Tuesday, March 13, 2012

PHP: Security in PHP programming

Making PHP applications is pretty easy. Most people grasp the syntax rather quickly and will, within a short time, be able to produce a script that works using tutorials, references, books and help forums. The problem is that most people forget one of the most important aspects that one must consider when writing PHP applications: many beginners forget the security side of PHP. Generally, your users are nice people; they will do as they are told and you will have no problem with them whatsoever. However, some people are not quite as nice. Some are outright malicious and are seeking to do damage to your website. They will scrutinize your application for security flaws and exploit these holes. Often the beginner programmer did not know that these things would even be a problem, and so fixing the holes afterwards can itself be a problem. In this tutorial we will look at some of these issues so you can learn how to deal with them, and better yet, prevent them. Obviously I will not promise you that by following this tutorial you will never be successfully attacked. As you become bigger you will also become a bigger, and therefore more interesting, target.

phpSec is an open-source PHP security library that takes care of the common security tasks a web developer faces.

phpSec is pretty plug and play, but there are some steps to take before you are ready to harness the power of phpSec. The first thing is to include phpSec in your application:


require_once 'phpsec.class.php';

You should then be all set to start using phpSec in your application, as below:

require_once 'phpsec.class.php';
phpsec::$_dsn = 'filesystem:/var/www/phpSec/data';
phpsec::init();

Session Handler
All session data is encrypted using a user-specific encryption key that is stored in a cookie on the user's computer. This key is changed every 30 seconds. The data is saved in the phpSec store, allowing for storage in databases or flat files.
Easy to use

All you have to do to use the phpSec session handler is add phpSec to your application as described in the getting started section above. The session handler is enabled by default.
To disable it, just set phpsec::$_sessenable to false like this:

require_once 'phpsec.class.php';
phpsec::$_dsn = 'filesystem:/var/www/phpSec/data'; /* Note the filesystem: before the path. */

phpsec::$_sessenable = false; /* Disable phpSec session handler. */
phpsec::init();

Encrypting data in PHP can be done easily with phpSec. phpSec implements symmetric encryption using the mcrypt library, and is extremely easy to use. For example:

<?php
$data = 'This is some extremely secret information.';
/* Encrypt. */
$encrypted = phpsecCrypt::encrypt($data, 'secret key');
/* Decrypt. */
$data = phpsecCrypt::decrypt($encrypted, 'secret key');


Password hashing
To create a salted hash we use the phpsecHash::create() method. It takes just one argument: the password you wish to create a hash from.

<?php
require_once 'phpsec.class.php';
phpsec::init();

$hash = phpsecHash::create('password');
echo $hash;

Validating passwords
When validating a password we use the phpsecHash::check() method. This method takes two arguments. The first is the password we want to check, and the second is the hash we created before. phpsecHash::check() will automatically detect the method used to create the hash.

<?php
require_once 'phpsec.class.php';
phpsec::init();

/* $hash is the value returned earlier by phpsecHash::create(), loaded from wherever you stored it. */
if(phpsecHash::check($_POST['password'], $hash)) {
  echo "Valid password";
}

Changing hash method
There are several hash methods you could use to tune phpsecHash the way you want it to work; select one by setting phpsecHash::$_method before creating a hash:

    phpsecHash::BCRYPT
    phpsecHash::PBKDF2
    phpsecHash::SHA256
    phpsecHash::SHA512

<?php
require_once 'phpsec.class.php';
phpsec::init();
phpsecHash::$_method = phpsecHash::BCRYPT; /* Must be set before the hash is created. */

$hash = phpsecHash::create('password');
echo $hash;
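Putting the hashing, validation and method-selection steps together, here is an added example that is not from the original post or the phpSec project. It assumes the phpsec.class.php include and the filesystem store path shown earlier; the in-memory $users array and the registerUser()/loginUser() helpers are constructed for illustration and stand in for a real user table.

```php
<?php
// Added example (not from the original post or the phpSec project):
// a minimal register/login flow around phpsecHash::create() and
// phpsecHash::check(), with the hash method chosen up front.
// Assumption: phpsec.class.php is on the include path and the
// filesystem store path below is writable by the web server.
require_once 'phpsec.class.php';
phpsec::$_dsn = 'filesystem:/var/www/phpSec/data';
phpsec::init();

// Choose the hash method once, before any hash is created.
phpsecHash::$_method = phpsecHash::BCRYPT;

// Constructed in-memory "user table": username => stored hash.
// A real application would keep this in a database; only the
// hash is ever stored, never the plaintext password.
$users = array();

function registerUser(array &$users, $username, $password)
{
    // Refuse empty or non-string passwords rather than hashing them.
    if (!is_string($password) || $password === '') {
        return false;
    }
    $users[$username] = phpsecHash::create($password);
    return true;
}

function loginUser(array $users, $username, $password)
{
    // Unknown user or missing password: fail closed.
    if (!isset($users[$username]) || !is_string($password)) {
        return false;
    }
    // check() detects the method from the stored hash itself, so a
    // hash created before $_method was changed still validates.
    return phpsecHash::check($password, $users[$username]);
}

registerUser($users, 'alice', 'correct horse battery staple');

// Form input may be absent; treat a missing field as a failed login.
$submitted = isset($_POST['password']) ? $_POST['password'] : null;
if (loginUser($users, 'alice', $submitted)) {
    echo "Valid password\n";
} else {
    echo "Invalid password\n";
}
```

Setting phpsecHash::$_method happens before the first create() call because it only affects hashes created afterwards; existing hashes are still accepted by check(), which reads the method from the hash string.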

I think this is the best breakthrough in the field of PHP programming; however, it is still in beta release, so we will wait for the version that is even better.

source: http://phpseclib.com/download

2 comments:

Emime said...

hey look up this website for programmers...www.countcode.com, I worked by myself for 5 months to make it run...you can share and download codes, ask or answer forum questions, and you can count your code lines from your whole life of programming, sincerely Emi

Unknown said...

The article on Security in PHP programming is beneficial for all new programmers. In this article you explained all the safety tips very well. By creating passwords and other codes you can keep your programming safe.
digital signature certificate