30 Dec 2011, by xqus

What's new in phpSec 0.3-beta

I'm still trying out stuff with phpSec, that's why I call it a beta. I made a promise to myself not to break stuff for anyone using it after the first beta release. And I still plan to keep that promise.
Last night I did some work on the password hashing methods and ended up deciding to rewrite the whole thing. And I did. But instead of rewriting the old class, I added a new one that I have called phpsecSuperPasswordHashingClass. That's why I haven't committed it yet. Still trying to figure out what to call it.

21 Dec 2011, by xqus

phpSec 0.2-beta released

I'm happy to announce that phpSec 0.2-beta has made it to the download page. It features MySQL support, better Yubikey integration and general awesomeness out of the box. So head on to the download page to get your own cup of security.

20 Dec 2011, by xqus

Escaping field and table names in PDO statements

PDO is Chuck Norris's (or whomever you believe in as the divine force that created the earth) gift to PHP developers. It takes the hassle out of securing your SQL queries against SQL injection and other nasty stuff.

But it has one weakness: it has no method of escaping table and field names, because a prepared-statement placeholder can only stand in for a value, never for an identifier. So how do we do it? The only solution I see is to quote table names (or field names) with backquotes (`) and then disallow backslash, backquote and the NUL character:
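
The following is an added example, not code from the post or from phpSec. It implements the rule above as a small quoting function and exercises it against an in-memory SQLite database (assumed: the pdo_sqlite driver is available; SQLite accepts backquoted identifiers just like MySQL). The column names tried, including the hostile ones, are constructed for the demonstration.

```php
<?php
// Added example (not phpSec code): quoting a MySQL identifier by hand for a PDO
// query. Placeholders bind values only, so a table or column name that comes
// from outside has to be validated and quoted separately.

function quoteIdentifier(string $name): string
{
    // MySQL identifiers are 1 to 64 characters; anything else is not a name.
    if ($name === '' || strlen($name) > 64) {
        throw new InvalidArgumentException('Identifier must be 1 to 64 bytes long');
    }
    // Refuse the three characters that could break out of the backquotes.
    // (MySQL would accept a doubled backquote inside a quoted identifier, but
    // rejecting it outright leaves no room for a mistake.)
    if (strpbrk($name, "\\`\0") !== false) {
        throw new InvalidArgumentException('Identifier contains a forbidden character');
    }
    return '`' . $name . '`';
}

function demo(): array
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)');
    $pdo->exec("INSERT INTO users (name, email) VALUES ('alice', 'alice@example.org')");

    // Constructed inputs: two honest column names and three attempts to escape
    // the quoting (backquote, backslash, NUL).
    $candidates = ['name', 'email', "name` FROM users; --", "na\\me", "id\0"];

    $out = [];
    foreach ($candidates as $column) {
        $label = addcslashes($column, "\0..\37\\");
        try {
            // Identifier quoted by us, the row id still bound as a value by PDO.
            $sql  = 'SELECT ' . quoteIdentifier($column) . ' FROM `users` WHERE id = :id';
            $stmt = $pdo->prepare($sql);
            $stmt->execute([':id' => 1]);
            $out[$label] = $stmt->fetchColumn();
        } catch (InvalidArgumentException $e) {
            $out[$label] = 'rejected: ' . $e->getMessage();
        }
    }
    return $out;
}

print_r(demo());
```

Quoting stops the name from breaking the statement; it does not stop a syntactically valid name from reading a column the caller should not see. Where the legal names are known in advance, check the input against that list as well and treat the quoting as the second line of defence.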

19 Dec 2011, by xqus

MySQL: change column order

The order of columns is usually not important, but sometimes it annoys me. So, how to change it?

18 Dec 2011, by xqus

Let's Write Some Tests with Testify.php

Testify is a micro testing framework for PHP, released under the GPL license. It aims to be elegant and easy to use. Testify takes advantage of PHP 5.3's anonymous function syntax to make defining tests almost JavaScript-like.

Read full article on Tutorialzine.

14 Aug 2011, by xqus

Password salting

For a long time most PHP developers protected passwords only with the md5() function. Then people started using salting to protect their users' passwords from rainbow tables and other naughty stuff.
The way salting works is that you generate a random string of data and add it to the password before you pass it to the md5() function. The salt is stored in the database, and when you want to verify a password you fetch the salt and add it to the supplied password.
The most common way to add the salt to the password is something like this:

$hash = md5($salt.$password);
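
The following is an added example, not code from the post or from phpSec. It shows the salted-md5 scheme described above with a properly random salt and a constant-time comparison, and beside it the check a practitioner should actually use today: a slow, salted hash via password_hash() (bcrypt, PHP 5.5 and later). A salt defeats precomputed tables, but md5() is fast enough that a per-user salt does nothing against a GPU guessing each password individually; the cost factor of bcrypt is what makes that expensive. Function names and the sample passwords are made up for the example; random_bytes() needs PHP 7.

```php
<?php
// Added example, not from the original post or from phpSec.

// Salted md5 exactly as the post describes, with the salt kept next to the hash.
function legacyHash(string $password): array
{
    $salt = bin2hex(random_bytes(16));   // 128 bits from the CSPRNG, not mt_rand()
    return ['salt' => $salt, 'hash' => md5($salt . $password)];
}

function legacyVerify(string $password, array $record): bool
{
    // hash_equals() compares in constant time, so the comparison itself does
    // not leak how many leading bytes of the hash were right.
    return hash_equals($record['hash'], md5($record['salt'] . $password));
}

// The recommended replacement: bcrypt picks and stores its own random salt
// inside the returned string, and the cost factor (2^12 rounds here) makes
// every guess slow for the attacker as well as for us.
function modernHash(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
}

function modernVerify(string $password, string $hash): bool
{
    return password_verify($password, $hash);
}

// Usage with constructed inputs.
$record = legacyHash('correct horse');
var_dump(legacyVerify('correct horse', $record));
var_dump(legacyVerify('wrong horse', $record));

$hash = modernHash('correct horse');
var_dump(modernVerify('correct horse', $hash));
// Lets you raise the cost later and rehash users as they log in.
var_dump(password_needs_rehash($hash, PASSWORD_BCRYPT, ['cost' => 12]));
```

Migrating an existing table of salted md5 hashes does not require a password reset: verify the old hash on login, and on success store password_hash() of the plaintext you just checked and drop the old salt and hash.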

11 Jul 2011, by xqus

Encrypting data with PHP using the phpSec library

Encryption is an easy and secure way of protecting your data. phpSec implements symmetric encryption using the mcrypt library, and is extremely easy to use.

$data = 'This is some extremely secret information.';
$encrypted = phpsecCrypt::encrypt($data, 'secret key');

The above code will encrypt the $data string using "secret key" as the key. Note that you can also pass arrays to encrypt.
$encrypted will contain something like:

{
  "cdata":"qLUmR1giVp01tVslDexNn4wKSFGTOD+v2PV1MuPs\/eL26IuUvM8+jQ==",

10 Jul 2011, by xqus

Effective key size

Creating keys for use with encryption is not as easy as the people writing the PHP manual think it is. The following example on the mcrypt_module_open() page shows just that. To generate a key they use the following:

/* Create key */
$key = substr(md5('very secret key'), 0, $ks);

Already in 2006, "Mon" commented:

In the text example:
$key = substr(md5('very secret key'), 0, $ks);
Builds a key of $ks/2 effective bytes.
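
The following is an added example, not code from the posts, from the PHP manual or from phpSec. It serves both this post and the "Encrypting data with PHP using the phpSec library" post above: it makes the key-size comment measurable (md5() returns 32 hex characters, so each byte of the key takes one of only 16 values, and $ks of them carry $ks*4 bits, i.e. $ks/2 effective bytes), derives a full-entropy key instead, and then uses that key for authenticated encryption that produces a JSON envelope in the spirit of phpSec's (only the "cdata" field name is taken from the output shown above; "salt", "iv" and "tag" are this example's own). Assumed: PHP 7.1 or later with the openssl extension, since mcrypt was removed from PHP 7.2. The plaintext and passphrase are constructed inputs.

```php
<?php
// Added example, not phpSec's code and not the manual's.

// The manual's derivation: substr() of a hex digest. Every byte is one of
// "0123456789abcdef", so a 32-byte key holds only 128 bits of key material,
// and all of it comes from one fast hash of a short passphrase.
function manualStyleKey(string $passphrase, int $ks): string
{
    return substr(md5($passphrase), 0, $ks);
}

// Count the distinct byte values in a key. A hex key can never exceed 16;
// 32 raw random bytes will almost always use more than that.
function distinctByteValues(string $key): int
{
    return count(array_unique(str_split($key)));
}

// A real derivation: PBKDF2-HMAC-SHA256 with a random salt and a high
// iteration count, returning raw bytes so the key is truly $ks bytes long.
function deriveKey(string $passphrase, string $salt, int $ks): string
{
    return hash_pbkdf2('sha256', $passphrase, $salt, 200000, $ks, true);
}

// Authenticated encryption (AES-256-GCM). The tag lets decryption detect a
// wrong key or a modified ciphertext instead of returning garbage.
function encryptWithPassphrase(string $plaintext, string $passphrase): string
{
    $salt  = random_bytes(16);
    $iv    = random_bytes(12);   // fresh per message; never reuse with the same key
    $key   = deriveKey($passphrase, $salt, 32);
    $tag   = '';
    $cdata = openssl_encrypt($plaintext, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    return json_encode([
        'cdata' => base64_encode($cdata),
        'salt'  => base64_encode($salt),
        'iv'    => base64_encode($iv),
        'tag'   => base64_encode($tag),
    ]);
}

function decryptWithPassphrase(string $envelope, string $passphrase): ?string
{
    $e   = json_decode($envelope, true);
    $key = deriveKey($passphrase, base64_decode($e['salt']), 32);
    $pt  = openssl_decrypt(
        base64_decode($e['cdata']), 'aes-256-gcm', $key, OPENSSL_RAW_DATA,
        base64_decode($e['iv']), base64_decode($e['tag'])
    );
    return $pt === false ? null : $pt;   // false: wrong key or tampered envelope
}

// Usage with constructed inputs.
$weak = manualStyleKey('very secret key', 32);
$good = deriveKey('very secret key', random_bytes(16), 32);
printf("hex key: %d distinct byte values; derived key: %d distinct byte values\n",
       distinctByteValues($weak), distinctByteValues($good));

$env = encryptWithPassphrase('This is some extremely secret information.', 'very secret key');
echo $env, "\n";
var_dump(decryptWithPassphrase($env, 'very secret key'));
var_dump(decryptWithPassphrase($env, 'wrong key'));
```

The salt and IV are stored in the clear inside the envelope on purpose: they need no secrecy, only uniqueness, and keeping them with the ciphertext is what lets the receiver rederive the key. The secret is the passphrase, and PBKDF2's iteration count is what turns a weak passphrase into an expensive target.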

09 Mar 2011, by xqus

phpSec alpha-0.0.3 released

phpSec alpha-0.0.3 was released today.
It can be downloaded here: https://github.com/xqus/phpSec/downloads

For more information about phpSec visit http://phpsec.xqus.com

- [#21] Use of phpSec session handler is now optional.
- [#17] phpsec::pwHash() now returns a JSON encoded array.
- Added Yubikey integration. See https://github.com/xqus/phpSec/wiki/Yubikey
- Added &type variables to phpsec::f().
- Many minor fixes.

13 Feb 2011, by xqus

Changing PHPs User-Agent using stream_context_create()

While working on a Yubikey integration for my PHP security library (phpSec) I stumbled upon the stream_context_create() function. While changing the user agent isn't the primary purpose of this function, it's possible to do, as I have done in phpSec.

Here is an example of how I did it.
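
The following is an added example, not the code from the post or from phpSec. It builds an HTTP stream context that sets the User-Agent, reads the option back so the result can be checked without a network, and only performs a request when a URL is passed on the command line. The user-agent string is made up; the function names are this example's own. Assumed: PHP 7 with the openssl extension for https URLs.

```php
<?php
// Added example, not phpSec's code: setting PHP's User-Agent through a stream
// context and using it with file_get_contents().

function userAgentContext(string $userAgent, int $timeoutSeconds = 10)
{
    return stream_context_create([
        'http' => [
            'method'        => 'GET',
            // 'user_agent' is the dedicated option. A 'header' entry of
            // "User-Agent: ...\r\n" works too, but the option cannot collide
            // with other headers you add later.
            'user_agent'    => $userAgent,
            'timeout'       => $timeoutSeconds,
            // Return the body on 4xx/5xx as well so the caller can inspect it
            // instead of getting false and a warning.
            'ignore_errors' => true,
        ],
        'ssl' => [
            // Leave certificate verification on. Code that talks to a
            // token-validation service must not accept a forged peer.
            'verify_peer'      => true,
            'verify_peer_name' => true,
        ],
    ]);
}

// Read the option back, e.g. from a unit test, without touching the network.
function contextUserAgent($context): ?string
{
    $opts = stream_context_get_options($context);
    return $opts['http']['user_agent'] ?? null;
}

$ctx = userAgentContext('phpSec/0.2 (+http://phpsec.xqus.com)');   // made-up UA string
var_dump(contextUserAgent($ctx));

// Perform a request only when a URL is given, so the script also runs offline:
//   php useragent.php https://example.org/
if (PHP_SAPI === 'cli' && $argc > 1) {
    $body = file_get_contents($argv[1], false, $ctx);
    // The http wrapper fills $http_response_header after the call; the first
    // element is the status line.
    var_dump($http_response_header[0] ?? null, strlen((string) $body));
}
```

The same context array also takes 'proxy', 'max_redirects' and 'follow_location' keys, which matter for a library that should not silently follow a redirect off the validation host.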
