The ZFort.com site has posted their latest PHP Digest for November 1st through 19th of 2017 - Digest #9. The post includes happenings in the language, community and spotlights various packages. Items in this latest digest include:

• the PHP Version Statistics 2017.02 Edition
• the RFC to allow trailing commas in function calls
• the collinodell/json5 package
• the tutorial covering deployment of PHP applications with Deployer

There's lots more mentioned in this latest digest so be sure to check out the full post for more packages, events and a list of learning materials for your framework of choice.

On PHPMaster.com they've posted a new tutorial by Sean Hudgston that helps you understand HTTP digest authentication, a simple way to authenticate a user or script against your application.

Digest Access Authentication is one method that a client and server can use to exchange credentials over HTTP. This method uses a combination of the password and other bits of information to create an MD5 hash which is then sent to the server to authenticate. Sending a hash avoids the problems with sending a password in clear text, a shortfall of Basic Access Authentication.

He starts out by looking at the "basic authentication" mechanism that's built into most web servers and points out that it has a major flaw - sending the username/password in (pretty much) plain text. Digest, on the other hand, uses a MD5 hash created from a few pieces of information including username, realm and request method. The result is sent as a header back to the server that can then be parsed by PHP. He also talks about improving on the basic version of the digest method using the qop, nc, and cnonce optional parameters.

Validating users can be a complicated thing but, depending on what you're trying to protect, you may not need an entire user validation and management system to keep it all straight. Evert Pot offers information on using PHP with a good old standby technology - HTTP basic and digest authentication.

HTTP authentication is quite popular for web applications. It is pretty easy to implement and works for a range of http applications; not to mention your browser.

He includes two scripts - one to force the Basic form of authentication (the password is passed over in clear-text) and the Digest method (the password is set over as a hash) - and how to check the values sent back for each. Obviously, the Digest method takes a little more doing and requires compiling a few different keys as an md5 hash to ensure that the user is valid.

On his PseudoCoder.com blog Matt has posted the fifth edition of the CakePHP Digest - summing up recently CakePHP-related news into one neat package.

This is my third digest and for the first time there isn’t a clear lead story. I was going to go with gwoo’s message that CakePHP 1.2 had received close to 25k downloads in the first 6 days of its release. That works out to 1.5 million downloads extrapolated over a full year. Actual download rate will likely taper off - I just wanted to use the word extrapolate.

Other topics mentioned include:

• Daniel Hofstetter’s framework free agency
• Discussions about whether to accept bugs without test cases
• An article on building The Bakery
• Comparisons to Symfony and the Yii frameworks
• Lots of new content in The Bakery

In this new tutorial on Paul James' blog, they spotlight a method for authentication on your site using the traditional HTTP authentication method, but with the customizable frontend of an HTML form.

The main reason people walk away from using HTTP authentication is that they want control over the look of the login form and most browsers display an awful looking dialog box. So what we need is a way for HTML forms to pass HTTP auth data when it's submitted. The HTML spec provides HTML forms as a way to create queries and to POST urlencoded data to a URL, but can we subvert it?

They show that, with the help of some simple Javascript, it can be accomplished. They give the code example to make it all work, including a bit of PHP code to validate the inputted data against two predefined constants. They also include another method, using HTTP Digest, to authenticate without the need to send the login information out to the server plain-text.

In this new tutorial on Paul James' blog, they spotlight a method for authentication on your site using the traditional HTTP authentication method, but with the customizable frontend of an HTML form.

The main reason people walk away from using HTTP authentication is that they want control over the look of the login form and most browsers display an awful looking dialog box. So what we need is a way for HTML forms to pass HTTP auth data when it's submitted. The HTML spec provides HTML forms as a way to create queries and to POST urlencoded data to a URL, but can we subvert it?

They show that, with the help of some simple Javascript, it can be accomplished. They give the code example to make it all work, including a bit of PHP code to validate the inputted data against two predefined constants. They also include another method, using HTTP Digest, to authenticate without the need to send the login information out to the server plain-text.