
Paragon Initiative:
How to Safely Generate Random Strings and Integers in PHP
Jul 08, 2015 @ 12:49:51

The Paragon Initiative blog has posted a guide to what they see as a way to safely generate random strings and integers in PHP applications.

Generating useful random data is a fairly common task for a developer to implement, but also one that developers rarely get right. [...] It's generally not okay to use a weak random number generator unless both of the following two conditions are met: the security of your application does not depend in any way on the value you generate being unpredictable or there is no requirement for each value to be unique (up to a reasonable probability).

He gives some examples of places where it's a must to use a "cryptographically secure pseudo-random number generator" including generating random passwords, encryption keys or IVs for data in CBC mode. The article goes on to talk about some of the problems that could come from using weak generators. It then gets into the process for generating random values and the use of the random_* functions in PHP (or using this polyfill) to more safely generate the numbers. Included is code showing the process and some advice around converting random bytes to both strings and integers.

tagged: safe generation random string integer php7 randomcompat security

Link: https://paragonie.com/blog/2015/07/how-safely-generate-random-strings-and-integers-in-php

SitePoint PHP Blog:
How to Create a Unique 64bit Integer from String
Aug 14, 2014 @ 12:55:33

In the latest post to the SitePoint PHP blog, Vova Feldman shows how to turn a hash of a string into a 64-bit integer that is unique to that string.

PHP provides the popular md5() hash function out of the box, which returns a 32 hex character string. It’s a great way to generate a fingerprint for any arbitrary length string. But what if you need to generate an integer fingerprint out of a URL?

He describes the real-world situation he was facing - a rating widget that needed a unique integer derived from the page using it - and the two "sub-challenges" that make it up: URL canonicalization and mapping the string to a unique 64-bit integer. He tackles each problem and shares code snippets showing the process and how it can be put to use. He also includes some interesting metrics at the end of the post showing the rate of hash collisions (hint: it's very low).

tagged: unique integer string 64bit tutorial md5 hash

Link: http://www.sitepoint.com/create-unique-64bit-integer-string/

Lorna Mitchell's Blog:
PHP Returning Numeric Values in JSON
Jul 12, 2011 @ 08:41:39

Lorna Mitchell has a quick reminder about an issue in the new joind.in API version - everything was being returned as strings, even integers.

A few weeks later (my inbox is a black hole and it takes a while to process these things) I fell over a throwaway comment to an undocumented constant JSON_NUMERIC_CHECK, and I added the constant name to my todo list. In the time it took for me to actually get around to googling for this, some wonderful person updated the PHP manual page (this is why I love PHP) to include it as a documented option, and someone else had added a user contributed note about using it.

This option, JSON_NUMERIC_CHECK, tells the json_encode function to properly encode numeric strings as numbers. It applies to every value in the structure being encoded, so if there's a case where you don't want a numeric-looking string turned into a number, you may need to go with another, more flexible JSON encoding option. You can find information about this and the other options json_encode accepts on its manual page.

tagged: jsonencode numeric integer string return encode jsonnumericcheck

Link:

XPertDeveloper.com:
Is Your PHP Application Affected by the Y2K38?
May 16, 2011 @ 09:22:18

On the XpertDeveloper.com site there's a post reminding you of a date that could cause all sorts of problems for your PHP application - the effects of the Y2K38 bug.

Y2K38, or the Unix Millennium Bug, affects PHP and many other languages and systems which use a signed 32-bit integer to signify dates as the number of seconds since 00:00:00 UTC on 1 January 1970. The furthest date which can be stored is 03:14:07 UTC on 19 January 2038. Beyond that, the left-most bit is set and the integer becomes a negative decimal number or a time prior to the epoch.

If you're worried about your application's date and time handling, there's a pretty simple fix - replace your current handling with the DateTime functionality, which handles dates beyond 2038 correctly.

tagged: application y2k38 bug datetime integer date

Link:

SitePoint PHP Blog:
Is Your PHP Application Affected by the Y2K38 Bug?
Aug 24, 2010 @ 10:12:23

On the SitePoint PHP blog today they pose a question to all PHP developers out there - is your application affected by the Y2K38 bug?

I don't want to be too alarmist, but try running the [given] PHP code on your system. [...] With luck, you'll see "Wednesday 1 February 2040 00:00" displayed in your browser. If you're seeing a date in the late 60's or early 70's, your PHP application may be at risk from the Y2K38 bug!

The bug comes from the 32-bit signed integer used for timestamps on 32-bit systems, so running the application on a 64-bit platform avoids it (the integer is large enough there), but there is another option - the DateTime class, which handles dates and times without relying on that integer timestamp.

tagged: y2k38 bug datetime integer 32bit 64bit

Link:

Brian Moon's Blog:
Short Array Syntax for PHP
May 29, 2008 @ 11:13:00

There's been some talk floating around about a proposed additional syntax for creating arrays in PHP. Brian Moon sums it up nicely in a new post to his blog.

So, I was asked in IRC today about the proposed short array syntax for PHP. For those that don't know, I mean the same syntax that other languages (javascript, perl, python, ruby) all have. [...] It just feels like a good addition to the language. It is common among web languages and therefore users coming into PHP from other languages may find it more comfortable.

He compares it with other data type creation in PHP (you don't call int() to make an integer, so why call array() to make an array). However, according to a post from the internals mailing list, we might not be seeing this any time soon.

tagged: short syntax array function integer string language construct

Link:

Job Posting:
The Integer Group Seeks Web Developer (Lakewood, CO)
Feb 18, 2008 @ 16:22:50

Company The Integer Group
Location Lakewood, Colorado
Title Web Developer
Summary

At The Integer Group, we've created an environment based on the beliefs that there are no challenges that can’t be met, no problems that can’t be solved, and no conventions that can’t be broken. Our drive and determination create energy – electricity that courses through every brainstorming session and into every project and that manifests itself not only in the work we produce but in our surroundings.

Creating groundbreaking work that drives sales and wins awards is what we strive for on every project, for every brand and every client. We’ve produced great work for some of the biggest brands in the world and for some that you’ve probably never heard of. But no matter the size of the client, they always know what to expect from our agency: innovative thinking, big ideas, and an all-consuming passion. For the business. For the brands. For the future.

What can you bring to Integer?

We are currently seeking a Web Developer in our Lakewood, Colorado agency. This position works directly with the IT Manager on continuing development, customization, and maintenance of the company Intranet. Duties include developing internal applications using PHP programming language; administer database structures of MySQL backend databases, perform special programming and database projects as requested and provide assistance with integrating our Intranet with our other systems.

Qualified candidates will have:

  • Minimum 3-5 years PHP development and web programming language
  • Minimum 3-5 years MySQL and SQL experience and administration
  • Experienced in HTML, XML, and UNIX.
  • Prefer experience in JavaScript, AJAX, CSS PHP5, and Mambo
  • Strong written and verbal communication skills
  • Attention to detail including ability to work with numbers
  • Ability to handle changing priorities in a deadline driven environment
  • Ability to manage multiple projects
  • Strong communications skills and the ability to explain corrective procedures to non-technical users
  • Practical problem solving and troubleshooting skills
  • Ability to work overtime with little advanced notice

Interested? Please apply online at jobs.integer.com.

Still not convinced? Feel free to explore our website at www.integer.com

The Integer Group is one of the nation's leading promotional advertising and marketing agencies. Founded in 1993, the agency has offices in Denver, Dallas, and Des Moines and a network of field offices from coast to coast. The Integer Group is part of Omnicom Group, Inc., a leading global-marketing and corporate-communications company. Omnicom’s branded networks and numerous specialty firms provide advertising, strategic media planning and buying, direct mail, promotional marketing, public relations, and other specialty communication services to more than 5,000 clients in over 100 countries.

The Integer Group Denver was named 8th best Medium-sized company to work for in the USA in 2007 by the Great Place to Work Institute Inc. For more information on Great Place to Work, check out: www.greatplacetowork.com

Link More Information
tagged: job post integer group lakewood co developer

Link:

Secunia.com:
PHP Integer Overflow Vulnerability and Security Bypass
Jun 01, 2007 @ 11:33:00

Secunia has released an advisory for PHP today about an integer overflow issue that could allow an application's security restrictions to be bypassed.

A weakness and a vulnerability have been reported in PHP 5, where the vulnerability has unknown impact and the weakness can be exploited by malicious, local users to bypass certain security restrictions.

The problems lie in the chunk_split and realpath functions and can lead to a bypass of the open_basedir restriction on a server.

The issue is marked as "moderately critical" and it is suggested that users update to PHP 5.2.3 to correct the issue.

tagged: integer overflow vulnerability security bypass openbasedir

Link:

MySQL Performance Blog:
Integers in PHP, running with scissors, and portability
Mar 29, 2007 @ 09:30:00

According to this new post on the MySQL Performance Blog, PHP has a bit of an issue when it comes to working with integers.

Until recently I thought that currently popular scripting languages, which mostly evolved over last 10 years or something, must allow for easier portability across different platforms compared to ye good olde C/C++.

However, PHP just brought me a new definition of "portable" - and that was when working with... integers.

He points out that PHP isn't able to correctly handle unsigned integers ("and converts values over 2^31 to signed"). He goes on to talk about how this differs between platforms too (32 vs 64 bit) and some of the research he did to find out just what was going on (including some code examples to illustrate the point).

tagged: integer portability unsigned convert research example

Link: