Pádraic Brady:
PHP 5.6 and SSL/TLS Getting Better But Will PHP Programmers Actually Use It?
January 31, 2014 @ 11:24:32

In his latest post Pádraic Brady looks at a new addition to PHP (to be included in the next release) related to the SSL/TLS handling it provides in streams. He's happy to report that things are improving: this commit integrated an RFC allowing for TLS peer verification in PHP streams.

The RFC reverses PHP's course and provides PHP streams with defaults that enable both peer verification and host verification. The patch implements the RFC and it lets PHP leverage the local system's own certificate stash (e.g. Debian's ca-certificates) where possible to avoid PHP having to distribute a bundle of its own, while also assisting in backwards compatibility. [...] Once we have a PHP streams/sockets system with a passable level of default security, the rest will be left to programmers on the ground to change their practices.

With this new functionality coming in PHP 5.6, he strongly encourages developers to change how they're currently doing things and embrace this new verification to keep their code safer.


Link: http://blog.astrumfutura.com/2014/01/php-5-6-and-ssltls-getting-better-but-will-php-programmers-actually-use-it/

Liip Blog:
2-step verification with Google Authenticator and PHP
August 08, 2012 @ 13:12:01

With the recent focus on security (caused by some major issues with large companies) Google has responded by reinforcing their 2-Factor Authentication method. Thankfully, there's a way you can implement that functionality in your applications too using the information in this tutorial (note: the date of posting is older, but it's definitely relevant now).

Many large web services nowadays support 2-step verification to enhance the security for their users. [...] The main point about 2-step verification is that something else than your computer provides that token. If it's on your computer and that one gets stolen (or hacked into), it won't help much for the additional security. That's why you need a second device for those tokens.

They link to this library that can help you implement something similar to Google's Authenticator tool for your application.


Artur Ejsmont's Blog:
How to properly secure remote API calls over SSL from PHP code
September 19, 2011 @ 13:56:00

Artur Ejsmont has a new post with a passionate call to arms for anyone who thinks that just because their URL has "https" in it, it's secure. He presents his suggestion on how to properly secure SSL API calls for your PHP application.

Let's make something clear from the very start: JUST BECAUSE THERE IS https:// IN THE URL OF THE REMOTE SERVICE IT DOES NOT MEAN THE CONNECTION IS SECURE! I am sorry for the tone of this post but I am enraged by how popular this issue is online. If you ask why, I suggest a little experiment [involving changing your hosts file and using a self-signed certificate].

The issue he spotlights is all too common: an application talks to a remote service over SSL but doesn't actually verify the certificate in the process. He shows the bad example found in many scripts, which set CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST to turn this verification off, a very bad idea. To protect yourself from any kind of man-in-the-middle or DNS hijack, you should leave these on.
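As an added example that is not from Artur Ejsmont's post (nor from Pádraic Brady's item above), here is the bad cURL configuration next to the settings that actually verify the certificate, plus the matching stream-context options from the PHP 5.6 streams RFC; the helper names are my own and the CA bundle path is the one Debian's ca-certificates package installs.

```php
<?php
// Added example (not the linked post's code): insecure cURL settings beside the
// settings that verify the peer, and the stream-context equivalent.

// BAD: chain and host name checks disabled. Any certificate is accepted, so the
// self-signed certificate in the post's experiment is taken without complaint.
$insecure = [
    CURLOPT_SSL_VERIFYPEER => false,
    CURLOPT_SSL_VERIFYHOST => 0,
];

// GOOD: check the chain against the CA store and require the certificate to
// match the host in the URL (2 is the only meaningful VERIFYHOST value).
function secureOptions($url)
{
    return [
        CURLOPT_URL            => $url,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS,   // only allow https:// URLs
        // CURLOPT_CAINFO => '/path/to/ca-bundle.crt', if the system has no store
    ];
}

function fetchOverTls($url)
{
    $ch = curl_init();
    curl_setopt_array($ch, secureOptions($url));
    $body = curl_exec($ch);
    $err  = curl_error($ch);
    curl_close($ch);
    if ($body === false) {
        // A failed handshake (unknown CA, name mismatch) surfaces here; the fix
        // is to install the right CA, never to retry with verification off.
        throw new RuntimeException("TLS request to $url failed: $err");
    }
    return $body;
}

// Stream wrappers (file_get_contents, fsockopen) make the same decision through a
// context. PHP 5.6 turns both checks on by default; before 5.6 verify_peer was off.
$ctx = stream_context_create(['ssl' => [
    'verify_peer'      => true,
    'verify_peer_name' => true,                       // option introduced in PHP 5.6
    'cafile'           => '/etc/ssl/certs/ca-certificates.crt',   // Debian's bundle
]]);
```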


Liip Blog:
2-Step Verification with Google Authenticator and PHP
August 31, 2011 @ 09:53:05

On the Liip blog there's a recent post talking about a tool Google offers to help you authenticate your users, a one-time passcode generator called Google Authenticator. The post talks about a PHP port of the same idea.

The main point about 2-step verification is that something else than your computer provides that token. If it's on your computer and that one gets stolen (or hacked into), it won't help much for the additional security. That's why you need a second device for those tokens. Some banks do that with SMS/Text Messages (Facebook, too), others give you special devices for that (e.g. RSA keys) and the last group does it with your smartphone.

At the request of a client, they built just this for PHP: the GoogleAuthenticator library, which makes it easy to add to your application. There's even an example of it in use. For more information about the Google Authenticator tool, see this page on Google Code.
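For both Liip items, here is an added example, not code from Liip's GoogleAuthenticator library, of the algorithm that Google Authenticator actually runs (TOTP, RFC 6238, built on HOTP, RFC 4226) as the server-side check of the code the phone displays; the function names are my own and the secret at the end is the RFC's published test vector.

```php
<?php
// Added example (not Liip's library): TOTP (RFC 6238) over HOTP (RFC 4226), the
// algorithm Google Authenticator implements, as a server-side check of the code.

// Authenticator secrets are exchanged as base32; PHP has no built-in decoder.
function base32Decode($b32)
{
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $buffer = 0; $bits = 0; $out = '';
    foreach (str_split(strtoupper(rtrim($b32, '='))) as $c) {
        $v = strpos($alphabet, $c);
        if ($v === false) { throw new InvalidArgumentException("Invalid base32 char: $c"); }
        $buffer = ($buffer << 5) | $v;          // append 5 bits
        $bits += 5;
        if ($bits >= 8) {                       // emit a byte once 8 bits are buffered
            $bits -= 8;
            $out .= chr(($buffer >> $bits) & 0xFF);
            $buffer &= (1 << $bits) - 1;        // keep only the leftover bits
        }
    }
    return $out;
}

// HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation.
function hotp($secret, $counter, $digits = 6)
{
    $msg    = pack('NN', ($counter >> 32) & 0xFFFFFFFF, $counter & 0xFFFFFFFF);
    $hash   = hash_hmac('sha1', $msg, $secret, true);
    $offset = ord($hash[19]) & 0x0F;
    $code   = ((ord($hash[$offset]) & 0x7F) << 24) | (ord($hash[$offset + 1]) << 16)
            | (ord($hash[$offset + 2]) << 8) | ord($hash[$offset + 3]);
    return str_pad($code % pow(10, $digits), $digits, '0', STR_PAD_LEFT);
}

// TOTP server check: the counter is the number of 30-second steps since the Unix
// epoch; allow one step of drift either side and compare in constant time
// (hash_equals, PHP 5.6+). A real server must also remember codes it has accepted
// so that a code captured once cannot be replayed inside the window.
function verifyTotp($b32Secret, $code, $time = null, $window = 1)
{
    $secret = base32Decode($b32Secret);
    $step   = (int) floor(($time === null ? time() : $time) / 30);
    for ($i = -$window; $i <= $window; $i++) {
        if (hash_equals(hotp($secret, $step + $i), (string) $code)) { return true; }
    }
    return false;
}

// RFC 6238 test vector: secret "12345678901234567890" (base32 below) at T = 59.
var_dump(verifyTotp('GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ', '287082', 59));
```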


Abhinav Singh's Blog:
How to add content verification using hmac in PHP
December 08, 2009 @ 10:39:24

If you've ever wanted an easy "drop in" kind of solution for helping to protect a portion of your site, you should check out this new post from Abhinav Singh about using the hash_hmac functionality to do just that.

Many times a requirement arises where we are supposed to expose an API for intended users, who can use these API endpoints to GET/POST data on our servers. But how do we verify that only the intended users are using these APIs and not any hacker or attacker? In this blog post, I will show you the most elegant way of adding content verification using hash_hmac (Hash-based Message Authentication Code) in PHP. This will allow us to restrict possible misuse of our API by simply issuing an API key for intended users.

You set up a private and public key for each user who wants to connect to the resource. They then use the hmac functionality to sign their requests and send the result over to the requesting page as part of the message (GET/POST), where the public key is used to check the validity of the request and either allow or deny it.
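An added example of that scheme, not the code from Abhinav Singh's post: the client signs each request with hash_hmac using its private key and sends the public key along, and the server looks the secret up by public key, recomputes the HMAC and compares in constant time. The key table, the canonical string layout and the X-Api-* header names are choices made for this illustration.

```php
<?php
// Added example (not the post's code): signing an API request with hash_hmac and
// verifying it server-side. Header names, key table and canonical string layout
// are choices made for this illustration.

// Server-side table: public key id -> private key. Constructed sample data.
$API_KEYS = ['pk_demo_0001' => 's3cret-example-private-key-do-not-reuse'];

// Both sides must build exactly the same string or the signatures never match.
function canonicalString($method, $path, array $params, $timestamp)
{
    ksort($params);                            // parameter order must not matter
    return strtoupper($method) . "\n" . $path . "\n" . http_build_query($params) . "\n" . $timestamp;
}

// Client: send the public key, a timestamp and the HMAC made with the private key.
function signRequest($publicKey, $privateKey, $method, $path, array $params)
{
    $ts  = time();
    $sig = hash_hmac('sha256', canonicalString($method, $path, $params, $ts), $privateKey);
    return ['X-Api-Key' => $publicKey, 'X-Api-Timestamp' => $ts, 'X-Api-Signature' => $sig];
}

// Server: look up the secret by public key, recompute, compare in constant time.
// Rejecting old timestamps limits how long a captured request can be replayed.
function verifyRequest(array $keys, array $headers, $method, $path, array $params, $maxSkew = 300)
{
    if (!isset($headers['X-Api-Key'], $headers['X-Api-Timestamp'], $headers['X-Api-Signature'])) {
        return false;                          // request is not signed at all
    }
    if (!isset($keys[$headers['X-Api-Key']])) {
        return false;                          // unknown public key
    }
    if (abs(time() - (int) $headers['X-Api-Timestamp']) > $maxSkew) {
        return false;                          // stale request or bad clock
    }
    $expected = hash_hmac('sha256',
        canonicalString($method, $path, $params, $headers['X-Api-Timestamp']),
        $keys[$headers['X-Api-Key']]);
    // hash_equals (PHP 5.6+) avoids a timing side channel; never compare with ==.
    return hash_equals($expected, $headers['X-Api-Signature']);
}

$params  = ['user' => 'alice', 'action' => 'list'];
$headers = signRequest('pk_demo_0001', $API_KEYS['pk_demo_0001'], 'GET', '/api/items', $params);
var_dump(verifyRequest($API_KEYS, $headers, 'GET', '/api/items', $params));   // untouched request
$params['action'] = 'delete';
var_dump(verifyRequest($API_KEYS, $headers, 'GET', '/api/items', $params));   // changed after signing
```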


NETTUTS.com:
How to Implement Email Verification for New Members
May 19, 2009 @ 09:32:43

On the NETTUTS.com site, a new tutorial has been posted about implementing a system to validate new members/signups for your site via their email.

Have you ever created an account with a website, and were required to check your email and click through a verification link sent by the company in order to activate it? Doing so highly reduces the number of spam accounts. In this lesson, we'll learn how to do this very thing!

The system takes a user's information via the signup page (username and email address), does some checking on the input, inserts the information into a backend MySQL database and sends a validation email to the user's address. The email contains a custom link the user then clicks on that confirms them as a validated account.


Utah PHP Users Group:
PHP-CAPTCHA
July 13, 2006 @ 05:34:24

On the Utah PHP Users Group website today, there's a quick new tutorial concerning the creation of a CAPTCHA image for your site (using the GD functionality in PHP).

The following article includes code and examples on how to prevent bots from taking part in online polls, registering for free email accounts, more recently, preventing bot-generated spam by requiring that the (unrecognized) sender pass a CAPTCHA test before the email message is delivered [implemented in Yahoo]. They have also been used to prevent people from using bots to assist with massive downloading of content from multimedia websites.

First, they create the form the entire example centers around before even looking at the code. With that laid down and explained, they get into the image creation and addition of the string to make the "humans only" image. Finally, they show how to check the word entered for the CAPTCHA verification against a session variable to see if they're a match.


Nick Silvestro's Blog:
Verification is a Wonderful Thing
June 23, 2006 @ 06:39:48

In the neverending battle against spam comment posts on websites (or just bots in general), CAPTCHA has become one of the favored tools to make things "humans only". There are libraries out there that can help you drop it right into your page, but if you want to really know how it all works, you might check out this new tutorial from Nick Silvestro's blog.

So, as said, I've needed to whip together a user registration system, where the user can simply and easily hop onto a page, fill in a couple of text fields, hit submit and they've got an account, all set up and ready to go. A lot of this was simplified by the database design of the system, but I guess I can cover that in another article.

One of the problems with creating a non-administrated user registration system is verification. I really really don't want bots or anything other than a person that actually wants it registering accounts. It creates unwanted nuisances and erroneous data that I could really live without.

He touches on two methods for preventing these nuisances: verification emails and CAPTCHAs. Obviously, he opts for the latter and, before even starting, outlines his requirements. He leads you along, step by step, through code and explanations to help create a small CAPTCHA image with the help of the GD library. In the end, you'll have an image with plenty of background noise to fool bots, but clear enough for a human to read. The full code for the script is posted at the end.


PHPBuilder.com:
Visual Verification in PHP
March 03, 2006 @ 06:46:42

In this article from PHPBuilder.com they take a look at how to integrate a "visual verification" system into your web forms to prevent spammers (CAPTCHA).

Many topics on the discussion forums deal with the verification of form data. Often it is checked to determine whether or not the submission is from a user or from a "bot", if the email address entered is a valid address, or if all the information that is required has been entered into the form.

While it's fairly easy to check to see if a form field is empty, determining if the posted information came from a real human is another task altogether. Most forms now include image verification for just this reason. This article will demonstrate how to create a simplified image verification system.

They walk you through the code, explaining each step of the way. They start with the creation of a random string, background, and font color for the CAPTCHA image to use. It's flexible enough to produce either a random string or a single word. Once the string is made, they set up the image to be written to and push each letter into it, rotating it to make it that much more difficult for scripts to try to understand its contents.


All content copyright, 2014 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework