
Pádraic Brady:
PHP Package Signing: My Current Thoughts
Mar 10, 2014 @ 11:57:49

Pádraic Brady has a new post sharing some of his ideas around PHP package signing and a few possible ways to approach (and possibly solve) the problem.

We figured out how to write good code. We figured out how to write good code in a reusable way...for the most part. We figured out how to distribute and mix all that good reusable code in a sensible fashion. Can we now figure out how to do it all securely? [...] The problem with package signing from my perspective is tied up in a phrase most of you would know: The needs of the many outweigh the needs of the few. Thank you, Spock.

He compares two alternatives, public-key infrastructure (PKI) and Pretty Good Privacy (PGP/GPG), and how the idea of trust fits into the picture. He also points out an unfortunate fact about the initial adoption of package signing methods: people are lazy (and cheap). They want to get things done without extra steps, and signing their packages would be one of those steps. He suggests an alternative, though: using double signatures to verify the integrity and validity of a package's contents. He also talks about the role that metadata plays in the overall package ecosystem and how signing it as well could be part of the solution.

tagged: package signature signing metadata packagist composer

Link: http://blog.astrumfutura.com/2014/03/php-package-signing-my-current-thoughts

Jeremy Kendall:
API Query Authentication With Query Auth
Aug 15, 2013 @ 09:41:46

Jeremy Kendall has written up a post for his site showing the use of his QueryAuth library for API authentication, complete with plenty of examples. The library makes it simple to sign and verify requests based on a key, a secret and the parameters given.

Most APIs require some sort of query authentication: a method of signing API requests with an API key and signature. The signature is usually generated using a shared secret. When you’re consuming an API, there are (hopefully) easy to follow steps to create signatures. When you’re writing your own API, you have to whip up both server-side signature validation and a client-side signature creation strategy. Query Auth endeavors to handle both of those tasks; signature creation and signature validation.

He includes code examples showing how to create a signed request, validate the signature from an incoming request and generate randomized keys and secrets. He's also created a sample implementation as a Vagrant box that sets up a Slim framework based application and uses Guzzle to make requests. He briefly looks at some of the code that makes it work and what the raw HTTP request and response look like for the result.

tagged: queryauth api authentication signature parameter key secret tutorial

Link: http://jeremykendall.net/2013/08/13/api-query-authentication-with-query-auth

Mike Purcell's Blog:
PHP - Reflection Class - Determine Parent Method Signature
Jul 05, 2012 @ 10:12:04

In this recent post to his blog, Mike Purcell shares a method he found to discover the parameters required by a method in a class's parent via reflection.

According to PHP docs regarding the Memcached::get() method, there are three arguments which must be added to my extended signature, which I added, but kept getting “...should be compatible with that of Memcached::get()” errors. I tried looking for the method signature via source code but didn’t glean anything useful from the PECL documentation, so I turned to PHP's ReflectionClass.

He includes a quick snippet of code showing how the check works and the handy output it produces: a set containing each parameter's name, whether it's required or optional, and its definition.

tagged: reflection parent method signature tutorial


Sameer Borate's Blog:
Source Code Signatures in PHP
Nov 10, 2011 @ 13:11:17

In this new post to his blog, Sameer Borate applies an interesting method for discovering structure in unfamiliar code: generating code signatures.

One method [Ward Cunningham] suggests is that of summarizing on a single line select punctuation characters from each source file. He calls this the file’s "signature". This will help the developer gauge the complexity of the code base.

He includes a few examples from files in WordPress - looking for the structure of curly braces and semicolons as delimiters for chunks of functionality. Included are a few lines of code to help you generate a signature from any file and an example of a result. It's an interesting idea, but I'm not sure how practical it is. It could be a helpful reference for how complicated the file is, though.

tagged: sourcecode signature wordpress complexity


DevShed:
Error Handling for Dynamic Twitter Signature Images with PHP
Aug 26, 2009 @ 07:55:45

DevShed has posted the third part of their series looking at the creation of dynamic Twitter signatures. These signatures are the sort of badges you'd see on a site with the user's latest tweet and their photo.

In the third installment in this series, I will be demonstrating how to add proper object-oriented error handling to the SignatureImage class.

They've built up the class to take in a Twitter username and, via a cURL request, pull in both the account's avatar and latest tweets. If something goes wrong, though, the class needs to be modified to handle it. They show how to add try/catch handling with an error handler method in the class to work with the error's result.

tagged: error handling twitter tutorial signature


DevShed:
Enhancing Dynamic Twitter Signature Images with PHP
Aug 14, 2009 @ 08:27:17

In this second part of their "dynamic Twitter signature" series, DevShed expands on the previous part and adds code that works with the GD libraries to make the image.

In my last article we began putting together a solution that will allow us to display dynamic Twitter signature images in forum posts and emails. In this article we’ll continue where we left off by adding the functions that will harness the power of GD to create the actual image.

They review the previous code (a simple class that makes a request to the Twitter servers for the latest statuses from the user) and add code to fetch the user's avatar and push the text content into the generated image.

tagged: enhance twitter tutorial signature image


PHPFreaks.com:
PHP Add Text To Image
Jan 26, 2009 @ 12:04:06

This new tutorial from the PHPFreaks.com website shows how to add text to a custom-created image (they go with an Arial font in a PNG image).

One of the standard features of a message board is allowing members to have a signature, which is appended to the bottom of each post they make. Posters can put whatever they want into the signature (within forum settings). Putting quotes in one's signature is one of the more popular things to do. [...] Soon afterwards, I started receiving messages on a fairly regular basis asking me "What kind of sorcery is this?? How do I do that??" You know, I think it's kind of funny people should ask, because this is really nothing new.

His code (the full script is here) first sets up the font size, the font face (Arial) and the quotes to be pulled from at random. The image manipulation comes next: making a PNG resource, adding a few colors and shapes, and dropping in the text.

Each line of the code is covered in detail so you'll understand exactly what's going on. The end result is a script that makes a simple image and can be easily expanded to work with other sources (like databases or flat text files).

tagged: tutorial image dynamic gd text signature forum random


ThinkPHP Blog:
Improving Usability on "My Chorizo" page: the host signature file
Jul 31, 2006 @ 05:59:21

The guys over at the ThinkPHP blog are already improving their Chorizo security scanner software with refreshed usability for their "My Chorizo" page inside the utility.

In the spirit of Web2.0 applications, we constantly improve Chorizo! and silently update the application with the newest features. In order to scan a host, you have to prove that you are the owner of the host by uploading a unique signature file to your host's document root. Some of our users had trouble uploading it into the docroot, some accidentally put it into the wrong directory.

Their enhancement makes it easy to tell at a glance which of the products have their signature files in place and which don't.

tagged: chorizo web scanner usability update signature
