SitePoint PHP Blog:
How to Properly Deploy Web Apps via SFTP with Git
Nov 29, 2016 @ 11:53:49

On the SitePoint PHP blog there's a new tutorial posted showing you how to properly deploy applications with SFTP and Git. In their examples they build a PHP-based deployment process that uses a few handy packages to make the flow simpler than a set of manual commands.

Uploading files is an integral aspect of any deployment process, and the underlying implementation can vary depending on the type of your server.

[...] The PHPSECLIB (PHP Secure Communications Library) package has an awesome API for routine SFTP tasks: it uses some optional PHP extensions if they’re available, and falls back on an internal PHP implementation otherwise. You don’t need any additional PHP extension to use this package, the default extensions that are packaged with PHP will do. In this article, we will first cover various features of PHPSECLIB – SFTP, including but not limited to uploading or deleting files. Then, we will take a look at how we can use Git in combination with this library to automate our SFTP deployment process.

They start with a quick Composer command to get the phpseclib library installed, then quickly move into using it with some SSH keys, covering:

  • authenticating to the server with public/private keys
  • uploading a sample file
  • automating the deployment with Git, pushing only changed files from a local git repo
  • getting the contents of a specific commit
  • the actual push of the files via SFTP

There are also a few other helpful hints included showing how to manage permissions on the remote server, execute remote commands and download files. The post ends with links to other similar tools if you're interested in more complete approaches.

tagged: deploy application sftp git deployment tutorial phpseclib example

Link: https://www.sitepoint.com/how-to-properly-deploy-web-apps-via-sftp-with-git/

SitePoint PHP Blog:
Phpseclib: Securely Communicating with Remote Servers via PHP
Oct 04, 2016 @ 13:37:33

The SitePoint PHP blog has posted a new tutorial by Viraj Khatavkar showing how to use the phpseclib library to securely communicate with remote servers directly from your PHP code.

PHP has an SSH2 library which provides access to resources (shell, remote exec, tunneling, file transfer) on a remote machine using a secure cryptographic transport. Objectively, it is a tedious and highly frustrating task for a developer to implement it due to its overwhelming configuration options and complex API with little documentation.

The phpseclib (PHP Secure Communications Library) package has a developer friendly API. It uses some optional PHP extensions if they’re available and falls back on an internal PHP implementation otherwise. To use this package, you don’t need any non-default PHP extensions installed.

The first step is getting the library installed (via Composer), followed by a few example use cases including generating SSH keys dynamically and testing an SSH/SFTP connection. The tutorial then talks about three methods you can use with phpseclib to connect to remote servers: using an RSA key, using a password-protected RSA key and just the normal username/password combination. With the connection made they then show you how to:

  • execute (single and multiple) commands on the remote server
  • exit on the first error
  • gather the output from the commands

There's also a bit included about some other interesting configuration options and a few alternatives to the library if phpseclib doesn't work exactly right for your application.

tagged: phpseclib security communication server library tutorial introduction

Link: https://www.sitepoint.com/phpseclib-securely-communicating-with-remote-servers-via-php/

Paragon Initiative:
Choosing the Right Cryptography Library for your PHP Project: A Guide
Nov 16, 2015 @ 12:19:16

On the Paragon Initiative blog there's a new article posted that wants to help you pick the right cryptography library for your project and your needs. In it they make several recommendations and describe the benefits of each.

Cryptography is not magic. Adding encryption to an application doesn't automatically make it secure against attackers (especially if you aren't authenticating your ciphertext). But if you do need it to satisfy a business need, conventional wisdom states that you almost certainly should not try to design your own cryptography. Instead, you should use an existing cryptography library.

Okay, great. So which PHP cryptography library should I use? That depends on your exact requirements. Let's look at some good choices. (We won't cover any terrible choices.)

The three libraries they recommend are: Halite, the Libsodium library, the Defuse Security PHP Encryption library and the PHPSecLib library. For each they make some recommendations on places they may be most effective and how using them relates to passwords (hint: hashing over encryption).

tagged: cryptography library choice hailite libsodium phpencryption phpseclib password

Link: https://paragonie.com/blog/2015/11/choosing-right-cryptography-library-for-your-php-project-guide

SitePoint PHP Blog:
How to Encrypt Large Messages with Asymmetric Keys and phpseclib
Jan 20, 2015 @ 11:40:51

On the SitePoint PHP blog today David Brumbaugh shows you how to encrypt large messages with phpseclib and asymmetric keys. phpseclib is a PHP library specifically designed to handle encryption and decryption in an easy-to-use way.

Most of us understand the need to encrypt sensitive data before transmitting it. Encryption is the process of translating plaintext (i.e. normal data) into ciphertext (i.e. secret data). During encryption, plaintext information is translated to ciphertext using a key and an algorithm. To read the data, the ciphertext must be decrypted (i.e. translated back to plaintext) using a key and an algorithm. [...] A core problem to be solved with any encryption algorithm is key distribution. How do you transmit keys to those who need them in order to establish secure communication? The solution to the problem depends on the nature of the keys and algorithms.

He talks a bit about the difference between symmetric and asymmetric algorithms and offers some advice about selecting the right one (or ones) to use in your app. He also talks briefly about the problem with RSA keys, mostly that there are limits on the amount of text they can encrypt. His solution is to "encrypt the message with a symmetric key, then asymmetrically encrypt the key and attach it to the message". He explains the encryption/decryption process step by step and then starts showing the code to make phpseclib do the work. He shows how to generate the keys, build the encrypt function and the decrypt function with about 30 lines of code each.

tagged: encrypt decrypt large message asymetric key phpseclib tutorial

Link: http://www.sitepoint.com/encrypt-large-messages-asymmetric-keys-phpseclib/