On the "Zend PHP Certification" blog (study notes), there's sort and natsort).

In all the countless hours I've spent with php, I've maybe used three or four of these sorting functions. I really had no idea that there is a total of eleven functions used for sorting arrays. Anyway, I'm betting that it may be useful to have these memorized before I take the Zend PHP Certification Exam so here is a brief overview of each one.

He talks about the various flags that can be used in the sorting (for regular, numeric, string and locale-based string handling) and the parameters to call for normal sorting, "natural" sorting, reverse key sorting and others. You can find specifics on these array sorting methods in the PHP manual.

PHPBuilder.com has a new tutorial posted about interfacing with GitHub in PHP, using their API to hook into and pull down information about users and repositories.

The Git-based project hosting service GitHub is certainly the belle of today's technology ball, having attracted more than 1 million registered users and amassed more than 2 million hosted projects in less than three years. [...] GitHub High Scores and GitHub Badges are two examples of third-party services created using the GitHub API, which is capable of carrying out any task you might wish to perform via GitHub.com. With it you can create, edit and search repositories, learn more about fellow GitHub users, and manage repository issues.

Jason shows how to use the php-github-api library to connect to the API, search repository information, get user details, finding their repositories and accessing restricted resources (things only available for the authenticated user like updating your account or working with your own repositories).

On Reddit.com there's a new post that asks the question, "which framework has the best documentation and community?"

About to dive into MVC and wondering which one has the most wealth in terms of documentation/code comments as well as a decent community.

Suggestions in the comments include both old and new options including:

• Symfony
• CodeIgniter
• Zend Framework
• Yii

Fuel framework users have another option when it comes to user authentication management in their applications. Ando has released Warden, a package that manages logins, password hashing and user ACLs.

Warden is a user database authorization package for the FuelPHP framework that aims to fast track development by handling the work load of uthenticating user's. Built for performance, it comes with a ready-to-use user model and database install script.

The package uses bcrypt for password hashing and also provides features for forgotten passwords, password resets and "remember me" functionality. Installation is as simple as adding it to your "always_load" package list and setting up a few configuration options. Sample code for its features is included. You can get the latest version directly from github.

On the Liip blog there's a recent post talking about a tool Google offers to help you authenticate your users, a one-time passcode generator called Google Authenticator. The post talks about a PHP port of the same idea.

The main point about 2-step verification is that something else than your computer provides that token. If it's on your computer and that one gets stolen (or hacked into), it won't help much for the additional security. That's why you need a second device for those tokens. Some banks do that with SMS/Text Messages (Facebook, too), other give you special devices for that (eg. RSA keys) and the last group does it with your smartphone.

At the request of a client, they created a tool that did just this, but for PHP. As a result, they created the GoogleAuthenticator library that makes it easy to implement in your application. There's even an example of it in use. For more information about the Google Authenticator tool, see this page on Google Code.

If you haven't seen it yet, there's a post over on StackOverflow that's been growing over the past few days about form-based authentication in websites. The author wants to make a definitive resource for people to use when making good, secure user authentication systems.

Please help us create the definitive resource for this topic. We believe that stackoverflow should not just be a resource for very specific technical questions, but also for general guidelines on how to solve variations on common problems. "Form Based Authentication For Websites" should be a fine topic for such an experiment.

They want to include topics like logins, storing passwords, "forgot password" security, OpenID, browser autocompletion, password strength, email validation and more. They already laid out eight different sections with summaries including:

• How To Remain Logged In - The Infamous "Remember Me" Checkbox
• Using Secret Questions
• Checking Password Strength
• Much More - Or: Preventing Rapid-Fire Login Attempts
• Two-Factor Authentication and Authentication Providers

There's some good feedback from other users with other suggestions and links to external resources that could shed some more light on the topic.

In this new tutorial on DevShed, they walk you through the creation of a secure login script that uses sha256 encryption, a captcha to prevent automated signups, XSS attack protection and several other features.

Recent advancements in PHP offer the developer a variety of tools to improve the security of login systems. [...] This programming tutorial will teach you how to create a simple, yet secure login script utilizing PHP using MySQL and bracing for XSS attack prevention.

Other features include no persistent logins, preventing direct file access, an idle timeout on the user session, protection against session fixation and anti-brute force measures. Full (procedural) code is provided as well as screenshots from phpMyAdmin showing the database table structure. You can grab the code for the project here.

Lorna Mitchell has posted the next part in her series looking at working with OAuth in PHP, showing how to authenticate the user making the connection to your OAuth-enabled web service.

This phase is probably the most familiar to us as developers, as it's simply a login form. The consumer will send the user to us at the URL we provided in the request token, and the user will have the request token key as a parameter. The access control on this page will look the same as on the rest of the website; if the user has a session already then the page is displayed, otherwise they must be logged in to see it.

She talks about verifying the authentication token passed in (from the value already generated and put into a database table), the grant/deny process and the information to update in her sample table when the user falls into the "granted" side of things. She also briefly mentions the optional callback that can be passed to a service like this and how to handle its value.

<> On PHPBuilder.com today there's a new tutorial from Leidago Noabeb showing how you can track your website's users with the help of sessions and cookies, the handling for which are already included in PHP.

So, why can't you maintain state with HTTP? The main reason is because HTTP is a stateless protocol, meaning that it has no built-in way of maintaining state between transactions. For example, when a user requests one page followed by another, HTTP does not provide a way for us to tell which user made the second request. In this article we will look at what maintaining state in PHP applications entails.

They introduce cookies and how they can be used to store information about the user's session on their client for a certain amount of time. This makes it much simpler for the cross-page or cross-session details to persist. There's a bit of code showing how to set and get a cookie and how to do the same with a session.

Josh Adell has a new post to the Everyman Software blog talking about a solution he and his team have developed for logging user sessions across requests with the help of the Zend_Log component and a custom logging formatter.

One way to handle this is to put a request-specific identifier in every log message. But I shouldn't have to remember to append or prepend the identifier to their log messages. I'd rather have it happen automatically, without me or my teammates having to think about it. Here's a method we've been using to try and untangle the mess and retain the usefulness of our logs. The code uses Zend's logging component, but can easily be adapted to other log systems.

Their example sets a custom log format message with placeholders for a timestamp, log ID number and the log message. A unique ID is then generated for the user's session and applied to the Zend_Log object. This data is then automatically applied to the log file's output without any extra hassle. The full sample code (pretty simple, really) is included.