
Rob Allen:
Migrating to password_verify
Dec 05, 2018 @ 15:08:01

In a new post to his site, Rob Allen walks through migrating an older site from its original MD5-based password scheme to PHP's built-in password hashing functions.

I’ve recently been updating a website that was written a long time ago that has not been touched in a meaningful way in many years. In addition to the actual work I was asked to do, I took the opportunity to update the password hashing routines.

This site is so old that the passwords are stored using MD5 hashes and that’s not really good enough today, so I included updating to bcrypt hashing with password_hash() and password_verify() in my statement of work.

I’ve done this process before, but don’t seem to have documented it, so thought I’d write up the steps I took in case it helps anyone else.

He starts by running every stored MD5 hash through password_hash(), so the database holds bcrypt(md5(password)) for each account and no raw MD5 remains; this step needs no plain-text passwords and is done in one pass. He then updates the login code to select the account by email and check the submitted password with password_verify() (for an account still carrying a wrapped hash, the value checked is the MD5 of the submitted password, since that is what was bcrypted). Finally, once a login has been verified, the plain-text password the user just supplied is rehashed directly with bcrypt and saved back, so the MD5 layer disappears account by account, and account creation is switched to password_hash() as well.
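The three steps above, as an added example rather than Rob Allen's own code. It assumes a users table with columns id, email, password_hash and legacy, where legacy = 1 marks a row produced by the one-off migration (bcrypt of the MD5 digest) and legacy = 0 a native bcrypt hash or, before migration, a raw 32-character MD5 digest; the table, column names and the sample account are all constructed for the demo, which runs on an in-memory SQLite database through PDO.

```php
<?php
declare(strict_types=1);

// Added example (not Rob Allen's code). Assumed schema: users(id, email,
// password_hash, legacy); legacy = 1 means the stored value is
// bcrypt(md5(password)) from the one-off migration, legacy = 0 means native
// bcrypt or, before migration, a raw 32-character MD5 hex digest.

/** Step 1: one-off migration wrapping every raw MD5 digest in bcrypt. */
function migrateMd5ToBcrypt(PDO $db): int
{
    $rows   = $db->query('SELECT id, password_hash FROM users WHERE legacy = 0')
                 ->fetchAll(PDO::FETCH_ASSOC);
    $update = $db->prepare('UPDATE users SET password_hash = :h, legacy = 1 WHERE id = :id');
    $count  = 0;
    foreach ($rows as $row) {
        // Only bare MD5 digests are wrapped; a "$2y$..." value is already bcrypt.
        if (!preg_match('/\A[0-9a-f]{32}\z/i', $row['password_hash'])) {
            continue;
        }
        $wrapped = password_hash(strtolower($row['password_hash']), PASSWORD_BCRYPT);
        $update->execute([':h' => $wrapped, ':id' => $row['id']]);
        $count++;
    }
    return $count;
}

/** Steps 2 and 3: verify with password_verify(), then drop the MD5 layer. */
function login(PDO $db, string $email, string $password): bool
{
    $stmt = $db->prepare('SELECT id, password_hash, legacy FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($user === false) {
        // Spend a bcrypt verification on unknown accounts too, so response
        // time does not reveal whether the e-mail exists.
        static $dummy = null;
        if ($dummy === null) {
            $dummy = password_hash('dummy', PASSWORD_BCRYPT);
        }
        password_verify($password, $dummy);
        return false;
    }

    // For a migrated row the bcrypt input was the MD5 digest, not the password.
    $candidate = (int) $user['legacy'] === 1 ? md5($password) : $password;
    if (!password_verify($candidate, $user['password_hash'])) {
        return false;
    }

    // Upgrade on successful login: legacy rows get bcrypt of the real password;
    // native rows are rehashed only when the default cost has moved on.
    if ((int) $user['legacy'] === 1
        || password_needs_rehash($user['password_hash'], PASSWORD_BCRYPT)) {
        $db->prepare('UPDATE users SET password_hash = :h, legacy = 0 WHERE id = :id')
           ->execute([':h' => password_hash($password, PASSWORD_BCRYPT), ':id' => $user['id']]);
    }
    return true;
}

/** Account creation after the change: bcrypt from the start. */
function createUser(PDO $db, string $email, string $password): void
{
    $db->prepare('INSERT INTO users (email, password_hash, legacy) VALUES (:e, :h, 0)')
       ->execute([':e' => $email, ':h' => password_hash($password, PASSWORD_BCRYPT)]);
}

// Demo on an in-memory SQLite database with one constructed pre-migration user.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE,
                               password_hash TEXT NOT NULL, legacy INTEGER NOT NULL)');
$db->prepare('INSERT INTO users (email, password_hash, legacy) VALUES (:e, :h, 0)')
   ->execute([':e' => 'old@example.com', ':h' => md5('correct horse battery')]);

printf("migrated %d row(s)\n", migrateMd5ToBcrypt($db));
var_dump(login($db, 'old@example.com', 'wrong password'));
var_dump(login($db, 'old@example.com', 'correct horse battery'));
$row = $db->query("SELECT password_hash, legacy FROM users WHERE email = 'old@example.com'")
          ->fetch(PDO::FETCH_ASSOC);
printf("legacy=%d, hash now starts with %s\n", $row['legacy'], substr($row['password_hash'], 0, 4));
createUser($db, 'new@example.com', 'another passphrase');
var_dump(login($db, 'new@example.com', 'another passphrase'));
```

Two points worth keeping in mind with this approach. The legacy flag (or some equivalent marker) is required, because password_verify() cannot tell bcrypt(md5(x)) from bcrypt(x) and the login code has to know which input to feed it. And the migration only protects the database from now on: any backup or dump taken before it still holds unsalted MD5 digests, so accounts that matter may still warrant a forced password reset.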

tagged: migrate password hashing verify tutorial

Link: https://akrabat.com/migrating-to-password_verify/

TJ Miller:
Verifying Laravel Version Compatibility
Sep 24, 2018 @ 15:45:58

TJ Miller has written up a post for his site sharing the CI setup he put together to verify that a package actually works across each of the Laravel versions it claims to support.

I’ve been working with Honeybadger to build a new set of PHP integrations. I would like to write more about that soon, however, I feel like I’ve stumbled across something that could be useful to others. I wanted to share it as soon as I could.

For the Laravel package, I was aiming for Laravel 5.5 and newer support as it is the latest LTS version. [...] In hindsight, I don’t think that I actually ever tested it against a 5.5 install. I relied on the CI process to make those verifications for me.

[...] As Laravel 5.7 is now out, I needed to add support to both the package’s composer configuration and verification in CI. [...] Now that I am supporting three versions I felt that I needed a more specific way of verifying compatibility with different versions of Laravel.

He shares his initial Travis CI configuration, which ran the tests on PHP 7.1 and 7.2 with Composer's --prefer-lowest flag (installing the oldest dependency versions the constraints allow). Borrowing from what he had seen in other packages, he then replaced it with a build matrix that runs PHP 7.1 through 7.3 against Laravel 5.5.x, 5.6.x and 5.7.x, so every combination is exercised rather than whichever version Composer happens to resolve. The resulting configuration is included in the post.

tagged: verify laravel version compatibility travisci multiple language framework

Link: https://blog.tjmiller.me/verifying-laravel-version-compatibility

iBuildings Blog:
Verifying our software with OWASP ASVS
Apr 02, 2013 @ 17:20:19

On the iBuildings blog today there's a post from Boy Baukema on using the OWASP Application Security Verification Standard (ASVS) as a framework of questions to ask about your application in order to find its security "pain points."

When a customer commissions Ibuildings for a new application, he usually has plenty of functional demands. [...] And maybe some thoughts have been given to performance metrics, but security? Well… it “needs to be secure”. [...] It is said, conveniently enough mostly by software engineers, that building software is perhaps the most complex activity humans have ever undertaken.

He notes that "security is not a checkbox, it's a dropdown" and should be considered continuously throughout development. The OWASP ASVS provides a structure a development group can follow to verify the security of its application: it defines four verification levels and fourteen requirement areas to consider.

While ASVS is a welcome addition, it has its issues: verification and reporting can take a significant amount of time, and the verification requirements are not specific enough to map directly onto particular tools and techniques.

tagged: owasp verify software asvs standard questions security application

Link:

WebProNews.com:
Form Checking - Verifying Name Using PHP Ereg
Jun 23, 2006 @ 12:40:01

On WebProNews.com, there's a brief tutorial on using regular expressions, specifically for filtering "names" entered by users.

One important use of Regular Expressions (Regex) is to verify fields submitted via a form. In this article, we attempt to write an expression that is able to verify the user's first name, middle name, last name or just names in general.

The expression should allow names such as "Mary", "Mr. James Smith" and "Mrs O'Shea" for example. So the challenge here is to allow spaces, periods and single quotation marks in the name field and reject any other characters.

Their examples use PHP's preg_* functions: first a pattern that looks for any invalid characters in the string, then an amended version that also rejects digits. The few lines of code involved are included.
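An added example of the rule the article describes, written here rather than taken from WebProNews. It uses preg_match() (the ereg() family named in the title was deprecated in PHP 5.3 and removed in PHP 7.0) and takes the allowlist approach, a single pattern stating what is permitted, instead of the two-pass "find bad characters, then find digits" structure the article follows. The Unicode-aware variant and the list of sample inputs are additions beyond the article's ASCII brief.

```php
<?php
declare(strict_types=1);

// Added example, not the WebProNews code. preg_match() replaces ereg(), which
// was deprecated in PHP 5.3 and removed in PHP 7.0.

/**
 * Allowlist rule matching the article's brief: letters, spaces, periods and
 * apostrophes only, first character a letter, length capped at 100.
 * \A and \z are used instead of ^ and $ because $ also matches just before a
 * trailing newline, which would let "Mary\n" through.
 */
function isValidNameAscii(string $name): bool
{
    return preg_match("/\\A[A-Za-z][A-Za-z .']{0,99}\\z/", $name) === 1;
}

/**
 * Unicode-aware extension of the same rule (added here, beyond the article):
 * any letter or combining mark in any script, plus hyphen, so "José" and
 * "Zoë Ní Bhriain" pass while digits and SQL/HTML metacharacters still fail.
 */
function isValidNameUnicode(string $name): bool
{
    return preg_match("/\\A\\p{L}[\\p{L}\\p{M} .'\\-]{0,99}\\z/u", $name) === 1;
}

// Constructed inputs: the article's three examples plus ones that must fail.
$samples = [
    "Mary", "Mr. James Smith", "Mrs O'Shea",         // should pass both rules
    "José", "Zoë Ní Bhriain",                        // pass only the Unicode rule
    "John123", "Robert'); DROP TABLE students;--",   // must fail
    "<script>alert(1)</script>", "Mary\n",           // must fail
];
foreach ($samples as $s) {
    printf("%-40s ascii=%-6s unicode=%s\n", json_encode($s),
        isValidNameAscii($s) ? 'ok' : 'reject',
        isValidNameUnicode($s) ? 'ok' : 'reject');
}
```

A name check like this limits garbage input; it is not an injection defence. "Mrs O'Shea" is a perfectly valid name and still contains the quote character that breaks a string-concatenated query, so prepared statements and output escaping remain necessary whatever the validation says.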

tagged: regular expression form checking verify preg

Link:

GoodPHPTutorials.com:
SQL Injections in PHP with MySQL
Mar 20, 2006 @ 13:42:59

On GoodPHPTutorials.com there's a helpful tutorial that anyone running a website with a database backend should read: a brief look at SQL injection in PHP and MySQL.

SQL injections are a major security risk in many PHP applications. Injections are caused when a web developer allows the end-user to manipulate a variable that is being inserted into a database query string, generally through the $_GET, $_POST or $_SESSION superglobals. When a value isn't verified, major problems can occur. Since MySQL is the most commonly used database platform for PHP applications, it seemed appropriate to write an article specifically related to that.

They cover what you need to protect against basic SQL injection, the key being validation of your data, with code examples explaining each step, including outputting the data to the page (where cross-site scripting can occur if the data is not escaped).
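An added example, not code from the GoodPHPTutorials article, showing the injection the quoted paragraph describes and the fixes a practitioner would reach for today: the vulnerable string-built query beside a prepared statement, an allowlist for the one place parameters cannot be bound (an ORDER BY column name), and htmlspecialchars() on the output side. It runs against an in-memory SQLite database with a constructed users table; the PDO calls are the same for MySQL apart from the DSN.

```php
<?php
declare(strict_types=1);

// Added example, not from the GoodPHPTutorials article. Runs against an
// in-memory SQLite database with a constructed users table; the same PDO
// calls apply to MySQL (only the DSN differs).

function setupDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, is_admin INTEGER)');
    $ins = $db->prepare('INSERT INTO users (username, is_admin) VALUES (:u, :a)');
    foreach ([['alice', 1], ['bob', 0], ['<script>alert(1)</script>', 0]] as [$u, $a]) {
        $ins->execute([':u' => $u, ':a' => $a]);
    }
    return $db;
}

/** Vulnerable: the request value is spliced into the SQL string. */
function findUserVulnerable(PDO $db, string $username): array
{
    $sql = "SELECT id, username FROM users WHERE username = '$username'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

/** Fixed: a prepared statement sends the value separately from the SQL text. */
function findUserSafe(PDO $db, string $username): array
{
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

/**
 * Identifiers (here the ORDER BY column) cannot be bound as parameters, so
 * the only safe option is an allowlist of known column names.
 */
function listUsersSorted(PDO $db, string $orderBy): array
{
    $allowed = ['id', 'username'];
    if (!in_array($orderBy, $allowed, true)) {
        $orderBy = 'id';
    }
    return $db->query("SELECT id, username FROM users ORDER BY $orderBy")
              ->fetchAll(PDO::FETCH_ASSOC);
}

/** Output side: escape before writing into HTML, or a stored name runs as script. */
function renderRows(array $rows): string
{
    $html = "<ul>\n";
    foreach ($rows as $r) {
        $html .= '  <li>' . htmlspecialchars($r['username'], ENT_QUOTES | ENT_HTML5, 'UTF-8') . "</li>\n";
    }
    return $html . "</ul>\n";
}

$db = setupDb();
$payload = "x' OR '1'='1";   // closes the string literal and appends a tautology
printf("vulnerable query returns %d row(s) for %s\n",
    count(findUserVulnerable($db, $payload)), $payload);
printf("prepared query returns %d row(s) for the same input\n",
    count(findUserSafe($db, $payload)));
printf("unknown sort column falls back to id: %d row(s)\n",
    count(listUsersSorted($db, 'username; DROP TABLE users')));
echo renderRows(findUserSafe($db, '<script>alert(1)</script>'));
```

Validation of the kind the 2006 article centres on is still worth doing (an integer id should be cast to int before it goes anywhere near a query), but it is the prepared statement that removes the injection, because the database never parses the user's bytes as SQL. On MySQL, set PDO::ATTR_EMULATE_PREPARES to false so PDO uses real server-side prepared statements rather than client-side escaping.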

tagged: tutorial SQL injection mysql verify input data

Link:
