Pádraic Brady has a new post to his site about "randomness" in PHP and how, depending on the method used, you might not be as random as you think.

The Zend Framework team recently released versions 2.0.8 and 2.1.4 to address a number of potential security issues including advisory ZF2013-02 "Potential Information Disclosure and Insufficient Entropy vulnerabilities in ZendMathRand and ZendValidateCsrf Components". Quite the mouthful! In short, Zend Framework used the mt_rand() function to generate random numbers in situations where neither openssl_pseudo_random_bytes() nor mcrypt_create_iv() were available. This is possible when the openssl and mcrypt extensions are not installed/compiled with PHP.

He talks some about the mt_rand function and how it generates its "random numbers" (designed for speed, not ultimate randomness). He notes that all of PHP's internal randomization functions use the concept of "seeds" to prime the random number/string generation. Unfortunately, the seeding method is known inside PHP, so it is possible - if the method of generation is weak, as it is with mt_rand - that an attacker could brtute force their way into a correct value. You can find more about randomness in PHP in this chapter of his PHP security handbook including a mention of Anthony Ferrara's randomness library.

Rob Allen has posted some notes to his site helping you get PHP set up on OSX Lion (10.8) successfully.

With OS X 10.8, Apple continues to ship PHP 5.3 with Xdebug, PEAR, GD and PDO_MYSQL. This is how to set it up from a clean install of 10.8.

He's broken it up into a few sections including the MySQL setup, Apache configuration , updating the main php.ini and setting up PHPUnit ("and friends") for your testing. He also includes setup instructions for the mcrypt and the PECL OAuth extensions.

Rob Allen has posted his own guide to getting PHP 5.3 set up on OS X 10.7 Lion, the just-released update for Apple's operating system. It comes with a bundled set of PHP-related tools but you might want to set them up your own way. This is where the guide comes in.

With OS X 10.7, Apple continues to ship PHP 5.3 with PEAR, GD and PDO_MYSQL out of the box. This is how to set it up from a clean install of 10.7.

He goes through each of the pieces of software and talks about where to download the latest from and what configuration steps are needed:

• MySQL
• Apache
• the php.ini
• Xdebug
• PEAR
• PHPUnit (and friends)
• PECL OAuth
• mcrypt

In an effort to just about everything he can with PHP Mark Karpeles has posted an article about how he created a SSH server in PHP with most (not quite all) of the functionality of some of its counterparts.

You probably know SSH at least by its name. It's a of secure telnet replacement which also allows many other things such as port forwarding, remote file management (with sftp) and more. With PHP I could write a fully working SSH server in only 3 days. [...] My goal when writing this was to provide a replacement for the FTP protocol for the customers of my hosting service.

He lists the extensions used to create the extension - OpenSSL, mcrypt, hash and (the most important) GMP as well as a link to the source if you'd like to try it out yourself.

New on WebReference.com there's a follow up article that talks about using encryption built into PHP to handle login information and authentication.

Following up on "Implementing One-way Encryption in PHP," my previous tutorial about using one-way encryption to build a secure online diary application, this article explores using PHP encryption for login authentication. It presents the two scripts that make up the diary application: the login and diary scripts, as well as the necessary database server connection script.

His script example shows how to use the md5 hashing function to compare passwords with the ones in the database as well as a modification that uses the mcrypt libraries to encrypt some sample text.

On the ITNewb.com site there's a recent tutorial that's been posted by Andrew Johnson about using the mcrypt library in your PHP apps for a simple level of data protection.

The ability to encrypt and safeguard data is an essential ability that every serious web developer should have in their arsenal. In this article we'll explore encrypting data with PHP and MCrypt (libmcrypt), storing it in a database, retrieving it from a database and decrypting it for use.

He works through what mcrypt is, where it can be downloaded from, a simple usage example and a more in-depth look at what its doing (making an IV, encrypting) and how to store the resulting encrypted information into a MySQL database table.

The DevX.com site has posted an introductory guide to using cryptography in PHP, showing how to use the various packages the language has to offer.

Cryptography is just one piece of the security puzzle, along with SSL/TLS, certificates, digital signatures, and so on. This article explains how to use PHP to implement the most common cryptographic algorithms. In addition to describing PHP's default encryption functions, you'll see how to use a wide variety of cryptographic libraries and packages.

They start with a look at some of the built-in functions like md5, sh1 and crypt as well as a table detailing the different encryption methods (like mcrypt, mhash or crypt_blowfish). They follow this up with examples of some of them including a method for making secret keys with the Crypt_DiffieHellman PEAR Package.

WebReference.com has posted part two in their series looking at security techniques in PHP. This time they focus on the use of a few things - the PECL filter, the PEAR Auth module and mcrypt.

For each of the three topics covered, they include a few code examples on their use - an HTML form with the filter extension, user authentication with the PEAR Auth, and encrypting data to be used in a more secure cookie.

The article is excerpted from PHP 5 Advanced: Visual QuickPro Guide by Larry Ullman.