News Feed
Sections




News Archive
feed this:

Looking for more information on how to do PHP the right way? Check out PHP: The Right Way

Joseph Scott:
Stateless CSRF Tokens
August 02, 2013 @ 11:16:44

Joseph Scott has a recent post to his site looking at the idea of stateless CSRF tokens and how to create them while avoiding the typical "store them in a session" mentality.

This is all fine and good until you want to avoid using PHP sessions. Perhaps you have several web servers and don't want to deal with shared session storage. Or have servers in multiple data centers and don't want to try and sync state across them. What ever the reason, popping a token into $_SESSION isn't an option in this case. In short you want some sort of stateless CSRF token.

He looks at two methods to help get around this issue. The first method is based on known values that won't change very frequently (say, maybe 24 hours). His second method, however, has a bit more strength to it. His idea uses a combination of a key, the current time, a timeout and a known string of data - all base64 encoded.

0 comments voice your opinion now!
csrf token stateless tutorial session base64 timeout microtime

Link: https://josephscott.org/archives/2013/07/stateless-csrf-tokens

Marcus Bointon's Blog:
PHP Base-62 Encoding
August 11, 2011 @ 11:28:46

In a recent post Marcus Bointon looks at a hashing method that's not one as commonly used by developers as the usual base64 - base-62 encoding that plays a bit nicer with things like URLs and emails due to the character set it allows.

There's a really horrible bug (though they won't call it that!) in Apache's mod_rewrite that means that urlencoded inputs in rewrites get unescaped in their transformation to output patterns. The bug actually remains unfixed, though a workaround first appeared in Apache 2.2.12. [...] Base-62 is interesting as it can be made safe for use in URLs, DNS, email addresses and pathnames, unlike any available encoding of base-64, as it only includes [0-9A-Za-z].

He originally wrote his own parser, but notes that now the BCMath and gmp extensions make it much simpler, just a call to gmp_strval with gmp_init. This method works, but it's still not quite all he wanted so he created his own encoder to do the job.

0 comments voice your opinion now!
base62 base64 encode gmp mcmath extension hash


Evert Pot's Blog:
Creating Streams from Strings in PHP
February 02, 2009 @ 12:58:50

Evert Pot has a quick post on a handy little topic - making streams from strings with PHP (see some of it in action on Davey Shafik's blog).

There are situations where a string instead needs to be used, and for these purposes the data: stream wrapper is used. Initially I thought it was only possible to encode the actual string in base64, which I didn't like because of the added footprint. [...] Quickly checking out the rfc, it turns out that ';base64' can be omitted to just pass along the raw data, which makes a lot more sense in the context of PHP.

His example takes in an example string and pushes it back out the other side after base64 encoding and decoding it. Davey Shafik found a use for it in avoiding an eval call.

0 comments voice your opinion now!
stream string tutorial base64 streamgetcontents eval


Davey Shafik's Blog:
Avoiding EVAL()
February 02, 2009 @ 11:15:24

Davey Shafik has a helpful hint for avoiding one of the worst functions to use in PHP - eval.

There are a shed-load of ways to "eval()" code without actually calling the eval() function '" usually done simply to avoid the use of the dreaded "evil()" function, but often times because the system has eval() disabled using "disable_functions" in php.ini. Here is another simple way to avoid eval() without writing out files to the filesystem

His example uses the streams wrapper to natively execute the code from a string variable as a data element, base64 decoded. It's more of a proof-of-concept than anything else, but its an interesting solution to a tough problem to solve at times.

0 comments voice your opinion now!
eval evil avoid streams wrapper data base64 execute


Cyberlot's Blog:
Funny little php "virus" floating around
February 12, 2007 @ 09:58:00

Richard Thomas comments on a "funny little PHP 'virus'" that he's noticed coming to him via emails:

Got an email that claimed to be from my host, it used a generic return address and talked about security upgrades and such and how due to new policy to help keep a secure data center I was required to upload and run 1 of 2 files in a zip attachment, the first was a php file the other was an asp file.

Of course, it wasn't from the host, so he investigated a little further to find out exactly what was going on with the file. Basically, it was a modified nsTView file with some added emailing and password discovery code. The code was "hidden" though - through a base64_encode call on one side and then decoded it on the other to cause the server to execute the code. He even posts and example of what the base64ed code might look like.

0 comments voice your opinion now!
virus upload base64 encode decode email nstview virus upload base64 encode decode email nstview


PHP Security Blog:
PHP 5.2.0 and allow_url_include
November 03, 2006 @ 09:41:23

On the PHP Security Blog, Stefan Esser has posted some of his own opinions on the latest PHP release - version 5.2 - and some of the security implications of it.

Often users have requested that PHP allows disabling URL support for include and require statements while allowing it for the other filesystem functions. Because of this it was planned to have allow_url_include in PHP 6. After some discussion the feature was backported to the PHP 5.2.0 tree.

He also notes that, unfortunately, this functionality only protects against the http(s) and ftp(s) kinds of URLs and not some of the new data URLs included in the functionality of PHP 5.2. He gives two code examples of this kind of issue - one using the "pph://input" and the other using a base64 encoded value.

8 comments voice your opinion now!
security php5 allowurlfopen phpini setting input base64 security php5 allowurlfopen phpini setting input base64



Community Events





Don't see your event here?
Let us know!


tips release series language opinion laravel introduction framework deployment api library package zendserver interview install community update unittest symfony podcast

All content copyright, 2014 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework