manuscript/converted/chapter1.txt
7 additions & 7 deletions
@@ -9,7 +9,7 @@
9
9
If you are getting started with PHP, start with the current stable release of [PHP 7.0][php-release]. PHP 7.0 is very
10
10
new, and adds many amazing [new features](#language_highlights) over the older 5.x versions. The engine has been largely re-written, and PHP is now even quicker than older versions.
11
11
12
-
Most commonly in the near future you will find PHP 5.x being used, and the latest 5.x version is 5.6. This is not a bad option, but you should try to upgrade to the latest stable quickly. Upgrading is really quite easy, as there are not many [backwards compatibility breaks][php70-bc]. If you are not sure which version a function or feature is in, you can check the PHP documentation on the [php.net][php-docs] website.
12
+
Most commonly in the near future you will find PHP 5.x being used, and the latest 5.x version is 5.6. This is not a bad option, but you should try to upgrade to the latest stable quickly - PHP 5.6 [will not receive security updates beyond 2018](http://php.net/supported-versions.php). Upgrading is really quite easy, as there are not many [backwards compatibility breaks][php70-bc]. If you are not sure which version a function or feature is in, you can check the PHP documentation on the [php.net][php-docs] website.
13
13
14
14
[php-release]: http://php.net/downloads.php
15
15
[php-docs]: http://php.net/manual/
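Review bot: The added clause on the 5.6 line uses an inline link to http://php.net/supported-versions.php, while the other links in this paragraph are reference-style ([php70-bc], [php-docs]) with definitions at the bottom of the hunk; add a definition next to [php-release] and reference it instead. The sentence also still calls 5.6 "not a bad option" immediately before saying its security updates end in 2018, so consider leading with the support deadline so that the upgrade advice reads as the main point.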
@@ -36,7 +36,7 @@ To start the server, run the following command from your terminal in your projec
36
36
## Mac Setup {#mac_setup_title}
37
37
38
38
OS X comes prepackaged with PHP but it is normally a little behind the latest stable. Mavericks has 5.4.17,
39
-
Yosemite has 5.5.9 and El Capitan has 5.5.29, but with PHP 7.0 out that is often not good enough.
39
+
Yosemite 5.5.9, El Capitan 5.5.29 and Sierra 5.6.24, but with PHP 7.0 out that is often not good enough.
40
40
41
41
There are multiple ways to install PHP on OS X.
42
42
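Review bot: On the rewritten Yosemite line, the only reason given for the bundled versions being inadequate is still "with PHP 7.0 out". Every version listed (5.4.17, 5.5.9, 5.5.29, 5.6.24) is at or below the 5.6 branch that chapter1 now says loses security updates after 2018, so it would be worth stating that here rather than framing it purely as a feature gap. Dropping "has" from the Yosemite and El Capitan items also makes the list depend on the verb in the previous line; a short bulleted list of OS release and bundled version would be easier to keep current.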
@@ -56,15 +56,15 @@ command-line, X11 or Aqua based open-source software on the OS X operating
56
56
system.
57
57
58
58
MacPorts supports pre-compiled binaries, so you don't need to recompile every
59
-
dependencies from the source tarball files, it saves your life if you don't
59
+
dependency from the source tarball files, it saves your life if you don't
60
60
have any package installed on your system.
61
61
62
62
At this point, you can install `php54`, `php55`, `php56` or `php70` using the `port install` command, for example:
63
63
64
64
sudo port install php56
65
65
sudo port install php70
66
66
67
-
And you can run `select` command to switch your active php:
67
+
And you can run `select` command to switch your active PHP:
68
68
69
69
sudo port select --set php php70
70
70
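Review bot: The corrected line "dependency from the source tarball files, it saves your life if you don't" fixes the plural but leaves the comma splice in place; split it into two sentences or join with "which". Since this hunk also normalises "php" to "PHP" in prose, check the same paragraph for other lowercase uses outside code spans so the capitalisation change is complete.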
@@ -76,7 +76,7 @@ applications/projects require different versions of PHP, and you are not using v
76
76
### Install PHP via Liip's binary installer
77
77
78
78
Another popular option is [php-osx.liip.ch] which provides one liner installation methods for versions 5.3 through 7.0.
79
-
It doesn't overwrite the php binaries installed by Apple, but installs everything in a separate location (/usr/local/php5).
79
+
It doesn't overwrite the PHP binaries installed by Apple, but installs everything in a separate location (/usr/local/php5).
80
80
81
81
### Compile from Source
82
82
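Review bot: On the changed line, the install location "(/usr/local/php5)" is written as plain text, while the MacPorts section above formats commands and package names as code (`port install`, `php70`); put the path in backticks for consistency. The context line above it has "one liner", which should be hyphenated if you are touching this paragraph anyway.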
@@ -108,13 +108,13 @@ you and tie them all together, but ease of setup comes with a trade-off of flexi
108
108
109
109
You can download the binaries from [windows.php.net/download][php-downloads]. After the extraction of PHP, it is recommended to set the [PATH][windows-path] to the root of your PHP folder (where php.exe is located) so you can execute PHP from anywhere.
110
110
111
-
For learning and local development you can use the built in webserver with PHP 5.4+ so you don't need to worry about
111
+
For learning and local development, you can use the built in webserver with PHP 5.4+ so you don't need to worry about
112
112
configuring it. If you would like an "all-in-one" which includes a full-blown webserver and MySQL too then tools such
113
113
as the [Web Platform Installer][wpi], [XAMPP][xampp], [EasyPHP][easyphp], [OpenServer][openserver] and [WAMP][wamp] will
114
114
help get a Windows development environment up and running fast. That said, these tools will be a little different from
115
115
production so be careful of environment differences if you are working on Windows and deploying to Linux.
116
116
117
-
If you need to run your production system on Windows then IIS7 will give you the most stable and best performance. You
117
+
If you need to run your production system on Windows, then IIS7 will give you the most stable and best performance. You
118
118
can use [phpmanager][phpmanager] (a GUI plugin for IIS7) to make configuring and managing PHP simple. IIS7 comes with
119
119
FastCGI built in and ready to go, you just need to configure PHP as a handler. For support and additional resources
120
120
there is a [dedicated area on iis.net][php-iis] for PHP.
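Review bot: The first changed line adds the comma after "local development" but keeps "built in webserver"; as a modifier this should be "built-in web server", and it is worth fixing in the same edit. The IIS7 paragraph has a related comma splice in its context lines ("FastCGI built in and ready to go, you just need to configure PHP as a handler") that could be split into two sentences.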
manuscript/converted/chapter10.txt
13 additions & 5 deletions
@@ -23,12 +23,17 @@ methods to protect yourself against them. This is a must read for the security-c
23
23
Eventually everyone builds a PHP application that relies on user login. Usernames and passwords are stored in a
24
24
database and later used to authenticate users upon login.
25
25
26
-
It is important that you properly [_hash_][3] passwords before storing them. Password hashing is an irreversible, one
27
-
way function performed against the user's password. This produces a fixed-length string that cannot be feasibly
26
+
It is important that you properly [_hash_][3] passwords before storing them. Password hashing is an irreversible,
27
+
one-way function performed against the user's password. This produces a fixed-length string that cannot be feasibly
28
28
reversed. This means you can compare a hash against another to determine if they both came from the same source string,
29
29
but you cannot determine the original string. If passwords are not hashed and your database is accessed by an
30
-
unauthorized third-party, all user accounts are now compromised. Some users may (unfortunately) use the same password
31
-
for other services. Therefore, it is important to take security seriously.
30
+
unauthorized third-party, all user accounts are now compromised.
31
+
32
+
Passwords should also be individually [_salted_][5] by adding a random string to each password before hashing. This prevents dictionary attacks and the use of "rainbow tables" (a reverse list of crytographic hashes for common passwords.)
33
+
34
+
Hashing and salting are vital as often users use the same password for multiple services and password quality can be poor.
35
+
36
+
Fortunately, nowadays PHP makes this easy.
32
37
33
38
**Hashing passwords with `password_hash`**
34
39
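Review bot: The new salting paragraph says a per-password salt "prevents dictionary attacks", which overstates what a salt does. A salt defeats precomputed tables and stops one guess from being tested against every account at once, but an attacker with the hash and its salt can still run a dictionary against that single hash; what slows that down is the cost of the hash function. Suggest "This defeats precomputed 'rainbow tables' and forces an attacker to attack each hash separately". The same line has a typo ("crytographic") and the closing period sits inside the parenthesis. It also references [5], whose definition is not in the visible part of the diff; confirm it is added to the link list.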
@@ -54,17 +59,20 @@ if (password_verify('bad-password', $passwordHash)) {
54
59
}
55
60
~~~~~~~~
56
61
62
+
`password_hash()` takes care of password salting for you. The salt is stored, along with the algorithm and "cost", as part of the hash. `password_verify()` extracts this to determine how to check the password, so you don't need a separate database field to store your salts.
57
63
58
64
* [Learn about `password_hash()`] [1]
59
65
* [`password_compat` for PHP >= 5.3.7 && < 5.5] [2]
60
66
* [Learn about hashing in regards to cryptography] [3]
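Review bot: The added sentence after the code sample introduces "cost" in quotes without saying what it is, and nothing in the visible text explains it. Add a short gloss (the work factor that controls how expensive each hash computation is) or point the reader at the `password_hash()` link in the list directly below. The rest of the sentence, that the salt and algorithm travel inside the hash so no separate salt column is needed, is the practical point and is stated clearly.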
that, even if the script is accessed directly, it will not be output as plain text.
148
156
- Information in configuration files should be protected accordingly, either through encryption or group/user file
149
157
system permissions.
150
-
- It is a good idea to ensure that you do not commit configuration files containing sensitive information eg passwords or API tokens to source control.
158
+
- It is a good idea to ensure that you do not commit configuration files containing sensitive information e.g. passwords or API tokens to source control.
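Review bot: The changed bullet fixes "eg" to "e.g." but the example still runs into the sentence without punctuation; set it off as "sensitive information, e.g. passwords or API tokens, to source control". Given that the two bullets above it treat protecting configuration files as a requirement, "It is a good idea to ensure that you do not commit" is weak wording for secrets; consider stating it directly ("Do not commit ...").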
PHP has shared servers to thank for its popularity. It is hard to find a host without PHP installed, but be sure it's
68
75
the latest version. Shared servers allow you and other developers to deploy websites to a single machine. The upside to
69
76
this is that it has become a cheap commodity. The downside is that you never know what kind of a ruckus your
70
77
neighboring tenants are going to create; loading down the server or opening up security holes are the main concerns. If
71
-
your project's budget can afford to avoid shared servers you should.
78
+
your project's budget can afford to avoid shared servers, you should.
72
79
73
80
To make sure your shared servers are offering the latest versions of PHP, check out [PHP Versions](http://phpversions.info/shared-hosting/).
74
81
@@ -90,40 +97,46 @@ Among the tasks you might want to automate are:
90
97
* Deployment
91
98
92
99
93
-
### Build Automation Tools
100
+
### Deployment Tools
94
101
95
-
Build tools can be described as a collection of scripts that handle common tasks of software deployment. The build tool
96
-
is not a part of your software, it acts on your software from 'outside'.
102
+
Deployment tools can be described as a collection of scripts that handle common tasks of software deployment. The deployment tool is not a part of your software, it acts on your software from 'outside'.
97
103
98
-
There are many open source tools available to help you with build automation, some are written in PHP others aren't.
99
-
This shouldn't hold you back from using them, if they're better suited for the specific job. Here are a few examples:
104
+
There are many open source tools available to help you with build automation and deployment, some are written in PHP others aren't. This shouldn't hold you back from using them, if they're better suited for the specific job. Here are a few examples:
100
105
101
-
[Phing] is the easiest way to get started with automated deployment in the PHP world. With Phing you can control your
102
-
packaging, deployment or testing process from within a simple XML build file. Phing (which is based on [Apache Ant])
103
-
provides a rich set of tasks usually needed to install or update a web app and can be extended with additional custom
104
-
tasks, written in PHP.
106
+
[Phing] can control your packaging, deployment or testing process from within a XML build file. Phing (which is based on [Apache Ant]) provides a rich set of tasks usually needed to install or update a web application and can be extended with additional custom tasks, written in PHP. It's a solid and robust tool and has been around for a long time, however the tool could be perceived as a bit old fashioned because of the way it deals with configuration (XML files).
105
107
106
-
[Capistrano] is a system for *intermediate-to-advanced programmers* to execute commands in a structured, repeatable way
107
-
on one or more remote machines. It is pre-configured for deploying Ruby on Rails applications, however people are **successfully deploying PHP systems** with it. Successful use of Capistrano depends on a working knowledge of Ruby and
108
-
Rake.
108
+
[Capistrano] is a system for *intermediate-to-advanced programmers* to execute commands in a structured, repeatable way on one or more remote machines. It is pre-configured for deploying Ruby on Rails applications, however you can successfully deploying PHP systems with it. Successful use of Capistrano depends on a working knowledge of Ruby and Rake. Dave Gardner's blog post [PHP Deployment with Capistrano][phpdeploy_capistrano] is a good starting point for PHP developers interested in Capistrano.
109
109
110
-
Dave Gardner's blog post [PHP Deployment with Capistrano][phpdeploy_capistrano] is a good starting point for PHP
111
-
developers interested in Capistrano.
110
+
[Rocketeer] gets its inspiration and philosophy from the Laravel framework. Its goal is to be fast, elegant and ease to use with smart defaults. It features multiple servers, multiple stages, atomic deploys and deployment can be performed in parallel. Everything in the tool can be hot swapped or extended, and everything is written in PHP.
112
111
113
-
[Chef] is more than a deployment framework, it is a very powerful Ruby based system integration framework that doesn't
114
-
just deploy your app but can build your whole server environment or virtual boxes.
112
+
[Deployer] is a deployment tool written in PHP, it's simple and functional. Runs tasks in parallel, atomic deployment, keeps consistency between servers. Recipes of common tasks for Symfony, Laravel, Zend Framework and Yii. Younes Rafie's article [Easy Deployment of PHP Applications with Deployer][phpdeploy_deployer] is a great tutorial for deploying your application with the tool.
115
113
116
-
[Deployer] is a deployment tool written in PHP, it's simple and functional. Runs tasks in parallel, atomic deployment, keeps consistency between servers. Recipes of common tasks for Symfony, Laravel, Zend Framework and Yii.
114
+
[Magallanes] another tool written in PHP with simple configuration done in YAML files. It has support for multiple servers and environments, atomic deployment, and have some built in tasks that you can leverage for common tools and frameworks.
117
115
118
-
#### Chef resources for PHP developers:
116
+
#### Further reading:
119
117
120
-
* [Three part blog series about deploying a LAMP application with Chef, Vagrant, and EC2][chef_vagrant_and_ec2]
121
-
* [Chef Cookbook which installs and configures PHP and the PEAR package management system][Chef_cookbook]
122
-
* [Chef video tutorial series][Chef_tutorial]
118
+
* [Automate your project with Apache Ant][apache_ant_tutorial]
119
+
* [Expert PHP Deployments][expert_php_deployments] - free book on deployment with Capistrano, Phing and Vagrant.
120
+
* [Deploying PHP Applications][deploying_php_applications] - paid book on best practices and tools for PHP deployment.
121
+
122
+
### Server Provisioning
123
+
124
+
Managing and configuring servers can be a daunting task when faced with many servers. There are tools for dealing with this so you can automate your infrastructure to make sure you have the right servers and that they're configured properly. They often integrate with the larger cloud hosting providers (Amazon Web Services, Heroku, DigitalOcean, etc) for managing instances, which makes scaling an application a lot easier.
125
+
126
+
[Ansible] is a tool that manages your infrastructure through YAML files. It's simple to get started with and can manage complex and large scale applications. There is an API for managing cloud instances and it can manage them through a dynamic inventory using certain tools.
127
+
128
+
[Puppet] is a tool that has its own language and file types for managing servers and configurations. It can be used in a master/client setup or it can be used in a "master-less" mode. In the master/client mode the clients will poll the central master(s) for new configuration on set intervals and update itself if necessary. In the master-less mode you can push changes to your nodes.
129
+
130
+
[Chef] is a powerful Ruby based system integration framework that you can build your whole server environment or virtual boxes with. It integrates well with Amazon Web Services through their service called OpsWorks.
123
131
124
132
#### Further reading:
125
133
126
-
* [Automate your project with Apache Ant][apache_ant_tutorial]
134
+
* [An Ansible Tutorial][an_ansible_tutorial]
135
+
* [Ansible for DevOps][ansible_for_devops] - paid book on everything Ansible
136
+
* [Ansible for AWS][ansible_for_aws] - paid book on integrating Ansible and Amazon Web Services
137
+
* [Three part blog series about deploying a LAMP application with Chef, Vagrant, and EC2][chef_vagrant_and_ec2]
138
+
* [Chef Cookbook which installs and configures PHP and the PEAR package management system][Chef_cookbook]
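Review bot: Several of the added tool descriptions have grammar errors that should be fixed before merge: "however you can successfully deploying PHP systems with it" (Capistrano), "elegant and ease to use" (Rocketeer), "from within a XML build file" (Phing), and "[Magallanes] another tool written in PHP ... and have some built in tasks", which has no main verb and a number mismatch. The hunk also introduces a number of new reference labels ([Rocketeer], [Magallanes], [Ansible], [Puppet], [phpdeploy_deployer], [expert_php_deployments], [deploying_php_applications], [an_ansible_tutorial], [ansible_for_devops], [ansible_for_aws]) whose definitions are not in the visible diff; confirm each one resolves. In the Puppet paragraph, "the clients will poll ... and update itself" should be "update themselves".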