Paragon Initiative:
How to Safely Generate Random Strings and Integers in PHP
Jul 08, 2015 @ 12:49:51

The Paragon Initiative blog has posted a guide to what they see as a way to safely generate random strings and integers in PHP applications.

Generating useful random data is a fairly common task for a developer to implement, but also one that developers rarely get right. [...] It's generally not okay to use a weak random number generator unless both of the following two conditions are met: the security of your application does not depend in any way on the value you generate being unpredictable or there is no requirement for each value to be unique (up to a reasonable probability).

He gives some examples of places where it's a must to use a "cryptographically secure pseudo-random number generator" including generating random passwords, encryption keys or IVs for data in CBC mode. The article goes on to talk about some of the problems that could come from using weak generators. It then gets into the process for generating random values and the use of the random_* functions in PHP (or using this polyfill) to more safely generate the numbers. Included is code showing the process and some advice around converting random bytes to both strings and integers.

tagged: safe generation random string integer php7 randomcompat security

Link: https://paragonie.com/blog/2015/07/how-safely-generate-random-strings-and-integers-in-php

NetTuts.com:
When You're Hacked in WordPress: Staying Safe Later On
Feb 20, 2015 @ 14:19:00

NetTuts.com has posted the second part in their "When You're Hacked - WordPress" tutorial series today with this new article showing you how to stay safe once you've recovered from the initial attack.

In the first part of this series, we went through what to do when your website gets hacked. In this second part, we're going to learn about staying safe and being able to act quickly when another unpleasant incident happens.

They start by answering the overarching question everyone wants to know about WordPress (as it relates to security) - "is it safe?" They follow this with some recommendations to help keep your install safe including:

  • Staying Up to Date
  • Using Safe Plugins & Themes
  • Using a Security-Related WordPress Plugin

Check out the rest of the article for the full list and a quick summary of each, some with links to the actual tools and plugins to help you protect your installation.

tagged: wordpress hack stay safe tutorial series part2 recommendation

Link: http://code.tutsplus.com/tutorials/when-youre-hacked-in-wordpress-staying-safe-later-on--cms-22748

Johannes Schlüter's Blog:
Testing persistent connection and thread-safety features in PHP
Mar 22, 2012 @ 09:51:58

In this recent post to his blog, Johannes Schlüter talks about a way he's come up with to test functionality that uses persistent connections (and a module he created to help).

In a few rare cases this is not what people like, for that PHP introduced "persistent connections" of different kinds. Testing those is a bit annoying as you have to configure a webserver and ensure you hit the same instance over the course of a test and then use a load generator, probably one which can detect a failure. Additionally, by having a webserver in the game there is more code being executed, which might mean an additional source for trouble while debugging. An alternative might be using FastCGI, while that adds its own issues for such a test. To solve this for myself I, some time ago, wrote a PHP SAPI module called pconn and pushed it to github.

The extension provides a way to emulate requests by executing a script multiple times automatically, making it easier to test code whose behavior depends on state carried across several requests (such as a persistent connection). While the built-in webserver (PHP 5.4) can be used to test some of these things too, Johannes' extension can also be compiled to help with testing of threading in applications as well.

tagged: testing persistent thread safe extension sapi module webserver

Link:

DevShed:
Null and Empty Strings
Dec 03, 2008 @ 11:16:51

On DevShed today, there's a new tutorial posted looking at two things that can cause headaches for PHP developers (especially when evaluating and comparing values) - nulls and empty strings.

Anyone who has programmed for any length of time has encountered the concepts of null and empty strings. They are not the same, and confusing the two can cause some serious problems. This article deals with these concepts in the context of PHP and MySQL.

They start with a bit of a quiz before getting into how to handle them correctly - making null "safe" and working with it correctly in a MySQL context. SQL statements and table structures are included for their examples.

tagged: null empty string tutorial mysql handle safe

Link:

Mike Lively's Blog:
Late Static Binding (LSB) forward_static_call()
Apr 09, 2008 @ 11:24:19

On his blog, Mike Lively has posted a look at some of the work he's been doing on patches for the late static binding functionality to be included in PHP, including an example of the updates in action.

This weekend I wrapped up a few small tests and sent the patch in and it was subsequently pushed to php 5.3 and php 6.0. Now, this is not at all the way I wanted things to work, in all honesty I think the patch is pretty hokey but unfortunately nobody really spoke up in support of the changes I wanted to make to parent:: in regards to LSB.

His example shows how to override a static method and push that new method's execution to the parent class in two ways: the safe way, using forward_static_call(), and the not-so-safe way of having the method call parent:: directly.

tagged: latestaticbinding php5 php6 patch safe unsafe parent forwardstaticcall

Link:

Andrei Zmievski's Blog:
50% There
Dec 20, 2006 @ 08:08:02

Andrei Zmievski has posted an encouraging note on his blog about the progress of PHP6 concerning the number of functions that have been correctly converted to support Unicode.

Well, PHP boys and girls, this feels like quite a milestone: 50% of the 3084 functions that are bundled with PHP 6 have been upgraded to support and work safely with Unicode.

He includes a small chart beside the post as well showing where things are currently at like the safe vs unsafe functions.

tagged: unicode conversion function safe half

Link:

Pierre-Alain Joye's Blog:
Windows fixes release for Zip, fopen(,"rb") may not be binary safe
Nov 28, 2006 @ 07:13:09

A new release of the Zip PECL package has been made according to this post on Pierre-Alain Joye's blog today. The main update in this release is to counteract a Windows bug that's interfering with binary file opens.

The issue is actually a Windows bug. Whether or not I give the "b" flag to fopen, the write operations are not binary safe. It seems to be a known issue as many projects use the same trick.

The problem comes up when PHP forces binary mode in the SAPI and CLI layers, yet the binary writes to a file are still not binary safe no matter what mode is requested. Pierre is also asking for help from anyone out there with any information, bug reports or references about this issue that would yield something useful.

tagged: fopen binary safe windows force mode bug sapi cli

Link:

SitePoint PHP Blog:
How to tell when PHP 5 is safe to use...
Dec 08, 2005 @ 08:36:40

On the SitePoint PHP blog today, there's Harry's opinion on telling "when PHP5 is safe to use".

The answer is very simple - watch John.

When John migrates, to me it means two things in particular:

  • If there is a performance hit vs. the older PHP version, it will be an acceptable one.
  • There are no show-stopping bugs.

Don't believe me? Well the short proof is John's company have their future riding on it. A longer proof is to take a deep look at the code in adodb which is a great way to grasp John's mindset / experience. Otherwise browse the phpeverywhere archives...

It's an interesting standard to set for the adoption of something as beneficial as the move from PHP4 to PHP5, but it is one way to judge the effectiveness. When you see the major applications tailoring their setups for PHP5 environments, it might be time to consider jumping ship yourself...

tagged: php5 safe to use tell

Link: