PSA: If you run Drupal, shut it off, audit your code, upload a clean updated version

A critical exploit is making the rounds, and you should assume any Drupal site has been compromised already:

This Public Service Announcement is a follow up to SA-CORE-2014-005 – Drupal core – SQL injection. This is not an announcement of a new vulnerability in Drupal.

Automated attacks began compromising Drupal 7 websites that were not patched or updated to Drupal 7.32 within hours of the announcement of SA-CORE-2014-005 – Drupal core – SQL injection. You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15th, 11pm UTC, that is 7 hours after the announcement.

Hacker News discussion here.

PHP 7 will (likely) have return types

PHP 7 continues tightening towards becoming a good general purpose high level language. Having return types is one of those “means business” things, which may increase the demand for top-tier work in PHP.

// Here is a brief example of the syntax in action:
function foo(): array {
    return [];
}

We always want the interpreter to help us catch situations when things aren’t working the way they should, but the interpreter knows only so much about your expectations. Even though PHP is meant to be a quite dynamic language, more often than not we do know what type of data a function is always meant to return. So, why not share that information with the interpreter? There’s zero advantage to keeping it to ourselves.

It’s important to note that this is not a prescriptive requirement. If you don’t care about the returned type, or you are cowboy-coding and need the output before you need tighter type safety, you don’t have to specify. The cognitive burden is negligible and, in fact, it saves us having to write our own type check, then throw an exception, then make everybody else aware of what the error is going to look like — it all will be standardized through the return type declaration and the associated exception.

Let’s say we have this code:

function file_name( $path ) {
    // do_something: derive $file_name from $path
    return $file_name;
}

function output_file( $f ) {
    return basename( $f ) . '.to.xml';
}

foreach ( $all_files as $path ) {
    try {
        $i = file_name( $path );
    } catch ( Exception $e ) {
        // handle errors
    }
    $o = output_file( $i );
    $xml = convert_to_xml( file_get_contents( $i ) );
    file_put_contents( $o, $xml );
}

Lack of proper validations and other questionable behaviors aside, in the code above we are assuming output_file() will always get a string from file_name() (it even has a try/catch block, which may give us a false sense of security). But maybe we made some changes in the “// do_something” part of file_name() and now it unexpectedly returns false instead.

The thing is, no exception will be triggered: basename() will take the false and happily turn it into an empty string. Our code will then proceed to overwrite the file “.to.xml” again and again, until it finishes looping and exits without having told us there was anything wrong.

On PHP 7, by just writing:

function file_name( $path ): string {

any issues that return a wrong type will trigger a “function answer was expected to return an object of class” exception, which can be caught before it does any damage — it won’t free us from performing other validations, but a whole lot of worries have been removed by adding a single word, which happens to double as function documentation (no more adding a docblock comment just to indicate the @return).
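The scenario above, as an added example that is not code from the original post: the same loop with return type declarations, run over a constructed list of inputs instead of real files so it can be executed anywhere. The `find`-style lookup table inside file_name() and the path names are assumptions standing in for the “// do_something” step. Two details matter in practice: `declare(strict_types=1)` is needed, because in PHP's default coercive mode a scalar `string` return type converts false to an empty string instead of failing, and the failure is a `TypeError` (an `Error`, not an `Exception`), so the original `catch ( Exception $e )` would not catch it.

```php
<?php
// Added example, not from the original post. strict_types=1 makes a wrong
// scalar return type a TypeError instead of a silent coercion (false -> "").
declare(strict_types=1);

// Constructed stand-in for the "// do_something" step: a lookup that can
// fail and, like many PHP APIs, returns false when it does.
function file_name(string $path): string
{
    $known = ['a' => '/tmp/a.txt', 'b' => '/tmp/b.txt']; // constructed data
    $file_name = $known[$path] ?? false;
    // Under strict_types, returning false here throws TypeError; without the
    // return type (or in coercive mode) the caller would receive "".
    return $file_name;
}

function output_file(string $f): string
{
    return basename($f) . '.to.xml';
}

// The loop from the text, minus the disk I/O: returns the planned
// input -> output mapping and the inputs that were rejected.
function plan_conversions(array $all_files): array
{
    $outputs = [];
    $errors = [];
    foreach ($all_files as $path) {
        try {
            $i = file_name($path);
        } catch (TypeError $e) {
            // Caught before basename() could turn a false into "" and the
            // loop could clobber ".to.xml" on every iteration.
            $errors[$path] = $e->getMessage();
            continue;
        }
        $outputs[$i] = output_file($i);
    }
    return [$outputs, $errors];
}

list($outputs, $errors) = plan_conversions(['a', 'missing', 'b']);
foreach ($outputs as $in => $out) {
    echo "$in -> $out\n";
}
foreach ($errors as $path => $msg) {
    echo "skipped '$path': $msg\n";
}
```

With the constructed input, the two known paths map to `a.txt.to.xml` and `b.txt.to.xml`, while `missing` is reported as skipped with the interpreter's own TypeError message rather than producing a third write to `.to.xml`.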

On service quality alerts, by a Google engineer

It definitely does feel right when your tests are sitting on the same side as the users. No ifs and buts regarding how you hooked your test to the back-end — what you see is what you get.

Alert on the data unavailability. Alert on the symptom: the 500, the Oops!, the whitebox metric that indicates that not all servers were reached from the database’s client. Why?

You’re going to have to catch the symptom anyway. Maybe it can happen because of network disconnection, or CPU contention, or myriad other problems you haven’t thought of yet. So you have to catch the symptom.

Link. Hacker News comments.
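The “alert on the symptom” idea put into a small check, as an added example that is not from the linked post: a few constructed access-log lines are scanned for the user-visible symptom (5xx responses), and the check also fires when there is no data at all, which is the “alert on the data unavailability” case. The log lines, the regex and the threshold are assumptions.

```php
<?php
// Added example, not from the linked post: symptom-based alerting over
// constructed log lines. Nothing here inspects causes (CPU, network, DB);
// it only asks whether users are getting errors.
declare(strict_types=1);

// Constructed sample in common log format (status code follows the request).
const SAMPLE_LOG = <<<'LOG'
10.0.0.1 - - [15/Oct/2014:23:01:02 +0000] "GET /node/1 HTTP/1.1" 200 512
10.0.0.2 - - [15/Oct/2014:23:01:03 +0000] "GET /node/2 HTTP/1.1" 500 0
10.0.0.3 - - [15/Oct/2014:23:01:04 +0000] "GET /user HTTP/1.1" 503 0
10.0.0.4 - - [15/Oct/2014:23:01:05 +0000] "GET /node/3 HTTP/1.1" 200 770
LOG;

// Extracts the HTTP status from each line; lines that do not parse are skipped.
function parse_status_codes(string $log): array
{
    $codes = [];
    foreach (explode("\n", trim($log)) as $line) {
        if (preg_match('/" (\d{3}) (?:\d+|-)$/', $line, $m)) {
            $codes[] = (int) $m[1];
        }
    }
    return $codes;
}

// Fraction of requests that ended in a server error (the symptom).
function server_error_ratio(array $codes): float
{
    if (count($codes) === 0) {
        return 0.0;
    }
    $errors = count(array_filter($codes, function (int $c) {
        return $c >= 500;
    }));
    return $errors / count($codes);
}

// Fires on the symptom, and also when no data arrived at all: silence from
// the log is itself a symptom, not evidence of health.
function should_alert(string $log, float $threshold): bool
{
    $codes = parse_status_codes($log);
    if (count($codes) === 0) {
        return true;
    }
    return server_error_ratio($codes) >= $threshold;
}

$ratio = server_error_ratio(parse_status_codes(SAMPLE_LOG));
printf("5xx ratio: %.2f, alert: %s\n", $ratio, should_alert(SAMPLE_LOG, 0.25) ? 'yes' : 'no');
printf("empty log alerts: %s\n", should_alert('', 0.25) ? 'yes' : 'no');
```

On the constructed sample, two of four requests are 5xx, so the ratio is 0.50 and the 0.25 threshold fires; an empty log also fires, by design.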