Timoh's Blog:
Aggressive password stretching - A solution to the low-entropy keys problem?
November 29, 2013 @ 10:15:30

While not specifically related to PHP, this new post from Timoh looks at the idea of "aggressive password stretching" as a way to address a common problem in password-based systems: the poor choice of passwords by the application's users.

Practically speaking, "weak" means a user-generated password will not contain enough guessing entropy to resist an adversary who managed to gain the user database dump, and who is able to run an efficient offline attack against the leaked hashes. Here comes in the need to make the adversary's job harder, which is achieved by using the above-named algorithms.

He doesn't talk much about the password hashing itself, instead focusing on password stretching: adding information that does not come from the user (usually from an automated source) to increase the effective entropy of the password. He goes through some of the math on how much extra work this method demands of an attacker, and some of the problems that can come with it. He also talks about how much time should be spent hashing passwords and suggests that it's "a matter of finding a sweet spot between you and attacker's patience and the security gain", not just about security.

A bit more on the PHP-specific side, he briefly looks at the password_hash function and some of the defaults the more current frameworks use (hint: bcrypt all the things).

Proper password hashing is clearly not enough to make sure the password hashes are not weak. The other half of the job is a good password policy. No algorithm or setting will save passwords like "password" or "12345" etc. This is why we need to make sure the user's password will initially contain enough entropy itself.
password stretching hashing aggressive entropy solution

Link: http://timoh6.github.io/2013/11/26/Aggressive-password-stretching.html

Anthony Ferrara:
Reinvent The Wheel!
August 06, 2012 @ 09:03:19

In this recent post to his site, Anthony Ferrara takes on the phrase "reinventing the wheel" and wonders if, maybe, it's not such a bad thing sometimes.

"Don't Reinvent The Wheel" is a phrase that we hear used all the time in software development. Usually it's used in the context where a library exists to do what the user wants, but they are writing their own. While the sentiment is usually correct, I can't stand the implication of the phrase. Therefore, I can't stand it when people use that phrase without understanding what it really means. Let me explain...

He notes that, while there might be things out there that do something well, it doesn't mean the "wheel is perfect" and that you shouldn't venture out and try something new. He points out two places where it could be good: when a general solution doesn't work, and for education or research.

Even as a senior developer, if you never try to reinvent the wheel from time to time, you'll never push your capabilities. You'll never expand your conceptual model of problems. And if you never do that, the world will blow past you.
reinvent wheel opinion development education solution


Anthony Ferrara:
Is Autoloading A Good Solution?
July 20, 2012 @ 15:56:30

In his most recent post Anthony Ferrara takes a look at autoloading - mostly asking the question of whether the problems it has really outweigh the benefits.

The real problem that autoloaders solve is to load dependencies. [...] The normal logic that's used to justify autoloading over manual dependency loading in production is that it only loads the classes you need. Therefore you save the parsing costs of classes that you don't need. But surely that additional run-time loading has costs. So I decided to set up a test to see how expensive that additional run-time loading costs us, and to prove whether or not autoloading is worth it in production.

He gives examples of both methods: using spl_autoload_register to define a loader, and requiring the files by a fixed file path instead. He found the autoloading version noticeably slower than the hard-coded one, but notes that when the number of files is reduced the performance gets much closer. He also briefly looks at two other pieces of file-related functionality: file_exists and require_once.

autoload solution performance static path fileexists requireonce


Lukas Smith's Blog:
Query parameter handling in Symfony2
May 14, 2012 @ 11:56:37

Lukas Smith is looking for feedback on a question that's been on his mind a lot lately: can the handling of query parameters in the Symfony2 framework be made better (and easier to use)?

Obviously you can already access query parameters today, but it could be easier. Essentially what I want is a way for developers to easily configure what query parameters they expect and what values they expect. This is useful for several things like easier reading and validating of query parameters, self documenting API both for API docs for humans but also for machines.

He's asking for feedback and ideas from the community on a proposed solution that could make things more flexible. He also briefly mentions route matching and how query parameters could cause routes not to match:

For one I don't think that a mismatch on a route requirement of a query parameter should cause the route to not match. However then it can quickly become confusing for the end user or it would require adding more and more syntax to handle all the different cases.
symfony2 query parameter handling solution routing match


PHPClasses.org:
Lately in PHP podcast episode 13 - Dedicated PHP in Cloud Solution with PHPFog
June 30, 2011 @ 10:58:40

PHPClasses.org has posted the latest episode of their "Lately In PHP" podcast series, a look at the cloud hosting PHPFog now offers, including an interview with Lucas Carlson, CEO of PHPFog.

On the Lately in PHP podcast episode 13, Manuel Lemos and Ernani Joppert interview Lucas Carlson, founder and CEO of PHPFog, to tell us about the advantages of using a Cloud Hosting service that is optimized to address needs that are specific to PHP Web sites and applications. They also comment on the PHP 5.3.6 forked version released by Robert Eisele and the PHP features being voted for inclusion in version 5.4.

You can listen to this latest episode in a few different ways - either via the in-page player, by downloading the mp3 or by subscribing to their feed.

phpfog cloud offering solution interview lucascarlson fork release


Cal Evans' Blog:
Six ways to be a better client for your developer - Point 3
January 19, 2011 @ 12:53:24

Cal Evans has posted his third tip for clients wanting to have a better relationship with the developers on their project. This new tip talks about the balance between suggestions and "being sold" on technologies.

To balance Point 2, make sure your developer fully understands the problem and has put thought into it before actually proposing a solution. If, in the first meeting they propose a solution, especially a pre-packaged solution like WordPress, Joomla or Drupal, exit the building in a calm and orderly manner. In these cases they are selling you the solution they know, not the solution you need.

He suggests that you tread carefully when it comes to software choices and don't blindly follow the suggestions handed to you. A little research is all it takes to see if their proposal is actually a good fit. Ask a lot of questions and really think about the answers before moving on.

client developer opinion sold solution


Chris Hartjes' Blog:
"U R Doin It Wrong" - Adventures with flexible forms in Zend Framework
March 23, 2010 @ 08:58:40

In a recent post to his blog, Chris Hartjes has written about his (mis)adventures with Zend_Form, a powerful but sometimes difficult-to-use component of the Zend Framework.

Zend_Form is a super-powerful, force-of-nature tool. By force-of-nature I mean it does all this crazy stuff, and you can see it doing it, but I am not alone in admitting that taming it sometimes is very difficult. When building tools to make forms programmatically you either severely limit people's options or make it so flexible that there are multiple ways to get something done.

Because the Zend Framework "treats you like an adult", it can be difficult to get just what you want from it (ease of use isn't quite at the top of the list). In this case, Chris wanted a relatively simple form that did some checking before it successfully submitted. Over and over the form passed without him being able to tell why. The solution turned out to be a simple one: be sure to create all form elements before you run validation.

He includes some sample code, a "before" and "after" for the solution.

zendframework issue zendform solution


Rob Allen's Blog:
UTF8, PHP and MySQL
March 19, 2009 @ 08:43:19

Rob Allen had a problem: he needed to get the "pound" sign (as in the British monetary unit) into his MySQL database, and his database didn't seem to want to comply:

Everyone else probably already knows this stuff, but I hit an issue today that took a while to sort out. Fortunately, some kind folks on IRC helped me, but as it's embarrassing to ask for help on the same issue twice, I'm writing down what I've learned! The problem: Get a £ character stored to MySQL, retrieved and then displayed without any weird characters in front of it using UTF8.

His solution? Make sure you're using UTF-8 everywhere, not just when inserting into the database: in the browser's headers (both going in and coming out) and in the MySQL connection itself. He gives code examples for each, including database examples for PDO and the Zend_Db component of the Zend Framework.

utf8 mysql insert pound character example problem solution


Stuart Herbert's Blog:
PHP's Built-In Solutions For Shared Hosting
November 27, 2007 @ 10:25:00

Following up on a previous article, Stuart Herbert has posted some of the things that PHP can do to help solve the previously mentioned shared hosting problems.

The challenge is to secure the box not just from outside attack (something you have to do anyway, and which I'll cover later in this series), but also to make sure that code running on one website can't steal confidential data like MySQL passwords from any of the other websites.

It's not a problem unique to PHP, but PHP does, thankfully, have several settings and techniques that can help. Among those on the list are safe_mode and open_basedir, along with how PHP 6 will affect both of them. He's included settings for both to get you started.

shared hosting solution safemode openbasedir


Arnold Daniels' Blog:
Migrating from PHP4 to PHP5 A strategy for hosts
September 05, 2007 @ 09:45:00

One of the biggest problems facing PHP web hosting companies is the big move to PHP5 that follows the PHP4 end-of-life announcement. Arnold Daniels has one idea for a solution to help ease the problems: providing customers with a testing environment they can try out their code in.

A few months ago I posted an article about running multiple Apache instances with different PHP versions. In that article I showed how to make multiple configurations running Apache on different IP addresses. By using different ports instead of different IP addresses, we can give our customers a way to check their site before it goes live.

He modifies the settings from that tutorial with a few updates to produce two different Apache configurations, one for PHP4 and the other for PHP5. When used together, they can run the same code under two different PHP versions, just on different ports.

migrate php4 php5 solution testing environment hosting provider


All content copyright, 2014 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework