
Hackernoon.com:
How to Use Queue in Laravel 5.4 For Email Verification
Mar 30, 2017 @ 13:40:41

The Hackernoon.com site has a tutorial posted from Cloudways showing you how to use the queue handling for email verification in a Laravel 5.4 application. The tutorial walks you through the updates and additions you'll need to make to the user signup process to verify their email.

Today, I will demonstrate how you can use Queue in Laravel 5.4 for email verification by using integrated auth RegisterController. In addition, I will also show you how to add the email sending process to a queue to make your app processes faster.

In this article, I am going to use a database for the queue jobs. However, you can use Redis or any other drivers, as defined in the official docs.

The updates assume you've created the authentication/authorization system with Laravel's make:auth command. Once you've run that and the code is generated you can then make the changes:

  • updating the users table to store the email token
  • adding a table for the queue records
  • migrating the tables
  • updating the .env file with queue and mail information

They then go through the functionality to add to the app including the EmailVerification class, the email template and a SendVerficationEmail queue job. The last updates are to the auth registration process to push the sending of the verification email to the background and send another email when the email is confirmed.

tagged: verification email laravel queue tutorial

Link: https://hackernoon.com/how-to-use-queue-in-laravel-5-4-for-email-verification-3617527a7dbf

Rob Allen:
Using Phive to manage PHPUnit
Jan 05, 2017 @ 10:36:41

Rob Allen has a new post to his site sharing the work he's done to get PHPUnit managed with Phive, an "installation and verification environment" that is used in the installation of Phar archives.

I recently came across the Phive project and have had a play with it. Phive is part of phar.io and is intended to manage development tools such as PHPUnit in preference to using Composer's dev dependencies. The main advantages of Phive are that it uses the phar file of the tool and only keeps one copy of each version rather than downloading a new copy into each project.

He starts off talking briefly about how the tool works and what it's doing behind the scenes to download the phar archives requested. He shows how to define a target directory, install for global use and explains how GPG signatures fit into the installation process.

tagged: phive install phar manage gpg signature verification environment phpunit tutorial

Link: https://akrabat.com/using-phive-to-manage-phpunit/

Pádraic Brady:
PHP 5.6 and SSL/TLS: Getting Better But Will PHP Programmers Actually Use It?
Jan 31, 2014 @ 11:24:32

In his latest post Pádraic Brady looks at a new addition to PHP (well, to be included in the next release) related to the SSL/TLS handling it provides in streams. He's happy to report that things are improving. This commit integrated an RFC allowing for TLS peer verification in PHP streams.

The RFC reverses PHP’s course and provides PHP streams with defaults that enable both peer verification and host verification. The patch implements the RFC and it lets PHP leverage the local system’s own certificate stash (e.g. Debian’s ca-certificates) where possible to avoid PHP having to distribute a bundle of its own and while also assisting in backwards compatibility. [...] Once we have a PHP streams/sockets system with a passable level of default security, the rest will be left to programmers on the ground to change their practices.

With this new functionality coming in PHP 5.6, he strongly encourages developers to change how they're currently doing things and embrace this new verification to keep their code safer.

tagged: ssl tls php56 programmer peer verification rfc

Link: http://blog.astrumfutura.com/2014/01/php-5-6-and-ssltls-getting-better-but-will-php-programmers-actually-use-it/

Liip Blog:
2-step verification with Google Authenticator and PHP
Aug 08, 2012 @ 13:12:01

With the recent focus on security (caused by some major issues with large companies) Google has responded by reinforcing their 2-Factor Authentication method. Thankfully, there's a way you can implement that functionality in your applications too using the information in this tutorial (note: the date of posting is older, but it's definitely relevant now).

Many large web services nowadays support 2-step verification to enhance the security for their users. [...] The main point about 2-step verification is that something else than your computer provides that token. If it's on your computer and that one gets stolen (or hacked into), it won't help much for the additional security. That's why you need a second device for those tokens.

They link to this library that can help you implement something similar to Google's Authenticator tool for your application.

tagged: google authenticator twostep verification library


Artur Ejsmont's Blog:
How to properly secure remote API calls over SSL from PHP code
Sep 19, 2011 @ 13:56:00

Artur Ejsmont has a new post with a passionate call to arms for anyone who thinks that just because their URL has "https" in it, it's secure. He presents his suggestion on how to properly secure SSL API calls for your PHP application.

Let's make something clear from the very start: JUST BECAUSE THERE IS https:// IN THE URL OF THE REMOTE SERVICE IT DOES NOT MEAN THE CONNECTION IS SECURE! I am sorry for the tone of this post but I am enraged by how popular this issue is online. If you ask why I suggest a little experiment [involving changing your hosts file and using a self-signed certificate].

The issue he spotlights is all too common: a remote service is served over SSL, but the calling script doesn't actually verify the certificate in the process. He gives a bad example of how some scripts handle this, setting the CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST options to turn off this verification, which is a very bad idea. To protect yourself from any kind of man-in-the-middle or DNS hijack issues, you should leave these on.

tagged: ssl certificate api call protect verification


Liip Blog:
2-Step Verification with Google Authenticator and PHP
Aug 31, 2011 @ 09:53:05

On the Liip blog there's a recent post talking about a tool Google offers to help you authenticate your users, a one-time passcode generator called Google Authenticator. The post talks about a PHP port of the same idea.

The main point about 2-step verification is that something else than your computer provides that token. If it's on your computer and that one gets stolen (or hacked into), it won't help much for the additional security. That's why you need a second device for those tokens. Some banks do that with SMS/Text Messages (Facebook, too), other give you special devices for that (eg. RSA keys) and the last group does it with your smartphone.

At the request of a client, they created a tool that did just this, but for PHP. As a result, they created the GoogleAuthenticator library that makes it easy to implement in your application. There's even an example of it in use. For more information about the Google Authenticator tool, see this page on Google Code.

tagged: google authenticator library port twostep verification user qrcode


Abhinav Singh's Blog:
How to add content verification using hmac in PHP
Dec 08, 2009 @ 10:39:24

If you've ever wanted an easy "drop in" kind of solution for helping to protect a portion of your site, you should check out this new post from Abhinav Singh about using the hash_hmac functionality to do just that.

Many times a requirement arises where we are supposed to expose an API for intended users, who can use these API endpoints to GET/POST data on our servers. But how do we verify that only the intended users are using these API's and not any hacker or attacker. In this blog post, I will show you the most elegant way of adding content verification using hash_hmac (Hash-based Message Authentication Code) in PHP. This will allow us to restrict possible misuse of our API by simply issuing an API key for intended users.

You set up a private and public key for each of the users wanting to connect to the resource. They can then use the hmac functionality to send those over to the requesting page as a part of the message (GET/POST) where the public key is used to check the validity of the request and either allow or deny it.

tagged: content verification hmac hash tutorial


NETTUTS.com:
How to Implement Email Verification for New Members
May 19, 2009 @ 09:32:43

On the NETTUTS.com site, a new tutorial has been posted about implementing a system to validate new members/signups for your site via their email.

Have you ever created an account with a website, and were required to check your email and click through a verification link sent by the company in order to activate it? Doing so highly reduces the number of spam accounts. In this lesson, we'll learn how to do this very thing!

The system takes a user's information via the signup page (username and email address), does some checking on the input, inserts the information into a backend MySQL database and sends a validation email to the user's address. The email contains a custom link the user then clicks on that confirms them as a validated account.

tagged: tutorial member verification email


Utah PHP Users Group:
PHP-CAPTCHA
Jul 13, 2006 @ 05:34:24

On the Utah PHP Users Group website today, there's a quick new tutorial concerning the creation of a CAPTCHA image for your site (using the GD functionality in PHP).

The following article includes code and examples on how to prevent bots from taking part in online polls, registering for free email accounts, more recently, preventing bot-generated spam by requiring that the (unrecognized) sender pass a CAPTCHA test before the email message is delivered [implemented in Yahoo]. They have also been used to prevent people from using bots to assist with massive downloading of content from multimedia websites.

First, they create the form the entire example centers around before even looking at the code. With that laid down and explained, they get into the image creation and addition of the string to make the "humans only" image. Finally, they show how to check the word entered for the CAPTCHA verification against a session variable to see if they're a match.

tagged: captcha image tutorial form verification gd session

