Mind Tree:
Testing your web application
August 14, 2008 @ 12:04:52

This recent post from the Mind Tree blog shares a few methods for testing your web application (not unit tests, just general checks).

Because the Web "environment" is so diverse and contains so many forms of programmatic content, input validation and sanity checking is the key to Web applications security. This involves both identifying and enforcing the valid domain of every user-definable data element, as well as a sufficient understanding of the source of all data elements to determine what is potentially user definable.

They note that the root of most problems is input validation - most applications either just don't do it or do it poorly. They include a few tips on first securing the environment the application is running in (like checking the HEAD/OPTIONS values and ensuring you're only allowing known file extensions and directories). They also mention the insecurity behind HIDDEN form elements and some issues surrounding user authentication.

testing application input validation authentication user environment



CodeIgniter Blog:
CodeIgniter Community Voice - Mathew Davies
July 02, 2008 @ 12:57:21

The CodeIgniter blog has posted another community spotlight by one of its members - this time it's Mathew Davies (author of the Redux Auth library) talking about hashing.

He covers several topics used in his Redux library, including hashing, salts, a method for getting/resetting a forgotten password and how to use database sessions to manage logged-in users.

The Redux Authentication System is a "great CodeIgniter Auth library. It's light, easy to use and fully featured. It's a great choice for your new or existing project due to the power it gives to the developer".

codeigniter community voice matthewdavies radux authentication library


Jonathan Street's Blog:
Windows Live Contacts coming to PEAR
June 30, 2008 @ 08:41:02

In a new entry to his blog, Jonathan Street talks about a new wrapper class he's built up around the Windows Live Contacts service.

It was a shame really as it was a really exciting project with Microsoft leading the way in the area. It's been only recently that Google and Yahoo have caught up and released their own APIs for accessing their users' data. [...] With the possibility of actually using the code myself creeping up on the horizon I decided to put the time in to write wrappers for PHP. It can be broken down into two components.

These two components are the delegated authentication, used to get permission from the user to grab the data, and the actual interface to the Windows Live Contacts data. Both packages have been submitted to PEAR.

windowslivecontacts pear package authentication


Padraic Brady's Blog:
Services_Oauth and Zend_Oauth Revisited
June 19, 2008 @ 10:21:57

Padraic Brady has gone back to a previous project, working with OAuth, and shares some thoughts on it and its possible implementation in both the Zend Framework and PEAR.

Starting yesterday, I opened up my IDE, updated PHPUnit, and got cracking. At the current rate of development a Consumer is likely at the weekend. I've already started writing up a formal proposal for PEAR and, of course, the Zend Framework also. I'm thankful the OAuth specification is this simple - it's one of the easiest to read specifications I've had the pleasure to work with.

He notes that an update to the API's Core (from 1.0 to 1.1) might be on the horizon, but can't see it affecting extensions/packages that much. He also mentions Extensions - not PHP extensions, but augmentations to the OAuth core that allow other functionality to be included (like Discovery).

servicesoauth oauth zendframework zendoauth authentication



Matthew Weier O'Phinney's Blog:
Login and Authentication with Zend Framework
March 31, 2008 @ 15:03:23

In a new entry on his blog today, Matthew looks to help, once and for all, those wondering how to handle user authentication and persistence in their Zend Framework applications.

The typical issue is that they're unsure how to combine: an authentication adapter, a login form, a controller for login/logout actions and checking for an authenticated user in subsequent requests. It's not terribly difficult, but it does require knowing how the various pieces of the MVC fit together, and how to use Zend_Auth. Let's take a look.

He gives the complete code for a login controller to cover most of that functionality and an example showing how to check for and keep track of which users have been authenticated.

tutorial zendframework login authentication example controller


Jonathan Snook's Blog:
Password Protecting Admin Functions in CakePHP
January 30, 2008 @ 09:31:00

Jonathan Snook has posted a helpful trick for CakePHP users out there looking to secure sections of their site away from "normal users" and keep it only in the hands of the admins.

I just wanted to document this for easy future reference but if you don't want to hook up a complex user administration with authorization components, you can simply specify that the admin path be password protected in either your .htaccess file or in your httpd.conf.

This method is actually one of the built-in methods Apache has for restricting access (HTTP authentication), which he's placed on his "/admin" directory. Call htpasswd to create the password file and you're all set to go.

cakephp framework password protect htaccess authentication http


Rich Zygler's Blog:
People work with WS-* web services in PHP? Why?
December 14, 2007 @ 12:55:00

Rich Zygler has a few choice words concerning the implementation of WS-* web services in PHP and how they compare to other methods (like SOAP and REST).

I'd love to give ws02 a fair shake because they have an open source business model. They have a web services framework for PHP which seems interesting from an academic standpoint. But I think WS-* web services are WAY too complicated when compared to REST.

He points at a certain bit of documentation (to show the "simplicity" of it) and gives a personal example of his SOAP experience with the Amazon API as well as mentioning other opinions on the matter.

webservice library rest soap ws02 authentication


Derick Rethans' Blog:
More goodies in the eZ Components
September 18, 2007 @ 19:44:00

As mentioned by Derick Rethans on his blog today, there are new versions of several (five) of the components in the next version of the eZ Components framework:

In the just released alpha versions you can find new features, such as better support for OpenID, a Database backend for OpenID authentication, a validating method for e-mail addresses, SMTP authentication support for DIGEST-MD5, CRAM-MD5, NTLM and LOGIN and encoding support for e-mail headers.

He also mentions other goodies like tree structure handling and functionality to support WebDav connections. Check out their roadmap to get a better idea of what's to come.

ezcomponents goodies authentication mail url tree webdav


The Bakery:
ToniAcl Component Tutorial
August 02, 2007 @ 10:25:00

On The Bakery today, there's a new tutorial covering the use of the ToniAcl component to handle authentication in your CakePHP website.

This component follows the traditional way of acl only slightly modifying it. For example, there's an inheritance feature, which will help tremendously the access controlling because you don't have to specify every action in aros_acos-table.

The tutorial includes all of the code you'll need - the component class for ToniAcl, the controller class to put it to use and database structure to handle the user information storage.

component tutorial cakephp bakery authentication




All content copyright, 2008 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework