News Feed
Sections




News Archive
feed this:

Looking for more information on how to do PHP the right way? Check out PHP: The Right Way

SitePoint PHP Blog:
Top 10 Z-Ray Features to Check Out
March 26, 2015 @ 09:50:23

The SitePoint PHP blog has a new post today from Daniel Berman (of Zend) with the top 10 features of Z-Ray to be sure to check out. Disclaimer: Z-Ray is a tool provided by Zend, a part of their Zend Server product.

Necessity is the mother of invention goes the famous saying. For PHP developers, there is no greater need than visibility. But developers today have a tough choice to make as they develop and debug their apps. Either use crude methods such as printing, debugging information, or storing it in a log file, or - use multiple debugging/profiling tools that are awkward and require a lot of work from the developer's side. [...] This article introduces the top 10 features of Z-Ray - an innovative new technology from Zend that makes PHP development a whole lot quicker and easier by giving developers unprecedented insight into their code - and the visibility they need to develop top-notch apps.

Among the items on their Top 10 list are things like:

  • Viewing information about page requests
  • Execution time and memory consumption
  • Showing errors and warnings
  • Viewing functions called during execution
  • Debugging features for mobile apps and APIs

Check out the full post for a list of more features and screenshots/detail on each one.

0 comments voice your opinion now!
zend zray zendserver top10 list features screenshot

Link: http://www.sitepoint.com/top-10-z-ray-features-check/

Anthony Ferrara:
Security Issue Combining Bcrypt With Other Hash Functions
March 13, 2015 @ 09:32:02

Anthony Ferrara has a new post today looking at a potential security issue in PHP applications when using bcrypt with encryption and other hashing functions. His findings have to do with some research he did on long passwords and denial of service attacks they might lead to.

The other day, I was directed at an interesting question on StackOverflow asking if password_verify() was safe against DoS attacks using extremely long passwords. Many hashing algorithms depend on the amount of data fed into them, which affects their runtime. This can lead to a DoS attack where an attacker can provide an exceedingly long password and tie up computer resources. It's a really good question to ask of Bcrypt (and password_hash). As you may know, Bcrypt is limited to 72 character passwords. So on the surface it looks like it shouldn't be vulnerable. But I chose to dig in further to be sure. What I found surprised me.

To find out exactly how things are processed he gets down into the C code behind the PHP functionality in the crypt function. He discovers something interesting about the way it determines the length of the input password. It loops over the key, taking one byte at a time but resetting when it comes across a null byte. While this method is safe in itself, he points out the real issue - using pre-hashing before the bcrypt password checking to, possibly, allow for longer passwords.

The problem is that this method could lead to those null bytes and cause issues with the password checking, especially if opting for the use of raw data. He includes a simple script to illustrate this problem, finding a few collisions for his made up key and "random looking" password. Thankfully, he includes a method for checking to ensure the hash doesn't contain a null byte. He points out that not all hashing combinations are at risk and suggests a few alternatives that can keep your application 100% safe.

The underlying problem is that combining cryptographic operators that weren't designed to be combined can be disastrous. Is it possible to do so safely? Yes. Is it a good idea to do it? No. This particular case is just one example where combining operations can be exceedingly dangerous.
0 comments voice your opinion now!
bcrypt hash function combination issue crypt null byte

Link: http://blog.ircmaxell.com/2015/03/security-issue-combining-bcrypt-with.html

Zend Blog:
Developing a Z-Ray Extension
February 25, 2015 @ 11:54:41

Zend recently introduced their Z-Ray inspection tool that allows you to see inside your application and know what's happening in your code, your database and has support for major PHP projects. In this new post to their blog they show you how to develop a custom extension for the Z-Ray system.

One of the coolest features in Z-Ray is the ability to plug in your own extensions. Meaning, you can customize existing Z-Ray panels or add your own personalized Z-Ray panel for displaying information you think is important for developing your specific application. This short tutorial will describe how to write a basic extension for Z-Ray. More specifically, we'll be writing a Z-Ray extension for WordPress that extracts and displays a list of loaded WordPress plugins.

They give you a list of things you'll need to set up before you can get started including a simple WordPress installation on a Zend Server instance. With these in place they help you create the "zray.php" file to define the extension, how to enable it and setting up a "trace" on a function to hook it into the execution. They then dump the WP plugin information and reformat it a bit to show only the list of names and versions in the output panel. As a last touch, they add a logo to the panel to show in the bottom menubar with the WordPress logo.

0 comments voice your opinion now!
zray zend extension custom wordpress tutorial plugin

Link: http://blog.zend.com/2015/02/25/developing-z-ray-extension

Evert Pot:
The problem with password_hash()
February 25, 2015 @ 10:51:04

Evert Pot has shared some of his thoughts about why he has a problem with password_hash (and friends). His thoughts are initially about this particular feature but they're actually wider than that.

The initial introduction and rfc for these functions made me uneasy, and I felt like a lone voice against many in that I thought something bad was happening. I felt that they should not be added to the PHP engine. I think that we should not extend the PHP engine, when it's possible to write the same API in userland, or there are significant benefits to do it in PHP, such as performance. Since the heavy lifting of the password functions is done by underlying libraries that are already exposed to userland-PHP, it didn't make sense to me to expose it as well in the core.

He includes a list of things he sees as drawbacks for new C-based functionality in PHP including the fact that it extends the "PHP specification" and forces other projects to implement it (like HHVM). He does include a few positives, though, such as the increased visibility and legitimacy, but still thinks they don't outweigh the negatives.

0 comments voice your opinion now!
password hash core language c implementation opinion userland

Link: http://evertpot.com/password-hash-ew/

SitePoint PHP Blog:
How to Encrypt Large Messages with Asymmetric Keys and phpseclib
January 20, 2015 @ 11:40:51

On the SitePoint PHP blog today David Brumbaugh shows you how to encrypt large messages with phpseclib and asymmetric keys. phpseclib is a PHP library specifically designed to handle encryption and decryption in an easy-to-use way.

Most of us understand the need to encrypt sensitive data before transmitting it. Encryption is the process of translating plaintext (i.e. normal data) into ciphertext (i.e. secret data). During encryption, plaintext information is translated to ciphertext using a key and an algorithm. To read the data, the ciphertext must be decrypted (i.e. translated back to plaintext) using a key and an algorithm. [...] A core problem to be solved with any encryption algorithm is key distribution. How do you transmit keys to those who need them in order to establish secure communication? The solution to the problem depends on the nature of the keys and algorithms.

He talks some about the difference between symmetric and asymmetric algorithms and some advice about the selection of the right one (or ones) to use in your app. He also talks briefly about the problem with RSA keys, mostly that it has limits on the amount of text it can encrypt. His solution is to "encrypt the message with a symmetric key, then asymmetrically encrypt the key and attach it to the message". He explains the encryption/decryption process step by step and starts in showing the code to make phpseclib do the work. He shows how to generate the keys, build the encrypt function and the decrypt function with about 30 lines of code each.

0 comments voice your opinion now!
encrypt decrypt large message asymetric key phpseclib tutorial

Link: http://www.sitepoint.com/encrypt-large-messages-asymmetric-keys-phpseclib/

Stanislav Malyshev:
Objects as keys
December 15, 2014 @ 09:18:50

In his latest post Stanislav Malyshev looks at a RFC he's proposed to allow array keys to be objects including some of his thoughts behind the proposal and how he sees it being helpful to the language.

I'm going to put to vote soon another of my RFCs, namely one about "objects as keys". So, I want to outline the case for it here and address some criticisms and questions raised while discussing it.

He starts off by answering the "why" question, mentioning specially the introduction of things like GMP numbers and how, despite them seeming to work like numbers, other things can be done with them. He talks about how you'd use this functionality "the right way" and how that'd relate back to value objects. He answers a few other questions about the proposal including why it's better than just using __toString or spl_object_hash instead. He spends the rest of the post looking at some of the implementation problems, disadvantages and some of the possible names (function names) for the handling.

0 comments voice your opinion now!
object array key rfc proposal gmp number

Link: http://php100.wordpress.com/2014/12/14/objects-as-keys/

SitePoint PHP Blog:
How to Create a Unique 64bit Integer from String
August 14, 2014 @ 12:55:33

In the latest post to the SitePoint PHP blog Vova Feldman shows you how to create an integer from a hash string that's both 64 bit and unique each time it's generated.

PHP provides the popular md5() hash function out of the box, which returns 32 a hex character string. It's a great way to generate a fingerprint for any arbitrary length string. But what if you need to generate an integer fingerprint out of a URL?

He describes the real-world situation he was facing - a rating widget that needed a randomized integer based on the page using it - and the two "sub-challenges" that make it up: url canonization and the string to unique 64 bit problem. He tackles each problem and shares code snippets showing the process and how it can be put to use. He also includes some interesting metrics at the end of the post showing the level of hash collisions (hint, it's a very low number).

0 comments voice your opinion now!
unique integer string 64bit tutorial md5 hash

Link: http://www.sitepoint.com/create-unique-64bit-integer-string/

WebLessons.info:
Login with LinkedIn
June 25, 2014 @ 10:47:16

The WebLessons.info site has a new tutorial posted showing you how to use the LinkedIn authentication handling to allow your users to log in with their own account information.

LinkedIn is a business-oriented social networking service. It is mainly used for professional networking. So if you are having an application or website that serves working professionals then its very important for you to implement login with LinkedIn in your application. By this way you can able to access the data of your users like email, work history, education etc. So now let's dive into the coding part.

They walk you through the various steps, providing screenshots or code where applicable:

  • Creating a LinkedIn Application
  • Get the API Key and Secret Key
  • Create the database and set up the PHP configuration to connect
  • finally, the PHP code for the login form and making the request to LinkedIn

A live demo can be found here (but if you're paranoid about your credentials, I wouldn't use it) and you can download all files included in the tutorial.

0 comments voice your opinion now!
linkedin login tutorial application api key secret

Link: http://weblessons.info/2014/06/25/login-with-linkedin-tutorial-php/

The Code of a Ninja:
Salt, Hash and Store Passwords Securely with Phpass
June 16, 2014 @ 11:15:37

In this post to the CodeOfANinjs.com site, they walk you through password hashing, salting and storage using the PHPAss tool from OpenWall. The post itself is a bit older, but the content still provides a good example to teach the basics.

I think the main reason why we have to hash passwords is to prevent passwords from being stolen or compromised. You see, even if someone steal your database, they will never read your actual or cleartext password. I know that some PHP frameworks or CMS already provide this functionality, but I believe that it is important for us to know how its implementation can be made.

The tutorial shows you how to use the library and how to store the result in a simple "users" table in a MySQL database. The examples hash the password given from a simple form and use prepared statements (via PDO) to save it to the database. All PHP, HTML and CSS code you'll need - including the login form that checks the username/password - is included. There's also a few screenshots showing what the resulting forms and data should look like.

0 comments voice your opinion now!
phpass tutorial hash salt password storage mysql user

Link: http://www.codeofaninja.com/2013/03/php-hash-password.html

Michael Dowling:
Favor Hash Lookups Over Array Searches
March 21, 2014 @ 10:47:34

Michael Dowling has a recent post to his site comparing the performance of hash lookups versus array searches.

A common programming requirement is to match a string against a set of known strings. For example, let's say you were iterating over the words in a forum post and testing to see if a word is in a list of prohibited words. A common approach to this problem is to create an array of the known prohibited words and then use PHP's in_array() function to test if the string is found in the list. However, there's a simple optimization you can make to significantly improve the performance of the algorithm.

He includes two pieces of sample code - one showing the searching of an array using in_array and the other running an isset to locate a key. He points out that the in_array method is quite a bit slower than the hash (key) lookup and includes a benchmark script to prove it.The results are pretty clear, with the hash lookup coming in about 480% faster than the in_array. He also points out that as the size of the strings you're comparing grows, the performance of in_array drops even more.

0 comments voice your opinion now!
hash lookup search array inarray benchmark

Link: http://mtdowling.com/blog/2014/03/17/hash-lookups-over-array-search/


Community Events

Don't see your event here?
Let us know!


laravel5 language api framework series opinion install extension example laravel podcast php7 introduction community release library unittest voicesoftheelephpant xdebug interview

All content copyright, 2015 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework