NETTUTS.com:
Simple Techniques to Lock Down your Website
October 05, 2009 @ 07:54:53

On NETTUTS.com today there's a new post by Dustin Blake with a few simple tips and helpful techniques for locking down and protecting your website with some simple PHP scripts.

One crucial part of PHP development practice is always keeping in mind that security is not something you can simply buy off the shelf at your local convenient store. Ensuring the security of your web applications is a process, which over time, needs to be constantly evaluated, monitored, and hardened.

He shows a few methods you can use to secure things - generating random values, making random passwords to give to your users, creating salted passwords, obfuscation and an overview of cryptography in PHP. Complete source code is included.

tutorial secure encrypt salt random



ITNewb.com:
Generating Session IDs and Random Passwords with PHP
June 01, 2009 @ 08:46:50

New on the ITNewb.com site today is a tutorial looking at generating session ID numbers and random passwords for your application using functions like mt_rand and mt_srand.

Whether it's session ids, passwords or tokens in general, in the world of web development the ability to generate random alpha-numeric strings is a necessity. In this article I present a few simple yet effective PHP functions that can be used to generate strong alpha, numeric and/or special character tokens and passwords.

He gives examples of generating tokens and generating passwords, each with a custom function which he explains and gives a usage example for.

random session tutorial password


Zend Developer Zone:
Fetching multiple random rows from a database
May 06, 2009 @ 11:17:03

On the Zend Developer Zone, a recently posted tutorial looks at fetching multiple random rows from a database table (in a MySQL database).

As a follow up to my earlier article about fetching a single random row from MySQL I will tell you today, how you can fetch multiple random rows from a table without any hassle. Compared to the solution with fetching a single random row, fetching multiple random rows requires some tricks.

The tutorial walks you through the creation of some sample tables, making a simple trigger to keep a "random ID" column in a value range of one to the number of rows (gapless) and a bit of PHP code to select some IDs from the table and the SQL to get their information.

Be sure to check out the comments for mentions of the number of table reads and how optimized certain parts of the queries might be.

mysql random gapless trigger row multiple database


WebReference.com:
User Personalization with PHP: The Verification Code
March 17, 2009 @ 09:37:50

WebReference.com continues their look at user personalization with the second part of the series - how to validate that the users signing up for your site are valid. (Here's part one, the introduction).

In this article, we will be looking at user authentication. User authentication simply means verifying that a particular user has the right to access a part of our application. Because our application deals with user preferences, access control is even more pertinent especially since multiple users are going to try to access this application at any given time.

As a part of this user validation and customization, they need to create a form that non-human scripts have a harder time using (hopefully weeding them out and getting better user information). The article steps you through a few lines of code that you can use to create a simple image of a four-digit number whose value is placed in a session variable so it can be validated on submission of the form.

captcha image validation user personalization gd random digit


PHPFreaks.com:
PHP Add Text To Image
January 26, 2009 @ 12:04:06

This new tutorial from the PHPFreaks.com website shows how to add text into a custom created image (they go with an Arial font in a PNG image).

One of the standard features of a message board is allowing members to have a signature, which is appended to the bottom of each post they make. Posters can put whatever they want into the signature (within forum settings). Putting quotes in one's signature is one of the more popular things to do. [...] Soon afterwards, I started receiving messages on a fairly regular basis asking me "What kind of sorcery is this?? How do I do that??" You know, I think it's kind of funny people should ask, because this is really nothing new.

His code (the full script is here) first sets up the font size, the font face (Arial) and the quotes to be randomly pulled from. The image manipulation comes next - making a PNG resource, adding a few colors and shapes, and dropping in the text.

Each line of the code is covered in detail so you'll understand exactly what's going on. The end result is a script that makes a simple image and can be easily expanded to work with other sources (like databases or flat text files).

tutorial image dynamic gd text signature forum random


Scott MacVicar's Blog:
Accessing pseudo random data with PHP
December 15, 2008 @ 10:24:17

To help alleviate some recent complaints about the pseudo-random nature of the random functions in PHP, Scott MacVicar has proposed an alternate solution:

With all these potential different ways to get some pseudo random data it would be hard to do this in native PHP. Now we could do this in C and implement all the code ourselves but why risk implementing our own random functions and potentially making a mistake? The answer is OpenSSL, we already have an OpenSSL module and obviously they have some random functionality built in for when you go to generate SSL certificates.

You can make a call to the openssl_random_pseudo_bytes function (in PHP 5.3) to grab the number of bytes you need and pass in a "strong" value to get a more cryptographically secure value.

random string data openssl pseudo bytes php5


SitePoint Web Tech Blog:
How To Create Friendlier Random Passwords
November 13, 2008 @ 07:55:59

New on the SitePoint "Web Tech" blog today is a post by Craig Anderson about friendlier passwords.

One aspect of web applications which is almost always overlooked when it comes to accessibility is how easy any randomly generated string might be to read. If you're lucky enough to have near perfect vision and have no learning or cognitive disabilities such as dyslexia, you mightn't suffer from any problems reading randomly generated strings, but for many users distinguishing between zero and upper-case Os, ones and lower-case Ls, and even the letters b and d can be difficult.

He includes a simple little PHP script that pulls letters and numbers from a pre-defined "friendly" array that can be read more easily by those with some sort of visual issue. Obviously, the results would be less secure than some other methods (only so many to go around) but it's still a wide enough range for most common uses (around 17 million passwords).

friendlier random passwords tutorial example visual read easy


Paul Reinheimer's Blog:
Stop Messing up CSRF Protection
November 10, 2008 @ 08:47:53

In his latest post Paul Reinheimer looks at cross-site request forgeries and, despite the best efforts of the PHP security community, how developers still just miss the point in protecting their own code.

So, cross site request forgeries are a pretty common topic these days; they're in almost every security talk, book, site etc. This is okay; they're important [...] Most of the sites, and all of the books I've read demonstrate things correctly, but when it comes to actual implementation, time and time again, I see code that's just wrong.

He looks at two of the "essentials" when it comes to protecting you and your application - comparison (not taking other values of variables into account) and the unpredictable token (not making tokens, like md5 hashes of information, random enough).

crosssite request forgery csrf comparison unpredictable token random


Rob Allen's Blog:
Hooks in Action Helpers
November 05, 2008 @ 09:34:40

Rob Allen has posted this look at using hooks inside of action helpers (a follow-up from his previous article on action helpers):

Hooks are a feature of action helpers that allow you to automatically run code at certain points in the dispatch cycle. Specially, there are two hook functions available for action helpers: preDispatch and postDispatch. These allow you to ensure that some functionality is always run for each request.

He creates a simple action helper that grabs a random quote from an array and drops it into a property of the helper. By defining a preDispatch method inside of the helper, the HelperBroker knows to pull the method in and execute it immediately before the rest of the actions are executed. A call to addHelper with the hooks defined is all it takes to glue it together with the execution.

hook action helper random quote tutorial addhook helperbroker zendframework


Stefan Esser's Blog:
Suhosin Updates - Improved Randomness & LAZY Symbol Loading
August 25, 2008 @ 12:06:01

Stefan Esser has released a new update (really two, but one is the latest) to his Suhosin patch for PHP - version 0.9.27.

The previous update (0.9.26) improved randomness, fixed a few issues with an ini setting and the uploadprogress extension, and added a few new settings and updates to the randomizing functions that come included in PHP.

The 0.9.27 update (the most current) updates the patch with a lazy loading change that allows it to work correctly on systems that have it disabled by default (causing the previous patch to not work).

You can grab this latest release, 0.9.27, from the suhosin website.

lazy loading improve random suhosin ini patch




All content copyright, 2010 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework