I think the main reason why we have to hash passwords is to prevent passwords from being stolen or compromised. You see, even if someone steal your database, they will never read your actual or cleartext password. I know that some PHP frameworks or CMS already provide this functionality, but I believe that it is important for us to know how its implementation can be made.

His sample application stores the user data in a MySQL database and does the salting+hashing at the time of the request. It uses a hard-coded salt and a value of 8 for the hashing/stretching. Screenshots of each page in the example application are also included.

If you've ever integrated with another API that requires security (such as Twitter), you've probably consumed an OAuth service. In this article, I'll explore what it takes to create your own three-legged OAuth server allowing you, for example, to create your own secure API which you can release publicly.

They include a visual representation of the OAuth authentication flow (it's not the simplest thing) and the database structure/sample code you'll need to get the server up and listening. Also included is a registration form and how to generate a request token and give back an access token. There's also some sample code showing how to validate the request and it's access token to check for a correct (and allowed) request.

I can code fairly well in PHP these days, but my security isn't so hot. Is there a tutorial or plugin you guys can recommend as to how I should be protecting my php pages/inputs? I want to avoid common attacks like XSS, inputs with NULL or DROP TABLE etc?

Responses on the post include recommendations related to:

• Using the Chorizo scanner to find common issues in your code
• Using PDO for database connections (with bound parameters)
• Not trusting "$_SERVER"
• Data sanitization

There's also links to a few other resources with more details.

Unfortunately, cross-site scripting attacks occurs mostly, because developers are failing to deliver secure code. Every PHP programmer has the responsibility to understand how attacks can be carried out against their PHP scripts to exploit possible security vulnerabilities. Reading this article, you'll find out more about cross-site scripting attacks and how to prevent them in your code.

Included in the tutorial is an example with a simple form and definitions of different types of XSS attacks - reflected XSS, persistent XSS and three ways to prevent them: data filtering, output filtering and data validation. He also links to a few "cheatsheets" to help even more (including this guide and a Zend Framework set of XSS test data.

ContractLib is a simple-to-use PHP component for easily enforcing programming contracts throughout your PHP components. These programming contracts can go a long way to helping you, and the users of your components, develop more robust code.

In his example tests he shows how to set a pre-condition on a method's input ensuring that it will always be the correct datatype (array). In his comparison with PHP's "assert", he lists out some of the features that either one has and notes that ContractLib allows you to be much more flexible with your checking than just simple statements.

This little fable describes the most common vulnerability found in web sites, the Cross Site Scripting (XSS) attack. According to a report from WhiteHat Security 83 percent of websites they tested have had at least one serious vulnerability and 66 percent of all websites with vulnerabilities are susceptible to XSS attacks making it the most common vulnerability web developers face. To fix this, it takes 67 days on average. Tools like WebScarab and Paros Proxy can be used to scan sites for possible vulnerabilities.

They offer two simple pieces of advice that it's all too easy to forget when developing applications - validate all user input to ensure it's what it should be and escape any untrusted output (even sometimes your own!) before pushing it out to the page.

When maintaining or running a website , Webmasters need to keep in mind that one of the pertinent issues they will need to focus on is :Website Testing, which is not only vital for the website itself but for the user as well and one should not overlook its importance. [We have] collected some vital and free website testing tools which will help Webmasters in testing their sites thus saving users to conduct time consuming needless searches in finding the best resources pertaining to Web related tools and info.

Among the tools on the list are services like:

• Load Impact
• Browser Mob
• Host Tracker
• Built With
• CSE HTML validator

Most of these resources are free services, if not then they have a trial where you can see if it's a good fit.

A standard select list can be created using Symfony's choice field type; it is pretty clear how to create a new choice field with simple, non-dynamic options (e.g. gender), but it gets a little more complicated when you want to create and validate a dynamically generated choice list.

He includes the code for a simple entity, a Post model to fetch the category information and the set up of the form element - a select list of post types/categories. He also includes a bonus section showing how you can achieve the same thing without a model to bind to. The code's a little bit more complex than the previous example, but it's basically just reproducing some of the validation and fetching logic manually.

Regular expression for the PHP developers, on of the most popular tool for validating data is the regular expression. In this list we provides some validation - string match, password match validation, email address validation, date format and many more which helps developer to make their application more fast and easy to execute. [...] Have you note that, regular expressions are more slower than the basic string function, its takes a short time to execute than any others.

Included in their list are things like:

• Password Match Validation
• Validate URL
• Validate URL using Preg_match
• UK Postcode Validation
• SSN,ISBN and Zipcode Validation

A few of these could be done with either one or two string calls or some of the filtering functions that are included in PHP.

I discovered recently that Zend Framework 1's Zend_Date has two operating modes when it comes to format specifiers: iso and php, where iso is the default. When using Zend_Validate_Date in forms, I like to use the php format specifiers as they are what I'm used to and so can easily know what they mean when reviewing code that I wrote months ago.

His example code shows how you can use the standard date formatting strings in a Zend_Form validator (the "php" format) and an example using the Zend_Date::MONTH or Zend_Date::YEAR identifiers (the "iso" format). He also shows how he met two other requirements - validation for empty and a consistent format on the date validation ("Y-m-d").