[French version available here]

Are we willingly making our servers vulnerable to denial-of-service? After a reminder about hash algorithms and the reasons for their use, let’s discuss their cost on our infrastructures.

Argon glowing under an electric field.

I recently realized that these algorithms were much more complex to implement than expected. Beware, don’t jump to conclusions: hashing passwords is still the most effective way to (not) store them today. But it seems that we should prepare for the next step.

Hashing passwords?

We all have developed applications that identify their users through a login form that asks for a password. It is up to us…

[edit] This discussion has indirectly resulted in a new serialization mechanism added to PHP 7.4. This post is now obsolete.

PHP serialization/unserialization has several drawbacks ^1.

On the serialization side, the Serializable interface:

  • breaks references inside serialized data structures;
  • delegates the responsibility of the serialization format to its implementations, to the detriment of optimized formats that e.g. igbinary provides.

On the unserialization side:

  • security exploits have been demonstrated when using unserialize() on user-submitted data;
  • serialized strings referencing missing classes create placeholder objects of type PHP_Incomplete_Class, which behave in an unusual manner and most importantly break the semantics of the original…

© Michael Bolognesi — https://www.flickr.com/photos/bollan/8193188812

In Making Symfony’s Router 77.7x faster - 1/2, we learned how to build a faster URL matcher, using hash-map lookups for static routes, and combined regular expressions for routes with placeholders, while preserving all the advanced features of the Symfony router. However, more work was needed for some real-world apps, as at least one of them experienced a slowdown. Let’s see how fixing this provided us with (one of) the fastest PHP routers out there.

First and foremost, there is no faster way to match a static route than a hash-map lookup. …

© Hervé Bry — https://www.flickr.com/photos/setaou/2935943672/

Was it slow? Not at all. In 2014, Nikita Popov published an inspiring blog post entitled Fast request routing using regular expressions. The article explains how one can match HTTP routes at very high performance, by combining them together in bigger regular expressions. Its conclusion rightfully reminds us that routing will usually not be a bottleneck in your apps, but also hints that some of us are building high-throughput HTTP servers in PHP, ending with this sentence: “If you tried to put the Symfony router behind such a server, it would totally cripple your performance.”

Nicolas Grekas

Loves clean architecture, best performance, fast CI, great developer experience. Shipping as Symfony core team member, Blackfire.io CTO, ESPCI Alumni.
