at any time and may be different when other browsers decide to implement similar functionality. Use with caution. Always check to make sure window.webkitNotifications !== undefined.

Here are few things I want to improve:

First, and I’ve been saying this for a while, I need to start blogging more. This post is a okay start but I want to finish my initiative that I start back in December. Which is to to break the site up into code in business and to post in each of those categories at least once a month. Once I get there, I can see where it goes.

Second, I’m going to start replying to more e-mails. This may seem like a no-brainer but I haven’t been in the habit of replying to e-mails that aren’t urgent or work related. So a lot of e-mails and the going unanswered. I want to change that.

Third, I want to participate more in the open source world. I work for start up so it’s difficult to find any time to work on open-source projects, but I imagine I can find a little time here and there and I want to all get a bit more involved with the community. I believe open source is fundamental to innovation and I think I can make some valuable contributions.

Fourth, and this is really my only non-tech related goal, I want to be more active in my life. Being a software engineer it’s sometimes easy to get into a rut where you’re just sitting at a desk 12+ hours a day staring at a computer screen. It’s clearly not the most healthy thing in the world. So my final resolution is to get out and be more active on both in the community and also in a more traditional sense (exercising, eating right, etc.).

Usually don’t like to post about my personal life but I want to get this out there for everybody to see. Maybe it will provide a bit of motivation. I know that some of you out there will start nagging me if I fall behind (thank you for that). And finally I wish you all the absolute best in this new year and with everything you do.

I was inspired by a question that I was asked on Twitter to write a quick code snippet.

As you may know, set_error_handler can be used to set a custom error handler in PHP. It will catch any errors that happen in the script (with a few notable exceptions). If the function returns false then error handling resumes as normal; otherwise it is assumed that the custom handler took care of things. The problem is that you can only have one error handler active at one time. The purpose of this code is to provide a error handeling stack for PHP.

Using this code you can have more than one error handler while taking advantage of the set_error_handler function.

Because this example uses closures, it will only work in PHP 5.3 or newer.

function push_error_handler( $error_handler, $error_types = 32767 )
{
  $old_callback = null;

  $callback = function( $errno, $errstr, $errfile, $errline, $errcontext )
  use ( &$old_callback, $error_handler )
  {
    $result = call_user_func($error_handler, $errno , $errstr, $errfile, $errline, $errcontext);

    if ( $result === false && $old_callback != null )
      return call_user_func( $old_callback, $errno , $errstr, $errfile, $errline, $errcontext );

    return $result;
  };

  $old_callback = set_error_handler($callback, $error_types);
}

Let’s see it in action:

function test1( $a, $b, $c, $d, $e ) { echo "Test 1 -- "; return false; }
function test2( $a, $b, $c, $d, $e ) { echo "Test 2 -- "; return false; }
function test3( $a, $b, $c, $d, $e ) { echo "Test 3 -- "; return false; }
function test4( $a, $b, $c, $d, $e ) { echo "Test 4 -- "; return false; }

push_error_handler( 'test1' );
push_error_handler( 'test2' );
push_error_handler( 'test3' );
push_error_handler( 'test4' );

trigger_error('testing');

The output is:

Test 4 -- Test 3 -- Test 2 -- Test 1 --
Notice: testing in /Users/andrew/recursive_error_handler.php on line 32

It is worth a closer look. First we initialize a variable that will be needed by the closure later on. Then we define the closure (which will be our actual error handling function) and register it as the error handler. The function set_error_handler returns the old handler which we then assign to the variable that we created earlier. We also return the old handler to keep compatibility with the normal set_error_handler.

The closure itself calls the new error handler. If the handler returned false (resume error handeling) then we call the previous error handler (if there was one). We also make sure to pass the error code and the old callback function into the closure. It is important that the old callback is passed by reference (note the “&”).

If you want to learn some more, here are some handy links:
PHP Manual for set_error_handler and anonymous functions and closures.
My book, Expert PHP and MySQL, also talks about closures in depth starting on page 78.

Note: this method only works if almost all the error handlers in the application use this or a similar method. Otherwise the chain will be broken. I say “almost” because the first registered error handler doesn’t have to worry about calling the previous handler since there isn’t any at that point.

When conference day two roles around you’ll be able to find all my presentation notes here and I will be uploading the slides as well.

As you may know, I will be talking on API Development with CakePHP. It is a complex topic so my presentation won’t be the end of it, I will be adding additional information over time. So I hope that you subscribe to me via RSS.

Happy coding!

This article covers the concepts of authentication and authorization.

Authentication is knowing who the logged in user is. Authorization is knowing what the user can and can’t do and can be as easy as checking that the user ID in the database matches the user ID of the authenticated user. It can also be as complex as Access Control Lists, social graphs, and multi-moderator systems. Either way it needs to be taken care of. Very few things are more devastating than when a malicious user finds that all you have to do to edit another user’s data is to change the value of a POST variable or all you need to do to access someone’s private photos is to change a URL. Do either of those two cases sound familiar?

Thinking like a hacker

If I were to try to exploit this feature: how would I go about it?
you, every time you write code (hopefully)

Let’s start by looking at a imaginary site that makes an Ajax request to delete a resource via a RESTful API. The HTTP request probably looks a bit like this:

POST /resources/1234.json HTTP/1.1
Host: www.example.com
Content-Length: 14

_method=DELETE

Now, make the assumption that you can find the ID of any resource on the system. This could be because it is exposed in a “view” URL or it could be that it is returned in an API call for search. Either way, assume that if it exists a hacker can find it either by design or through flaws in the code. Never assume primary keys are a secret. The next step is to find an ID of a resource not owned by the hacker (in this example: 5678) and to go the command line (assuming cURL is installed on your system):

curl -d "_method=delete" http://www.example.com/resources/5678.json

Curl doesn’t share cookies with the web browser so if that call succeeded and record 5678 was actually deleted then the application is not checking to see if the user is authenticated. There is no need to go any further, you’ve already found a devastating exploit. If this is your application (I hope that you aren’t using this article to try to hack other people’s apps!) it is time to go back to the code, add a check to make sure that the user is logged in. Then come back here to read on.

If the call didn’t work then it is time to try to delete the resource as an authenticated (but hypothetically not authorized) user:

curl -d "username=you&password=abcdefg" -c "cookies.txt" http://www.example.com/login/
curl -d "_method=delete" -b "cookies.txt" http://www.example.com/resources/5678.json

The first line authenticates the user and stores the cookies. The second line tries the delete method again with the new cookies. Make sure to replace all the appropriate variables and URLs in all of these examples. If all went well bad the resource 5678 should now be deleted. If that happened then the application needs to check for authorization as well as authentication.

The same concepts can be applied to viewing, editing, and creating resources. This article uses cURL but there are numerous other ways of spoofing Ajax and API requests, including injecting Javascript into the browser and writing a PHP / Perl / Ruby / Python / etc. script to do it.

One thing to watch out for is any request that takes the user ID as a parameter. It should raise a red flag. Whenever possible, get the user ID from the currently authenticated user. I once saw a password vault web application that returned the entire password list from a SOAP call given only the user ID. Just so you are sufficiently mortified, I’ll rephrase it: I could enter in any user’s ID and get back a list of passwords for other sites on the Internet (including Google). Don’t let that happen to you!

Taking care of business

Addressing the problem takes as much thought and planning then actually technical know-how. Imagine a user for each role (resource owner, administrator, moderator, customer support, friend of the user — if you are a social network — etc.) then ask three questions:

1. User X can/can’t view resource Y because…
2. User X can/can’t edit resource Y because…
3. User X can/can’t delete resource Y because…

Then for each of those, check to make sure the code reinforces that statement. It is also a good idea to give these stories to the testers and have them try to break your code. And remember: the authentication system tells you WHO the user is and authorization system tells you WHAT actions the user can perform.

How complex a system you need for authorization depends on your application. It can range from one-off code to full-featured generic systems that can be used for any type of resource imaginable. Social networks are the most complicated of the bunch because authorization often depends on a personal relationship with the user requesting access to the resource. The simplest form of authentication is:

if ( $user->id != $resource->owner_id )
  throw new Exception("Access denied");

Or if your application is a social network and you give friend’s access to resources:

if ( $user->id != $resource->owner_id && !$user->isFriendsWith($resource->owner_id) )
  throw new Exception("Access denied");

For a more robust system you’ll probably want to implement an Access Control List (ACL). An ACL at its core is just a mapping of users to resources. For example: Joe has view, edit, and delete access to resource 1234.

More advanced access control lists also have groups (called “roles”) and they can cascade. Roles introduce some ambiguity, and multiple entries in the list may govern the same action. If that happens, the most specific one is taken. For example, editing a resource may be governed by the rules:

• “Joe” is in the group “Basic Users” and “Basic Users” explicitly can NOT edit resources of type “forum post”
• “Joe” CAN edit resources of type “forum post” with ID “1234″

Since Joe has edit rights to the forum post with an ID of 1234 it doesn’t matter that the role Joe plays (a “Basic User”) cannot edit any forum posts. There are numerous articles on implementing an ACL in a PHP application and many frameworks have built-in classes for ACL.

Summary

When developing web applications (or any application for that matter): always be cognizant of authentication and authorization. Remember, authentication answers the question of WHO and authorization answers the question of WHAT. The application must always know the answer to both of those questions and be able to deny or allow certain actions based on those answers. It might be useful for newer developers to to actually put themselves in the shoes of a hacker and attempt to find exploits for their own website. Eventually, it will become second nature.

If you can, you may want to set post_max_size to a low value (say “1M”) to make testing easier.

First test to see how your script behaves. Try uploading a file that is larger than post_max_size. If you do you will get a message like this in your error log:

[09-Jun-2010 19:28:01] PHP Warning:  POST Content-Length of 30980857 bytes exceeds the limit of 2097152 bytes in Unknown on line 0

If you’re not careful this can lead to unexpected behavior in your application. The end result can range from silent failure all the way to lost customers.

Solving the problem

The PHP documentation provides a hack to solve this problem:

If the size of post data is greater than post_max_size, the $_POST and $_FILES superglobals are empty. This can be tracked in various ways, e.g. by passing the $_GET variable to the script processing the data, i.e. <form action=”edit.php?processed=1″>, and then checking if $_GET['processed'] is set.
Source: PHP manual

To be clear, it is suggesting that you pass a value in the query string along with your form. If the value is in the $_GET superglobal and both $_FILE and $_POST are empty then the maximum upload size is exceeded. There are two problems with this approach: it adds extra complexity on the front-end and it can potential give a false positive.

Extra complexity on the front-end means extra documentation and more room for mistakes. And if there is a mistake it may not be caught for a long time (does your QA team routinely upload large files?). In this case we already have all the data that we need to determine if the maximum file size was exceeded without adding extra complexity and headache for developers.

We know what type of request is being processed, we have the $_POST and $_FILES arrays, and we have the content length as it was passed to the HTTP server from the client. From that we get this code:

if ( $_SERVER['REQUEST_METHOD'] == 'POST' && empty($_POST) &&
     empty($_FILES) && $_SERVER['CONTENT_LENGTH'] > 0 )
{
  $displayMaxSize = ini_get('post_max_size');

  switch ( substr($displayMaxSize,-1) )
  {
    case 'G':
      $displayMaxSize = $displayMaxSize * 1024;
    case 'M':
      $displayMaxSize = $displayMaxSize * 1024;
    case 'K':
       $displayMaxSize = $displayMaxSize * 1024;
  }

  $error = 'Posted data is too large. '.
           $_SERVER[CONTENT_LENGTH].
           ' bytes exceeds the maximum size of '.
           $displayMaxSize.' bytes.";
}

The important thing to notice is the “if” statement on lines one and two. The example code just sets an error string. Production code might display a message to the user, execute some Javascript (for asynchronous uploads), or pass back a XML or Json object for Flash clients.

I’ve tested this code with Apache as both a module and as CGI. As far as I know it should work fine with IIS as well.

Situation #1: A variable named “new” in a dynamic class

You are creating a dynamic object and you need to use a reserved word as a member variable name but you can’t.

var x:Object = new Object;
x.new = "this doesn't work";
x['new'] = "this works";

The first method is a nice way to get 1084: Syntax error: expecting identifier before new when you try to compile. Remove that line and use just the second one and you are all set. It is OK to mix and match access methods, as long as you never use dot notation for reserved words.

Situation #2: A RPC method named delete

You are making a remote call via the RemoteObject class (such as I was doing with Drupal) and you need to call a method named “delete” (or “new” for that matter). You naturally try this:

var ro:RemoteObject = new RemoteObject;
ro.endpoint = "http://www.example.com/amfphp";
ro.delete( 1234 );

You will be promptly greeted by the now familiar 1084 error when you try to compile and using a different notation won’t work. I’ll break the solution into multiple parts although it could just as easily be chained together:

var op:AbstractOperation = ro.getOperation('delete');
op.send( 12345 );

Incidentally the result of the “send” method is a AsyncToken object (the same object that “ro.delete()” would return if delete were not reserved) which can then be used to add responders.

There you have it. Two quick and easy ways to get around methods and properties with reserved words for names.

The other day I was reading the release notes and I couldn’t help but smile.

1. New native MySQL driver

I’m saving the best for last. So bear with me. Lets get through the small grins before we get to the big toothy ones (or you can read ahead… you’re choice). PHP 5.3 ships with a new MySQL driver called mysqlnd. A database driver is responsible for making the actually connection from PHP to MySQL. The previous MySQL driver had some flaws. For one, it was license in a way that was not compatible with the PHP license. The new MySQL Native Driver has a more amicable license (which is big in the open source world). It also adds some experimental functionality including improved persistent connections. There is also a down side but that is for another post.

2. Host specific PHP INI configurations

I previously worked on a hosted CMS and web publishing tool that had dozens of virtual hosts but only one php.ini. The new functionality allows to section off your PHP configuration to have a different configuration for every host or file path. I haven’t tried this one yet so I’m not sure how well it works. Try it out for yourself. There is a comment on PHP.net right now saying that it only works for CGI PHP and not for the CLI implementation.

[HOST=example.com]
error_reporting = E_ALL
display_errors = On

Example from the PHP documentation.

3. Shortcut ternary operator

I had never considered this before. However, this saves a lot of time for rather repetitive code. Consider these three identical code snipits.

<?php
if ( $foo ) $x = $foo;
else $x = $bar;

$x = ( $foo ? $foo : $bar );
$x = ( $foo ?: $bar );
?>

The third method is the new shortcut. It reads simply: “if foo than foo else bar.” I am still waiting for the first time for this to be useful. The biggest issue I see is that in the above example $foo cannot legitimately be anything that evaluates to false. As a result it is best used for variables that should be non-empty strings or non-zero numbers.

4. Date math

The DateTime class now has several new methods in it for dealing with date arithmetic. It puts an end to manually converting to timestamps and back to dates again. It works very simply:

<?php
$date = new DateTime('2009-06-30 09:00:00');
$date->sub('P5D'); // Subtract five days
echo $data->diff( new DateTime() )->format('%d').' days ago';
?>

The new DateTime methods and the new DateInterval class (returned from and passed to math functions) aren’t very well documented because they are so new.
It is worth noting that the format methods are different in the two classes. Intervals require a percentage (%) in front of placeholders. Watch out for that.

5. Closures

Closures are one of the best parts of PHP 5.3. At first I wasn’t very excited about them. I use closures constantly in Javascript but in a stateless HTTP request situation they appear less useful. But then I got into it. They are improved methods of dealing with lambda-functions. In other words, they are functions that are nameless and can be assigned to variables. In actuality they are classes.

<?phpi
$y = 10;
$x = function($number) use ( &$y ) {
  return $number * $y;
};
$y = 100;
echo $x(8); // Output: 800
?>

This is the point at which a lot of PHP programmers would pause. Did I say they are classes? Since when can you call a class like it was a function? Since PHP 5.3 you can! . You do it by defining the “_invoke” magic method. Like so:

<?php
class testInvoke {
  public function __invoke( $x ) { echo "Hello $x"; }
};
$x = new TestInvoke();
echo $x('world'); // outputs "Hello World"
?>

This is by far one of the coolest new features in PHP 5.3. It opens a whole new world of possibilities for clean / manageable code.

Bonus Things

5.1. New magic method for matching calls to static methods

For a while now we have been able to define the magic method “__call” in our classes that will be executed if you try to call a method in a class instance that does not exist. Now the “__callStatic” method does the same thing only for methods of static classes.

5.2. Late static binding

Late static binding is a long time coming. In fact, this has tripped me up in several projects. In simplest terms late binding is waiting to determine what object a method or member variable belongs to until it is called. Late static binding in PHP, as its name indicates, applies this concept to static methods and members variables in PHP. The PHP.net website bests describes in on the manual page for late static binding.

5.3. E_DEPRECATED

Here is a tip for everyone: if you are developing open source PHP software you should develop it in E_STRICT mode. This new E_DEPRECATED flag is actually part of E_ALL which sends a strong message that you shouldn’t be using these depreciated functions. I am a huge fan of anything that helps us write better code.

I hope everyone got through this post just fine. It is a long one. Leave comments (the comment section is OpenID enabled).