do… Web Application Development and Security

Posts Tagged ‘PHP’

Who Says PHP Security Sucks?

Tuesday, November 24th, 2009

Who would say such a thing? Obviously we can’t let that stand. It’s time to bust some myths while raising our own game to the next level.

(An earlier version was published in php|architect, April 2009)

Aside from the trolls who frequent forums and blogs, it’s mainly the enterprise community which carries the lingering perception, rightly or wrongly, that PHP security sucks. As PHP continues to evolve toward the enterprise, it’s going through a slow and messy collision with enterprise culture, standards and criticism. Naturally, PHP and the community have been absorbing lessons and improving, though one of the least understood aspects of this is security and security perceptions. I hope that by discussing security, PHP’s progress can be made smoother and easier than otherwise.
Continue Reading…

See You at ZendCon 2009

Tuesday, October 6th, 2009

ZendCon 2009 Speaker

I’m looking forward to seeing everyone at ZendCon 2009, “the premier PHP conference”. I was selected to present a session:

Enterprise-Class PHP Security

Oxymoron no more! Learn what high-stakes organizations expect when evaluating the security of PHP applications. We’ll cover formal standards and processes, and tips on how to successfully navigate through the minefield.

“Who Says PHP Security Sucks?” Published in php|architect

Wednesday, April 29th, 2009

You heard right – my first article in print is in the April 2009 issue of php|architect.

The title isn’t just a rhetorical question; I actually describe who would say such a thing about PHP security. I also explain what about this perception is distorted and what isn’t – and how the PHP community can accelerate its growth into a market where it’s just becoming a contender.

If you already read the article, please comment!

DC PHP Conference 2007 – Security Highlights

Monday, November 12th, 2007

This year’s conference had a fairly heavy dose of security.

Chris Shiflett’s keynote, “Security 2.0″, included nice discussions of XSS (cross-site scripting) and CSRF (cross-site request forgery) with an AJAX scenario.

Ed Finkler presented on the PHPSecInfo project, a tool to scan the PHP environment for security issues, and Inspekt, a PHP library to protect applications from the potentially tainted contents of superglobals.

Eli White presented “Help, My Website Has Been Hacked! Now What?” and covered how to prepare for and respond to hacking incidents, based on his experiences at Digg.

Damien Seguy presented on MySQL Security.

While not primarily security-related, Keith Casey included some discussion about security while presenting “Designing REST Web Services”.

Q & A: Risk of Duplicates When Using MD5?

Monday, November 12th, 2007


Update April 27th, 2013 – WARNING – if your intention is to encrypt (hash) passwords, this isn’t the code you’re looking for. Because of massive advances in attacker capabilities the code in the original post is obsolete for that purpose. It’s better to use the built-in password hashing functions or an alternative made with appropriate techniques and expert review.


Yes, MD5 can produce hash collisions in a very small percentage of cases. For many uses this shouldn’t be significant, but for security there are better options.

I prefer the SHA-2 series, referred to as SHA-224/256/384/512, because the algorithms are strong and widely supported.

If you need the hashes to be un-guessable then I’d recommend hashing more than just the input data. A well accepted strategy is to include a secret key in the computation, resulting in a keyed-Hash Message Authentication Code (HMAC), and another useful technique is to concatenate a “salt”, which may or may not be secret, with the input.

PHP versions >= 5.1.2 have the hash_hmac() and hash() functions:

$hmac = hash_hmac('sha256', $data, $key); // hex string output

$hmac = base64_encode(hash_hmac('sha256', $data, $key, TRUE)); // force binary output before encoding

$hash = hash('sha256', $data . $salt);

PHP versions < 5.3 have the mhash() function:

$hmac = base64_encode(mhash(MHASH_SHA256, $data, $key)); // mhash produces binary output

$hash = bin2hex(mhash(MHASH_SHA256, $data . $salt));

There’s a nice table of algorithms and their properties on Wikipedia.

Original email discussion was on the DC PHP Developers Group list.

DC PHP Conference 2007

Tuesday, November 6th, 2007

I’m going to the DC PHP Conference 2007 in Washington, DC, November 7-9. The keynote will be “Security 2.0″ by Chris Shiflett. Looking forward to seeing the PHP security guru in action, and I’ll probably run into several members of the DC PHP Developers Group.