Paragon Initiative:
How to Safely Generate Random Strings and Integers in PHP
Jul 08, 2015 @ 12:49:51

The Paragon Initiative blog has posted a guide to what they see as a way to safely generate random strings and integers in PHP applications.

Generating useful random data is a fairly common task for a developer to implement, but also one that developers rarely get right. [...] It's generally not okay to use a weak random number generator unless both of the following two conditions are met: the security of your application does not depend in any way on the value you generate being unpredictable or there is no requirement for each value to be unique (up to a reasonable probability).

He gives some examples of places where it's a must to use a "cryptographically secure pseudo-random number generator" including generating random passwords, encryption keys or IVs for data in CBC mode. The article goes on to talk about some of the problems that could come from using weak generators. It then gets into the process for generating random values and the use of the random_* functions in PHP (or using this polyfill) to more safely generate the numbers. Included is code showing the process and some advice around converting random bytes to both strings and integers.

tagged: safe generation random string integer php7 randomcompat security

Link: https://paragonie.com/blog/2015/07/how-safely-generate-random-strings-and-integers-in-php

SitePoint PHP Blog:
4 Best Chart Generation Options with PHP Components
Jun 26, 2015 @ 08:30:29

The SitePoint PHP blog has a new article posted sharing four of the best charting libraries they've seen for use in your PHP applications. Options include both server and client side tools, making finding one for your situation easier.

Data is everywhere around us, but it is boring to deal with raw data alone. That’s where visualization comes into the picture. [...] So, if you are dealing with data and are not already using some kind of charting component, there is a good chance that you are going to need one soon. That’s the reason I decided to make a list of libraries that will make the task of visualizing data easier for you.

He starts with a brief comparison of the server side versus client side options, pointing out some high level advantages and disadvantages of each. He then gets into each of the libraries, giving an overview, an output example and some sample code to get you started:

  • Google Charts (Client Side)
  • FusionCharts (Client Side)
  • pChart (Server Side)
  • ChartLogix PHP Graphs (Server Side)

He ends with a wrapup of the options and links to two other possibilities you could also evaluate to find the best fit.

tagged: chart generation option component top4 list example output code

Link: http://www.sitepoint.com/4-best-chart-generation-options-php-components/

SitePoint PHP Blog:
Effective PDF Generation in Drupal
Feb 03, 2015 @ 09:43:53

On the SitePoint PHP blog today there's a new post showing you how to create PDFs in a Drupal-based site making use of the Print module for the creation and formatting.

PDF generation takes a slight change of mindset. As web developers, we have spent a lot of time convincing designers from a print background to stop producing pixel perfect designs that will be difficult to reproduce on the web. If you want to introduce PDF generation or any form of high designed print output, then we need to relearn some of our old skills we left behind. The nature of print means that it is precise and often needs pixel (or millimeter) perfect design.

He'd initially thought that the Views PDF module would be the natural choice, but after finding some unwanted dependencies, opted for the Print module instead. The Print module only creates the formatted output, though. This is then passed off to wkhtmltopdf to convert into final PDF form. He walks you through the configuration for the Print module and how to create some of the basic HTML structure for the resulting output. Next up is the addition of some styling and the process for exporting the HTML output over to wkhtmltopdf for handling. Output samples are included to help illustrate the final result.

tagged: pdf generation drupal tutorial views print wkhtmltopdf convert

Link: http://www.sitepoint.com/effective-pdf-generation-drupal/

PHP.net:
PHP Next Generation
May 28, 2014 @ 09:14:05

On the main PHP.net site today there's an announcement posted about the work being done on the next generation of the PHP language, based on some recent discussions (and actual development work). The PHPNG branch boosts the performance of the language to new levels and cleans up some of the core APIs.

When we aren't looking for pictures of kittens on the internet, internals developers are nearly always looking for ways to improve PHP; a few developers have a focus on performance. Over the last year, some research into the possibility of introducing JIT compilation capabilities to PHP has been conducted. During this research, the realization was made that in order to achieve optimal performance from PHP, some internal API's should be changed. This necessitated the birth of the phpng branch, initially authored by Dmitry Stogov, Xinchen Hui, and Nikita Popov.

The post talks about the performance increase of these changes (an average of 20%) and the current progress made on the internal project. This is "only the start" of the work on this new functionality, so keep an eye on the PHP.net site for more upcoming details.

tagged: phpng next generation branch project performance

Link: http://www.php.net/archive/2014.php#id2014-05-27-1

Timoh's Blog:
Secure random numbers for PHP developers
Nov 06, 2013 @ 09:20:55

Timoh has posted a look at random number generation to his site, focusing on one of the many methods to produce truly random numbers: reading from /dev/(u)random (available on Unix-based systems).

How would you gather cryptographically secure random bytes in your PHP application? This is actually quite a good question. It used to be, and seems, it still is not that uncommon to just simply call mt_rand() function to get the job done creating user’s “initial password”, for example. A bit more experienced reader will notice there is a security bug. [...] But actually only a few [functions to get random values] can be recommended for security sensitive purposes. And now I’m not talking about openssl_random_pseudo_bytes().

He starts with a look at openssl_random_pseudo_bytes and why there might be something wrong with its use, mainly that OpenSSL has had its own share of security issues in the past. Of the two random device files he recommends /dev/urandom, as it does not block and is therefore more practical for web applications. He recommends the RandomCompat library if you need to take this random data and transform it into integers (with one caveat).

tagged: secure random number generation devurandom urandom openssl

Link: http://timoh6.github.io/2013/11/05/Secure-random-numbers-for-PHP-developers.html

Anthony Ferrara:
Preventing CSRF Attacks
Feb 20, 2013 @ 09:36:41

Anthony Ferrara has written up a new post to his site looking at effective use of CSRF tokens and a few different strategies for generating them.

There's been a bit of noise in the past week about the proper way to prevent Cross-Site-Request-Forgery (CSRF) attacks. It seemed to have started with this post. There's been discussion in the comments, and on Twitter about it, and there seems to be several opposing viewpoints on the matter. I want to start off by saying that I agree completely with the post in question. But I figured I'd write a post to explain WHY I agree with it.

He starts with an overview of a few of the common types of request forgery, including ones based on a JavaScript injection, a Man-in-the-Middle attack and a replay attack. He then breaks the "lines of defense" part of the post into three sections: adding a hidden token field to forms, changing the token for each request and using secure random numbers when regenerating them.

tagged: csrf attack prevention overview token generation tutorial

Link:

PHPMaster.com:
Simplifying Test Data Generation with Faker
Feb 19, 2013 @ 12:09:02

In a new post to PHPMaster.com today, Rakhitha Nimesh takes a look at Faker, a tool that can be used to generate random test case data as a part of your workflow.

Testing is an iterative part of the development process that we carry out to ensure the quality of our code. A large portion of this entails writing test cases and testing each unit of our application using random test data. Actual data for our application comes in when we release it to production, but during the development process we need fake data similar to real data for testing purposes. The popular open source library Faker provides us with the ability to generate different data suitable for a wide range of scenarios.

Faker uses built-in data providers like "Person", "Company", "DateTime" and "UserAgent" to give you randomized output from the data sets you define. Code is included showing how to create the provider in your objects, extending the correct provider and making a request for a property. A real-world example is also included about testing an email marketing engine for address, title, name and content. There's also a little bit added at the end showing how you can increase the randomness of the results returned by "seeding" the Faker engine.

tagged: test data generation faker library object provider tutorial

Link:

Kevin Schroeder:
Generating secure cross site request forgery tokens (csrf)
Feb 11, 2013 @ 11:23:10

In a new post to his site, Kevin Schroeder shares his take on generating more secure CSRF tokens for use in your site.

In researching the second edition for the IBM i Programmer’s Guide to PHP Jeff and I decided to include a chapter on security since we really didn’t talk much about it in the first edition. I’m talking about cross site request forgeries right now and I wanted to make sure that what I was going to suggest would not break the internet in some way. I did some Google searching to see what other people were recommending.

Most of the examples he saw used md5, uniqid and rand to create a randomized hash. He suggests an alternative: a method using the hash_hmac and openssl_random_pseudo_bytes functions to generate a sha256 hash for use in your page's submissions.

tagged: csrf token generation hmac openssl

Link:

MaltBlue.com:
Zend Form Mastery with Zend_Config - Part 2, Core Form Configuration
May 15, 2012 @ 11:04:01

In his previous post to the MaltBlue.com blog Matt introduced the concept of configuration-driven Zend_Form instances. He's back with a second part to the series, enhancing his original examples by covering some of the base-level form configuration settings.

Ok, this should have been part one, but irrespective, here’s the second installment in zend form mastery with zend config – core form configuration. As the W3c Form spec says, there are 8 attributes applicable to forms.

These attributes, including "action", "name" and "onsubmit", can all be set easily in the XML-based configuration file. He includes an example of the full XML file to show how they all fit together (updated from part 1). You can see an example of the output here and can grab the source for the example from github.

tagged: zendframework zendconfig zendform generation xml tutorial

Link:

NetTuts.com:
Easy Form Generation Using FuelPHP
Mar 14, 2012 @ 10:05:17

On the NetTuts.com site today there's a new tutorial from Sahan Lakshitha about creating forms in FuelPHP, the PHP 5.3-centric framework.

Thanks to FuelPHP’s fieldset class, working with forms couldn’t be easier. With a few lines of code, you can easily generate and validate a form. Today, we’re going to learn how to do just that!

He starts by guiding you through a simple install of the FuelPHP framework and configuring it to connect to a MySQL database. He shows how to set up a model, specify its properties and create a controller to handle the user interaction. Using the definitions in the model, FuelPHP can automatically generate a form, complete with default options and some validation on the fields (things like "required", "valid_url" and "max_length"). There's also code included showing how to edit existing posts and list out the complete set of posts.

tagged: form generation fuelphp tutorial fieldset framework

Link: