Security
What's new in phpSec 0.3-beta
I'm still trying out stuff with phpSec, that's why I call it a beta. I made a promise to myself not to break stuff for anyone using it after the first beta release, and I still plan to keep that promise.
Last night I did some work on the password hashing methods and ended up deciding to rewrite the whole thing. And I did. But instead of rewriting the old class, I added a new one that I have called phpsecSuperPasswordHashingClass. That's why I haven't committed it yet. Still trying to figure out what to call it.
phpSec 0.2-beta released
I'm happy to announce that phpSec 0.2-beta has made it to the download page. It features MySQL support, better Yubikey integration and general awesomeness out of the box. So head on to the download page to get your own cup of security.
Escaping field and table names in PDO statements
PDO is Chuck Norris's (or whoever you believe in as the divine force that created the earth) gift to PHP developers. It takes away the hassle of securing your SQL queries against SQL injection and other nasty stuff.
But it has one weakness: it has no method of escaping table and field names. So how do we do it? The only solution I see is to quote table names (or field names) with backquotes (`) and then disallow backslash, backquote and the NUL character:
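The approach described above, as an added example (this is not phpSec's own code): identifiers cannot be bound as PDO placeholders, so the table or column name is wrapped in backquotes after the characters that could break out of them are refused. The allow-list check and the SQLite demo schema are my additions; SQLite accepts backquoted identifiers the same way MySQL does, so the script runs offline.

```php
<?php
// Added example, not phpSec's own code: quoting a table or column name for a
// PDO query the way the post describes.

function quoteIdentifier(string $name): string
{
    // Backslash, backquote and NUL are the characters that could end the
    // quoted identifier early or confuse the driver; refuse them outright.
    if ($name === '' || preg_match('/[\\\\`\x00]/', $name)) {
        throw new InvalidArgumentException('Invalid identifier');
    }
    return '`' . $name . '`';
}

// Defence in depth (my addition): only accept identifiers the application
// actually knows, so an unexpected value never reaches the database at all.
function checkedIdentifier(string $name, array $allowed): string
{
    if (!in_array($name, $allowed, true)) {
        throw new InvalidArgumentException('Unknown identifier');
    }
    return quoteIdentifier($name);
}

// Constructed demo schema.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, created TEXT)');
$pdo->exec("INSERT INTO users (username, created) VALUES ('alice', '2011-01-02'), ('bob', '2011-01-01')");

$allowedSort = ['username', 'created'];
$sort = 'created';   // stands in for a user-supplied value such as $_GET['sort']

// The identifier is checked and quoted; the value is still bound as a parameter.
$sql  = 'SELECT username FROM users ORDER BY ' . checkedIdentifier($sort, $allowedSort) . ' LIMIT :limit';
$stmt = $pdo->prepare($sql);
$stmt->bindValue(':limit', 10, PDO::PARAM_INT);
$stmt->execute();
print_r($stmt->fetchAll(PDO::FETCH_COLUMN));

// Hostile identifiers are rejected before any SQL is built.
foreach (['created` --', "users\0x", 'a\\b'] as $bad) {
    try {
        quoteIdentifier($bad);
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ' . addcslashes($bad, "\0..\37") . "\n";
    }
}
try {
    checkedIdentifier('nosuchcolumn', $allowedSort);
} catch (InvalidArgumentException $e) {
    echo "rejected: nosuchcolumn\n";
}
```

The allow-list is the stronger of the two checks: quoting alone only stops the identifier from escaping the backquotes, while the list also stops a caller from sorting or selecting on a column the application never meant to expose.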
Password salting
For a long time most PHP developers protected passwords only with the md5() function. Then people started using salting to protect their users' passwords from rainbow tables and other naughty stuff.
The way salting works is that you generate a random string of data, and add this to the password before you pass it to the md5() function. The salt is stored in the database, and when you want to verify a password you fetch the salt and add it to the supplied password.
The most common way to add the salt to the password is something like this:
$hash = md5($salt.$password);
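The store-and-verify cycle that the salting scheme above implies, as an added example (not phpSec's code): a fresh random salt per user, the salt stored next to the hash, and a constant-time comparison on login. The post uses md5(); the mechanism is identical with a stronger digest, so sha256 is assumed here. On current PHP, password_hash() and password_verify() should be preferred over any hand-rolled scheme, salted or not.

```php
<?php
// Added example, not phpSec's own code: salt.password hashing with a random
// per-user salt, as described in the post, using sha256 instead of md5.

const HASH_ALGO = 'sha256';

// Build the record to store for a new password: random salt plus hash(salt.password).
function createPasswordRecord(string $password): array
{
    $salt = bin2hex(random_bytes(16));   // 128 bits of randomness per user
    return ['salt' => $salt, 'hash' => hash(HASH_ALGO, $salt . $password)];
}

// Verify a login attempt: fetch the stored salt, prepend it, hash, compare.
function verifyPassword(string $password, array $record): bool
{
    $candidate = hash(HASH_ALGO, $record['salt'] . $password);
    // hash_equals() does not leak where the two strings first differ.
    return hash_equals($record['hash'], $candidate);
}

// Constructed demo: two users with the same password get different hashes,
// which is what makes a precomputed rainbow table useless against them.
$alice = createPasswordRecord('correct horse');
$bob   = createPasswordRecord('correct horse');

var_dump($alice['hash'] !== $bob['hash']);
var_dump(verifyPassword('correct horse', $alice));
var_dump(verifyPassword('wrong horse', $alice));
```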
Encrypting data with PHP using the phpSec library
Encryption is an easy and secure way of protecting your data. phpSec implements symmetric encryption using the mcrypt library, and it is extremely easy to use.
$data = 'This is some extremely secret information.';
$encrypted = phpsecCrypt::encrypt($data, 'secret key');
The above code will encrypt the $data string, using the "secret key". Note that you can also pass arrays to encrypt.
$encrypted will contain something like:
{
"cdata":"qLUmR1giVp01tVslDexNn4wKSFGTOD+v2PV1MuPs\/eL26IuUvM8+jQ==",
Effective key size
Creating keys for use with encryption is not as easy as the guys writing the PHP manual think it is. The following example from the mcrypt_module_open() page shows just that. To generate a key, they use:
/* Create key */
$key = substr(md5('very secret key'), 0, $ks);
Already in 2006, "Mon" commented:
In the text example:
$key = substr(md5('very secret key'), 0, $ks);
Builds a key of $ks/2 effective bytes.
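To make "Mon"'s point concrete, here is an added example (not from the PHP manual or phpSec) that counts the key material each construction can carry. The md5() output is hex text, so every byte of the key is one of only 16 symbols and holds at most 4 bits; 32 such bytes give 128 bits, i.e. $ks/2 effective bytes. $ks = 32 is assumed, as it would be for a 256-bit cipher.

```php
<?php
// Added example: how much entropy a $ks-byte key can hold depends on the
// alphabet its bytes are drawn from, not on its length alone.

$ks = 32;   // assumed key size in bytes, as for a 256-bit cipher

// Upper bound on the key's entropy: strlen * log2(alphabet size).
function maxEntropyBits(string $key, int $alphabetSize): float
{
    return strlen($key) * log($alphabetSize, 2);
}

$weak   = substr(md5('very secret key'), 0, $ks);   // hex text: 16 symbols per byte
$better = hash('sha256', 'very secret key', true);  // raw digest: 256 symbols per byte
$best   = random_bytes($ks);                        // random binary: 256 symbols per byte

$candidates = [
    'substr(md5())'   => [$weak,   16],
    'hash(..., true)' => [$better, 256],
    'random_bytes()'  => [$best,   256],
];

foreach ($candidates as $label => [$key, $alphabet]) {
    $bits = maxEntropyBits($key, $alphabet);
    printf("%-16s length %2d bytes, at most %3d bits (%2d effective bytes)\n",
        $label, strlen($key), $bits, $bits / 8);
}
```

The raw-digest variant fixes the alphabet problem but is still only as strong as the passphrase it was derived from; if a key must come from a passphrase, stretch it with a proper key-derivation function (hash_pbkdf2() in PHP), and otherwise generate the key with random_bytes() and store it.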
phpSec alpha-0.0.3 released
phpSec alpha-0.0.3 was released today.
It can be downloaded here: https://github.com/xqus/phpSec/downloads
For more information about phpSec visit http://phpsec.xqus.com
- [#21] Use of phpSec session handler is now optional.
- [#17] phpsec::pwHash() now returns a JSON encoded array.
- Added Yubikey integration. See https://github.com/xqus/phpSec/wiki/Yubikey
- Added &type variables to phpsec::f().
- Many minor fixes.
Protect your PHP application from CSRF using phpSec
Cross Site Request Forgery (CSRF) is an attack method where the victim has already authenticated to a site, and the attacker uses this valid session to trick the user into making a request without their knowledge.
...
To protect your application from CSRF attacks you can use phpSec to generate a one-time token that you include in a hidden field in your forms. When a user submits a form this token should be validated before the action requested by the user is performed.
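The token scheme described above, as an added example rather than phpSec's own API: a one-time token is generated, kept in the session, written into a hidden form field, and consumed on submission so it cannot be replayed. A plain array named $session stands in for $_SESSION so the script runs offline; the per-form scoping and the expiry are my additions.

```php
<?php
// Added example, not phpSec's own code: a one-time CSRF token stored in the
// session and validated when the form is submitted.

// Create a token for a specific form and remember it in the session.
function csrfCreateToken(array &$session, string $formName): string
{
    $token = bin2hex(random_bytes(32));
    // Scoped per form so a token issued for one form cannot be used on another.
    $session['csrf'][$formName] = ['token' => $token, 'expires' => time() + 600];
    return $token;
}

// The hidden field to include in the form's HTML.
function csrfHiddenField(string $token): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
}

// Validate and consume: the stored token is removed whether or not it matched,
// so every token is usable exactly once.
function csrfValidateToken(array &$session, string $formName, ?string $submitted): bool
{
    $stored = $session['csrf'][$formName] ?? null;
    unset($session['csrf'][$formName]);
    if ($stored === null || $submitted === null || time() > $stored['expires']) {
        return false;
    }
    return hash_equals($stored['token'], $submitted);
}

// Constructed walkthrough of one request/response cycle.
$session = [];
$token = csrfCreateToken($session, 'delete_account');
echo csrfHiddenField($token), "\n";

// Legitimate submission: the browser posts the hidden field back.
var_dump(csrfValidateToken($session, 'delete_account', $token));
// Replaying the same token fails because it has been consumed.
var_dump(csrfValidateToken($session, 'delete_account', $token));
// A request forged from another site does not carry the current token.
csrfCreateToken($session, 'delete_account');
var_dump(csrfValidateToken($session, 'delete_account', 'not-the-token'));
```

Validate the token before performing the requested action, and treat a failed check the same as an unauthenticated request: reject it and log it rather than silently retrying.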
Password hashing the smart way
Simple password hashing using md5() has been used by PHP developers for a long time. However, as rainbow tables become more and more widely available, new methods of protecting a user's password are needed. Therefore salting of the password is becoming more and more common.
phpSec (a PHP security library) enables you to easily hash passwords in a secure way. Read more in the phpSec manual.
Google Safe-Browsing and Chrome Privacy Leak
Interesting reading about Google Safe-Browsing and Chrome Privacy Leak.
http://ha.ckers.org/blog/20090824/google-safe-browsing-and-chrome-privac...
