
Master Zend Framework:
How to Use ZFTool Diagnostics To Ensure Your Modules Work
May 13, 2014 @ 10:55:19

The Master Zend Framework site has a new tutorial today showing you how to use the ZFTool diagnostics to make sure your modules are working correctly. The ZFTool is a stand-alone tool that can help with common tasks like working with application configuration and creating module and project skeletons.

Do you want to be sure that when you create Zend Framework 2 modules, they'll work in whatever environment they're used in? At the very least, do you want a simple way for users to check, as well as something that's self-documenting? If so, you're in the right place. Last year, I gave a basic introduction to ZFTool, which is a command line tool to manage applications written in Zend Framework 2. [...] In addition to [the included diagnostic checks] we can write our own diagnostic checks, using the Success, Failure and Warning classes. So in today's tutorial, I'm going to show how to add diagnostics support to a module.

He's broken the rest of the tutorial up into four other parts, each with the code or commands you'll need:

  • Add Diagnostics Support
  • The Diagnostics Function
  • Running Module Diagnostics
  • When Checks Fail

You can find out more about ZFTool and its diagnostics support in the official manual.
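As an added illustration of the getDiagnostics() mechanism the tutorial walks through (this is not the Master Zend Framework code), here is a module class that hands ZFTool a set of production-hardening checks. It assumes ZFTool is installed (it pulls in zendframework/zend-diagnostics), that ZFTool calls a public getDiagnostics() on each module, and that a check may return either a boolean or a ZendDiagnostics\Result\Success, Failure or Warning object, as the ZFTool README describes. The module name MyModule, the check names and the data/cache path are made up for the example.

```php
<?php
// Added example, not the tutorial's code: a ZF2 module exposing
// production-hardening checks to ZFTool via getDiagnostics().
// Assumes zendframework/zftool (and thus zend-diagnostics) is installed.
namespace MyModule;

use ZendDiagnostics\Result\Failure;
use ZendDiagnostics\Result\Success;
use ZendDiagnostics\Result\Warning;

class Module
{
    public function getDiagnostics()
    {
        // Keys are the labels ZFTool prints; values are callables.
        return array(
            'display_errors is off'    => array($this, 'checkDisplayErrors'),
            'allow_url_include is off' => array($this, 'checkAllowUrlInclude'),
            'expose_php is off'        => array($this, 'checkExposePhp'),
            'data/cache is writable'   => function () {
                // A bare boolean is enough when there is nothing more to say.
                return is_writable(__DIR__ . '/../../data/cache');   // assumed path
            },
        );
    }

    // ini_get() returns "1", "0", "", "On", "Off" or, for display_errors,
    // "stderr"/"stdout"; anything that is not an "off" spelling counts as on.
    private static function iniOn($name)
    {
        $value = strtolower((string) ini_get($name));
        return !in_array($value, array('', '0', 'off', 'false', 'no'), true);
    }

    // Failure: stack traces and failed SQL in error pages hand an attacker
    // file paths, table names and occasionally credentials.
    public function checkDisplayErrors()
    {
        if (!self::iniOn('display_errors')) {
            return new Success('display_errors is disabled');
        }
        return new Failure('display_errors is enabled; set display_errors=Off and log errors instead');
    }

    // Failure: with allow_url_include on, any injectable include path is
    // remote code execution.
    public function checkAllowUrlInclude()
    {
        if (!self::iniOn('allow_url_include')) {
            return new Success('allow_url_include is disabled');
        }
        return new Failure('allow_url_include is enabled; disable it in php.ini');
    }

    // Warning rather than Failure: the X-Powered-By header is a hint to
    // attackers, not a hole in itself.
    public function checkExposePhp()
    {
        if (!self::iniOn('expose_php')) {
            return new Success('expose_php is disabled');
        }
        return new Warning('expose_php is enabled; the PHP version is advertised in X-Powered-By');
    }
}
```

Run the checks with `zf.php diag MyModule` (add `-v` for the messages); a Failure makes the command exit non-zero, so the same invocation works as a deploy-time gate, while a Warning is reported but does not fail the run.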


Link: http://www.masterzendframework.com/zftool-2/use-zftool-diagnostics-ensure-modules-work

Master Zend Framework:
Using Sessions In Zend Framework 2 - Part 2
May 06, 2014 @ 11:18:26

The Master Zend Framework continues its series about using sessions in Zend Framework 2 applications. In part two of the series he focuses on validators and some of the backend storage options the framework makes possible.

In last week's tutorial we covered the basics of sessions in Zend Framework 2, looking at how to implement them by making changes to module/Application/Module.php so that they're available application-wide, and then how to both set and retrieve information in the session. In this week's tutorial, we're going to take last week's post further, by looking at session validation as well as different backends. These two things will help protect your session data from session hijacking, as well as help you scale your application, by storing the information using a more universal backend, which a filesystem most often will never be.

He starts with some background on what a typical session in the framework looks like, broken into sections via the "Container" object. He then moves on to the validators and describes two of the built-in ones, "HttpUserAgent" and "RemoteAddr", with a few code examples. Both only raise the bar slightly: an attacker who has already stolen the cookie can send the victim's User-Agent string along with it, and the RemoteAddr check will log out legitimate users whose IP address changes (mobile networks, corporate proxies). He finishes with the backend options (Cache, DbTable and MongoDB), configured through a "StorageFactory" object in the configuration.
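As an added example (not the tutorial's own code), here is a module/Application/Module.php bootstrap that configures the session cookie defensively, attaches the two validators discussed above and regenerates the session ID on first use, following the SessionManager pattern from the ZF2 reference guide. The option keys are the php.ini session.* names that Zend\Session\Config\SessionConfig accepts; the cookie name 'myapp' and the 30-minute idle limit are arbitrary choices for the example.

```php
<?php
// Added example, not the tutorial's code: ZF2 session hardening in
// module/Application/Module.php, using the documented SessionManager API.
namespace Application;

use Zend\Mvc\MvcEvent;
use Zend\Session\Config\SessionConfig;
use Zend\Session\Container;
use Zend\Session\SessionManager;
use Zend\Session\Validator\HttpUserAgent;
use Zend\Session\Validator\RemoteAddr;

class Module
{
    public function onBootstrap(MvcEvent $e)
    {
        $config = new SessionConfig();
        $config->setOptions(array(
            'name'             => 'myapp',  // arbitrary; avoids the default PHPSESSID
            'cookie_httponly'  => true,     // not readable via document.cookie, so XSS cannot lift the ID
            'cookie_secure'    => true,     // only sent over HTTPS
            'use_only_cookies' => true,     // never accept the ID from the URL (fixation via links)
            'cookie_lifetime'  => 0,        // browser-session cookie; idle limit enforced below
            'gc_maxlifetime'   => 1800,     // 30 minutes idle, an assumption for this example
        ));
        $manager = new SessionManager($config);

        // Validators run on every start(): the value recorded when the session
        // was created must match the current request, or the session is rejected.
        $chain = $manager->getValidatorChain();
        // User-Agent: cheap, but an attacker holding a stolen cookie can copy the
        // victim's UA string too, so treat it as a speed bump, not a lock.
        $chain->attach('session.validate', array(new HttpUserAgent(), 'isValid'));
        // Client IP: stronger against cookie replay, but breaks users whose
        // address changes. Enable only if your user base can take it:
        // $chain->attach('session.validate', array(new RemoteAddr(), 'isValid'));

        Container::setDefaultManager($manager);
        $manager->start();

        // First request of a brand-new session: issue a fresh ID so an ID the
        // client arrived with can never be promoted into an authenticated session.
        $init = new Container('initialized');
        if (!isset($init->init)) {
            $manager->regenerateId(true);
            $init->init = 1;
        }
    }
}
```

Call `regenerateId(true)` again whenever privilege changes (successful login, password change). To move off the filesystem, pass a save handler as the third SessionManager constructor argument (`new SessionManager($config, null, $saveHandler)`), which is where the DbTable, Cache and MongoDB backends the tutorial covers plug in.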


Link: http://www.masterzendframework.com/sessions/using-sessions-zend-framework-2-part-2

Alison Gianotto:
Check User-Submitted URLs for Malware and Phishing in Your Application
April 07, 2014 @ 10:01:59

In her latest post Alison Gianotto looks at a few different ways that you can validate any URLs that your users might give you to ensure they're not anything malicious. She looks at two of the major services, the Google SafeBrowsing API and SURBLs, as well as mentioning a few others.

If you write software for the web that allows users to submit or share URLs (comment systems, mail clients, forums, URL shorteners, etc), you may find yourself in a position where you need to filter out malicious links. Fortunately, there are several free options for you to better protect your systems and your users against bad guys, and they're pretty simple to implement. (My examples are in PHP, but could easily be adapted to whatever language you prefer.)

She starts with an example call to Google's Safe Browsing service, making a curl request and parsing the result. The second service, SURBL, is queried with DNS lookups, again with code examples. She also mentions PhishTank and VirusTotal as other options. She finishes the post with a few suggestions for living within the rate limits of these services, such as only checking a URL at click-through time, and for handling lookup failures deliberately (decide up front whether a failed check lets the link through or blocks it, rather than letting a timeout silently count as "clean").
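As an added example of the DNS-based SURBL check (this is not Alison Gianotto's code), here is a lookup that extracts the host from a user-submitted URL, queries SURBL's combined zone, decodes which lists matched, and reports lookup failures separately so the caller can choose to fail open or closed. It assumes SURBL's documented query form `<name>.multi.surbl.org`, that a listed name answers with an A record in 127.0.0.0/8 whose last octet is a bitmask of the matching lists, and that IPv4 hosts are queried with their octets reversed; the bit-to-list names are SURBL's published values at the time of writing and should be confirmed on surbl.org before acting on a specific bit.

```php
<?php
// Added example, not from the post: SURBL lookup over DNS for the host of a URL.
// Assumes the multi.surbl.org query form and bitmask encoding described by SURBL.

/** Names of the SURBL lists set in a result's last octet (published values; verify before use). */
function surbl_list_names($lastOctet)
{
    $bits = array(8 => 'PH (phishing)', 16 => 'MW (malware)', 64 => 'ABUSE (spam)', 128 => 'CR (cracked site)');
    $hits = array();
    foreach ($bits as $bit => $name) {
        if (($lastOctet & $bit) === $bit) {
            $hits[] = $name;
        }
    }
    return $hits;
}

/**
 * Names to query for one host. SURBL lists base domains, so after the full
 * host each shorter suffix down to two labels is tried too; querying a public
 * suffix such as co.uk is harmless (it is simply not listed). Returns an empty
 * array for host forms SURBL cannot answer (empty host, IPv6).
 */
function surbl_candidates($host)
{
    $host = strtolower(trim((string) $host, '.'));
    if ($host === '' || strpos($host, ':') !== false || strpos($host, '[') !== false) {
        return array();
    }
    if (filter_var($host, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) {
        return array(implode('.', array_reverse(explode('.', $host))));   // 1.2.3.4 -> 4.3.2.1
    }
    $labels = explode('.', $host);
    $names = array();
    while (count($labels) >= 2) {
        $names[] = implode('.', $labels);
        array_shift($labels);
    }
    return $names;
}

/**
 * Returns array('listed' => bool, 'lists' => string[], 'error' => bool).
 * 'error' is true when the URL was unusable or the resolver failed, so the
 * caller decides between failing open (allow) and failing closed (block)
 * instead of a lookup failure silently meaning "clean".
 */
function surbl_check_url($url, $zone = 'multi.surbl.org')
{
    $result = array('listed' => false, 'lists' => array(), 'error' => false);
    $candidates = surbl_candidates(parse_url($url, PHP_URL_HOST));
    if ($candidates === array()) {
        $result['error'] = true;
        return $result;
    }
    foreach ($candidates as $name) {
        $records = @dns_get_record($name . '.' . $zone, DNS_A);
        if ($records === false) {          // resolver failure; NXDOMAIN is an empty array
            $result['error'] = true;
            return $result;
        }
        foreach ($records as $record) {
            if (isset($record['ip']) && strpos($record['ip'], '127.0.0.') === 0) {
                $result['listed'] = true;
                $result['lists']  = surbl_list_names((int) substr(strrchr($record['ip'], '.'), 1));
                return $result;
            }
        }
    }
    return $result;
}

// Live check (needs a resolver): SURBL documents test.surbl.org as an always-listed test name.
// var_dump(surbl_check_url('http://test.surbl.org/some/path'));
```

Run the lookup against your own caching resolver; SURBL publishes usage limits and expects high-volume users to take a data feed rather than query through large shared public resolvers. Combined with the post's advice, that means checking at click-through time and caching verdicts for a short period rather than re-querying on every render.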


Link: http://www.snipe.net/2014/04/check-user-submitted-urls-for-malware-and-phishing-in-your-application

Mike Dalisay:
Salt, Hash and Store Passwords Securely with Phpass
April 08, 2013 @ 12:16:29

On Mike Dalisay's site there's a recent post showing how to use the phpass library to salt, hash and store password data in your application.

I think the main reason why we have to hash passwords is to prevent passwords from being stolen or compromised. You see, even if someone steals your database, they will never read your actual or cleartext password. I know that some PHP frameworks or CMSs already provide this functionality, but I believe that it is important for us to know how its implementation can be made.

His sample application stores the user data in a MySQL database and does the salting and hashing at request time, using a hard-coded salt and a stretching value of 8 (phpass's log2 iteration count). Screenshots of each page in the example application are also included. One caveat: a single salt shared by every account only defeats generic precomputed tables; it is the per-user random salt that phpass generates itself that stops one cracking pass from covering every user at once. PHP 5.5 and later also ship password_hash() and password_verify(), which produce the same kind of bcrypt hash natively.
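As an added example (not Mike Dalisay's code), here is the same job done with PHP's native password_hash()/password_verify() (PHP 5.5+, or the password_compat polyfill on 5.3.7+), which, like phpass's `new PasswordHash(8, false)` with `HashPassword()` and `CheckPassword()`, emits a bcrypt hash with a fresh random salt on every call. It also shows the fixed-salt anti-pattern beside it and the rehash path that lets you raise the work factor later. The cost of 10 and the sample passwords are choices made for this example.

```php
<?php
// Added example, not the tutorial's phpass code: native bcrypt hashing with
// a per-user random salt, the fixed-salt anti-pattern, and cost upgrades.

const BCRYPT_COST = 10;   // 2^10 rounds; phpass's "8" is the same knob. Raise as CPUs get faster.

// What a fixed, application-wide salt gets you: identical passwords produce
// identical stored values, and a leaked table plus the salt is cracked in a
// single pass of a wordlist.
const SITE_SALT = 'do-not-do-this';
function weak_hash($password)
{
    return sha1(SITE_SALT . $password);
}

// Correct: a random per-user salt is generated and embedded in the returned
// string ($2y$10$ + 22-character salt + 31-character hash), so nothing else
// needs to be stored next to it.
function hash_password($password)
{
    return password_hash($password, PASSWORD_BCRYPT, array('cost' => BCRYPT_COST));
}

/**
 * Check a login and say whether the stored hash should be replaced.
 * Returns array(bool $ok, string|null $upgradedHash). The rehash path is how
 * a cost increase rolls out: each account is upgraded on its next successful
 * login, the only moment the plaintext is available.
 */
function verify_password($password, $storedHash)
{
    if (!password_verify($password, $storedHash)) {
        return array(false, null);
    }
    $upgraded = null;
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, array('cost' => BCRYPT_COST))) {
        $upgraded = hash_password($password);
    }
    return array(true, $upgraded);
}

// Constructed demonstration: two accounts with the same password.
$password = 'correct horse battery staple';
$hashA = hash_password($password);
$hashB = hash_password($password);      // differs from $hashA because the salt differs
$sameWeak = weak_hash($password) === weak_hash($password);   // the fixed salt cannot tell them apart

list($okA) = verify_password($password, $hashA);
list($okB) = verify_password($password, $hashB);
list($okWrong) = verify_password('wrong password', $hashA);

// A legacy hash made with a lower cost verifies but comes back flagged for upgrade.
$legacy = password_hash($password, PASSWORD_BCRYPT, array('cost' => 5));
list($okLegacy, $upgraded) = verify_password($password, $legacy);

var_dump($hashA !== $hashB, $sameWeak, $okA && $okB, $okWrong, $okLegacy, $upgraded !== null);
```

Store the returned string in a VARCHAR(255) column (bcrypt needs 60 characters today; the slack is for future algorithms) and write it with a bound parameter, never by string concatenation; when a login succeeds and `$upgraded` is non-null, UPDATE the row with the new hash in the same request.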


Link: http://www.codeofaninja.com/2013/03/php-hash-password.html

PHPMaster.com:
Creating a PHP OAuth Server
January 01, 2013 @ 11:56:46

On PHPMaster.com today there's a new tutorial posted about creating your own OAuth server in PHP using the oauth-php package to do the "heavy lifting".

If you've ever integrated with another API that requires security (such as Twitter), you've probably consumed an OAuth service. In this article, I'll explore what it takes to create your own three-legged OAuth server allowing you, for example, to create your own secure API which you can release publicly.

They include a diagram of the three-legged OAuth flow (it's not the simplest thing) and the database structure and sample code you'll need to get the server up and listening. Also covered are a consumer registration form, issuing a request token and exchanging it for an access token. There's also sample code showing how to validate an incoming request and its access token to confirm that it is correctly signed and allowed.
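As an added example of that last step (not the tutorial's oauth-php code), here is the check a three-legged OAuth 1.0a server performs on every signed call, written from RFC 5849 section 3.4: normalize the URL, build the signature base string from all parameters, recompute the HMAC-SHA1 with the consumer and token secrets, and compare in constant time, after rejecting stale timestamps and reused nonces. The consumer key, token, secrets, nonce store and request at the bottom are constructed for the demonstration.

```php
<?php
// Added example, not the tutorial's code: OAuth 1.0a HMAC-SHA1 request
// verification per RFC 5849 section 3.4, with replay protection.

/** RFC 3986 percent-encoding as OAuth requires; '~' stays literal. */
function oauth_encode($s)
{
    return str_replace('%7E', '~', rawurlencode((string) $s));
}

/** scheme://host[:port]/path with lowercase scheme and host, default ports dropped, no query or fragment. */
function oauth_base_url($url)
{
    $p = parse_url($url);
    $scheme = strtolower($p['scheme']);
    $host = strtolower($p['host']);
    if (isset($p['port']) && !($scheme === 'http' && $p['port'] == 80) && !($scheme === 'https' && $p['port'] == 443)) {
        $host .= ':' . $p['port'];
    }
    return $scheme . '://' . $host . (isset($p['path']) ? $p['path'] : '/');
}

/** Base string from the method, normalized URL and every parameter (query, body and header merged). */
function oauth_base_string($method, $url, array $params)
{
    unset($params['oauth_signature']);          // local copy; the signature never signs itself
    $pairs = array();
    foreach ($params as $k => $v) {
        $pairs[] = array(oauth_encode($k), oauth_encode($v));
    }
    usort($pairs, function ($a, $b) {          // by encoded key, then encoded value
        return ($a[0] === $b[0]) ? strcmp($a[1], $b[1]) : strcmp($a[0], $b[0]);
    });
    $joined = array();
    foreach ($pairs as $pair) {
        $joined[] = $pair[0] . '=' . $pair[1];
    }
    return strtoupper($method) . '&' . oauth_encode(oauth_base_url($url)) . '&' . oauth_encode(implode('&', $joined));
}

function oauth_hmac_sha1($baseString, $consumerSecret, $tokenSecret)
{
    $key = oauth_encode($consumerSecret) . '&' . oauth_encode($tokenSecret);   // empty token secret for the request-token step
    return base64_encode(hash_hmac('sha1', $baseString, $key, true));
}

/**
 * $lookupSecret($consumerKey, $token) returns array($consumerSecret, $tokenSecret) or null.
 * $nonceSeen($consumerKey, $nonce, $timestamp) returns true if already used and records it otherwise.
 */
function oauth_verify($method, $url, array $params, $lookupSecret, $nonceSeen, $now = null)
{
    foreach (array('oauth_consumer_key', 'oauth_signature_method', 'oauth_timestamp', 'oauth_nonce', 'oauth_signature') as $k) {
        if (!isset($params[$k])) {
            return false;
        }
    }
    if ($params['oauth_signature_method'] !== 'HMAC-SHA1') {
        return false;
    }
    // Freshness window plus one-time nonces: a captured request cannot be replayed.
    $now = ($now === null) ? time() : $now;
    if (abs($now - (int) $params['oauth_timestamp']) > 300) {
        return false;
    }
    if ($nonceSeen($params['oauth_consumer_key'], $params['oauth_nonce'], $params['oauth_timestamp'])) {
        return false;
    }
    $token = isset($params['oauth_token']) ? $params['oauth_token'] : '';
    $secrets = $lookupSecret($params['oauth_consumer_key'], $token);
    if ($secrets === null) {
        return false;
    }
    $expected = oauth_hmac_sha1(oauth_base_string($method, $url, $params), $secrets[0], $secrets[1]);
    return hash_equals($expected, (string) $params['oauth_signature']);   // constant-time comparison
}

// Demonstration with constructed credentials: sign as the client, verify as the server.
$consumerSecrets = array('client-key' => 'client-secret');
$tokenSecrets    = array('token-1' => 'token-secret');
$lookup = function ($key, $token) use ($consumerSecrets, $tokenSecrets) {
    return (isset($consumerSecrets[$key]) && isset($tokenSecrets[$token]))
        ? array($consumerSecrets[$key], $tokenSecrets[$token]) : null;
};
$seen = array();
$nonceSeen = function ($key, $nonce, $ts) use (&$seen) {
    $id = "$key|$nonce|$ts";
    $dup = isset($seen[$id]);
    $seen[$id] = true;
    return $dup;
};
$url = 'HTTPS://Api.Example.com:443/photos?size=original';   // mixed case and default port exercise the normalization
$params = array(
    'size' => 'original',   // the query parameter is part of what gets signed
    'oauth_consumer_key' => 'client-key', 'oauth_token' => 'token-1', 'oauth_signature_method' => 'HMAC-SHA1',
    'oauth_timestamp' => (string) time(), 'oauth_nonce' => bin2hex(random_bytes(8)), 'oauth_version' => '1.0',
);
$params['oauth_signature'] = oauth_hmac_sha1(oauth_base_string('GET', $url, $params), 'client-secret', 'token-secret');
$fresh    = oauth_verify('GET', $url, $params, $lookup, $nonceSeen);   // a fresh, correctly signed request
$replayed = oauth_verify('GET', $url, $params, $lookup, $nonceSeen);   // the same nonce presented a second time
$params['size'] = 'large';                                              // a parameter changed after signing
$tampered = oauth_verify('GET', $url, $params, $lookup, $nonceSeen);
var_dump($fresh, $replayed, $tampered);
```

The nonce store must be shared across all web nodes (a database or cache keyed on consumer key, nonce and timestamp) and can expire entries older than the timestamp window; parameters that occur more than once (arrays) need one pair per value in the base string, which this example does not handle.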



Reddit.com:
Protecting against attack?
May 18, 2012 @ 10:19:35

In this recent post to Reddit.com, the question of application security is asked - the poster wants recommendations on how he should keep his app safe from would-be attackers:

I can code fairly well in PHP these days, but my security isn't so hot. Is there a tutorial or plugin you guys can recommend as to how I should be protecting my PHP pages/inputs? I want to avoid common attacks like XSS, inputs with NULL or DROP TABLE, etc.

Responses on the post include recommendations related to:

  • Using the Chorizo scanner to find common issues in your code
  • Using PDO for database connections (with bound parameters)
  • Not trusting "$_SERVER"
  • Data sanitization

There are also links to a few other resources with more details.
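As an added example (not from the thread itself), here is the PDO recommendation from the replies shown against the poster's own worry: the same attack string run through a concatenated query and through a prepared statement with bound parameters. It uses an in-memory SQLite database so it runs offline; the table, rows and attack string are constructed for the example, and the MySQL-specific attribute is noted in a comment.

```php
<?php
// Added example, not from the Reddit thread: SQL injection via string
// concatenation beside the bound-parameter fix, on an in-memory SQLite table.

function make_demo_db()
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // With MySQL also set PDO::ATTR_EMULATE_PREPARES to false so the server,
    // not the driver, does the binding.
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)');
    $db->exec("INSERT INTO users (name, email) VALUES ('alice', 'alice@example.org'), ('bob', 'bob@example.org')");
    return $db;
}

// Vulnerable: user input is spliced into the SQL text, so quotes in the
// input end the string literal and the rest is parsed as SQL.
function find_user_vulnerable(PDO $db, $name)
{
    return $db->query("SELECT id, name FROM users WHERE name = '$name'")->fetchAll(PDO::FETCH_ASSOC);
}

// Fixed: the SQL text is constant and the value travels separately as a
// bound parameter; whatever the input contains, it is compared as a name.
function find_user_safe(PDO $db, $name)
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute(array(':name' => $name));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// What binding cannot do: identifiers and keywords (column names, ORDER BY
// direction, table names) cannot be parameters, so whitelist them instead.
function list_users_sorted(PDO $db, $column, $direction)
{
    $allowed = array('id', 'name', 'email');
    if (!in_array($column, $allowed, true)) {
        throw new InvalidArgumentException('unknown sort column');
    }
    $direction = (strtoupper($direction) === 'DESC') ? 'DESC' : 'ASC';
    return $db->query("SELECT id, name FROM users ORDER BY $column $direction")->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed attack string: closes the quoted literal and appends a tautology.
function demo()
{
    $db = make_demo_db();
    $attack = "x' OR '1'='1";
    return array(
        'vulnerable_rows' => count(find_user_vulnerable($db, $attack)),   // every user
        'safe_rows'       => count(find_user_safe($db, $attack)),         // nobody is called x' OR '1'='1
        'sorted'          => list_users_sorted($db, 'name', 'desc'),
    );
}

var_dump(demo());
```

The "don't trust $_SERVER" reply in the thread is the same principle: HTTP_HOST, HTTP_REFERER, HTTP_USER_AGENT, HTTP_X_FORWARDED_FOR and PHP_SELF are all attacker-supplied and need the same binding and escaping as any form field.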



PHPMaster.com:
PHP Security Cross-Site Scripting Attacks (XSS)
May 01, 2012 @ 11:59:28

PHPMaster.com has a new tutorial posted today (by George Fekete) about preventing cross-site scripting attacks in your PHP-based applications.

Unfortunately, cross-site scripting attacks occur mostly because developers are failing to deliver secure code. Every PHP programmer has the responsibility to understand how attacks can be carried out against their PHP scripts to exploit possible security vulnerabilities. Reading this article, you'll find out more about cross-site scripting attacks and how to prevent them in your code.

Included in the tutorial is an example with a simple form, definitions of the two main types of XSS (reflected and persistent), and three ways to prevent them: data filtering, output escaping and data validation. He also links to a few cheat sheets to help even more (including an XSS guide and a Zend Framework set of XSS test data).



Stuart Herbert's Blog:
ContractLib - An Introduction & Comparing it to PHP's Assert
January 17, 2012 @ 10:58:38

Stuart Herbert has two new posts on his blog showing how to use ContractLib, the tool he's created for defining programming "contracts". In the first he shows some sample usage of the tool, and in the second he compares ContractLib's features with PHP's own assert() function.

ContractLib is a simple-to-use PHP component for easily enforcing programming contracts throughout your PHP components. These programming contracts can go a long way to helping you, and the users of your components, develop more robust code.

In his example tests he shows how to set a pre-condition on a method's input ensuring that it will always be the correct datatype (an array). In the comparison with PHP's assert() he lists the features each offers and notes that ContractLib allows much more flexible checks than simple assertion statements.



DeveloperDrive.com:
What Web Developers Need to Know About Cross-Site Scripting
October 17, 2011 @ 13:39:23

On the DeveloperDrive.com site there's a recent post that anyone wondering about cross-site scripting should read. It introduces the basic concept and two things you can do to help prevent it.

This little fable describes the most common vulnerability found in web sites, the Cross Site Scripting (XSS) attack. According to a report from WhiteHat Security 83 percent of websites they tested have had at least one serious vulnerability and 66 percent of all websites with vulnerabilities are susceptible to XSS attacks making it the most common vulnerability web developers face. To fix this, it takes 67 days on average. Tools like WebScarab and Paros Proxy can be used to scan sites for possible vulnerabilities.

They offer two simple pieces of advice that are all too easy to forget when developing applications: validate all user input to ensure it's what it should be, and escape any untrusted output (sometimes even your own!) before pushing it out to the page, using the escaping that matches where the data lands (HTML body, attribute, JavaScript or URL).
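As an added example serving both this post and the PHPMaster XSS tutorial above (it is not code from either article), here is input validation at the boundary paired with context-aware output escaping: one escaper each for HTML text and attributes, inline JavaScript, URL query components, and a user-supplied href, which is the case plain HTML escaping does not cover. The function names and the constructed malicious input are this example's own.

```php
<?php
// Added example, not from either article: validate input, escape output per context.

/** HTML body and attribute values. ENT_QUOTES also covers single-quoted attributes. */
function e_html($s)
{
    return htmlspecialchars((string) $s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** A value embedded in an inline <script>: these flags turn <, >, &, ' and " into \uXXXX escapes. */
function e_js($value)
{
    return json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

/** A single query-string component. */
function e_url_param($s)
{
    return rawurlencode((string) $s);
}

/**
 * A user-supplied URL used as an href. HTML escaping alone leaves
 * javascript: and data: links live; the scheme whitelist is what blocks them.
 */
function safe_href($url)
{
    $url = trim((string) $url);
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return '#';
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, array('http', 'https'), true)) {
        return '#';
    }
    return e_html($url);
}

/** Input validation: accept only what the field may contain and reject the rest; do not try to "clean" it. */
function validate_username($name)
{
    return is_string($name) && preg_match('/\A[a-z0-9_]{3,32}\z/', $name) === 1;
}

function render_profile($name, $bio, $site)
{
    if (!validate_username($name)) {
        throw new InvalidArgumentException('invalid username');
    }
    // The same $bio lands in four different contexts and gets four different escapers.
    return '<h1>' . e_html($name) . '</h1>'
         . '<p class="bio" title="' . e_html($bio) . '">' . e_html($bio) . '</p>'
         . '<a href="' . safe_href($site) . '">site</a>'
         . '<a href="/search?q=' . e_url_param($bio) . '">search</a>'
         . '<script>var bio = ' . e_js($bio) . ';</script>';
}

// Constructed malicious input: the output contains no live tag, attribute break or script URL.
echo render_profile('mallory', '</script><script>alert(1)</script>" onmouseover="alert(2)', 'javascript:alert(3)'), "\n";
```

Escaping at output time rather than at input time is what keeps the stored data usable in every context; if the same value is also written into a SQL query, that is a separate context with its own mechanism (bound parameters), not another escaper.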



SkyTechGeek.com:
10 Exceptional Tools For Website Testing
August 23, 2011 @ 13:25:22

Sometimes a little (external) testing of your website is in order and Gagan Chhatwal has posted his list of ten tools you can use to check everything from how much load the site can take to what can be done to optimize the load time.

When maintaining or running a website, webmasters need to keep in mind that one of the pertinent issues they will need to focus on is website testing, which is not only vital for the website itself but for the user as well, and one should not overlook its importance. [We have] collected some vital and free website testing tools which will help webmasters in testing their sites, thus saving users from conducting time-consuming, needless searches in finding the best resources pertaining to Web-related tools and info.

Among the tools on the list are services like:

Most of these resources are free services, if not then they have a trial where you can see if it's a good fit.




All content copyright, 2014 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework