
Matthew Weier O'Phinney:
On PSR7 and HTTP Headers
Jul 29, 2015 @ 09:47:59

Matthew Weier O'Phinney has a new post to his site talking about PSR-7 and HTTP headers and how they (headers) are handled in the structure of this PHP-FIG specification.

Yesterday, a question tagged #psr7 on Twitter caught my eye: "When I call $request->getHeader('Accept') for example, I was expected that I'll get [an array] but, in reality I got [a string]. Is this correct?" In this post, I'll explain why the behavior observed is correct, as well as shed a light on a few details of header handling in PSR-7.

He talks about the planning that went into PSR-7 and how the spec had to accommodate some of the "flexibility" (quirks) of the HTTP specification, especially the fact that a header may be repeated across several lines of one message. He also walks through their thinking on multiple-header handling and on custom headers, whose values can use any separator the sender likes, so the spec cannot know how to split a value. Because of these two things, they decided to treat every header as a collection: one entry per header line received, with no attempt to split a value on the separators it may already contain. Some collections hold a single value while others hold several. Back to the question: this explains why the "Accept" header the asker wanted came back as a single entry still in its comma-separated form rather than split into the array they expected.
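The collection semantics described above, as an added example (this is not code from the post, nor from Zend Diactoros or any other PSR-7 implementation; it assumes PHP 7.4 or later). A minimal header bag stores one entry per header line, matches names case-insensitively, joins them for getHeaderLine(), and refuses values carrying CR/LF, which is the check that keeps a caller from splitting the message through the headers:

```php
<?php
declare(strict_types=1);

/**
 * Added example, not code from the post or from any PSR-7 implementation: a minimal
 * header collection with the PSR-7 semantics described above. Names are matched
 * case-insensitively, every header is a list of the values received (one per header
 * line), and a value is never split on the separators it may already contain.
 */
final class HeaderBag
{
    /** @var array<string, array{name: string, values: string[]}> keyed by lowercase name */
    private array $headers = [];

    /** @param string|string[] $value */
    public function withAddedHeader(string $name, $value): self
    {
        $values = array_map('strval', is_array($value) ? array_values($value) : [$value]);
        foreach ($values as $v) {
            // A CR or LF inside a value would let the caller inject a second header
            // (response splitting), so reject it outright, as PSR-7 implementations do.
            if (preg_match('/[\r\n]/', $v) === 1) {
                throw new InvalidArgumentException("Header '$name' contains a line break");
            }
        }
        $clone = clone $this;
        $key = strtolower($name);
        if (isset($clone->headers[$key])) {
            $clone->headers[$key]['values'] = array_merge($clone->headers[$key]['values'], $values);
        } else {
            $clone->headers[$key] = ['name' => $name, 'values' => $values];
        }
        return $clone;
    }

    public function hasHeader(string $name): bool
    {
        return isset($this->headers[strtolower($name)]);
    }

    /** PSR-7 getHeader(): always an array, one element per header line received. */
    public function getHeader(string $name): array
    {
        return $this->headers[strtolower($name)]['values'] ?? [];
    }

    /** PSR-7 getHeaderLine(): the values joined into one comma-separated string. */
    public function getHeaderLine(string $name): string
    {
        return implode(', ', $this->getHeader($name));
    }
}

// Constructed request headers: Accept arrives once, already comma-separated;
// X-Forwarded-For arrives twice, one line per proxy hop.
$bag = (new HeaderBag())
    ->withAddedHeader('Accept', 'text/html, application/json;q=0.9')
    ->withAddedHeader('X-Forwarded-For', '203.0.113.7')
    ->withAddedHeader('x-forwarded-for', '198.51.100.2');

$accept = $bag->getHeader('accept');            // one element: the whole comma-separated string
$hops   = $bag->getHeader('X-Forwarded-For');   // two elements, one per header line
$line   = $bag->getHeaderLine('X-Forwarded-For'); // the two joined with ", "

try {
    $bag->withAddedHeader('Location', "/ok\r\nSet-Cookie: x=1"); // rejected
} catch (InvalidArgumentException $e) {
    $rejected = $e->getMessage();
}
```

The asker's Accept value comes back as a one-element array because it was received as one header line; only a header that was sent on several lines yields several elements. Anything inside a single value, such as the media ranges of Accept, is left for a dedicated parser.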

The [...] example provides another good lesson: Complex values should have dedicated parsers. PSR-7 literally only deals with the low-level details of an HTTP message, and provides no interpretation of it. Some header values, such as the Accept header, require dedicated parsers to make sense of the value.
tagged: psr7 http header collection separator multiple single

Link: https://mwop.net/blog/2015-07-28-on-psr7-headers.html

Barry vd. Heuvel:
CSRF Protection in Laravel explained
Feb 23, 2015 @ 11:52:59

Barry vd. Heuvel has a recent post to his site explaining how the Laravel framework has implemented CSRF protection natively. CSRF is short for Cross-site request forgery and is a type of security vulnerability.

In this blog we take a closer look into CSRF protection in Laravel. We compare the difference between the CSRF filter in Laravel 4 and the current VerifyCsrfToken middleware in Laravel 5.

He starts with a quick look at why CSRF protection is needed and what a forged cross-site request can do with a victim's session. He shows how the CSRF protection was enabled through a route filter in Laravel 4 and how, in Laravel 5, the token comparison was updated to use hash_equals() to prevent timing attacks. He then gets into the details of the VerifyCsrfToken middleware and how it handles the protection for you (including detection and use of the X-CSRF-TOKEN header, which lets AJAX requests send the token without a form field).
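The check the middleware performs, written out in plain PHP as an added example (not Laravel's code; it assumes PHP 7 or later, a session passed in as an array, and the same token sources Laravel uses: a `_token` form field or the X-CSRF-TOKEN header). The point of interest is the comparison: hash_equals() runs in constant time, whereas `==` returns as soon as a byte differs and also type-juggles numeric-looking strings.

```php
<?php
declare(strict_types=1);

/** Issue a session token once, from a CSPRNG, and reuse it for the session's lifetime. */
function csrfToken(array &$session): string
{
    if (empty($session['_token']) || !is_string($session['_token'])) {
        $session['_token'] = bin2hex(random_bytes(20)); // 40 hex characters
    }
    return $session['_token'];
}

/** Token from the form field first, then from the X-CSRF-TOKEN header (AJAX clients). */
function tokenFromRequest(array $post, array $headers): ?string
{
    if (isset($post['_token']) && is_string($post['_token'])) {
        return $post['_token'];
    }
    foreach ($headers as $name => $value) {
        if (strcasecmp((string) $name, 'X-CSRF-TOKEN') === 0 && is_string($value)) {
            return $value;
        }
    }
    return null;
}

/** Safe methods are not state-changing and are not checked, matching the middleware. */
function isReadMethod(string $method): bool
{
    return in_array(strtoupper($method), ['GET', 'HEAD', 'OPTIONS'], true);
}

/**
 * True when the request may proceed. hash_equals() compares every byte regardless of
 * where the first mismatch is, so response timing leaks nothing about the token.
 * A plain == would stop at the first differing byte and would also treat
 * "1e3" == "1000" as true, since both look numeric.
 */
function verifyCsrf(string $method, array $post, array $headers, array $session): bool
{
    if (isReadMethod($method)) {
        return true;
    }
    $expected = $session['_token'] ?? null;
    $given = tokenFromRequest($post, $headers);
    if (!is_string($expected) || !is_string($given)) {
        return false;
    }
    return hash_equals($expected, $given);
}

// Constructed session and requests.
$session = [];
$token = csrfToken($session);

$formOk   = verifyCsrf('POST', ['_token' => $token], [], $session);            // form submit with token
$ajaxOk   = verifyCsrf('POST', [], ['X-CSRF-TOKEN' => $token], $session);      // header instead of field
$forged   = verifyCsrf('POST', ['_token' => 'attacker-guess'], [], $session);  // rejected
$noToken  = verifyCsrf('POST', [], [], $session);                              // rejected
$safeGet  = verifyCsrf('GET', [], [], $session);                               // not checked
```

hash_equals() takes the known value as its first argument and the user-supplied one second; keeping that order means a non-string or shorter input returns false without revealing the expected length through an error path.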

tagged: csrf protection laravel laravel5 middleware xcsrftoken header

Link: http://barryvdh.nl/laravel/2015/02/21/csrf-protection-in-laravel-explained/

Qandidate.com Blog:
Using the Accept Header to version your API
Oct 20, 2014 @ 12:56:46

On the Qandidate.com blog today there's a new tutorial talking about the use of the Accept header in REST HTTP requests and, more specifically, working with it in a Symfony-based application.

I investigated different ways to version a REST API. Most of the sources I found, pretty much all said the same thing. To version any resource on the internet, you should not change the URL. The web isn't versioned, and changing the URL would tell a client there is more than 1 resource. [...] Another thing, and probably even more important, you should always try to make sure your changes are backwards compatible. That would mean there is a lot of thinking involved before the actual API is built, but it can also save you from a big, very big headache. [...] Of course there are always occasions where BC breaks are essential in order to move forward. In this case versioning becomes important. The method that I found, which appears to be the most logical, is by requesting a specific API version using the Accept header.

He shows how to create a "match request" method in his custom Router that makes use of the AcceptHeader handling to grab the header data and parse it down into the type and API version requested. He also includes an example of doing something similar in the Symfony configuration file but hard-coding the condition for the API version by endpoint.
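An added example, not the Qandidate router code and not Symfony's AcceptHeader class, that does the two things the post leans on: parse the Accept header into ordered media ranges, then read an API version out of a vendor media type such as application/vnd.example.v2+json (the vendor name "example", the default version and the format list are assumptions). It also serves the earlier PSR-7 entry's point that complex header values need a dedicated parser, so a small content-negotiation routine is included. Assumes PHP 7.4 or later.

```php
<?php
declare(strict_types=1);

/**
 * Parse an Accept header into media ranges, most preferred first.
 * Each entry: ['type' => ..., 'subtype' => ..., 'q' => float, 'params' => [...]].
 * Ordered by q descending, then by the order the client wrote them.
 */
function parseAccept(string $header): array
{
    $ranges = [];
    foreach (explode(',', $header) as $pos => $chunk) {
        $parts = array_map('trim', explode(';', $chunk));
        $mediaType = strtolower(array_shift($parts));
        if (!preg_match('{^([^\s/;,]+)/([^\s/;,]+)$}', $mediaType, $m)) {
            continue; // malformed range: skip it rather than guess what was meant
        }
        $q = 1.0;
        $params = [];
        foreach ($parts as $p) {
            if (strpos($p, '=') === false) {
                continue;
            }
            [$k, $v] = explode('=', $p, 2);
            $k = strtolower(trim($k));
            $v = trim($v, " \t\"");
            if ($k === 'q') {
                // Non-numeric or out-of-range q is treated as 0, i.e. "not acceptable".
                $q = is_numeric($v) ? max(0.0, min(1.0, (float) $v)) : 0.0;
            } else {
                $params[$k] = $v;
            }
        }
        $ranges[] = ['type' => $m[1], 'subtype' => $m[2], 'q' => $q, 'params' => $params, 'pos' => $pos];
    }
    usort($ranges, static fn(array $a, array $b): int => [$b['q'], $a['pos']] <=> [$a['q'], $b['pos']]);
    return $ranges;
}

/**
 * The post's versioning scheme: the client names the version inside a vendor media
 * type, e.g. Accept: application/vnd.example.v2+json. Returns the first acceptable
 * versioned type in order of preference, or the assumed default.
 */
function apiVersionFromAccept(string $header, string $vendor = 'example', int $default = 1): array
{
    $pattern = '/^vnd\.' . preg_quote($vendor, '/') . '\.v(\d+)\+(json|xml)$/';
    foreach (parseAccept($header) as $r) {
        if ($r['q'] > 0.0 && $r['type'] === 'application' && preg_match($pattern, $r['subtype'], $m)) {
            return ['version' => (int) $m[1], 'format' => $m[2]];
        }
    }
    return ['version' => $default, 'format' => 'json'];
}

/** q the client assigns to one concrete type: that of the most specific matching range (RFC 7231 5.3.2). */
function qualityFor(array $ranges, string $mediaType): float
{
    [$t, $s] = explode('/', strtolower($mediaType), 2);
    $best = 0.0;
    $bestSpecificity = -1;
    foreach ($ranges as $r) {
        if (($r['type'] !== '*' && $r['type'] !== $t) || ($r['subtype'] !== '*' && $r['subtype'] !== $s)) {
            continue;
        }
        $specificity = ($r['type'] !== '*' ? 1 : 0) + ($r['subtype'] !== '*' ? 1 : 0);
        if ($specificity > $bestSpecificity) {
            $bestSpecificity = $specificity;
            $best = $r['q'];
        }
    }
    return $best;
}

/** Content negotiation: the offered type the client rates highest, or null (respond 406). */
function negotiate(string $header, array $offered): ?string
{
    if (trim($header) === '') {
        return $offered[0] ?? null; // no Accept header means anything is acceptable
    }
    $ranges = parseAccept($header);
    $bestType = null;
    $bestQ = 0.0;
    foreach ($offered as $o) { // server order breaks ties, so list the preferred type first
        $q = qualityFor($ranges, $o);
        if ($q > $bestQ) {
            $bestQ = $q;
            $bestType = $o;
        }
    }
    return $bestType;
}

// Constructed header values.
$accept  = 'application/vnd.example.v2+json;q=0.9, application/json;q=0.5, text/html';
$version = apiVersionFromAccept($accept);                         // the versioned vendor type
$best    = negotiate($accept, ['application/json', 'text/html']); // highest q among the offered types
$none    = negotiate('application/xml', ['application/json']);    // nothing acceptable
```

Two details matter for a router: an explicit q=0 must be honoured as "not this type" even when a wildcard would otherwise match it, which is why qualityFor() uses the most specific range rather than the first match, and a malformed range is dropped rather than guessed at, so a garbage Accept header cannot steer the version selection.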

tagged: accept header rest api versioning symfony tutorial

Link: http://labs.qandidate.com/blog/2014/10/16/using-the-accept-header-to-version-your-api/

Jason Fox:
Use the Accept Header to Set Your Return Data With Zend Framework 2
Feb 22, 2013 @ 11:42:35

Jason Fox has a recent post to his site about using "Accept" headers in Zend Framework 2 apps to set the format of the return data from a request.

In this article I detail the process by which you can set up your controller actions in Zend Framework 2 to return either the default HTML, or JSON data depending on the “Accept Header” in the request. It incorporates changes related to a security update added since this very helpful article was written, and expands on some of the intricacies of making your web layer objects better “json providers.”

His example uses the ViewJsonStrategy and the criterion it checks to decide which representation to respond with (HTML or JSON): the Accept header. It uses the Zend Framework JSON encoder/decoder instead of PHP's built-in json_encode() so he could rely on the included "toJson" method to customize the JSON output instead of just serializing every property of the object.

tagged: accept http header zendframework2 tutorial json

Link:

PHPMaster.com:
REST - Can You do More than Spell It? Part 4
May 21, 2012 @ 08:44:26

PHPMaster.com has posted the latest tutorial in their series covering RESTful APIs, part four of "REST - Can You do More than Spell It?" In this part of the series, the focus is on something central to RESTful services: the HTTP specification (and its headers).

We're getting close to the end now, and the only thing remaining is to discuss a little more about the protocol you'll most likely use in any RESTful application that you write. Because HTTP is so often used with REST, that's the protocol I'd like to focus on.

He goes through the structure of a raw HTTP message and talks about some of the more common headers and what each represents. He includes examples of setting response headers (with header(), naturally) and a curl example showing how to set request headers. The tutorial finishes with a brief mention of custom HTTP headers and the good and bad that come with them.

tagged: rest api tutorial series http spec protocol status header

Link:

Phil Sturgeon's Blog:
Hijacking Headers to Force Downloads
Mar 29, 2012 @ 11:29:28

Phil Sturgeon shows how you can hijack headers in his latest post to force a download to the client (even on a hosted service like PagodaBox).

The question [I posed on Twitter] was: "How to force a download of any file of any type, not on your server, without Apache tweaking? Images are displaying and need em to download." Essentially, I wanted to be able to link to a file that was not on the server in question and anywhere in the world, which could be of any size, any media type and could be potentially very high traffic.

Answers varied from using readfile() to just letting the browser handle it. None of the responses were quite right until he came across one that recommended some settings in an .htaccess file. It uses
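For the cases where the file does live on your own server, the header side of forcing a download is short, but the filename and path usually come from the request, and both need checking. Added example, not from the post (assumes PHP 7.1 or later; the root directory and file names are constructed): a Content-Disposition builder that strips CR/LF and quotes so a user-supplied name cannot inject a header, with an RFC 5987 filename* for non-ASCII names, and a sender that confines the path to one directory.

```php
<?php
declare(strict_types=1);

/**
 * Content-Disposition value that a user-supplied name cannot abuse: control characters
 * and quotes are removed (they would end the header or the quoted string), an ASCII
 * fallback is always present, and non-ASCII names get an RFC 5987 filename* parameter.
 */
function contentDisposition(string $filename): string
{
    $filename = basename(str_replace(["\r", "\n", "\0", '"'], '', $filename));
    $ascii = preg_replace('/[^A-Za-z0-9._-]+/', '_', $filename);
    if ($ascii === null || $ascii === '' || $ascii === '.' || $ascii === '..') {
        $ascii = 'download';
    }
    $value = 'attachment; filename="' . $ascii . '"';
    if ($ascii !== $filename) {
        $value .= "; filename*=UTF-8''" . rawurlencode($filename);
    }
    return $value;
}

/**
 * Stream one file below $root as a download. realpath() resolves any "../" in the
 * request path, so a traversal attempt fails the prefix check before any header is sent.
 * Returns the HTTP status used, so the decision can be tested without output.
 */
function sendDownload(string $root, string $relativePath, string $downloadName): int
{
    $root = realpath($root);
    $path = $root === false ? false : realpath($root . DIRECTORY_SEPARATOR . $relativePath);
    if ($root === false || $path === false || !is_file($path)
        || strpos($path, rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR) !== 0) {
        http_response_code(404);
        return 404;
    }
    header('Content-Type: application/octet-stream');  // generic type: never rendered inline
    header('X-Content-Type-Options: nosniff');         // and never sniffed into something else
    header('Content-Disposition: ' . contentDisposition($downloadName));
    header('Content-Length: ' . (string) filesize($path));
    $fh = fopen($path, 'rb');
    if ($fh === false) {
        http_response_code(500);
        return 500;
    }
    fpassthru($fh);
    fclose($fh);
    return 200;
}

// Constructed values: the request asked for ../../etc/passwd with a header-injecting name.
$disposition = contentDisposition("report.pdf\r\nSet-Cookie: x=1"); // line break stripped
$status = sendDownload('/var/www/files', '../../etc/passwd', 'report.pdf'); // 404, never served
```

Content-Disposition with a user-chosen name is one of the places header injection still shows up in PHP applications that pre-date, or bypass, the newline check in header(), so the value is cleaned before it gets anywhere near the header call.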

tagged: file download force header question htaccess

Link:

DashExamples.com:
Add a Content Security Policy(CSP) to your Web Site with PHP
Aug 25, 2011 @ 13:11:36

Related to this other post about content security policies in PHP sites, DashExamples.com has a quick new post about what you'll need to add to your application to implement a policy of your own.

Content Security Policy(CSP) is a mechanism in the browser that restricts what content will be requested and run by the browser. CSP does this by passing in a specific response header that tells the browser what resources (images, javascript, css, frames, etc) can be requested and accepted to execute. There are multiple ways to setup CSP for your web site, you can use your web server configuration like I showed in a previous example or use a dynamic scripting language like PHP.

What it really boils down to is setting a header, either X-Content-Security-Policy or X-Content-Security-Policy-Report-Only, to tell the browser what security policy to use and whether to enforce it or only report violations. (Those X- prefixed names are the pre-standard ones Firefox used at the time; the standardized header is Content-Security-Policy, with Content-Security-Policy-Report-Only as its report-only form, and that is what current browsers honour.) You can find out more about content security policies from this page on the Mozilla wiki. CSPs allow you to define which sources your site's content may be loaded from and help to prevent issues like XSS and data injection.
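Sending the policy from PHP, as an added example that is not the DashExamples code (assumes PHP 7 or later; the CDN host and report endpoint are placeholders). The policy is built from an array so that directive names and source expressions can be checked: a ';' or line break inside a source would terminate the directive or the header early, which is a policy injection if any part of the policy is ever derived from data. The header name is a parameter, so the pre-standard X-Content-Security-Policy name from the post can be passed if you still need it.

```php
<?php
declare(strict_types=1);

/** Serialize a directive map into a CSP header value, refusing anything that could break the syntax. */
function buildCsp(array $directives): string
{
    $parts = [];
    foreach ($directives as $name => $sources) {
        if (!preg_match('/^[a-z][a-z-]*$/', (string) $name)) {
            throw new InvalidArgumentException("Bad CSP directive name: $name");
        }
        $clean = [];
        foreach ((array) $sources as $src) {
            $src = (string) $src;
            // ';' ends a directive, CR/LF ends the header, whitespace separates sources.
            if ($src === '' || preg_match('/[;\r\n\s]/', $src)) {
                throw new InvalidArgumentException("Bad CSP source in $name: $src");
            }
            $clean[] = $src;
        }
        $parts[] = trim($name . ' ' . implode(' ', $clean));
    }
    return implode('; ', $parts);
}

/**
 * Send the policy. $reportOnly selects the -Report-Only variant, which logs violations
 * to report-uri without blocking; use it first, then enforce. Returns the value sent.
 */
function sendCsp(array $directives, bool $reportOnly = false, string $headerName = 'Content-Security-Policy'): string
{
    $value = buildCsp($directives);
    header(($reportOnly ? $headerName . '-Report-Only' : $headerName) . ': ' . $value);
    return $value;
}

// A fresh nonce per response lets one specific inline <script nonce="..."> run
// while 'unsafe-inline' stays off. Emit the same value in the script tag.
$nonce = base64_encode(random_bytes(16));

$policy = [
    'default-src'     => "'self'",
    'script-src'      => ["'self'", "'nonce-$nonce'", 'https://cdn.example.com'], // host is assumed
    'style-src'       => "'self'",
    'img-src'         => ["'self'", 'data:'],
    'frame-ancestors' => "'none'",
    'report-uri'      => '/csp-report',                                           // endpoint is assumed
];

$sent = sendCsp($policy, true); // report-only while the policy is being tuned

try {
    buildCsp(['script-src' => "'self'; default-src *"]); // injection attempt, rejected
} catch (InvalidArgumentException $e) {
    $rejected = $e->getMessage();
}
```

The header must go out before any output, so the call belongs in a front controller or bootstrap rather than in a template; a policy that is only partly applied is easy to miss because the browser reports nothing when no header arrives.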

tagged: content security policy tutorial header

Link:

DreamInCode.com:
Preventing PHP Mail(...) Header Injections
Apr 22, 2011 @ 11:06:23

On the Dream In Code forums there's a recent post showing you how to prevent mail() header injections when taking user input, like from a form.

PHP's mail() function is a very useful and powerful function, even to the point that it is very easy to exploit. A way hackers exploit this function is a method called email header injection. [...] I'm sure most of you can already tell that's not going to be pretty since we didn't check the user input and so forth. PHP provides us with functions such as filter_var which will validate user input and either return false if the validation fails or return the filtered data.

He includes an example of using these filtering functions to check the user input for malicious content: validating that the "to" address is a valid email (FILTER_VALIDATE_EMAIL) and a sanitize() method that removes things like newlines, carriage returns and a few other characters that would otherwise let an attacker append headers of their own (a Bcc line, for instance).
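The attack and the defence side by side, as an added example that is not the forum poster's code (assumes PHP 7 or later; the form inputs and addresses are constructed). The injected field below carries a CRLF followed by "Bcc:", which an unchecked mail() call would pass to the MTA as an extra header. Addresses go through FILTER_VALIDATE_EMAIL, which cannot pass a value containing a line break; free-text header fields are rejected rather than silently cleaned, so the attempt is visible in the log.

```php
<?php
declare(strict_types=1);

/** Return a validated address or throw. A valid RFC 5322 address cannot contain CR/LF. */
function validateEmail(string $value): string
{
    $email = filter_var(trim($value), FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        throw new InvalidArgumentException('Invalid email address');
    }
    return $email;
}

/** A single-line header value: no CR, LF or NUL, and a sane length. */
function headerText(string $value, int $maxLen = 200): string
{
    $value = trim($value);
    if ($value === '' || strlen($value) > $maxLen || preg_match('/[\r\n\x00]/', $value)) {
        throw new InvalidArgumentException('Header value is empty, too long, or contains a line break');
    }
    return $value;
}

/**
 * Assemble the mail() arguments from a contact form. $to is fixed by the application,
 * never taken from the form; only the reply address and subject come from the user.
 */
function buildMail(array $form, string $to): array
{
    $from    = validateEmail((string) ($form['email'] ?? ''));
    $subject = headerText((string) ($form['subject'] ?? ''));
    // The body may contain line breaks; normalise them so they cannot be mistaken
    // for a header/body boundary by a mailer that treats "\r\n\r\n" specially.
    $body = str_replace(["\r\n", "\r"], "\n", (string) ($form['message'] ?? ''));

    $headers = [
        'From: ' . $from,
        'Reply-To: ' . $from,
        'Content-Type: text/plain; charset=UTF-8',
    ];
    return [
        'to'      => validateEmail($to),
        'subject' => $subject,
        'body'    => $body,
        'headers' => implode("\r\n", $headers),
    ];
}

// Constructed inputs: a benign submission and an injection attempt.
$good = ['email' => 'alice@example.com', 'subject' => 'Hello', 'message' => "Hi there\r\nCheers"];
$evil = ['email' => "alice@example.com\r\nBcc: spam-target@example.net", 'subject' => 'Hello', 'message' => 'x'];

$m = buildMail($good, 'contact@example.com');
// mail($m['to'], $m['subject'], $m['body'], $m['headers']);  // send only once validation passed

try {
    buildMail($evil, 'contact@example.com');
} catch (InvalidArgumentException $e) {
    error_log('mail header injection attempt rejected: ' . $e->getMessage());
}
```

Keeping the recipient fixed in code closes the other common abuse of contact forms, where the "to" field is a hidden input that an attacker simply edits.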

tagged: prevent mail header injection tutorial filtervar sanitize

Link:

Artur Ejsmont's Blog:
HTTP response splitting and mail headers splitting attacks
Nov 15, 2010 @ 10:57:16

In a recent post to his blog Artur Ejsmont looks at an attack that could leave your PHP-based application open to cross-site scripting (XSS) and other injection: HTTP response splitting (and its mail header counterpart).

There are two similar security issues both taken care of by Suhosin patch and strict escaping/encoding rules. They both relate to injecting new lines into headers of network protocols. They are not very well known and i think its worth mentioning it. HTTP response splitting is a web based attack where hacker manages to trick the server into injecting new lines into response headers along with arbitrary code. If you use GET/POST parameters in the headers like cookie or location, then someone could provide new lines with XSS attack.

He gives examples of how the attack works when values from superglobals like $_GET are passed straight to the header() function (for instance a redirect target or cookie value taken from the URL): the attacker puts a newline into the value and, after it, any header or body content they like. To prevent the attack, you have to ensure that no CR/LF characters make it into headers or cookies. He also mentions that the Suhosin patch takes care of the issue automatically; note that stock PHP's header() has refused values containing a newline since 5.1.2, which covers that function but not headers you assemble by hand for mail() or write to a socket yourself.
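What the split looks like on the wire and how to stop it, as an added example rather than the post's own code (assumes PHP 7 or later; the ?next= value is a constructed payload). rawResponse() renders the headers as bytes so the injected Set-Cookie line and body are visible; the hardened version rejects control characters and, because the same parameter is also a classic open-redirect sink, only accepts a local path.

```php
<?php
declare(strict_types=1);

/** Render a 302 response as raw bytes, to show where a split lands. */
function rawResponse(array $headers, string $body = ''): string
{
    return "HTTP/1.1 302 Found\r\n" . implode("\r\n", $headers) . "\r\n\r\n" . $body;
}

/** VULNERABLE on purpose: the request value goes straight into Location. */
function vulnerableRedirectHeaders(string $next): array
{
    return ['Location: ' . $next];
}

/**
 * Hardened: any control character (CR and LF included) or anything that is not a
 * same-site path falls back to a fixed target. Returns the headers plus whether the
 * input was rejected, so callers can log the attempt.
 */
function safeRedirectHeaders(string $next, string $fallback = '/'): array
{
    $rejected = preg_match('/[\x00-\x1F\x7F]/', $next) === 1          // CR, LF, other controls
        || preg_match('~^/(?!/)[^\s?#]*(\?[^\s#]*)?$~', $next) !== 1;   // "/path?query", not "//evil"
    return [
        'headers'  => ['Location: ' . ($rejected ? $fallback : $next)],
        'rejected' => $rejected,
    ];
}

// Constructed attack value, as it arrives already URL-decoded from ?next=
$payload = "/ok\r\nSet-Cookie: session=attacker\r\n\r\n<script>alert(1)</script>";

// The vulnerable path yields a response whose second line is an attacker-chosen
// Set-Cookie header and whose body is the attacker's script.
$split = rawResponse(vulnerableRedirectHeaders($payload));

// The hardened path never lets the payload reach the header.
$checked = safeRedirectHeaders($payload);
$safe = rawResponse($checked['headers']);
if ($checked['rejected']) {
    error_log('response splitting / open redirect attempt blocked');
}

// An external redirect target, also refused by the path rule.
$external = safeRedirectHeaders('//evil.example/login');
```

The same validation applies to Set-Cookie values built by hand and to any header written to a raw socket, which is where the post's second case, mail header splitting, comes from: the line-break check has to sit in your code, not only in header().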

tagged: http response header split example attack

Link:

Lorna Mitchell's Blog:
Missing pcre.h when installing pecl_oauth
Sep 27, 2010 @ 12:58:50

If you've ever come up against an error when trying to compile the pecl_oauth package (from the PECL repository), you might take a look at this new post from Lorna Mitchell on how she solved the issue and got the compile running smoothly again.

When I tried to install from PECL, it grabbed the files, ran the configure step but stopped with an error status during make. [...] Closer inspection showed this line around the point things started to go wrong: Error [...] pcre.h: No such file or directory. I didn't have the header files for pcre installed - in ubuntu the headers are in the -dev packages.

A quick call to "aptitude" to grab and install those development libraries and she was back up and running. She's running Ubuntu, but this tip is cross-distribution - you'll just have to use the package manager (and package name) of your distribution's choice.

tagged: pecloauth install compile pecl oauth pcre header

Link: