PHPBenelux Conference 2020
24 - 25 Jan 2020 at Ter Elst

1

In this tutorial we will go over setting up a standard LEMP stack for development use and learn how to modify it to mimic your production/pre-production environments as closely as possible. We will go over how to switch from Nginx to Apache, upgrade PHP versions and introduce additional storage engines such as Redis to the equation. We’ll also step through how to run both unit and acceptance suites using headless Selenium images in the stack. Leave here fully confident in knowing that whatever environment you get thrown into, you can replicate it and work in it comfortably.

User Experience, User Interface, User Experience Designer, welcome to the world of buzzwords. We developers tend to stay away from this world and its processes. Yet, like those who fulfill these roles, we have the same end-goal in mind, a great product for our end-users. A User Experience Designer will combine the UX and UI research to get to a beautiful and useful end product. But how exactly do they get this result? In this workshop, we will learn how User Experience Designers do the following: Use Design Thinking Construct a Business Goal and a User Goal Build up Persona’s Create User Stories and User Paths Build wireframes with best practices We’ll also learn how to use this process to our advantage. Resulting in better analysis, more in-depth test cases and more useful fixtures.

Security is a tedious cat and mouse game, that’s increasing in development speed and complexity every single day. Hackers’ game plan is to know more about certain edge cases and in-depth details regarding the technologies they’re attempting to compromise, than the developers who initially built and are currently maintaining those technologies. To truly understand and to be competent in the security aspect of PHP development, we need to learn how to think like a hacker. Once you’ve exploited a simple SQL injection vulnerability for the first time, I can guarantee that you’ll never let one slip through a code review process again. In this workshop, you’ll be working your way through exploiting a series of vulnerabilities present on a set of intentionally poorly crafted PHP applications. There are vulnerabilities of various difficulty levels, ranging from very simple basic ones to more complicated multi-step ones that require a deeper understanding and longer development background to be exploited successfully. This workshop includes an introductory part after which we’ll be focusing on actually hands-on exploiting the applications either by ourselves or in small groups. Learn hands-on how the most common mistakes that PHP developers make while developing web applications escalate into full-scale breaches and compromises. Gain an in-depth understanding of these vulnerabilities, and will ultimately be much more capable of protecting your applications from being hacked in the future. Once you know the basics of hacking PHP applications, you’re much less likely going to fall into these common security pitfalls in your future projects. This workshop is intended to run either on a Linux machine (Kali, Arch, Ubuntu, Debian, or similar will do, can be in a VM as well) or on a recent version of macOS. The workshop is intended for people that have previous professional PHP development experience, and preferably basic understanding of Linux OS, command line, and TCP/IP networking basics.

Event-sourcing is hard? Well it is, just like creating your first CRUD system was hard when you first started. It’s a different mind-set you need to get before you can really have fun with it. In this workshop I get you through the basics and get you ready to fill in the rest. We will be building a system with the help of prooph to get a good idea of what event-sourcing is, what you can do with it and when you want to use it.

To improve your code base, you run an audit. Now, with so many diagnostics, the situation appears to be overwhelming. If you have a mere million lines of code, it may display thousands of errors, in various orders. And with that, the market leaves no time to reduce technical debt before the next feature: we’ll do it when pressure gets lighter, right? WRONG! Code quality starts with a daily review. Learn how to navigate in the results of code audits that actually find more issues than you want. During this workshop, we’ll check PHP classic traps, architecture errors, security vulnerabilities and logical bugs. We’ll see how to detect those bugs, how they happen, and how to prepare a fix (or not). By the end, you’ll be able to set up your own coding reference, the one that reflect your style of coding in your projects.

More than just good code, DDD is about language. Language that your product owner and stake holders live. Language that your work must embody. Language your code should speak. In this workshop we’ll learn how to make our code speak the language of our clients. We will gracefully evolve our understanding from nothing to something and learn to write code that radiates our understanding of the problem. If you want to have better conversations, make more useful models and write better code, then this is the workshop for you. Topics include: Out-of-the-box thinking and modelling Clean language essentials Matrushka doll design Lot’s and lot’s of DDD

Kubernetes is a very powerful container orchestration platform that is quickly gaining traction and gives you lots of benefits in deploying, running and scaling your microservice web application. But it has also a steep learning curve. In this workshop you will deploy your first application which consists of multiple Micro-Services to Kubernetes and learn how you can use persistent storage and service meshes and set up sensible monitoring.

7

Most application code freely mixes domain logic with infrastructural concerns. Models are directly tied to the relational database of the project, use cases are inseparable from their web controllers, and external services are used without an appropriate abstraction. This limits your ability to design the application in a domain-driven, test-first way. What we need is a way to separate core code from infrastructure code. And that’s surprisingly easy. All the design patterns have already been invented for that. Until we run out of time, we’ll keep (re)discovering patterns like Controller, Application Service, Entity, Read Model, Domain event, and so on. These patterns can be used to establish a testable, portable application core, with a focus on behavior, instead of data.

You’ve just stepped out of the third product meeting this week and still have no clear idea about how the new feature that the product owners are so excited about is supposed to work but you are clear on one thing: this feature will be make or break for the company and it is important to get it right. Event storming (otherwise known as attack of the post-it notes) is a relativity new technique for exploring and modelling a problem as a group. It is a valuable technique which everyone on the development team, not just the software engineers, can benefit from. During this workshop we will use event storming to explore a sample domain and produce a model based on the key domain events. We will then look at how this model can be refined and turned into a working piece of software.

PHP has come a long way since it’s days as a handful of Perl scripts. These days it powers some of the most powerful applications on the web. Let’s take some time to look at where we are, and where things seem to be headed. We’ll discuss some new tricks the elePHPant has learned, and consider some we hope it will learn soon. Oh, and I’ll tell ElePHPant jokes. Here’s one to get you started. Q: Why did the elephant cross the road? A: Chicken’s day off. Yeah…I’ve got a LOT more. 🙂

During this presentation, we are going to look at the new features that are being introduced PHP 7.4. Join me to have a look at how the type system is strengthened with typed properties and co- and contra-variance of methods, what changes to operator precedence are, and which new features, such as pre-loading classes, are going to be introduced. At the end you will have a good understand about all the new and exciting features that are going to be part of the upcoming PHP 7.4 release.

7

Building an API for the biggest retailer of Switzerland has some challenges. We are an API with a lot of extremely complex data. Our bottleneck is and always has been serializing. It has been a long journey for us to get the most performance out of this. We are proud of what we’ve accomplished. Let me first share what advanced serialization is, and what tools there are out there to solve any needs you may have, we tried them all. Then I will share our personal journey trying them out. And in the end: A colleague wrote php-to-go so that we could GO beyond PHP, using PHP and GoLang together, for an amazing performance boost. (Spoiler alert: We found a solution in PHP that we ended up with, and open sourced)

12

Everybody wants quick applications. A lot of that speed can be gained by the way you write your software, but a big chunk has to do with the way PHP is configured. As PHP matured, it got quicker, it used less memory and it accumulated a lot of settings which can be tuned for performance. The biggest, and often most misunderstood, features for performance are OPCache (introduced in 5.5) and preloading (introduced in 7.4). This talk covers how both features work, how you can take advantage of them on your servers and during deployments, and tries to show all the ini settings relevant for performance.

TBD

Devonomics

19

PHP loves its arrays. Arrays are the uber-data structure. They’re a list, a map, a stack, a queue, everything in one! Which is the problem. Modern PHP grossly over-uses arrays. In most cases there are better options today, and when you find yourself reaching for “oh I’ll just make this an associative array”, stop. An extra 60 seconds of thought and code will often give you a more readable, faster, more memory-efficient, more flexible alternative. Classes, iterables, and collections can and should replace arrays in most of your day to day coding. This talk will go through what PHP arrays actually are (hint: they are not, in fact, arrays at all), why they’re so problematic, and what to do instead. By the end, you should find yourself (almost) never reaching for arrays to solve a problem.

3

Most organizations feel the need to centralize their logs — once you have more than a couple of servers or containers, SSH and tail will not serve you well any more. However, the common question or struggle is how to achieve that. This talk presents multiple approaches and patterns with their advantages and disadvantages, so you can pick the one that fits your organization best: * Parse: Take the log files of your applications and extract the relevant pieces of information. * Send: Add a log appender to send out your events directly without persisting them to a log file. * Structure: Write your events in a structured file, which you can then centralize. * Containerize: Keep track of short lived containers and configure their logging correctly. * Orchestrate: Stay on top of your logs even when services are short lived and dynamically allocated on Kubernetes. Each pattern has its own demo with the Elastic Stack (previously called ELK Stack), so you can easily try out the different approaches in your environment. Though the general patterns are applicable with any centralized logging system.

Graphs are part of our reality! Therefore it is essential to have a database capable of handling this type of data with high performance. In this talk we will talk about how to use PHP with Neo4J by manipulating graphs simply and quickly.

Hiring Methods Being a Teamlead - Frederick Vanbrabant

Elephants show2tell - Damien Seguy

Every web developer should know about typical attacks such as SQL Injection, Cross-Site Request Forgery, or Cross-Site Scripting. And even though those risks still exist, the bad guys worked on finding new twists to old attacks, or even find new kinds of vulnerabilities on a web site. In this session, we will show and discuss several of those new vectors, including attacks against Angular applications, Clickjacking, abusing external links, XSS via file uploads, and a few more. Technology never stops to evolve, so it’s crucial to stay on top of current developments.

9

How to measure the quality of unit tests? Code coverage is not necessarily a good indicator to answer this question. What other options do we have? Do we need tests to test the quality of our tests? In some way, yes we do. In this session, I will introduce you to the concept of mutation-based testing and how this technique can be used to improve the quality of your test suite.

An often overlooked and under-invested area of the DevOps transformation is monitoring, and specifically real user monitoring. This talk is about how taking small steps towards enabling real user monitoring can result in huge strides towards improvements for DevOps teams. Monitoring, which is a part of the DevOps toolchain, isn’t given the right kind of treatment. It is mostly included as an afterthought and is a hodgepodge of custom telemetry, impulsively built instrumentation, and a handful of mark-and-measure scripts for the front-end. The landscape of monitoring tools consists of infrastructure and system monitoring tools, network monitoring tools, log monitoring tools, application monitoring, performance monitoring, synthetics, and various others. These form a complex pool of software by themselves, and their output quickly overwhelms engineers and engineering teams with numbers. Enormous time and effort is spent by engineering teams in converting these numbers into intelligent and actionable insights. Only to be made extinct by the next failures in production or new wave of tools and techniques introduced to the DevOps ecosystem. The perpetual priority for DevOps is user experience. Degradation in user experience should always be priority #1. Therefore, all monitoring, alerting, and paging systems must be tuned to focus on metrics about user experience. This talk explores many tips, tricks, and techniques that will help you complete your transformation to a truly DevOps-ready team/organization.

Wordpress development the Laravel Way - Julien Lambé

Immutability, the good, the bad and the impossible - Tim Huijzers

7

As a developer you spend your entire life learning. But what happens when the tables are turned and you become the teacher? Do you want to become a conference speaker or a mentor, talk at your local user group, give presentations at work, or become a technical trainer? As a previous classroom teacher with a Master’s Degree in Curriculum Development, I will take you on a journey to understand the various learning styles and how to effectively reach everyone. We will look at how to present your information, best ways to structure it, and learn ways to reach all students no matter their level. We will also cover a number of best practices for crafting your presentation decks themselves. Join me for this exploration into the inner workings of the human mind.

6

Effective encryption is a vital component of a safe and secure internet, especially since the arrival of HTTP/2. Many sites and mobile apps still don't use TLS to encrypt their traffic, often citing some kind of fear over the complexity of it all, or if they do, they make a mess of it, resulting in a literal false sense of security. The basics of TLS encryption are straightforward, but the practical realities run into a bewildering forest of acronyms. This talk gives you a breadcrumb trail through the backwoods of TLS, OCSP, ECDHE, ALPN, HTTP/2, HSTS, CT, and more, including the latest changes in TLS 1.3. You'll get an overview of what problems TLS solves, how it works, its component pieces, how they fit together, where vulnerabilities and mitigations apply, and what tools and resources can help you get up to speed, and keep the wicked witch away!

12

Traditional software development occurs in phases, where QA, security and other roles act as gatekeepers to production. This leads to silos, delays and doesn’t scale. So, instead of waiting for a human to decide what is and isn’t valid, learn how to use automation to continuously enforce standards in your software. Let’s turn gatekeepers into build breakers!

OCD & me - Kathryn Reeve

Open-Source Sustainability & project management 101 - Christian Lück

Join us for some food, drinks and good fun. Engage with our sponsors and have a chat with your fellow peers.

For the last couple of years, I have been building, maintaining, and fighting projects that make use of distributed computing, parallel processing, message brokers, queues, and workers. This is one of those “from the trenches” talks, where I will regale you with tales about the series of unfortunate events that may happen as your application grows in complexity. Tales like disk space fluctuations, importance of logging, NoSql problems, restructuring your order of execution in code for performance gains, short-sighted albeit logical architectural decisions that will cost you in the long run.

7

Think about PHP for a few seconds… What came to mind? It’s very likely you thought about your average product catalog, a blogging platform, or how the platform is inferior to things like Node.js. But wait, it’s 2020! What if I told you PHP’s huge ecosystem has way more to offer and PHP is not inferior at all to its evil cousin Node.js? In this talk you will learn about the core concepts of async PHP and why you too should care about ReactPHP being a real thing. The talk has a strong focus on sparking the idea that PHP can be way faster and more versatile than you probably thought. Bring along an open mind, and through lots of interesting examples and live demos learn why what sounds crazy at first might soon be a valuable addition in your toolbox. You’re already familiar with PHP and want to learn what ReactPHP is all about? Then this talk is for you! We will start from scratch and see what it takes to build an application that pushes data from your command line to your browser in real-time. You’re invited to join the interactive demos or lean back and learn more about why an event-driven approach might be the next big thing in making your application faster and more responsive.

What is it what we do? I believe we are problem solvers. But not just problems, complex problems. And most of the time these problems are unknown to us. This is what makes our job challenging. This is why we love our job. So how to find the problems we need to solve. And how to come up with solutions for these problems? You might have heard about the Double Design Diamond as a structure to face design challenges. I found this structure to be a nice and easy way to explore options and make choices, as a team. In this talk I’ll explain why it is hard for us to come up with right solutions for the right problems. How the Double Design Diamond structure can help organising the design choices. Afterwards you are capable to explain why the Double Design Diamond approach might work to your team members.

Stop doing Scrum!

Holy Grail of Code Structuring

2

PSR-14 is the latest specification from the PHP Framework Interoperability Group (PHP-FIG), this time addressing event dispatching. Many frameworks and applications contain an “event dispatcher”, “message bus”, “hook system”, or some other variation on the same basic concept, but to date they are all incompatible with each other. No more! The PSR-14 spec offers a way to interleave these disparate systems together, making it far easier to swap individual libraries into the framework of your choice. It goes beyond the basic “register and call” object that most systems use to make it easier to plug different implementations together, offering an easier experience and greater flexibility for library authors. This session will cover how PSR-14 works, some examples of how to leverage it effectively, and how to adopt it alongside, and even encompassing, your existing one-off tooling.

There are some exciting new things in Symfony 5. Besides removing some deprecations and bumping the PHP verison requirements, several components have left the experimetal stage. the Mailer & Mime, HttpClient (and why do we need one?), Notifier, String handling, and more. In this talk, we’ll look at the new features in depth both from the high level perspective of using them in Symfony full stack, and how you can fit the pieces together and use them in any generic PHP application.

12

Now you will probably have heard of PHP_CodeSniffer as a tool to check your code for consistent code style, but did you know it can also be used to check for common best practices ? Out of the box, PHPCS already contains the basics to check your code against common industry metrics, however, when you add a few external standards into the mix, it can do so much more. Suddenly you can check your code for PHP cross-version compatibility, check your unit tests for using the right assertion or enforce strict typing across your application. Join Juliette to learn about a variety of external standards available, what they can do for you and how to integrate them in the tooling you already use every day.

PHP + Minecraft

3

An Event Sourced Score App for a Card Game

7

There are so many benefits from code review; lower development costs, increased code quality, quick up-skilling and on-boarding of team members. Despite these benefits many teams don’t have code review as part of their process at all. Others don’t get the gains they should from it. This talk first outlines the business case for code review. It then explores how to make code review effective, specifically looking at: Expectations of what can be achieved with code review. - What should be covered by code review (including example code) - What should not be covered by code review - How to write code that makes code review easy - What makes good code review comments - What makes good responses to code review comments - Finally to wrap up you’ll be shown how to enable a code review with Github. Spoiler alert: It can be done it under 5 mins! So if you are on a team that isn’t using code review, or isn’t using it effectively then you should be at this talk.

12

In many projects, error handling is an afterthought that gets hacked in too late in the process. There is no consensus on how to deal with exceptional conditions. Code is typically dominated by null checks that hide errors and breed more null checks. Error handling logic is inconsistently scattered throughout the codebase making it difficult to reason what the code actually does. Exceptional conditions are inevitable, we need to write some error handling code. It is therefore imperative to start with solid conventions and structure in order to avoid expensive refactoring at a later stage of the project. This highly practical talk full of applicable code examples presents manageable strategy for handling errors that makes the code clean, maintainable and less error prone, and provides mechanisms for easier troubleshooting. Emphasis is on promoting exceptions as first-class citizens of the project through some of the essential techniques for structuring and modeling exceptions. Special attention is also given to the solution for implementing centralized error handling system equipped with features that make managing exceptions efficient and keep the user experience consistent. Overall, the combination of these practices constitute a robust and scalable error handling architecture.

6

Don’t know the difference between a grant type and an auth code? Know the difference but not sure how to implement OAuth 2.0 in your own application? In this talk I’ll start with OAuth 2.0 basics, then jump into implementation details using The PHP League’s oauth2-server library.

Rebuilding Mailchimp with PHP and Amazon SES

Ninja Training

5

Even though Map Reduce was created for parallelization, which PHP does not natively support, the syntax is supported. In this article I will outline how to use map, filter, and reduce with PHP collections and the benefits you can gain over traditional for loops. In this talk we will explore different methods of processing and manipulating collections of data giving you new tools in your developer’s toolbox.

9

You are tired of documenting yours application architecture in wikis? You want an updated definition with your source code changes? You want failing continuous integration pipelines on violations? I will show how you could track your application layers, enforce rules between them and document your definitions within your repository.

Description underway. Cal is filling in for Brent Roose's talk slot

Spying on PHP: PHPSpy

4

Security is Hard

PHP may not have a native data type for an Enumerated Type like other programming languages, but there are other solutions we can leverage to represent a member of a set of values. We’ll see how representing things like statuses with enums provides immutability, improved readability, and type safety — preventing the kind of errors that happen with “magic strings” and class constants. In this session, we’ll be making our own immutable enums from scratch in order to explore the concept, but we’ll also introduce some open source libraries for use in your production code. We’ll also demystify the imposing-sounding “finite state machine” by using using immutable enum objects to regulate the transitions between member elements.

We keep our credentials and secrets in .env files, env variables, and config files. We share that data often in an insecure way. We rarely think about if we are making it easy for someone to access our data. Do you understand what happens after the breach? This talk looks into the business repercussions of weak secrets management; we go over the typical patterns of use and why they might be harmful. We shall also look at ways to improve this situation and decrease the fallout in case the worst happens.

Alice and Bob are the protagonists of so many cryptographic tutorials. And at least for me those tutorials where most of the time very cryptic. But encryption and digital signatures are part of our everyday duties so wouldn’t it be great to understand what we are doing there? At least to a certain extend? So let me take you on to a journey with Alice and Bob and have a look at what Cryptography is about(no deep-dive into the mathematics behind. Promise!). And along the way we will learn about trust and how to use that in everyday life like with E-Mail or Git.

Bye Bye Mac - My Linux Story

3

A 30-minute introduction to the features of Apache Kafka, the anatomy of a Kafka cluster, and how to talk to a Kafka cluster once you've got one.

PHP has its own treasure chest of classic mistakes that surprises even the most seasoned expert : code that dies just by changing its namespace, strpos() that fails to find strings or arrays that changes without touching them. Do that get on your nerves too ? Let’s make a list of them, so we can always teach them to the new guys, spot them during code reviews and kick them out of our code once and for all. Come on, you’re not frightening us !

4

If you are not writing tests yet, you should start. Tests will improve the quality of your code, reduce bugs and probably force you to think more about design and quality. Actually, the hardest thing is to start and figure out which type of tests to write. So you start researching and you find a lot of different materials and get even more confused.Even when you decide what type of tests to use, it can be hard to decide how to test some specific logic in your app. Don’t give up! We have some tips we learned along the way that will hopefully make your life easier. In this talk you will hear about different test types and when to use them. We’ll also show some tools for checking quality of your test.

We all know that having a single-point-of-failure is not something you want, but dealing with multiple machines doing the same thing at the same time takes a lot of coordination. How do they keep your data in sync while dealing with things like network outages, incorrect data or systems lagging behind in time? It’s not as easy as it sounds but we use it all on a daily basis. This talk is about RAFT, a popular distributed consensus protocol that allows clusters to keep their data available and consistent. I will talk about how the cluster will elect leaders, how it makes sure everybody is kept up-to-date and how it deals with things like server outages.

Unknown

Time to close down the conference with some awesome prizes!

Enjoy some time with a lovely dinner and take your final chance to talk to our sponsors and the people you met or still wanted to catch up with.