The Zend Framework team recently released versions 2.0.8 and 2.1.4 to address a number of potential security issues including advisory ZF2013-02 "Potential Information Disclosure and Insufficient Entropy vulnerabilities in ZendMathRand and ZendValidateCsrf Components". Quite the mouthful! In short, Zend Framework used the mt_rand() function to generate random numbers in situations where neither openssl_pseudo_random_bytes() nor mcrypt_create_iv() were available. This is possible when the openssl and mcrypt extensions are not installed/compiled with PHP.

He talks some about the mt_rand function and how it generates its "random numbers" (designed for speed, not ultimate randomness). He notes that all of PHP's internal randomization functions use the concept of "seeds" to prime the random number/string generation. Unfortunately, the seeding method is known inside PHP, so it is possible - if the method of generation is weak, as it is with mt_rand - that an attacker could brtute force their way into a correct value. You can find more about randomness in PHP in this chapter of his PHP security handbook including a mention of Anthony Ferrara's randomness library.

With OS X 10.8, Apple continues to ship PHP 5.3 with Xdebug, PEAR, GD and PDO_MYSQL. This is how to set it up from a clean install of 10.8.

He's broken it up into a few sections including the MySQL setup, Apache configuration , updating the main php.ini and setting up PHPUnit ("and friends") for your testing. He also includes setup instructions for the mcrypt and the PECL OAuth extensions.

With OS X 10.7, Apple continues to ship PHP 5.3 with PEAR, GD and PDO_MYSQL out of the box. This is how to set it up from a clean install of 10.7.

He goes through each of the pieces of software and talks about where to download the latest from and what configuration steps are needed:

• MySQL
• Apache
• the php.ini
• Xdebug
• PEAR
• PHPUnit (and friends)
• PECL OAuth
• mcrypt

You probably know SSH at least by its name. It's a of secure telnet replacement which also allows many other things such as port forwarding, remote file management (with sftp) and more. With PHP I could write a fully working SSH server in only 3 days. [...] My goal when writing this was to provide a replacement for the FTP protocol for the customers of my hosting service.

He lists the extensions used to create the extension - OpenSSL, mcrypt, hash and (the most important) GMP as well as a link to the source if you'd like to try it out yourself.

Following up on "Implementing One-way Encryption in PHP," my previous tutorial about using one-way encryption to build a secure online diary application, this article explores using PHP encryption for login authentication. It presents the two scripts that make up the diary application: the login and diary scripts, as well as the necessary database server connection script.

His script example shows how to use the md5 hashing function to compare passwords with the ones in the database as well as a modification that uses the mcrypt libraries to encrypt some sample text.

The ability to encrypt and safeguard data is an essential ability that every serious web developer should have in their arsenal. In this article we'll explore encrypting data with PHP and MCrypt (libmcrypt), storing it in a database, retrieving it from a database and decrypting it for use.

He works through what mcrypt is, where it can be downloaded from, a simple usage example and a more in-depth look at what its doing (making an IV, encrypting) and how to store the resulting encrypted information into a MySQL database table.

Cryptography is just one piece of the security puzzle, along with SSL/TLS, certificates, digital signatures, and so on. This article explains how to use PHP to implement the most common cryptographic algorithms. In addition to describing PHP's default encryption functions, you'll see how to use a wide variety of cryptographic libraries and packages.

They start with a look at some of the built-in functions like md5, sh1 and crypt as well as a table detailing the different encryption methods (like mcrypt, mhash or crypt_blowfish). They follow this up with examples of some of them including a method for making secret keys with the Crypt_DiffieHellman PEAR Package.

For each of the three topics covered, they include a few code examples on their use - an HTML form with the filter extension, user authentication with the PEAR Auth, and encrypting data to be used in a more secure cookie.

The article is excerpted from PHP 5 Advanced: Visual QuickPro Guide by Larry Ullman.