PHP.net:
PHP 5.6.30 Released
Jan 23, 2017 @ 11:55:08

The PHP.net site has posted an announcement about the latest release in the PHP 5.6.x series: PHP 5.6.30.

The PHP development team announces the immediate availability of PHP 5.6.30. This is a security release. Several security bugs were fixed in this release. All PHP 5.6 users are encouraged to upgrade to this version.

According to our release calendar, this PHP 5.6 version is the last planned release that contains regular bugfixes. All the consequent releases will contain only security-relevant fixes, for the term of two years. PHP 5.6 users that need further bugfixes are encouraged to upgrade to PHP 7.

If you'd like to view the full list of changes, head over to the Changelog for what was fixed and their related bug entries. As always you can download this latest release from the main downloads page for the source release and windows.php.net for the Windows binaries.

tagged: language release bugfix security php56

Link: http://php.net/index.php#id2017-01-19-3

DotDev.co:
Google ReCaptcha integration with Laravel
Jan 10, 2017 @ 09:26:28

On the DotDev.co site they've posted an article from Talevski Igor about integrating Google's ReCaptcha with Laravel for use in verifying forms and protecting them against automated attacks.

Today I have a task to create ReCaptcha on a contact form within a Laravel web page, and I'd like to share the process of making this possible.

He then walks you through the process of getting the configuration you'll need for your domain and using this package to easily integrate it with Laravel and its forms. He adds the routes for both the GET and POST requests along with the matching view and controller. He then uses the env helper function to get the ReCaptcha key from the configuration and places it in the form. He also adds the "g-recaptcha-response" variable to the required values rules and creates a simple Guzzle HTTP client to make the request back to Google to verify the result.
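The server-side half of that flow, as an added example (not code from the DotDev.co article): the controller requires the widget's token, posts it to Google's siteverify endpoint with Guzzle, and fails closed if the verifier is unreachable. Assumptions: a RECAPTCHA_SECRET entry in .env and a contact form that POSTs email, message and the token to this controller's store() action.

```php
<?php
// Added example, not the article's code. Assumes RECAPTCHA_SECRET is set in .env
// and that the contact form POSTs email, message and g-recaptcha-response here.
namespace App\Http\Controllers;

use GuzzleHttp\Client;
use GuzzleHttp\Exception\GuzzleException;
use Illuminate\Http\Request;

class ContactController extends Controller
{
    const VERIFY_URL = 'https://www.google.com/recaptcha/api/siteverify';

    public function store(Request $request)
    {
        // The token is required like any other field; an empty one never reaches Google.
        $this->validate($request, [
            'email'                => 'required|email',
            'message'              => 'required|string|max:2000',
            'g-recaptcha-response' => 'required|string',
        ]);

        $token = $request->input('g-recaptcha-response');
        if (!$this->verifyCaptcha($token, $request->ip(), $request->getHost())) {
            return back()->withInput()->withErrors([
                'g-recaptcha-response' => 'CAPTCHA verification failed, please try again.',
            ]);
        }

        // ... store or mail the message here ...
        return back()->with('status', 'Thanks, your message was sent.');
    }

    private function verifyCaptcha(string $token, string $ip, string $host): bool
    {
        try {
            $response = (new Client(['timeout' => 5.0]))->post(self::VERIFY_URL, [
                // The secret stays server-side; only the public site key goes into the form.
                'form_params' => [
                    'secret'   => env('RECAPTCHA_SECRET'),
                    'response' => $token,
                    'remoteip' => $ip,
                ],
            ]);
        } catch (GuzzleException $e) {
            return false; // fail closed: an unreachable verifier is not a passed check
        }
        $result = json_decode((string) $response->getBody(), true);
        // Besides "success", confirm the token was solved on this site's hostname.
        return ($result['success'] ?? false) === true
            && ($result['hostname'] ?? null) === $host;
    }
}
```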

tagged: recaptcha security laravel tutorial form integration package

Link: https://dotdev.co/google-recaptcha-integration-with-laravel-ad0f30b52d7d?gi=ec5b94e26a27#.qdpwauax0

Aidan Woods:
Secure Headers for PHP
Jan 09, 2017 @ 13:14:11

In a recent post to his site Aidan Woods shares information (and code) related to the use of secure headers in PHP applications. He's even created a package to help make it easier to drop them into a new or existing project without too much trouble.

Recently I've been working on a drop-in class to manage certain "Secure Headers" in PHP. By "Secure Headers", I'm of course talking about those mentioned in the OWASP Secure Headers Project. The project, SecureHeaders, is available on GitHub.

He starts by covering why he created the library and what it can help you with, including making things like a CSP policy easier to maintain. The article goes on to talk about what the Content-Security-Policy header is and what kind of protection it provides. He also shares how the package displays errors, modifies cookies to secure them (HttpOnly and Secure flags) and provides a "safe mode" that will "place an upper limit on things like HSTS and HPKP, and remove flags like includeSubDomains or preload until the header is manually added as a safe mode exception, or safe mode is disabled."
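To make the "safe mode" idea concrete, here is an added example (plain PHP, not the SecureHeaders library's code) that emits a CSP and a few other OWASP-recommended headers, caps the HSTS max-age and strips includeSubDomains/preload while safe mode is on, and sets the session cookie flags. The one-day cap and the CDN host are assumed placeholder values.

```php
<?php
// Added example, not the SecureHeaders library. Call before any output is sent.
declare(strict_types=1);

function buildHstsHeader(int $maxAge, bool $includeSubDomains, bool $preload, bool $safeMode): string
{
    // Assumed cap of one day: a long max-age on a host whose HTTPS is broken locks users out,
    // and includeSubDomains/preload widen that blast radius, so safe mode drops them.
    $safeCap = 86400;
    if ($safeMode) {
        $maxAge = min($maxAge, $safeCap);
        $includeSubDomains = false;
        $preload = false;
    }
    $value = 'max-age=' . $maxAge;
    if ($includeSubDomains) {
        $value .= '; includeSubDomains';
    }
    if ($preload) {
        $value .= '; preload';
    }
    return $value;
}

function buildCsp(array $directives): string
{
    // Each directive name maps to its list of sources; join them in CSP grammar.
    $parts = [];
    foreach ($directives as $name => $sources) {
        $parts[] = $name . ' ' . implode(' ', $sources);
    }
    return implode('; ', $parts);
}

function sendSecureHeaders(bool $safeMode = true): void
{
    header('Content-Security-Policy: ' . buildCsp([
        'default-src' => ["'self'"],
        'script-src'  => ["'self'", 'https://cdn.example.com'], // placeholder CDN host
        'object-src'  => ["'none'"],
    ]));
    header('Strict-Transport-Security: ' . buildHstsHeader(31536000, true, true, $safeMode));
    header('X-Frame-Options: DENY');
    header('X-Content-Type-Options: nosniff');
    // Session cookie: Secure keeps it off plain HTTP, HttpOnly keeps it away from scripts.
    session_set_cookie_params(0, '/', '', true, true);
}

sendSecureHeaders();
session_start();
```

With safe mode on, the HSTS header goes out as max-age=86400 with no includeSubDomains or preload; passing false restores the full one-year policy.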

tagged: header security package project csp https cookies

Link: https://www.aidanwoods.com/blog/secure-headers-for-php

thePHP.cc:
PHP 5: Active Support Ends. Now what?
Jan 02, 2017 @ 12:54:03

The final day of 2016 has come and gone, and with it came the end of active support for the PHP 5.6 series of releases. This also marks the end of active support for anything in the PHP 5.x major release and the push on to PHP 7. In this post to thePHP.cc blog Sebastian Bergmann talks about what this means for you and the tools you use.

The active support by the PHP project for PHP 5.6, the final release series of PHP 5, ends today. What is "active support"? And what does it mean for you? To answer this, you need to understand PHP's release process.

He starts with the release schedule and when it shifted from the "consensus based model" over to an official process, introducing more formality to the whole process (in 2012). He mentions two key terms in the process: "active support" and "security support". PHP 5.6 has moved past active support and is now in the security support phase, with only security fixes to be released from here on out. Sebastian then talks about what this means for your current code and, if you're still running on PHP 5.6, what you should do to come up to speed with PHP 7.x. He lists some of the projects that are moving into the world of PHP 7 only, including PhpSpec 4.0, Laravel 5.5 and Symfony 4.

tagged: php5 active support end security php7 migration upgrade

Link: https://thephp.cc/news/2016/12/php-5-active-support-ends-now-what

Medium.com:
The Art of Defensive Programming
Dec 30, 2016 @ 12:59:38

In this post on Medium.com author Diego Mariani talks about the "Art of Defensive Programming" as it relates to the security of the code developers write.

Why don't developers write secure code? We're not talking yet another time about "clean code" here. We're talking about something more, from a purely practical perspective: software's safety and security. Yes, because insecure software is pretty much useless.

[...] Why do I think Defensive Programming is a good approach to issue these problems in certain kinds of projects? [...] I personally believe this approach [of continued functionality even in unforeseen circumstances] to be suitable when you're dealing with a big, long-lived project where many people are involved. Also, for instance, with an open source project that requires a lot of extensive maintenance.

He then covers some of what he sees as key tenets of programming defensively:

  • Never trust user input
  • Use database abstraction
  • Don’t reinvent the wheel
  • Don’t trust developers
  • Write SOLID code
  • Write tests

For each item in the list he provides a brief summary of the idea behind it and, in some places, some example code to help illustrate the point. The examples are in PHP but the principles could be applied to just about any language.

tagged: defensive programming tutorial security tenets

Link: https://medium.com/web-engineering-vox/the-art-of-defensive-programming-6789a9743ed4#.u3bzu5xam

TutsPlus.com:
Building Your Startup: Security Basics
Dec 20, 2016 @ 11:55:58

The TutsPlus.com site has continued their "Building Your Startup" tutorial series with this latest article covering the "security basics" you'll need to adequately protect your application. This tutorial touches on both the server-level and code-level security aspects.

In today's episode, we'll dive into the basics of web server security. I'll cover securing the Linux VPS running Meeting Planner and some basic Yii security. In the next episode, I'll dive more into programmatic Yii application security.

The article starts off with the server side of things, introducing hosting options, keeping the server updated, configuring SSH for logins, setting up a firewall and SSL. With that solid base in place, it then starts on the code side covering the built-in functionality used to secure the backend and frontend functionality.

tagged: tutorial series yii2 startup security basics server code

Link: https://code.tutsplus.com/tutorials/building-your-startup-security-basics--cms-26702

PHP.net:
PHP 5.6.29 Released
Dec 09, 2016 @ 11:54:07

On the main PHP.net site there's an announcement about the release of the latest version in the PHP 5.6.x series - PHP 5.6.29:

The PHP development team announces the immediate availability of PHP 5.6.29. This is a security release. Several security bugs were fixed in this release. All PHP 5.6 users are encouraged to upgrade to this version.

Bugs fixed in this version include changes in the Opcache, OpenSSL, SOAP, SQLite3 and Standard extensions. You can view the full list of changes in the Changelog and get the downloads from the usual places: the downloads page for the source packages and windows.php.net for the Windows binary downloads.

tagged: language release bugfix security php56

Link: http://php.net/index.php#id2016-12-08-2

PHP.net:
PHP 5.6.28 Released
Nov 14, 2016 @ 12:12:58

The PHP.net site has posted the official announcement about the latest release in the PHP 5.6.x series: PHP 5.6.28:

The PHP development team announces the immediate availability of PHP 5.6.28. This is a security release. Several security bugs were fixed in this release. All PHP 5.6 users are encouraged to upgrade to this version.

Fixes included in this release relate to:

  • core language functionality
  • GD image manipulation
  • fixing an overflow in the IMAP functionality
  • a SQLite issue fetching an integer as a string

As always, you can get this latest release from either the main downloads page (for source packages) or windows.php.net for the Windows binaries. As a reminder, the active support for the PHP 5.6.x series will be ending at the end of 2016 (December 31st) so there's never been a better time to upgrade to PHP 7.

tagged: language release php56 security update download

Link: http://php.net/index.php#id2016-11-10-3

TutsPlus.com:
Programming With Yii2: Security
Nov 09, 2016 @ 12:41:30

The TutsPlus.com site has posted the next article in their "How to Program with Yii2" series of tutorials, this time covering security, including the security tools and functionality already built into the framework.

In this Programming With Yii2 series, I'm guiding readers in use of the Yii2 Framework for PHP. If you're planning to share your application with the public, you'll need it to be secure, and it's best to plan this from the beginning. Fortunately, starting with a framework such as Yii makes this a lot easier than it otherwise would be.

[...] In this tutorial, I'll walk you through the basic security concepts within the Yii application framework. And, if you're interested, future episodes will work to secure the application, Meeting Planner, featured in our startup series, as it approaches alpha release.

The tutorial starts with a look at some of the basics of Yii2's security functionality including authorization tools, password handling and cryptography. Code is included in each section showing the use of the component/functionality. The final point, "Best Practices", links to pages in the Yii2 documentation where you can get more information about preventing vulnerabilities like SQL injection, cross-site scripting and file exposure issues.

tagged: programming yii2 tutorial series framework security controls

Link: https://code.tutsplus.com/tutorials/programming-with-yii2-security--cms-26701

PHP Roundtable:
054: Security: Encryption, Hashing and PHP
Nov 07, 2016 @ 11:16:47

The PHP Roundtable podcast, hosted by Sammy Powers, has posted their latest episode covering Security: Encryption, Hashing and PHP. This time Sammy is joined by guests Scott Arciszewski, Chris Riley and Chris Cornutt.

We chat about security in the PHP community, encryption & hashing in PHP and a new-hotness crypto library called libsodium.

You can catch this latest episode in a few different ways: either using the in-page audio or video player or you can watch it directly over on YouTube. If you enjoy the show, be sure to subscribe to their feed and follow them on Twitter for updates when new shows are being recorded and released.

tagged: phproundtable podcast video security encryption hashing sammypowers

Link: https://www.phproundtable.com/episode/security-encryption-hashing-and-php