Development
What's new in phpSec 0.3-beta
I'm still trying out stuff with phpSec, that's why I call it a beta. I made a promise to myself not to break stuff for anyone using it after the first beta release. And I still plan to keep that promise.
Last night I did some work on the password hashing methods and ended up deciding to rewrite the whole thing. And I did. But instead of rewriting the old class, I added a new one that I have called phpsecSuperPasswordHashingClass. That's why I haven't committed it yet. Still trying to figure out what to call it.
phpSec 0.2-beta released
I'm happy to announce that phpSec 0.2-beta has made it to the download page. It features MySQL support, better Yubikey integration and general awesomeness out of the box. So head on to the download page to get your own cup of security.
Escaping field and table names in PDO statements
PDO is Chuck Norris's (or whomever you believe in as the divine force that created earth) gift to PHP developers. It takes the hassle out of securing your SQL queries against SQL injection and other nasty stuff.
But it has one weakness: it has no method of escaping table and field names, since prepared-statement placeholders only work for values. So how do we do it? The only solution I see is to quote table names (or field names) with backquotes (`) and then disallow the backslash, the backquote and the NUL character:
Mysql: change column order
The order of columns is usually not important, but sometimes it annoys me. So, how to change it?
Let's Write Some Tests with Testify.php
Testify is a micro testing framework for PHP, released under the GPL license. It aims to be elegant and easy to use. Testify takes advantage of PHP 5.3's anonymous function syntax to make defining tests almost JavaScript-like.
Encrypting data with PHP using the phpSec library
Encryption is an easy and secure way of protecting your data. phpSec implements symmetric encryption using the mcrypt library, and it is extremely easy to use.
$data = 'This is some extremely secret information.';
$encrypted = phpsecCrypt::encrypt($data, 'secret key');
The above code will encrypt the $data string, using the "secret key". Note that you can also pass arrays to encrypt.
$encrypted will contain something like:
{
"cdata":"qLUmR1giVp01tVslDexNn4wKSFGTOD+v2PV1MuPs\/eL26IuUvM8+jQ==",
phpSec alpha-0.0.3 released
phpSec alpha-0.0.3 was released today.
It can be downloaded here: https://github.com/xqus/phpSec/downloads
For more information about phpSec visit http://phpsec.xqus.com
- [#21] Use of phpSec session handler is now optional.
- [#17] phpsec::pwHash() now returns a JSON encoded array.
- Added Yubikey integration. See https://github.com/xqus/phpSec/wiki/Yubikey
- Added &type variables to phpsec::f().
- Many minor fixes.
Changing PHP's User-Agent using stream_context_create()
While working on a Yubikey integration for my PHP security library (phpSec) I stumbled upon the stream_context_create() function. While changing the user-agent isn't the primary goal of this function, it's possible to do, as I have done in phpSec.
Here is an example of how I did it.
Protect your PHP application from CSRF using phpSec
Cross Site Request Forgery (CSRF) is an attack method in which the victim has already authenticated to a site, and the attacker abuses that valid session to trick the user into making a request without their knowledge.
...
To protect your application from CSRF attacks you can use phpSec to generate a one-time token that you include in a hidden field in your forms. When a user submits a form, this token should be validated before the action requested by the user is performed.
Password hashing the smart way
Simple password hashing using md5() has been used by PHP developers for a long time. However, as rainbow tables are becoming more and more widely available, new methods of protecting a user's password are needed. Therefore, salting of passwords is becoming more and more common.
phpSec (a PHP security library) enables you to easily hash passwords in a secure way. Read more in the phpSec manual.
