
Théo Fidry:
Create and deploy secure PHARs
Jan 04, 2018 @ 19:45:57

For the Phar users out there, Théo Fidry has written up a guide to creating and deploying them securely, with the help of a few tools and an OpenSSL key to sign the release so that its integrity can be verified.

For those who are not familiar with it, PHAR (Php Archive) is analogous to the JAR file concept but for PHP. It allows you to package an application into a single file making it convenient to deploy or distribute.

[...] So what are PHARs useful for then? Well, still the same thing: packaging applications. Although not many people may want to use this technique for web applications, it is still extremely useful for console applications.

The tutorial starts off by showing a few different methods for installing Phars and how to build them from your code. While they can be built manually, he suggests using the box project to make it simpler. It also covers self-updating Phars and shows how to update the box.json configuration to use a generated key to sign the release. Finally, it covers a method for using Travis-CI to auto-build the Phar and how to keep the OpenSSL private key safe and out of the checked-in code.

tagged: phar tutorial install create sign openssl box build travisci

Link: https://medium.com/@tfidry/create-and-deploy-secure-phars-c5572f10b4dd

Freek Van der Herten:
Validating SSL certificates with PHP
Jul 28, 2016 @ 15:45:56

In a new post to his site Freek Van der Herten shares some code he's worked up to validate SSL certificates in PHP, to ensure they're valid when connecting to a remote site.

With vanilla PHP it’s possible to check if the SSL certificate of a given site is valid. But it’s kinda madness to do it.

He starts with the code required to do it including:

...then on to parsing the certificate and checking its "valid time" timestamps. He stops there, however, and advocates that you instead try out this package (one developed by him) to make the validation a two-line process. He also describes some of the other methods the package includes to get things like the issuer, the domain and any additional domains the certificate covers. Be aware that, if you're planning on using it, you'll need OpenSSL support in your PHP installation, as it's required for the connection and the validation.
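An added example (not code from Freek's post or from his package) of the vanilla-PHP approach the post describes: capture the peer certificate from a TLS stream, parse it with openssl_x509_parse, check the "valid time" timestamps and list the domains it covers. The host name is an assumption, and peer verification is left on, so a certificate that fails chain or hostname validation surfaces as a connection error rather than as a parsed certificate.

```php
<?php
// Added example; not code from Freek's post or his package. Host/port are assumptions.
function fetchPeerCertificate(string $host, int $port = 443, int $timeout = 5): array
{
    $context = stream_context_create([
        'ssl' => [
            'capture_peer_cert' => true,   // expose the leaf certificate after the handshake
            'verify_peer'       => true,   // the chain must validate against the CA bundle
            'verify_peer_name'  => true,   // the hostname must match the certificate
        ],
    ]);
    $errno = 0; $errstr = '';
    $client = @stream_socket_client("ssl://{$host}:{$port}", $errno, $errstr, $timeout,
        STREAM_CLIENT_CONNECT, $context);
    if ($client === false) {
        throw new RuntimeException("TLS connection to {$host} failed: {$errstr} ({$errno})");
    }
    $params = stream_context_get_params($client);
    fclose($client);
    $cert = openssl_x509_parse($params['options']['ssl']['peer_certificate']);
    if ($cert === false) {
        throw new RuntimeException('Could not parse the peer certificate');
    }
    return $cert;
}
// The "valid time" check from the post: notBefore <= now <= notAfter.
function isCertificateCurrentlyValid(array $cert, ?int $now = null): bool
{
    $now = $now ?? time();
    return $cert['validFrom_time_t'] <= $now && $now <= $cert['validTo_time_t'];
}
// Subject CN plus every DNS entry in subjectAltName: the domains the certificate covers.
function coveredDomains(array $cert): array
{
    $domains = isset($cert['subject']['CN']) ? [$cert['subject']['CN']] : [];
    foreach (explode(',', $cert['extensions']['subjectAltName'] ?? '') as $entry) {
        $entry = trim($entry);
        if (strncmp($entry, 'DNS:', 4) === 0) {
            $domains[] = substr($entry, 4);
        }
    }
    return array_values(array_unique($domains));
}
// Constructed usage against an assumed host.
$cert = fetchPeerCertificate('example.com');
printf("Issuer: %s\nValid now: %s\nDomains: %s\n",
    $cert['issuer']['CN'] ?? '(none)',
    isCertificateCurrentlyValid($cert) ? 'yes' : 'no',
    implode(', ', coveredDomains($cert)));
```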

tagged: package certificate ssl validate openssl example

Link: https://murze.be/2016/07/validating-ssl-certificates-php/

Michelangelo van Dam:
Compile PHP 7 on Mac OS X 10.11 "El Capitain"
Jul 19, 2016 @ 14:34:33

In a new post to his site Michelangelo van Dam has posted a guide to compiling PHP 7 on OSX "El Capitan", the latest release of the popular Apple operating system.

Apple has made numerous changes to the way OS X (10.11) "El Capitan" uses open source elements like PHP and OpenSSL. Compiling PHP from source requires a few more modifications.

This article is a follow-up on my previous post, Installing PHP 7 with XDebug, Apache and MySQL on OS X Yosemite (http://www.dragonbe.com/2015/12/installing-php-7-with-xdebug-apache-and.html).

He then provides the commands and configuration information you'll need to get things up and running:

  • OpenSSL
  • PHP 7
  • Apache

The end result is a simple PHP 7 installation with plenty of features installed.

tagged: compile php7 mac osx elcapitan openssl apache

Link: http://www.dragonbe.com/2016/07/compile-php-7-on-mac-os-x-1011-el.html

Rob Allen:
SSL certificate verification on PHP 5.6
Dec 23, 2014 @ 18:15:41

Rob Allen has a quick tip posted today about SSL certificate verification in PHP 5.6 and things that need to be updated thanks to recent improvements in PHP's SSL handling.

I recently updated my local OS X Zend Server installation to PHP 5.6 and when I ran composer self-update, I got this error message: "The "https://getcomposer.org/version" file could not be downloaded: SSL operation failed" [...] Googling around, I finally worked out that there have been various SSL improvements in PHP 5.6 and that the problem was that it couldn't find any OpenSSL certificates on my system. This isn't a total surprise as OS X has been moving away from using OpenSSL internally in favour of its own libraries.

To resolve the issue he found where PHP was looking for certificates (using openssl_get_cert_locations) and how a quick "brew install" of OpenSSL provided the missing certificates. Then, a quick update to the "openssl.cafile" path in php.ini points PHP at the right certificate bundle.

tagged: certificate validation ssl openssl php56 tip fix

Link: http://akrabat.com/php/ssl-certificate-verification-on-php-5-6/

PHP.net:
PHP 5.4.34 & 5.6.2 Released
Oct 17, 2014 @ 15:14:07

On the main PHP.net site an announcement has been posted about the release of the two latest versions in the PHP 5.4.x and 5.6.x series: PHP 5.4.34 and 5.6.2.

These releases fix several bugs in both versions, including the security-related issues CVE-2014-3668, CVE-2014-3669 and CVE-2014-3670. The 5.4.34 release also corrects a regression in the OpenSSL functionality.

As both of these contain security-related fixes, it's strongly recommended that you upgrade as soon as possible. As always, you can find the latest downloads on the main downloads page or windows.php.net for the Windows users. The full list of changes in each of the versions can be found in the Changelog.

tagged: language release bugfix security update openssl

Link: http://php.net/archive/2014.php#id2014-10-16-3

PHPClasses.org:
Lately in PHP Podcast #46 - "Is the Hack Language Going to Replace PHP?"
Apr 21, 2014 @ 14:12:14

In the latest episode (#46) of the "Lately in PHP" podcast series Manuel Lemos and Arturs Sosins wonder if Hack will ever replace PHP.

The release of the Facebook Hack language has shaken the PHP community, since it implements several frequently requested features that were never implemented in PHP, and many users are considering dropping PHP in favor of Hack. This was one of the main topics discussed by Manuel Lemos and Arturs Sosins on episode 46 of the Lately in PHP podcast. They also talked about whether the OpenSSL Heartbleed security bug may affect PHP sites or not, ideas for the PHP 6 engine, the need for an official PHP specification, and an advanced email validation that can provide suggestions for address typos like Google's "did you mean" feature.

You can catch this latest episode either through the in-page audio player, by downloading the mp3 or by watching the video of the live Google Hangout recording.

tagged: phpclasses latelyinphp ep46 hack replace openssl heartbleed podcast

Link: http://www.phpclasses.org/blog/post/232-Is-the-Hack-Language-Going-to-Replace-PHP--Lately-in-PHP-podcast-episode-46.html

PHPClasses.org:
OpenSSL Serious Security Bug: Does it Affect Your PHP sites?
Apr 10, 2014 @ 16:55:37

In the wake of the announcement of the Heartbleed vulnerability in the widely used OpenSSL software, the PHPClasses blog has posted a look at how it relates to PHP applications and how you can see if your application is affected.

Just a few days ago a serious security bug called Heartbleed, which affects secure sites based on the OpenSSL library, was publicly announced. Read this article to learn more about this security problem, how to test if your Web server or SSH server is vulnerable, how it may affect your PHP sites, and what you should do to fix the problem.

They start with a look at the bug, what it is and why it's such a big problem. The post then covers what kinds of applications are vulnerable (hint: it has nothing to do with PHP itself, but with the OpenSSL library the server links against) and how you can test to see if your server is secure. The rest of the post talks about how to resolve the issue and how it relates to OpenSSL connections to other servers and to SSH.

tagged: openssl bug heartbleed security effect webserver

Link: http://www.phpclasses.org/blog/post/231-OpenSSL-Serious-Security-Bug-Does-it-Affect-Your-PHP-sites.html

PHP.net:
Multiple Releases - PHP 5.4.23, 5.3.28 and 5.5.7
Dec 13, 2013 @ 15:33:42

The PHP.net site reports three new versions of the language being released at once, all fixing an OpenSSL issue announced in CVE-2013-6420. This includes updates for all three supported branches:

  • PHP 5.4.23
  • PHP 5.3.28 (also fixes CVE-2013-4073)
  • PHP 5.5.7

As this is a security-related issue, it's recommended that you update to the latest version for your installation. You can get these latest downloads from either the main downloads page or for Windows users, windows.php.net.

tagged: language release security update openssl cve20136420 cve20134073

Link: http://php.net/

Timoh's Blog:
Secure random numbers for PHP developers
Nov 06, 2013 @ 15:20:55

Timoh has posted a look at random number generation to his site, focusing on one of the few methods that produce cryptographically secure random bytes: reading from /dev/(u)random (available on Unix-like systems).

How would you gather cryptographically secure random bytes in your PHP application? This is actually quite a good question. It used to be, and it seems it still is, not that uncommon to simply call the mt_rand() function to get the job done when creating a user’s “initial password”, for example. A bit more experienced reader will notice there is a security bug. [...] But actually only a few [functions to get random values] can be recommended for security sensitive purposes. And now I’m not talking about openssl_random_pseudo_bytes().

He starts with a look at openssl_random_pseudo_bytes and why there might be something wrong with its use, mainly that OpenSSL has had its own share of security issues in the past. Of the two random devices he recommends /dev/urandom, as it does not block and is therefore more useful for web applications. He recommends the RandomCompat library if you need to take this random data and transform it into integers (with one caveat).
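An added example (not code from Timoh's post or from RandomCompat) of the approach he recommends: reading bytes from /dev/urandom, with the short-read pitfall and the biased-integer pitfall handled. It assumes a Unix-like system with a readable /dev/urandom and a 64-bit PHP build.

```php
<?php
// Added example, not code from Timoh's post or from RandomCompat. Assumes a
// Unix-like system with a readable /dev/urandom and a 64-bit PHP build.
function urandomBytes(int $length): string
{
    if ($length < 1) {
        throw new InvalidArgumentException('length must be positive');
    }
    $fp = @fopen('/dev/urandom', 'rb');
    if ($fp === false) {
        throw new RuntimeException('Cannot open /dev/urandom');
    }
    stream_set_read_buffer($fp, 0);   // read exactly what we ask for, no read-ahead
    $bytes = '';
    while (strlen($bytes) < $length) {
        $chunk = fread($fp, $length - strlen($bytes));
        if ($chunk === false || $chunk === '') {   // a short read is an error, never padded
            fclose($fp);
            throw new RuntimeException('Short read from /dev/urandom');
        }
        $bytes .= $chunk;
    }
    fclose($fp);
    return $bytes;
}

// Turning bytes into an integer in [$min, $max] is where a naive approach goes
// wrong: "$value % $range" skews towards small numbers unless $range divides
// 2^32 exactly. Rejection sampling discards the values that would cause the skew.
function urandomInt(int $min, int $max): int
{
    if ($max <= $min) {
        throw new InvalidArgumentException('max must be greater than min');
    }
    $range = $max - $min + 1;
    if ($range > 0x100000000) {
        throw new InvalidArgumentException('range wider than 32 bits');
    }
    $limit = 0x100000000 - (0x100000000 % $range);   // largest multiple of $range <= 2^32
    do {
        $value = unpack('N', urandomBytes(4))[1];     // unsigned 32-bit big-endian integer
    } while ($value >= $limit);
    return $min + ($value % $range);
}

// Constructed usage: a 32-hex-character token and a 6-digit one-time code.
echo bin2hex(urandomBytes(16)), "\n";
printf("%06d\n", urandomInt(0, 999999));
```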

tagged: secure random number generation devurandom urandom openssl

Link: http://timoh6.github.io/2013/11/05/Secure-random-numbers-for-PHP-developers.html

PHP.net:
PHP 5.4.19 and PHP 5.5.3 Released!
Aug 23, 2013 @ 15:57:51

The PHP development group has officially released the latest editions in the PHP 5.4.x and 5.5.x series: PHP 5.4.19 & 5.5.3.

The PHP development team announces the immediate availability of PHP 5.4.19 and PHP 5.5.3. These releases fix a bug in the patch for CVE-2013-4248 in the OpenSSL module and a compile failure with ZTS enabled in PHP 5.4. All PHP users are encouraged to upgrade to either PHP 5.5.3 or PHP 5.4.19.

As this is a security-related patch, all users are strongly encouraged to update their installations to prevent any potential issues. You can find out more about that flaw here. As always, you can download these latest releases from the downloads page (or here for Windows binaries).

tagged: language release bugfix security openssl update

Link: http://php.net/index.php#id2013-08-22-1
