Looking for more information on how to do PHP the right way? Check out PHP: The Right Way

Matt Trask:
Looking at Ramsey UUID
Aug 24, 2016 @ 09:16:56

Matt Trask has put together a new post spotlighting a handy library that's widely used across the PHP ecosystem for generating UUIDs: ramsey/uuid.

Welcome to the first installment in my 2113918230981 part series, "Better know a Package!". Tonight's package: the famous/infamous Uuid package that that taught us all what Ramsey is in Scottish, Rhumsaa. Created to give PHP a library to generate Universal Unique Identifiers, this library has been a stallwort in the community. Ben Ramsey created it first under the Rhumsaa namesapce before moving it to the Ramsey namespace, saving us all from learning more Scottish then we needed to ever learn.

[...] A UUID, or Universally Unique Identifier, will generate a 128 bite unique key in different series based on the version you asked for. RFC-4122 dictates how Uuids should be generated, and recommends 4 types.

Matt then goes on to describe each of the different UUID types and provides some code examples as illustration:

  • Version 1: Time and MAC addressed based Uuid
  • Version 2: DCE-based
  • Version 3: UUIDs based on a namespace and then it is MD5 hashed
  • Version 4: Random generation (based on the output of random_bytes

He also includes examples of the UUIDs output by each method (not much difference there as the structure of the resulting UUID is all the same).

tagged: uuid ramsey library introduction types namespace random mac time tutorial

Link: http://matthewtrask.net/blog/Looking-At-Ramsey-Uuid/

Creating a password-less, Medium-style, email-only authentication system in Laravel
Mar 14, 2016 @ 09:29:55

On the Tighten.co blog Matt Stauffer shows how to make a password-less authentication system similar to what the popular site Medium uses centered around emails sent to the account for the user.

Recently I was working on a project where one of our major pain points was users' passwords. Users were added to the application by administrators, so they didn't have passwords when they were first added, and forcing them to set and remember passwords was a big hitch on the project's usability.

So, we decided to try out a Medium/Slack-inspired password-less login. If you've never had the chance to work with this, the login system works like this: enter your email address on the login page, get emailed a login link, click the link, and now you're logged in. Access to your email address proves your identity without the need for a password.

He walks you through the process of disabling the current password-based flow by creating and modifying the default "make:auth" results. When the user comes to the site, they're asked to log in via sending an email. This email contains a unique token attached to a link that matches one on the server side related to the user. He shows how to build out this relation table, the matching model and the endpoint used to verify the hash once the user clicks on the link.

tagged: laravel password email login medium link random hash tutorial

Link: http://blog.tighten.co/creating-a-password-less-medium-style-email-only-authentication-system-in-laravel

SitePoint PHP Blog:
Randomness in PHP – Do You Feel Lucky?
Oct 29, 2015 @ 13:52:24

The SitePoint PHP blog has a post from author Nicola Pietroluongo talking about randomness in PHP. In the tutorial he talks about randomness, how it relates to cryptography and what's coming in PHP 7 to help.

This article analyzes problems related to random number generation used for cryptography purposes. PHP 5 does not provide an easy mechanism for generating cryptographically strong random numbers, while PHP 7 solves this by introducing a couple of CSPRNG functions.

He starts off by talking about what a CSPRNG (cryptographically secure pseudorandom number generator) is and some of the things it could be used for. He then moves on to the functionality coming in PHP 7 with the addition of the random_* functions for getting random bytes and random integer values. He talks briefly about what's going on "behind the scenes" of the generation and provides a simple code example with a randomized "dice roll" and the resulting numbers. He ends the post mentioning the random_compat library that can be installed for pre-PHP 7 applications that provides the same functionality just without those two functions defined.

tagged: random generation csprng number generator tutorial php7 php5 randomcompat

Link: http://www.sitepoint.com/well-do-ya-punk/

Paragon Initiative:
Coming to WordPress 4.4: CSPRNG
Oct 12, 2015 @ 12:52:42

The Paragon Initiative blog has a post from Scott Arciszewski about a new feature coming to upcoming WordPress versions - the use of a cryptographically security random number generator starting in version 4.4.0.

At Paragon Initiative Enterprises, we believe that security should be the default state of affairs, not something only in the reach of security experts. That is why [...] our team spends a great deal of time working to improve the security of popular free and open source software.

Today, we're pleased to announce an exciting security enhancement coming to WordPress in the next major version. Starting in 4.4.0, wp_rand() is cryptographically secure on all platforms.

He walks the reader through the "road" that's lead to the introduction of this support and the work he did in the past to help push the project (and others) towards it. Given that the WordPress project has a lot of emphasis on backwards compatibility, effort need to be put into a method that would work across new and old PHP versions. The random_compat library was created and was adopted not only by WordPress but also by several other major PHP projects.

Our part in this long and crazy journey has reached its end. In the course of fixing the same flaw in two distinct projects, the PHP community banded together to identify and expunge a bug in the PHP core, create a new feature in PHP 7, and in some small way helped to secure the CMS that powers more than 20% of websites on the Internet.
tagged: wordpress csprng random number generator cryptography security

Link: https://paragonie.com/blog/2015/10/coming-wordpress-4-4-csprng

Paragon Initiative:
How to Safely Generate Random Strings and Integers in PHP
Jul 08, 2015 @ 12:49:51

The Paragon Initiative blog has posted a guide to what they see as a way to safely generate random strings and integers in PHP applications.

Generating useful random data is a fairly common task for a developer to implement, but also one that developers rarely get right. [...] It's generally not okay to use a weak random number generator unless both of the following two conditions are met: the security of your application does not depend in any way on the value you generate being unpredictable or there is no requirement for each value to be unique (up to a reasonable probability).

He gives some examples of places where it's a must to use a "cryptographically secure pseudo-random number generator" including generating random passwords, encryption keys or IVs for data in CBC mode. The article goes on to talk about some of the problems that could come from using weak generators. It then gets into the process for generating random values and the use of the random_* functions in PHP (or using this polyfill) to more safely generate the numbers. Included is code showing the process and some advice around converting random bytes to both strings and integers.

tagged: safe generation random string integer php7 randomcompat security

Link: https://paragonie.com/blog/2015/07/how-safely-generate-random-strings-and-integers-in-php

Giorgio Sironi:
Property-based testing primer
Jun 19, 2015 @ 12:15:29

Giorgio Sironi has a new post to his site today talking about a method (and tool) around a different sort of testing practice: property-based testing. The difference is that, instead of hard-coding values and evaluating them post-processing, you're generating random values and ensuring they match against a set of properties, not values.

I'm a great advocate of automated testing and of finding out your code does not work on your machine, 30 seconds after having written it, instead of in production after it has caused a monetary loss and some repair work to be performed. [...] However, classic test suites written with xUnit and BDD styles have some scaling problems they hit when you want to exercise more than some happy paths. [...] Property-based testing is an approach to testing coming from the functional programming world.

He helps to make the point a bit more clear with an example of testing the "sort" function and its results. He talks about how to test it using normal data, empty data, etc. but notes that this kind of testing can become "boring and error-prone". Instead he proposes the property-based testing of the results. He generates random values to feed into the method and checks to ensure the results are sorting by comparing them to each other. He expands this with a bit more complex example, showing how to test some DateTime handling and evaluating the result with logic in a closure. To help make this kind of testing easier, he's created a library (Eris) that extends PHPUnit and provides the methods seen in his examples.

tagged: property testing unittest phpunit extension random datetime sort eris

Link: http://www.giorgiosironi.com/2015/06/property-based-testing-primer.html

Building With the Twitter API: Repeating Tweets From a Group
Jan 19, 2015 @ 11:18:45

NetTuts.com has continued their series about constructing a Twitter application as a Yii framework-based application. In this latest tutorial they expand on the previous post's "tweet storm" functionality and instead posts random updates based on pre-defined content. If you need to catch up, you can find the other parts of the series here.

The nature of the Twitter stream makes repetition useful, within reason; overdoing it is spammy and annoying.[...] This automates the task of repeating and creating variation over time to increase the likelihood that your Twitter followers will engage with your content. Keep in mind that the Twitter API has limits on repetitive content. You'll be more successful if you offer a wide variety of variations and run the service on an account that you also use manually to share other content.

They start with a short list of features the application needs to support including the main goal of posting the randomized, recurring tweets. They start by creating the Group model and table to allow for the grouping of tweets. Then they use Yii's scaffolding to create a form for creating new groups. Next up is the controller code to handle the group submission and an update to link a tweet to a group. Finally they include the code to push the tweets out to Twitter and mark the tweets as sent. The post ends with an example of a timeline with the resulting posts.

tagged: tutorial series twitter api repeat tweets group random

Link: http://code.tutsplus.com/tutorials/building-with-the-twitter-api-repeating-tweets-from-a-group--cms-22490

Three Devs & A Maybe Podcast:
Episode #51: Midweek Random Rambles
Dec 10, 2014 @ 10:53:28

The Three Devs & A Maybe podcast, hosted by Michael Budd, Fraser Hart, Lewis Cains and Edd Mann, has posted their latest episode - Episode #51: Midweek Random Rambles.

In our 51st podcast we temporarily revert to a midweek recording of the show. This essentially means we were all a bit tired and delirious, leading to some fantastic randomness, none more than Lew's 'different' introduction to the show. We will let you be judges of that! Following our usual discussion of how things are panning out in our working week, we then move on to discuss some of the interesting security issues cropping up on Michael's university course. Also, Fraser has landed an exciting new job in London, Lew has found front-end dependency bliss with Bower and Edd is doing some exciting stuff at work too. We also talk about asset file compression/concatenation and issues we've encountered with those too. So... plenty to discuss, in fact too much to cram in to our usual hour so we will continue the theme next time. Enjoy folks, and as ever, thanks for listening and for your feedback.

Other topics mentioned in this episode include the Google no CAPTCHA reCAPTCHA, the Gitminutes podcast and new book covering domain driven design in PHP. You can listen to this latest episode either through the in-page audio player or by downloading the mp3. If you enjoy the show, be sure to subscribe to their feed too!

tagged: threedevsandamaybe podcast ep51 midwekk random ramblings

Link: http://threedevsandamaybe.com/midweek-random-rambles/

Pádraic Brady:
Composer: Downloading Random Code Is Not A Security Vulnerability?
Feb 21, 2014 @ 10:04:52

In his latest post Pádraic Bradyhas posted a response to a recent post stating that in issue in Composer where the wrong package could be installed is not a security issue. Pádraic disagrees, here's why:

The problem here is quite simple. A user defines a composer.json file that requires the package bloggs/framework. Someone else creates a package on Packagist.org called evil/framework whose own composer.json states that it replaces bloggs/framework. Next, a group of poor random victims, potentially thousands, use composer to install applications with a dependency on bloggs/framework. Composer does some internal wizardry and installs evil/framework when certain conditions are met. The victims didn’t request evil/framework but they get it anyway.

He suggests that this is a kind of remote file inclusion and possibly a remote code execution vulnerabilities. He points out that the manual steps suggested in the post aren't listed in the Composer documentation and fixes for it are still pending work.

Saying one thing, but acting like it’s the other thing you don’t want people to call it, makes me think it really is the other thing. Probably because it is. Users can fall victim to a replace and it’s called “unintuitive”, but if a package states that it replaces something that might lead to the unintuitive behaviour, it’s an abuse.
tagged: composer random code vulnerability security package

Link: http://blog.astrumfutura.com/2014/02/composer-downloading-random-code-is-not-a-security-vulnerability/

Timoh's Blog:
Secure random numbers for PHP developers
Nov 06, 2013 @ 09:20:55

Timoh has posted a look at random number generation to his site, focusing on one of the many methods to produce truly random number - using /dev/(u)random (available on Unix-based filesystems).

How would you gather cryptographically secure random bytes in your PHP application? This is actually quite a good question. It used to be, and seems, it still is not that uncommon to just simply call mt_rand() function to get the job done creating user’s “initial password”, for example. A bit more experienced reader will notice there is a security bug. [...] But actually only a few [functions to get random values] can be recommended for security sensitive purposes. And now I’m not talking about openssl_random_pseudo_bytes().

He starts with a look at openssl_random_pseudo_bytes and why there might be something wrong with its use - mainly that OpenSSL has had its own share of security issues in the past. Of the two random resources he recommends /dev/urandom as it's less blocking and more useful for web applications. He recommends the RandomCompat library if you need to take this random data and transform it into integers (with one caveat).

tagged: secure random number generation devurandom urandom openssl

Link: http://timoh6.github.io/2013/11/05/Secure-random-numbers-for-PHP-developers.html