Will Bond › Comments

"I haven't taken the time to write an article about an introduction to OO programming in PHP, however I think it would be good to point out some parts of the article that should be taken with a grain of salt. The article starts off with an incorrect statement that OO programming was first adapted by video game designers. The Wikipedia page about OO has some history if you are interested: http://en.wikipedia.org/wiki.... The articles goes on to use confusing terminology saying that private members can't be accessed via instances (objects), however that isn't really the case. Private members can be accessed via instances as long as that is done in instance or static methods of the class. The examples of various Animal classes switch from a private $_color to a public one, whereas the final Animal class should really use a protected $_color to allow access in the child classes without allowing access outside of the classes. Stylistically the code examples aren't..." - Will Bond

"There are a lot of PHP frameworks out there. It would be beneficial to potential users if they tried to highlight some focuses, strengths and features of their implementation. Some developers release code as open source since the effort to write it has already been exerted, however I'm talking more about those who take the time to write decent documentation and promote the project. Obviously there needs to be more substance than “writing less code” or “making programming fun again.” It would be great if they talked about the architectural patterns that were used throughout the code, supported databases, the ORM implementation, configuration methodology, security, etc. This could allow for evaluation without having to read through lots of documentation or even implementing a small site with it." - Will Bond

Looks pretty slick - Will Bond

"vim is one of the most user friendly pieces of software I have ever used" <- LOL - Will Bond

"Bcrypt is a blowfish-based hashing algorithm that includes an expensive key setup, which was picked on purpose to make the algorithm take longer. Mcrypt is a Unix library (and corresponding PHP extension) for performing encryption and decryption of data. Bcrypt is available via the http://php.net/crypt function on certain OSes in PHP <= 5.2 and all OSes in PHP 5.3. Mcrypt is available as a PHP extension - http://php.net/mcrypt." - Will Bond

"Yes, actually speed has everything to do with it. The speed at which the algorithm runs affects the speed at which your password can be cracked. You can read about it at http://www.securityfocus.com/blogs...." - Will Bond

"But that only works once, not repeatedly, because the user gets redirected to the form action URL." - Will Bond

"I agree, regenerating the session id on every request is overkill. Definitely do it right after a user logs in or changes permission levels." - Will Bond

"Good points. Preventing XSS and SQL injection are paramount. Otherwise attackers can insert whatever code they want into your site. For people who are interested, I have a fairly extensive PHP security page I wrote up for an open source project I run. It gives an overview all of the general security concerns when building sites with PHP. http://flourishlib.com/docs..." - Will Bond

"A really good read about password hashing is http://www.securityfocus.com/blogs.... In short, bcrypt is better because it is slower, and can be made even slower as computers get faster. And yes, it is a (one-way) hash function. PHP supports it on compatible OSes in PHP <= 5.2 and all OSes in PHP 5.3. See http://php.net/crypt for details." - Will Bond

"A really good read about password hashing is http://www.securityfocus.com/blogs.... In short, bcrypt is better because it is slower, and can be made even slower as computers get faster. And yes, it is a (one-way) hash function. PHP supports it on compatible OSes in PHP <= 5.2 and all OSes in PHP 5.3. See http://php.net/crypt for details." - Will Bond

"That makes sense, I just found that the archive.org is broken (for me)." - Will Bond

"There isn't any way to perform automated POST actions across domains in modern browsers, so it won't add any protection. The key is to ensure it only accepts POST and not GET. With GET, JS could be used to create img elements on the fly with the login URL as the src attribute." - Will Bond

"This is not one of the most secure login systems because it only uses md5 instead of bcrypt. CSRF tokens are useless in a login system. If someone enters their password into another site, the attacker will just take the password instead of sending it to your site. Simply requiring the user POST to (instead of GET) the login page is all that is needed. The one good thing this article recommends is regenerating the session id after a successful login to prevent session fixation." - Will Bond

"CSRF tokens are only useful on a login system if the user is liable to type their password into some other site. If this is the case, they will suffer a phishing attack very quickly and the attacker won't bother to send the password to your site, they'll just record it. CSRF tokens should be used in conjunction with only allowing constructive/destructive actions via the HTTP POST method on all other parts of a site behind a login." - Will Bond

"Here is a working link to Thomas Ptacek's blog: http://www.securityfocus.com/blogs... Bcrypt is available via the http://php.net/crypt function depending on your OS in PHP 5.2 and under. PHP 5.3 contains a native bcrypt implementation fallback, so it is always available." - Will Bond

"The only way you could regenerate the password hash on every page load is to have the original password in plaintext in the session or database. This is bad, don't do it. Regenerating the password hash on each login does nothing. As soon as an attacker gets a single version of the hashed password they can crack it. Changing the salt doesn't change the password, so as soon as they crack one salt, they are all set. Instead of doing either of these things, use a password hashing algorithm that is slow. The standard is bcrypt. http://www.securityfocus.com/blogs..." - Will Bond

"1. Use SSL for at least the login (or if applicable the whole site and use the ini setting session.cookie_secure to prevent the session id cookie from being transmitted over a non-secure connection) 2. Regenerate the session ID after login to prevent session fixation attacks 3. Use bcrypt for your password hashing, MD5 is too fast (http://www.securityfocus.com/blogs...) 4. Only allow logins via POST to prevent malicious sites from hitting the login page via GET 3 times and locking out a user 5. Don't use the $_REQUEST superglobal since it is vulnerable to request value fixation via cookies" - Will Bond

"Your advice to not store the salt is very dangerous. If you aren't storing a salt, but instead using a deterministic modification of the password, your schema is now susceptible to a custom rainbow table. For instance, trying running your algorithm for "password" twice. You always get the same result. This is very bad. The code would be: $hash = hash('sha256', md5("password") . "password"); This will always output: be4296045a168d1c2a484b625bf67477dcf748c86de3f2a94a14ba9eefb53669 Because of this, I can generate a rainbow table with this custom algorithm using RainbowCrack and obtain a large number of the passwords in your user database. If you used a unique salt per password, generating a custom rainbow table would not be possible. Instead I would know the salt for each user, but I would have to brute force each one. As I mentioned in reply to another comment on this page, the best thing you can do to make the hashes more secure is to use a cryptographically slow algorithm. You..." - Will Bond

"Unfortunately your functions do nothing but "hide" the salt in the hash, they don't actually provide any extra security. Checking the hash has to be deterministic, otherwise it would not be possible to check it. It does not matter if you hide the salt or not, with any reasonably secure salt, the hash will not be available by a rainbow table and thus the password needs to be brute forced. If you want to provide more secure hashes, you need to make the calculation of the hash slower. A simple approach is to loop through sha1 1000 (or 10,000) times with the result of the last iteration and the salt going into the next. A more complex, but generally considered more secure solution, is to use bcrypt. See http://php.net/crypt. As of PHP 5.3, bundled algorithms are included to allow use of bcrypt even if the OS does not provide it." - Will Bond

I dunno if I would exactly call them "micro"payments, but $0.05 + 5% is better than $0.29 + 2.9% - Will Bond

Ouch - Will Bond

Interesting little language - Will Bond

"Exactly. Spending a little time in a profiler will very quickly show you simple ways to increase your performance on a couple of orders of magnitude more than worrying about only ever using single quotes. Some things that spring to mind include duplicate filesystem access, lots of calls to time(), lots of individual database calls instead of one or two larger ones, retrieving unnecessary data from the database, using unqualified paths for include()/require(), using include_once()/require_once(), using an opcode cache. Rasmus's DrupalCon 2008 talk has some solid information about improving the performance of PHP scripts. http://talks.php.net/show..." - Will Bond

The HN comments have a great back-and-forth between tptacek and cperciva - Will Bond

"If you are interested in something on the more modular side that doesn't enforce MVC, I built [Flourish](http://flourishlib.com). It is focused on being smallish, with good portability and compatibility, and a number of security features. There's pretty extensive documentation and a decent community is forming, although there aren't many tutorials yet." - Will Bond

Shudder - Will Bond

They just added Boston - at $99 I am kind of tempted to go - Will Bond

Similar to what Jeff shared a month or so ago, but with some stats - Will Bond

The second comment on the actual blog post is a nice perspective you don't see much online. - Will Bond

This seems like it has some pretty nice usage of decorators for routing - Will Bond

Yea. Looks really great on the surface. - Jeff