News Feed
Sections




News Archive
feed this:

Looking for more information on how to do PHP the right way? Check out PHP: The Right Way

Three Devs & A Maybe Podcast:
Episode #51 Midweek Random Rambles
December 10, 2014 @ 10:53:28

The Three Devs & A Maybe podcast, hosted by Michael Budd, Fraser Hart, Lewis Cains and Edd Mann, has posted their latest episode - Episode #51: Midweek Random Rambles.

In our 51st podcast we temporarily revert to a midweek recording of the show. This essentially means we were all a bit tired and delirious, leading to some fantastic randomness, none more than Lew's 'different' introduction to the show. We will let you be judges of that! Following our usual discussion of how things are panning out in our working week, we then move on to discuss some of the interesting security issues cropping up on Michael's university course. Also, Fraser has landed an exciting new job in London, Lew has found front-end dependency bliss with Bower and Edd is doing some exciting stuff at work too. We also talk about asset file compression/concatenation and issues we've encountered with those too. So... plenty to discuss, in fact too much to cram in to our usual hour so we will continue the theme next time. Enjoy folks, and as ever, thanks for listening and for your feedback.

Other topics mentioned in this episode include the Google no CAPTCHA reCAPTCHA, the Gitminutes podcast and new book covering domain driven design in PHP. You can listen to this latest episode either through the in-page audio player or by downloading the mp3. If you enjoy the show, be sure to subscribe to their feed too!

0 comments voice your opinion now!
threedevsandamaybe podcast ep51 midwekk random ramblings

Link: http://threedevsandamaybe.com/midweek-random-rambles/

Pádraic Brady:
Composer Downloading Random Code Is Not A Security Vulnerability?
February 21, 2014 @ 10:04:52

In his latest post Pádraic Bradyhas posted a response to a recent post stating that in issue in Composer where the wrong package could be installed is not a security issue. Pádraic disagrees, here's why:

The problem here is quite simple. A user defines a composer.json file that requires the package bloggs/framework. Someone else creates a package on Packagist.org called evil/framework whose own composer.json states that it replaces bloggs/framework. Next, a group of poor random victims, potentially thousands, use composer to install applications with a dependency on bloggs/framework. Composer does some internal wizardry and installs evil/framework when certain conditions are met. The victims didn't request evil/framework but they get it anyway.

He suggests that this is a kind of remote file inclusion and possibly a remote code execution vulnerabilities. He points out that the manual steps suggested in the post aren't listed in the Composer documentation and fixes for it are still pending work.

Saying one thing, but acting like it's the other thing you don't want people to call it, makes me think it really is the other thing. Probably because it is. Users can fall victim to a replace and it's called "unintuitive", but if a package states that it replaces something that might lead to the unintuitive behaviour, it's an abuse.
0 comments voice your opinion now!
composer random code vulnerability security package

Link: http://blog.astrumfutura.com/2014/02/composer-downloading-random-code-is-not-a-security-vulnerability/

Timoh's Blog:
Secure random numbers for PHP developers
November 06, 2013 @ 09:20:55

Timoh has posted a look at random number generation to his site, focusing on one of the many methods to produce truly random number - using /dev/(u)random (available on Unix-based filesystems).

How would you gather cryptographically secure random bytes in your PHP application? This is actually quite a good question. It used to be, and seems, it still is not that uncommon to just simply call mt_rand() function to get the job done creating user's "initial password", for example. A bit more experienced reader will notice there is a security bug. [...] But actually only a few [functions to get random values] can be recommended for security sensitive purposes. And now I'm not talking about openssl_random_pseudo_bytes().

He starts with a look at openssl_random_pseudo_bytes and why there might be something wrong with its use - mainly that OpenSSL has had its own share of security issues in the past. Of the two random resources he recommends /dev/urandom as it's less blocking and more useful for web applications. He recommends the RandomCompat library if you need to take this random data and transform it into integers (with one caveat).

0 comments voice your opinion now!
secure random number generation devurandom urandom openssl

Link: http://timoh6.github.io/2013/11/05/Secure-random-numbers-for-PHP-developers.html

Pádraic Brady:
Stateful vs Stateless CSRF Defences Know The Difference
August 13, 2013 @ 09:49:00

In this new post to his site, Pádraic Brady looks at two methods for generating CSRF (cross-site request forgery) tokens to help protect your application. It's not a tutorial, per se...more of a comparison of two methods: stateful and stateless CSRF tokens.

The difference between Stateful and Stateless CSRF defences is that the former requires storing the CSRF token on the server (i.e. session data) while the latter does not, i.e. the server has zero record of any CSRF tokens. As far as the server is concerned, the number of parties with persistent knowledge of a valid token is reduced to just one - the client. [...] Let's compare both types of CSRF protections.

He introduces the concepts behind both types of token generation, pointing out that most of the PHP frameworks out there rely on the stateful option (the "synchronizer" method). The other method ("double submit") actually involves two tokens, one in the POST content and the other as a cookie value. He also dissects this other stateless concept article he found and how its method of generation may not be ideal.

Like most attacks, CSRF does not exist in isolation so developing a good defence requires mitigating other attacks. [...] Any good CSRF token implementation, whether stateful or stateless, should reflect those requirements with features for limiting tokens by scope and time.
0 comments voice your opinion now!
csrf token stateless stateful difference doublesubmit random synchronizer

Link: http://blog.astrumfutura.com/2013/08/stateful-vs-stateless-csrf-defences-know-the-difference

PHPMaster.com:
Better Understanding Random
April 26, 2013 @ 11:52:49

On PHPMaster.com there's a new tutorial talking about randomness in PHP, what it is and some of the things it can be used for.

Use of random values is very important in the computer security field. It is crucial in computer programming for development of secure systems that are not vulnerable to malicious subversion. Cryptography relies on random value's generation and their reproducibility for unpredictable output that is core for security of any system. Random values are fundamental for secure coding practices and PHP highly makes use of them for security. You will find them used in all libraries and frameworks and almost all codes rely on them for the generation of tokens, salts and as inputs for further functions.

He talks about the important of good random numbers and some of the common uses for it including generating salts and unique identifiers. He mentions the "pseudorandomness" of PHP's generators and how they're seeded to help increase this randomness. He finishes up the tutorial with some suggestions and language features for creating "as random as possible" values like using "/dev/urandom" on Linux-based systems.

0 comments voice your opinion now!
random language feature pseudorandom uses tutorial

Link: http://phpmaster.com/better-understanding-random

Anthony Ferrara:
Seven Ways To Screw Up BCrypt
December 21, 2012 @ 12:20:04

If you're going to be rolling your own user handling in your application, no doubt you've heard that something like bcrypt-ing your passwords is a good idea. Well, Anthony Ferrara has some suggestions for you and shows you seven ways you can "screw up" when trying ti implement it.

There are numerous articles on the web about how to properly use bcrypt in PHP. So this time, rather than write yet-another-how-to-use-bcrypt article, I'm going to focus on the mistakes that are commonly made when implementing bcrypt.

Here's the list of seven ways (each has its own description in the post):

  • Using A Non-Random Salt
  • Using An Incorrect Random Source for Salt Generation
  • Using Too Weak Of A Cost Parameter
  • Using The Wrong PHP Version
  • Using The Wrong Prefix
  • Not Checking For Errors
  • Not Using A Library

He also includes two "bonus" things to consider: "Not Using A Timing Safe Comparison" and "Not Encoding The Salt Correctly".

0 comments voice your opinion now!
bcrypt screwup implementation suggestion salt random prefix library


Derick Rethans' Blog:
Random Bugs and Testing RCs
February 27, 2012 @ 11:48:29

In a new post to his blog Derick Rethans mirrors the call made by Rasmus Lerdorf at this year's PHP UK Conference - get involved (and help test PHP)!

At the PHP UK Conference Rasmus mentioned that he wants more people contributing to PHP. There are plenty of ways how you can do that.

Derick points out two more immediate ways you can help, one not even requiring any C knowledge:

  • Help test the Release Candidates (like the current PHP 5.4.0 RC8) with a call to "make test" just after your compile.
  • The recently added "random PHP bug" functionality that's been added to the bugs.php.net site
0 comments voice your opinion now!
releasecandidate test involvement bugs random c


SitePoint.com:
How to Create Your Own Random Number Generator in PHP
February 09, 2012 @ 10:03:35

On SitePoint.com today there's a new tutorial showing how to create a random number generator in PHP (with the help of methods like mt_rand and mt_srand).

Computers cannot generate random numbers. A machine which works in ones and zeros is unable to magically invent its own stream of random data. However, computers can implement mathematical algorithms which produce pseudo-random numbers. They look like random numbers. They feel like random distributions. But they're fake; the same sequence of digits is generated if you run the algorithm twice.

Included in the post is code showing how to use the random functions and how to create a class (Random) that provides a few methods to help make generation easier - "seed" and "num". It first calls "seed" with a number to start the random generator off with and then "num" in a loop to pull out random values based on that.

0 comments voice your opinion now!
random number generator tutorial introduction mtrand


Anthony Ferrara's Blog:
Random Number Generation In PHP
July 21, 2011 @ 10:03:28

Anthony Ferrara has a new post to his blog today looking at true random number generation as it relates to predictability and bias. He also talks about a method/tool you can use (based on RFC 4086) to generate truly random numbers - PHP-CryptLib.

When we talk about "random" numbers, we generally talk about two fundamental properties: Predictability and Bias. Both are closely related, but are subtly different. Predictability in reference to random numbers is the statistical problem of predicting the next value when knowing any number of previous values. Bias on the other hand is the statistical problem of predicting the next value when knowing the distribution of previous values.

He looks at how predictability can effect true random number generation and a common mistake in generation related to bias in the calculation method. He talks about some of the functions PHP includes to work with randomness, but notes that they all have their flaws. He points to the PHP-CryptLib package as a solution (adhering to the guidelines in RFC 4086 for randomness). He includes some sample code of how to use it to generate random numbers, tokens and sets of bytes. You can find the full source over on github.

0 comments voice your opinion now!
random number generation library phpcryptlib library predictability bias


MySQL Performance Blog:
Sample datasets for benchmarking and testing
February 09, 2011 @ 13:19:28

In a recent post to the MySQL Performance Blog, there's a pointer to a few resources you can use if you need some sample datasets to run your application against - everything from airline flight information to energy usage data.

Sometimes you just need some data to test and stress things. But randomly generated data is awful - it doesn't have realistic distributions, and it isn't easy to understand whether your results are meaningful and correct. Real or quasi-real data is best. Whether you're looking for a couple of megabytes or many terabytes, the following sources of data might help you benchmark and test under more realistic conditions.

The sample data sets vary from fake movie information to sample site traffic data to the large data sets that Amazon provides (including the Human Genome and US Census data). Some of the comments also link to other sources.

0 comments voice your opinion now!
sample dataset application random source



Community Events





Don't see your event here?
Let us know!


conference version laravel release list community voicesoftheelephpant language podcast composer tool library opinion interview series introduction symfony artisanfiles framework security

All content copyright, 2014 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework