0xdeadbeef

In the beginning…


It’s been some time since I’ve had a functional site on this domain. This time, I jumped on the static site bandwagon. This first post isn’t going to be a wall, simply because it’s late and after 10 hours of hacking on PHP, I’m pretty fried.


Currently I’m finally seeing the light at the end of the tunnel with bringing a legacy codebase into the current era. This has entailed uncovering countless vulnerabilities, implementing proper OOP design patterns, removing redundant code and implementing CI/CD for automated deployments. There has been a lot of relationship building both with business customers and new coworkers, enjoying the first year of my son’s life, and realizing where I am now in relation to where I want to be.


This blog will serve as a medium for me to project my thoughts, frustrations, aspirations, current obsessions, and lessons learned in the course of my continued evolution as a software engineer and aspiring vulnerability researcher.


The pulp


So all is not lost on this first post, I wanted to bring up something that I consider to be the single biggest evolution in the work I’ve been doing lately. As part of upgrading this codebase, I’ve implemented PSR standards, which means we are now using Composer for dependency management, a PSR-4 autoloader is in place, and namespacing has been introduced. The complexity of working on a codebase of this scale (2M LOC) is that things break when you introduce drastic changes. We’ll get into that later though.


When I came on board, one of the biggest things that really irked me was this:

<?php

    include('../Lib/includes/sessionless.inc.php');
    ini_set('display_errors',0);

    include '../CRMRecord.php';
    include '../CRMDataAccess.php';
    include '../DispositionManagerGeneric.php';
    include '../ContactHistory.php';
    include '../GetIVRVariable.php';

...

?>

<html>
<!-- the content -->
</html>


Despite everything that’s wrong with having 2,000+ templates that have a snippet of PHP (roughly 70 lines) right at the top, PHP sprinkled throughout the HTML, CSS buried inline and in <style></style> elements, and around 3,000 lines of jQuery buried at the bottom (I’m not bitter or anything), the thing that bothered me most was that series of includes. I’ll dig into what I presume was the thinking behind sessionless.inc.php later as well. I digress.


By introducing PSR, I was able to eliminate a bunch of includes and (mostly unnecessary) object instantiations, reducing it to this:


<?php
require_once dirname(__DIR__).'/vendor/autoload.php';
require_once dirname(__DIR__).'/includes/config.php';
require_once dirname(__DIR__).'/Lib/includes/sessionless.inc.php';
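To show why the include chain can disappear, here is an added illustration (not code from this codebase) of the PSR-4 rule that Composer’s generated vendor/autoload.php applies: a namespace prefix is mapped to a base directory, and the class name is turned into a file path. The App\ prefix, the src/ directory and the Record class are assumptions for the demo.

```php
<?php
// Added illustration: a minimal PSR-4 style resolver. In a real project the
// generated vendor/autoload.php does this; App\, src/ and Record are assumed.
declare(strict_types=1);

// Build a throwaway source tree so the example runs stand-alone.
$root = sys_get_temp_dir() . '/psr4-demo-' . bin2hex(random_bytes(4));
mkdir($root . '/src/Crm', 0700, true);
file_put_contents($root . '/src/Crm/Record.php', <<<'PHP'
<?php
namespace App\Crm;

final class Record
{
    public function __construct(public readonly string $id) {}
}
PHP);

// PSR-4 rule: strip the namespace prefix, turn the remaining "\" into "/",
// append ".php" and require the result from the prefix's base directory.
$prefixes = ['App\\' => $root . '/src/'];
spl_autoload_register(function (string $class) use ($prefixes): void {
    foreach ($prefixes as $prefix => $baseDir) {
        if (strncmp($class, $prefix, strlen($prefix)) !== 0) {
            continue;
        }
        $relative = substr($class, strlen($prefix));
        $file = $baseDir . str_replace('\\', '/', $relative) . '.php';
        if (is_file($file)) {
            require $file;
            return;
        }
    }
    // Unknown prefix or missing file: fall through and let PHP report the
    // missing class rather than including anything outside the mapped tree.
});

// No include list needed: the first reference to the class triggers the
// resolver, which only ever loads files under the mapped base directory.
$record = new \App\Crm\Record('CRM-0001');
echo get_class($record), ' loaded from ', $root, "/src/Crm/Record.php\n";
```

Because the resolver derives the path from a fixed prefix map, a template can reference only the classes it actually uses, and nothing outside src/ is ever included on its behalf.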


Yes, there’s still about 30 lines of PHP nested in the top of every single template, but this is much easier to manage. No longer do we have a string of unnecessary includes in each file (often, half the included scripts weren’t ever used), and it’s easier to reason about what’s going on. I’ll dig into the abstraction details later, but for now I’ll leave it at this. Dead beef can be brought back with enough patience and effort.