Paragon Initiative Enterprises shared an interesting piece on Cryptographically Secure PHP Development. The article can be considered an additional resource to the rules for programming cryptography code in C, and it points to tips and techniques in the following areas:

– The Zeroth Rule of PHP Cryptography
– Easy Wins for PHP Cryptography Code
– PHP Cryptography: The Hard Parts

In conclusion, some cryptography best practices are simply not possible in PHP. To wit: PHP doesn’t allow you to perform direct memory management, so zeroing out memory buffers is not possible.

Furthermore, if a vulnerability is introduced somewhere else in the PHP interpreter (for example, via OpCache), there’s very little (if anything) you can do to mitigate it from a PHP script.

Read more at https://paragonie.com/blog/2017/02/cryptographically-secure-php-development
