
Rob Allen:
Slim-Csrf with Slim 3
Aug 25, 2015 @ 09:49:48

In a post to his site Rob Allen shows you how to help secure your Slim 3-based applications with the help of the Slim-Csrf package. A CSRF (cross-site request forgery) attack happens when another site causes a visitor's browser to send a request to your application, possibly performing an action under that visitor's session.

In addition to the core Slim framework, we also ship a number of add-ons that are useful for specific types of problems. One of these is Slim-Csrf which provides CSRF protection. This is middleware that sets a token in the session for every request that you can then set as a hidden input field on a form. When the form is submitted, the middleware checks that the value in the form field matches the value stored in the session. If they match, then all is okay, but if they don't then an error is raised.

He shows how to add the middleware to your Slim 3 application and how to add the token to each form. The library generates random values for both the name of the token and its value, making it compatible with applications that may involve multiple browser windows. He also shows you how to validate the token, either using the built-in "Guard" handling or manually by deferring the check to the route.
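The token scheme just described, as an added illustration in plain PHP; this is not Slim-Csrf's own code, and the csrf_name / csrf_value field names and the session layout are assumptions:

```php
<?php
// Added illustration of the token scheme described above; it is not Slim-Csrf's own
// code, and the csrf_name / csrf_value field names and the session layout are assumed.

const CSRF_KEY = 'csrf_tokens';

// Issue one random (name, value) pair for a form and remember it in the session.
// Keeping every issued pair lets several open windows each hold a valid token.
function csrf_generate(array &$session): array
{
    $name  = 'csrf' . bin2hex(random_bytes(8));   // random field name
    $value = bin2hex(random_bytes(16));           // random token value
    $session[CSRF_KEY][$name] = $value;
    return ['csrf_name' => $name, 'csrf_value' => $value];
}

// Render the two hidden inputs that carry the pair back with the form.
function csrf_hidden_fields(array $pair): string
{
    $html = '';
    foreach ($pair as $field => $content) {
        $html .= sprintf('<input type="hidden" name="%s" value="%s">',
            $field, htmlspecialchars($content, ENT_QUOTES));
    }
    return $html;
}

// Validate a submission: the name must be one we issued, the value must match
// in constant time, and the pair is consumed so a replay of the same form fails.
function csrf_validate(array &$session, array $post): bool
{
    $name  = $post['csrf_name']  ?? null;
    $value = $post['csrf_value'] ?? null;
    if (!is_string($name) || !is_string($value)) {
        return false;                             // missing or non-scalar fields
    }
    $stored = $session[CSRF_KEY][$name] ?? null;
    if ($stored === null) {
        return false;                             // unknown or already used name
    }
    unset($session[CSRF_KEY][$name]);             // one-time use
    return hash_equals($stored, $value);
}

// Usage with a plain array standing in for $_SESSION (constructed here).
$session = [];
$pair = csrf_generate($session);
echo csrf_hidden_fields($pair), "\n";
var_dump(csrf_validate($session, $pair));   // genuine submission
var_dump(csrf_validate($session, $pair));   // same pair again: already consumed
var_dump(csrf_validate($session, ['csrf_name' => $pair['csrf_name'], 'csrf_value' => 'forged']));
```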

tagged: slim3 csrf token package library install configure validate

Link: http://akrabat.com/slim-csrf-with-slim-3/

Marc Aube:
Design Pattern: Specification
May 25, 2015 @ 12:19:47

Marc Aube has a new post to his site that introduces you to the specification design pattern, a technique that's useful for ensuring the current state of an object is valid.

The specification pattern is a software design pattern used to codify business rules that state something about an object. These simple predicates determine if an object's state satisfies certain business criteria. They can then be combined to form composite specifications using logical operators. Use a specification to encapsulate a business rule which does not belong inside entities or value objects, but is applied to them.

He suggests a few things the pattern could be useful for, like validating the current state or defining how an object should be created. He gives a few more "real world" examples and then gets into the code to create a custom specification. In his "CustomerIsPremium" spec he defines a single method on an interface to determine if the given Customer qualifies. He then creates a class instance and encapsulates the logic inside its "isSatisfiedBy" method. He also includes a slightly more complex example, showing how to create a composite specification for handling grouping like "and", "or" and "not" assertions. Finally he looks at how to build specifications that can be passed in and used as selection criteria. He does point out that this can leak database handling into the specification layer, however, and should really be avoided without an inversion of control method in place.
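The pattern as the post describes it, written out as an added example (not the post's own code); only CustomerIsPremium and isSatisfiedBy are names taken from the post, the other class names and the sample customers are assumed:

```php
<?php
// Added example of the specification pattern; not the post's own code. Only
// CustomerIsPremium and isSatisfiedBy come from the post, the rest is assumed.
interface Specification
{
    public function isSatisfiedBy(object $candidate): bool;
}

// A simple predicate about a customer's state.
final class CustomerIsPremium implements Specification
{
    public function isSatisfiedBy(object $customer): bool { return $customer->premium === true; }
}

// A parameterised predicate: total order value above a threshold.
final class CustomerSpentOver implements Specification
{
    public function __construct(private float $threshold) {}
    public function isSatisfiedBy(object $customer): bool { return array_sum($customer->orders) > $this->threshold; }
}

// Composite specifications combine predicates with logical operators.
final class AndSpec implements Specification
{
    public function __construct(private Specification $a, private Specification $b) {}
    public function isSatisfiedBy(object $c): bool { return $this->a->isSatisfiedBy($c) && $this->b->isSatisfiedBy($c); }
}
final class OrSpec implements Specification
{
    public function __construct(private Specification $a, private Specification $b) {}
    public function isSatisfiedBy(object $c): bool { return $this->a->isSatisfiedBy($c) || $this->b->isSatisfiedBy($c); }
}
final class NotSpec implements Specification
{
    public function __construct(private Specification $a) {}
    public function isSatisfiedBy(object $c): bool { return !$this->a->isSatisfiedBy($c); }
}

// Constructed sample customers (plain objects stand in for entities).
$alice = (object) ['premium' => true,  'orders' => [20.0, 30.0], 'suspended' => false];
$bob   = (object) ['premium' => false, 'orders' => [150.0],      'suspended' => true];
// Business rule: (premium OR spent over 100) AND NOT suspended.
$notSuspended = new NotSpec(new class implements Specification {
    public function isSatisfiedBy(object $c): bool { return $c->suspended; }
});
$eligible = new AndSpec(new OrSpec(new CustomerIsPremium(), new CustomerSpentOver(100.0)), $notSuspended);
foreach (['alice' => $alice, 'bob' => $bob] as $name => $customer) {
    printf("%s eligible: %s\n", $name, $eligible->isSatisfiedBy($customer) ? 'yes' : 'no');
}
```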

tagged: specification designpattern pattern example composite select validate

Link: http://marcaube.ca/2015/05/specifications/

Eric Barnes:
How To: Validate an array of form fields with Laravel
Apr 07, 2015 @ 09:48:34

Eric Barnes has a new post to his site showing you how to validate form input in a Laravel application using the form requests feature.

If you’ve used Laravel’s form validation for any length of time, then you know it’s a powerful system. It makes the tedious task of validation very simple while still keeping the door open for complex rules. In this tutorial, I want to show you a simple and easy way of validating forms that contain dynamic fields. A common use case for these types of forms is when you would like to allow a user to add more fields to a form.

His example uses a form with a handful of text fields rendered with a simple "for" loop in the template. He then helps you make a new Request instance (OrderRequest) and add custom validation rules in its "rules" method. In this case, he sets a rule that the content is required and can be no longer than 255 characters. He also shows how to use the custom messages functionality, defining custom values for each of the form's fields.

tagged: validate form data laravel formrequests example tutorial

Link: http://ericlbarnes.com/laravel-array-validation/

Joshua Thijssen:
Advanced user switching
Feb 25, 2015 @ 09:12:05

Joshua Thijssen has a new post today with a "neat trick" that the Symfony Security component allows: switching to (impersonating) another user programmatically.

This allows you to login as another user, without supplying their password. Suppose a client of your application has a problem at a certain page which you want to investigate. Sometimes this is not possible under your own account, as you don’t have the same data as the user, so the issue might not even occur in your account. Instead of asking the password from the user itself, which is cumbersome, and not a very safe thing to begin with, you can use the switch-user feature.

He talks about how to enable it, how to use it to switch to another user and, most importantly, how to restrict its use. He points out that there's no built-in way to define who a user can switch to, so he's come up with a custom "switch listener" to add this protection. His "SwitchUserListener" class replicates the code of the original handling (in fact, the whole class) and updates the "attemptSwitchUser" method to check the user they're trying to switch to and see if they have the right role. Finally he shows how to add it to the services configuration and how it overrides the default listener.

tagged: user switching advanced tutorial custom listener role access validate

Link: https://www.adayinthelifeof.nl/2015/02/24/advanced-user-switching/

Rob Allen:
Validating JSON with ZF2's ZendValidator
Dec 09, 2014 @ 10:42:40

Rob Allen has a quick post today showing how to use the ZendValidator component from Zend Framework 2 to handle JSON validation.

Let's say that you have an admin form where the user can enter JSON and you'd like to validate that the JSON parses before allowing the user to submit. To do this, you can use the rather excellent jsonlint project by Jordi Boggiano. Obviously, add it via Composer.

He starts with a quick example of using the "JsonParser" in isolation to validate a JSON string. Then he integrates it into the framework as a custom validator class (extending the AbstractValidator) and enabling the "isValid" call to be made and return a pass/fail result. You can find out more about the ZendValidator component in this page of the Zend Framework manual.

tagged: zendframework2 json validate jslint custom validator

Link: http://akrabat.com/zend-framework-2/validating-json-with-zf2s-zendvalidator/

Master Zend Framework:
How to Use ZFTool Diagnostics To Ensure Your Modules Work
May 13, 2014 @ 10:55:19

The Master Zend Framework site has a new tutorial today showing you how to use the ZFTool diagnostics to make sure your modules are working correctly. The ZFTool is a stand-alone tool that can help with common tasks like working with application configuration and creating module and project skeletons.

Do you want to be sure that when you create Zend Framework 2 modules, that they’ll work in whatever environment they’re used in? At the very least, do you want a simple way for users to check, as well as something that’s self-documenting? If so, you’re in the right place. Last year, I gave a basic introduction to ZFTool, which is a command line tool to manage applications written in Zend Framework 2. [...] In addition to [the included diagnostic checks] we can write our own diagnostic checks, using the Success, Failure and Warning classes. So in today’s tutorial, I’m going to show how to add diagnostics support to a module.

He's broken the rest of the tutorial up into four other parts, each with the code or commands you'll need:

  • Add Diagnostics Support
  • The Diagnostics Function
  • Running Module Diagnostics
  • When Checks Fail

You can find out more about the ZFTool and its use with diagnostics in the official manual.

tagged: zftool module diagnostic validate zendframework2

Link: http://www.masterzendframework.com/zftool-2/use-zftool-diagnostics-ensure-modules-work

Master Zend Framework:
Using Sessions In Zend Framework 2 - Part 2
May 06, 2014 @ 11:18:26

The Master Zend Framework site continues its series about using sessions in Zend Framework 2 applications. In part two of the series he focuses on validators and some of the backend storage options the framework makes possible.

In last week’s tutorial we covered the basics of sessions in Zend Framework 2, looking at how to implement them by making changes to module/Application/Module.php so that they’re available application-wide then how to both set and retrieve information in the session. In this week’s tutorial, we’re going to take last week’s post further, by looking at session validation as well as different backends. These two things will help protect your session data from session hijacking, as well as help you scale your application, by storing the information using a more universal backend, which a filesystem most often times will never be.

He starts off with a bit of background about what the structure of a typical session in the framework looks like, broken out into sections via the "Container" object. Then he starts in on the validators and describes two of the built-in ones: "HttpUserAgent" and "RemoteAddr". A few code examples are included before he moves on to the backend options (like Cache, DbTable and MongoDB) using a "StorageFactory" object in the configuration.

tagged: session zendframework2 part2 series validate backend

Link: http://www.masterzendframework.com/sessions/using-sessions-zend-framework-2-part-2

Alison Gianotto:
Check User-Submitted URLs for Malware and Phishing in Your Application
Apr 07, 2014 @ 10:01:59

In her latest post Alison Gianotto looks at a few different ways that you can validate any URLs that your users might give you to ensure they aren't malicious. She looks at two of the major services, the Google SafeBrowsing API and SURBLs, as well as mentioning a few others.

If you write software for the web that allows users to submit or share URLs (comment systems, mail clients, forums, URL shorteners, etc), you may find yourself in a position where you need to filter out malicious links. Fortunately, there are several free options for you to better protect your systems and your users against bad guys, and they’re pretty simple to implement. (My examples are in PHP, but could easily be adapted to whatever language you prefer.)

She starts with an example call to Google's SafeBrowsing service, making a curl call and parsing the result. The other service, SURBL, makes use of DNS lookups, again complete with code examples. She also talks about Phishtank and VirusTotal as other options. She finishes the post with a few suggestions for working with the rate limit restrictions on these services, including things like only checking on click-through and ensuring failure is handled well.

tagged: malware phishing url validate google safebrowsing surbl tutorial

Link: http://www.snipe.net/2014/04/check-user-submitted-urls-for-malware-and-phishing-in-your-application

Mike Dalisay:
Salt, Hash and Store Passwords Securely with Phpass
Apr 08, 2013 @ 12:16:29

On Mike Dalisay's site there's a recent post showing how to use the Phpass tool to salt, hash and store password data in your application.

I think the main reason why we have to hash passwords is to prevent passwords from being stolen or compromised. You see, even if someone steals your database, they will never read your actual or cleartext password. I know that some PHP frameworks or CMS already provide this functionality, but I believe that it is important for us to know how its implementation can be made.

His sample application stores the user data in a MySQL database and does the salting+hashing at the time of the request. It uses a hard-coded salt and a value of 8 for the hashing/stretching. Screenshots of each page in the example application are also included.

tagged: phpass salt hash password mysql tutorial email validate

Link: http://www.codeofaninja.com/2013/03/php-hash-password.html#.UVziYKUm0sc.dzone

PHPMaster.com:
Creating a PHP OAuth Server
Jan 01, 2013 @ 11:56:46

On PHPMaster.com today there's a new tutorial posted about creating your own OAuth server in PHP using the oauth-php package to do the "heavy lifting".

If you’ve ever integrated with another API that requires security (such as Twitter), you’ve probably consumed an OAuth service. In this article, I’ll explore what it takes to create your own three-legged OAuth server allowing you, for example, to create your own secure API which you can release publicly.

They include a visual representation of the OAuth authentication flow (it's not the simplest thing) and the database structure/sample code you'll need to get the server up and listening. Also included is a registration form and how to generate a request token and give back an access token. There's also some sample code showing how to validate the request and its access token to check for a correct (and allowed) request.

tagged: tutorial oauth server oauthphp flow authentication access validate

Link: