News Feed
Sections




News Archive
feed this:

Looking for more information on how to do PHP the right way? Check out PHP: The Right Way

Kevin Schroeder:
Generating secure cross site request forgery tokens (csrf)
February 11, 2013 @ 11:23:10

In this new post to his site Kevin Schroeder has a new post with his take on generating more secure CSRF tokens for use in your site.

In researching the second edition for the IBM i Programmer's Guide to PHP Jeff and I decided to include a chapter on security since we really didn't talk much about it in the first edition. I'm talking about cross site request forgeries right now and I wanted to make sure that what I was going to suggest would not break the internet in some way. I did some Google searching to see what other people were recommending.

Most of the examples he saw used md5, uniqid and rand to create a randomized hash. He suggests an alternative - a method using the hash_hmac and openssl_random_pseudo_bytes methods to generate a sha256 hash for use in your page's submissions.

0 comments voice your opinion now!
csrf token generation hmac openssl


Abhinav Singh's Blog:
How to add content verification using hmac in PHP
December 08, 2009 @ 10:39:24

If you've ever wants an easy "drop in" kind of solution for helping to protect a portion of your site, you should check out this new post from Abhinav Singh about using the has_hmac functionality to do just that.

Many times a requirement arises where we are supposed to expose an API for intended users, who can use these API endpoints to GET/POST data on our servers. But how do we verify that only the intended users are using these API's and not any hacker or attacker. In this blog post, I will show you the most elegant way of adding content verification using hash_hmac (Hash-based Message Authentication Code) in PHP. This will allow us to restrict possible misuse of our API by simply issuing an API key for intended users.

You set up a private and public key for each of the users wanting to connect to the resource. They can then use the hmac functionality to set those over to the requesting page as a part of the message (GET/POST) where the public key is used to check the validity of the request and either allow or deny it.

0 comments voice your opinion now!
content verification hmac hash tutorial


DevX.com:
A Guide to Cryptography in PHP
May 06, 2008 @ 13:47:22

The DevX.com site has posted an introductory guide to using cryptography in PHP, showing how to use the various packages the language has to offer.

Cryptography is just one piece of the security puzzle, along with SSL/TLS, certificates, digital signatures, and so on. This article explains how to use PHP to implement the most common cryptographic algorithms. In addition to describing PHP's default encryption functions, you'll see how to use a wide variety of cryptographic libraries and packages.

They start with a look at some of the built-in functions like md5, sh1 and crypt as well as a table detailing the different encryption methods (like mcrypt, mhash or crypt_blowfish). They follow this up with examples of some of them including a method for making secret keys with the Crypt_DiffieHellman PEAR Package.

0 comments voice your opinion now!
cryptography mcrypt mhash blowfish rsa hmac diffiehellman



Community Events





Don't see your event here?
Let us know!


deployment opinion install language framework laravel tips package list voicesoftheelephpant release bugfix podcast api symfony library introduction community series interview

All content copyright, 2014 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework