Password encryption using PHP
A recent post on dzone.com linked to an article about “password encryption using PHP” written by Stefan Ashwell on total.php.com. In this article he shows how to store user passwords and authenticate users using the sha1 hashing algorithm.
First of all, let us all agree that hashing passwords is a basic requirement for a secure web application. But is a plain hash of the password enough? I do not think so.
Here is the scenario. Someone breaks into your system (not through the web application, but for instance through an ssh connection) and gets access to the database or file where you store user account information. The intruder now holds the user names and password hashes of all your users, hashed with md5, sha1 or a similar algorithm. If the intruder is determined to get into your system and mess things up, he can try to recover the passwords with a dictionary attack: loop through a word list containing common words and password phrases, compute the md5 or sha1 hash of every candidate and compare it with the stored hashes. Every match is a cracked account. Rainbow tables are a related but distinct technique: the hashes of a huge candidate set are computed once, stored, and reused against any unsalted hash made with that algorithm. Neither method is advanced, and both are very common. Worse, md5 and sha1 are fast hashes, so an attacker can test millions of candidates per second on ordinary hardware.
Even though this takes some time, the weak passwords will eventually fall and the intruder gets full access to those accounts. There is however a method that makes this considerably harder, and that is salting your password hashes.
Example:
$salt = '2glkpe895';
$password = $_POST['password'];
$encrypted_password = sha1($salt . $password . $salt);
As you can see, the salt is a secret string known only to your application; it is prepended and appended to the password before hashing. You could of course go the extra mile and split the password in two and put the salt in the middle, but that adds nothing.
Because the hashed string no longer equals any dictionary word, an intruder who holds only the hashes cannot crack them with a standard word list or a precomputed rainbow table. Two caveats a practitioner would add. First, a single fixed salt shared by all users (often called a pepper) is only as secret as your code: once the intruder has read it, he can again hash the whole dictionary once and test it against every user at the same time. A random per-user salt stored next to each hash forces a separate attack per user and makes precomputed tables useless, and it is what "salting" usually means. Second, sha1 is a fast hash; a deliberately slow password hash such as bcrypt makes every guess far more expensive.
The point is that if the intruder gets partial access to some of your system, for instance the user database, that alone is not enough to get into the accounts, because the security is layered: one layer in your code (the salt), and one layer in your user database (the hashes).
I do not claim this method is 100 percent secure, but it is far more secure than storing unsalted hashes.
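To make the dictionary attack above concrete, here is an added example, written for this page and not taken from Stefan Ashwell's article, that runs the attack against three storage schemes: plain sha1, the single application salt used above, and a random per-user salt. It ends with PHP's built-in password_hash(). The user table, the passwords and the dictionary are constructed for the illustration; the code assumes PHP 7 or newer for random_bytes().

```php
<?php
// Added example, not from the original post. The user table, passwords and
// dictionary below are constructed; $appSalt is the fixed salt from the post.

$appSalt = '2glkpe895';

// A small constructed word list of the kind an intruder would use.
$dictionary = array('letmein', 'password', 'monkey', 'qwerty', 'summer2008');

// Scheme 1: unsalted sha1, as in the article being discussed.
function hashPlain($password)
{
    return sha1($password);
}

// Scheme 2: one fixed application-wide salt (a "pepper"), as in the post.
function hashAppSalt($password, $appSalt)
{
    return sha1($appSalt . $password . $appSalt);
}

// Scheme 3: a random salt generated per user and stored next to the hash.
// The salt is not secret; its job is to make every user's hash unique.
function hashPerUser($password)
{
    $salt = bin2hex(random_bytes(16));          // PHP 7+
    return $salt . '$' . sha1($salt . $password);
}

function verifyPerUser($password, $stored)
{
    list($salt, $hash) = explode('$', $stored, 2);
    return hash_equals($hash, sha1($salt . $password));
}

// Dictionary attack: hash each candidate once and compare it with every
// leaked hash. One pass over the dictionary tests all users at the same time.
function dictionaryAttack(array $leakedHashes, array $dictionary, callable $hashFn)
{
    $cracked = array();
    foreach ($dictionary as $word) {
        $candidate = $hashFn($word);
        foreach ($leakedHashes as $user => $hash) {
            if ($candidate === $hash) {
                $cracked[$user] = $word;
            }
        }
    }
    return $cracked;
}

// Constructed accounts: two weak passwords, one strong one.
$users = array('alice' => 'letmein', 'bob' => 'qwerty', 'carol' => 'Tr0ub4dor&3');

// Scheme 1: alice and bob fall in a single pass.
$leakPlain = array_map('hashPlain', $users);
print_r(dictionaryAttack($leakPlain, $dictionary, 'hashPlain'));

// Scheme 2: with only the database, the plain dictionary finds nothing...
$leakApp = array();
foreach ($users as $u => $p) {
    $leakApp[$u] = hashAppSalt($p, $appSalt);
}
print_r(dictionaryAttack($leakApp, $dictionary, 'hashPlain'));
// ...but once the code (and so $appSalt) has leaked too, one pass again
// cracks every weak password.
print_r(dictionaryAttack($leakApp, $dictionary, function ($w) use ($appSalt) {
    return hashAppSalt($w, $appSalt);
}));

// Scheme 3: the salts are visible, but differ per user, so the whole
// dictionary has to be rehashed for each account and no precomputed table
// applies. Verification still works for the right password only.
$leakPerUser = array_map('hashPerUser', $users);
var_dump(verifyPerUser('letmein', $leakPerUser['alice'])); // true
var_dump(verifyPerUser('letmein', $leakPerUser['bob']));   // false

// What to use today: password_hash() generates the per-user salt itself and
// uses a deliberately slow algorithm (bcrypt by default), so each guess costs
// far more than one sha1 call.
$stored = password_hash($users['alice'], PASSWORD_DEFAULT);
var_dump(password_verify('letmein', $stored)); // true
```

The sha1-based scheme 3 is kept only to show the effect of the salt in isolation; in a real application the last four lines are the whole solution.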
whoisi.com
John Resig posted a note on his blog about whoisi.com, a social network aggregator. The system is ingeniously simple: search for the name you are looking for. I did a search for myself :P.
All similar names are listed; if the name is not listed, just add it. To each name you can attach a bunch of links, for instance facebook, twitter, linkedIn, blogs and so on. Everyone can add a person and attach links.
My page on http://whoisi.com/p/1383
Firefox killing the sound on my Ubuntu box
Tonight I encountered a rather strange problem on my Ubuntu box. I was doing nothing special on my machine, just surfing and listening to music, and suddenly there was no sound?!?
A quick search on ubuntuforums.org gave me the solution. The problem seems to be Firefox: killing the firefox processes and restarting alsa-utils did the trick for me, and voilà, the sound is back.
The howto get the sound back is found here: http://ubuntuforums.org/showthread.php?p=2742327
BTW: starting firefox again did not cause any problems
PHP Vikinger
I attended the PHP Vikinger unconference in Skien on Saturday. Rather than writing my own wrap-up of the unconference I chose to link to the wrap-ups written by Mats Lindh and Derick Rethans.
Notes from Mats: http://e-mats.org/2008/06/php-vikinger-notes/
Notes from Derick: http://phpvikinger.org/news/news-2008-05-23
Project management
Adaptive Path has a brilliant article about project management and how to create a centre of creativity and productivity.
I’ve had the chance to work with a couple of project managers who had the same philosophy as described in the Adaptive Path article, and can say with certainty that such an approach does work and gives the project members a real boost of creativity and efficiency.
I’m looking for a job in Newcastle (UK)
I’ve started to look for a job in Newcastle upon Tyne since my girlfriend and daughter are moving there in September. I’ve posted my resume and profile on totaljobs.co.uk, monster.co.uk, cwjobs.co.uk and justengineers.net. I’ve also set up a few job mailers which send me the most recent IT jobs registered on the sites mentioned above.
So far I haven’t found any perfect matches; however, I’ve applied for a few jobs that sound interesting.
Please take a look at my LinkedIn profile or resume if you are hiring and looking for a web developer or software engineer, and do not hesitate to contact me.
It is a bit sad that I have to resign from my position at Derdubor AS, because I have a couple of really good colleagues there and I learned a lot working there. However, I’m looking forward to new challenges in Newcastle.
Writing SOA applications with PHP
Lately I’ve been working a lot on data integration between several web applications, and a natural choice for the integration was a Service Oriented Architecture (SOA). I’ve built both SOA servers and clients before using SOAP, which is a superb way of transferring data when you do not know who the user of the service is, or when you are a client of such a service. In this setting, however, I knew who the user was, I knew what the service would be used for, and I had the chance to write both the client and the server.
The choice fell on a simple implementation using JSON (JavaScript Object Notation). This is really easy with the built-in json extension in PHP: the server uses json_encode() and the subclass of the client uses json_decode() on the response.
To simplify this further I implemented two abstract classes, a ServiceServer class and a ServiceClient class. The service server class contains a very simple displayJSONResult function, which sets the correct header, encodes the data as JSON and echoes it.
The service client class has two main functions, doGetRequest and doPostRequest, both using the cURL extension in PHP. One point worth stating up front: the client must verify the server's TLS certificate (CURLOPT_SSL_VERIFYPEER), otherwise anyone on the network path between client and service can impersonate the service and feed the client arbitrary data.
Server
<?php
abstract class ServiceServer
{
    public function __construct(){}

    /**
     * Send $data to the client as JSON and stop.
     *
     * @param mixed $data anything json_encode() accepts
     */
    protected function displayJSONResult($data)
    {
        // Declare the body as JSON so that clients and browsers do not sniff it as HTML.
        header('Content-Type: application/json');
        echo json_encode($data);
        exit();
    }
}
Client
<?php
/**
 * ServiceClient
 *
 * @author Kristian Lunde
 */
class ServiceClient
{
    public function __construct(){}

    /**
     * Create a cURL handle with the options every request needs.
     *
     * The server certificate and host name are verified on https URLs;
     * turning CURLOPT_SSL_VERIFYPEER off would let anyone on the network
     * path impersonate the service. The timeouts stop a dead service from
     * hanging the calling page.
     *
     * @param string $url
     * @return resource|CurlHandle
     */
    private function initRequest($url)
    {
        $ch = curl_init($url);
        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
        curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 5);
        curl_setopt($ch, CURLOPT_TIMEOUT, 10);
        return $ch;
    }

    /**
     * do a post request to a service
     *
     * the params parameter must be a string with the format:
     * key=val&key2=val2&key3=val3
     * (build it with http_build_query() so that values are percent-encoded)
     *
     * @param string $url
     * @param string $params
     * @return string|false the response body, or false on failure
     */
    protected function doPostRequest($url, $params)
    {
        $ch = $this->initRequest($url);
        curl_setopt($ch, CURLOPT_POST, 1);
        curl_setopt($ch, CURLOPT_POSTFIELDS, $params);
        $result = curl_exec($ch);
        curl_close($ch);
        return $result;
    }

    /**
     * do a get request to a service
     *
     * @param string $url
     * @return string|false the response body, or false on failure
     */
    protected function doGetRequest($url)
    {
        $ch = $this->initRequest($url);
        $result = curl_exec($ch);
        curl_close($ch);
        return $result;
    }
}
Example
To illustrate the simplicity of this SOA approach I have written a small example. The server finds the country of a city given as a POST parameter, or the cities of a country given as a GET parameter.
Example server
<?php
/**
 * Example of using the ServiceServer class
 *
 * Returns countries or cities
 *
 * @author Kristian Lunde
 */
require_once('ServiceServer.php');

class ExampleServer extends ServiceServer
{
    /** @var array country name => list of cities */
    private $countries;

    public function __construct()
    {
        $this->countries = array('norway'  => array('Oslo', 'Trondheim', 'Bergen', 'Halden', 'Sarpsborg', 'Hammerfest'),
                                 'sweden'  => array('Stockholm', 'Gothenburg', 'Karlstad'),
                                 'england' => array('London', 'Newcastle', 'Bath', 'Liverpool'));

        // Only accept scalar parameters: a request like ?country[]=x would hand trim() an array.
        if(isset($_GET['country']) && is_string($_GET['country']))
        {
            $this->findCitiesByCountry(trim($_GET['country']));
        }

        // The city arrives as a POST parameter, so it is read from $_POST.
        if(isset($_POST['city']) && is_string($_POST['city']))
        {
            $this->findCountryByCity(trim($_POST['city']));
        }
    }

    public function findCitiesByCountry($country)
    {
        $cities = 'Not found';
        $country = strtolower($country);

        if(isset($this->countries[$country]))
        {
            $cities = $this->countries[$country];
        }

        $this->displayJSONResult($cities);
    }

    public function findCountryByCity($city)
    {
        $country = 'Not found';

        // Exact, case-sensitive match; stop at the first country that lists the city.
        foreach($this->countries as $key => $val)
        {
            if(in_array($city, $val, true))
            {
                $country = $key;
                break;
            }
        }

        $this->displayJSONResult($country);
    }
}

$obj = new ExampleServer();
?>
Example client
<?php
/**
 * Example of using the ServiceClient class
 *
 * does a request to the ExampleServer
 *
 * @author Kristian Lunde
 */
require_once('ServiceClient.php');

class ExampleClient extends ServiceClient
{
    public function __construct()
    {
        $this->getCities('Norway');
        $this->getCountry('Bath');
    }

    public function getCities($country)
    {
        // Percent-encode the parameter so that spaces, '&' or '=' in $country cannot alter the query string.
        $url = 'http://files.klunde.net/files.klunde.net/ExampleServer.php?' . http_build_query(array('country' => $country));
        echo $this->doGetRequest($url);
    }

    public function getCountry($city)
    {
        $url = 'http://files.klunde.net/files.klunde.net/ExampleServer.php';
        // Same encoding for the POST body (key=val&key2=val2 form).
        $params = http_build_query(array('city' => $city));
        echo $this->doPostRequest($url, $params);
    }
}

$obj = new ExampleClient();
?>
I’m quite satisfied with this implementation because it is so easy to maintain and, even more important, implementing new services and clients for them is straightforward and supports rapid development.
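The ExampleClient echoes whatever the server returns straight into the page and builds its URLs by string concatenation. The following added example, written for this page and not part of the classes above, shows the client side done defensively: request parameters encoded with http_build_query(), and the response checked for its Content-Type and for valid JSON before anything is used. The responses are constructed strings standing in for the return value of curl_exec(); the https://example.invalid host is a placeholder; the check assumes the server declares its body as application/json (if your ServiceServer sends text/plain, adjust the expected type or, better, change the server); and json_last_error_msg() needs PHP 5.5 or newer.

```php
<?php
// Added example, not part of the original post. All responses below are
// constructed strings; on a real request they would come from curl_exec()
// and the content type from curl_getinfo($ch, CURLINFO_CONTENT_TYPE).

// Build the GET URL for findCitiesByCountry. A country name containing
// '&', '#' or spaces must not be able to add or break query parameters.
function buildCitiesUrl($base, $country)
{
    return $base . '?' . http_build_query(array('country' => $country));
}

// Build the POST body for findCountryByCity in the key=val&key2=val2 form
// the ServiceClient docblock asks for, with proper percent-encoding.
function buildCityPostBody($city)
{
    return http_build_query(array('city' => $city));
}

// Decode a service response strictly: returns the decoded value or throws.
function decodeServiceResponse($body, $contentType)
{
    // Refuse anything not declared as JSON. An HTML error page from a proxy
    // or a misconfigured server must never be echoed into our own page.
    if (stripos((string) $contentType, 'application/json') !== 0) {
        throw new RuntimeException('Unexpected Content-Type: ' . $contentType);
    }
    // Bound the nesting depth; json_decode() returns null when it is exceeded.
    $data = json_decode($body, true, 8);
    if ($data === null && json_last_error() !== JSON_ERROR_NONE) {
        throw new RuntimeException('Malformed JSON: ' . json_last_error_msg());
    }
    return $data;
}

// Bring the decoded value into a known shape: the service answers with either
// a list of city names or the string 'Not found'.
function citiesFromResponse($data)
{
    if ($data === 'Not found') {
        return array();
    }
    if (!is_array($data)) {
        throw new UnexpectedValueException('Expected a list of cities');
    }
    foreach ($data as $city) {
        if (!is_string($city)) {
            throw new UnexpectedValueException('City names must be strings');
        }
    }
    return array_values($data);
}

// ---- Demonstration with constructed inputs ------------------------------
$base = 'https://example.invalid/ExampleServer.php'; // placeholder host

echo buildCitiesUrl($base, 'norway'), "\n";
// A hostile value cannot smuggle in a second parameter:
echo buildCitiesUrl($base, 'norway&country=sweden'), "\n";
// prints ...?country=norway%26country%3Dsweden

echo buildCityPostBody('Newcastle upon Tyne'), "\n";
// prints city=Newcastle+upon+Tyne

// A well-formed answer, as ExampleServer would give for ?country=sweden
$good = '["Stockholm","Gothenburg","Karlstad"]';
print_r(citiesFromResponse(decodeServiceResponse($good, 'application/json')));

// 'Not found' for an unknown country becomes an empty list
var_dump(citiesFromResponse(decodeServiceResponse('"Not found"', 'application/json')));

// An HTML error page is rejected instead of being echoed to the browser
try {
    decodeServiceResponse('<html><script>alert(1)</script></html>', 'text/html');
} catch (RuntimeException $e) {
    echo 'Rejected: ', $e->getMessage(), "\n";
}

// Truncated JSON is rejected as well
try {
    decodeServiceResponse('["Oslo","Trondheim"', 'application/json');
} catch (RuntimeException $e) {
    echo 'Rejected: ', $e->getMessage(), "\n";
}
```

In a subclass of ServiceClient the decode step would sit between doGetRequest() and whatever uses the data, and the shape check (citiesFromResponse) is what keeps a changed or compromised service from pushing unexpected types into your own code.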
Download
Using GNU screen
Recently I’ve been the victim of a really unstable internet connection. This lack of stability has made me a great fan of the GNU screen command on unix systems.
GNU Screen is a small piece of software that lets you run a number of terminals inside a single terminal window. The great advantage of screen is that if you lose your internet connection, the screen terminals and the programs running inside them keep running on the server, unlike programs started directly in the ssh session to your remote server, which die when the session drops.
Screen is really simple, and in most cases you only need a few commands:
- starting a session
- listing all running sessions
- attaching to a session
- detaching from a session
- killing a session
Creating a new screen session
Command: screen
Example:
kristian@Saturn:~$ screen
Listing all active screen sessions
Command: screen -ls
Example:
There are screens on:
11179.pts-0.Saturn (Detached)
11114.pts-0.Saturn (Detached)
2 Sockets in /var/run/screen/S-kristian.
Attaching to a session
If only one screen session is active, the command below attaches you directly to it. If several sessions are running, it instead lists them, and you choose one by giving its name after screen -r. If the session is still marked as attached elsewhere (for instance in the ssh session that dropped), use screen -d -r to detach it there first.
Command: screen -r
Example of several screen sessions running:
There are several suitable screens on:
11179.pts-0.Saturn (Detached)
11114.pts-0.Saturn (Detached)
Type "screen [-d] -r [pid.]tty.host" to resume one of them.
Example of attaching to a screen session:
kristian@Saturn:~$ screen -r 11179.pts-0.Saturn
Detaching from a session
Detaching from a screen session is really simple, just remember the key combination:
Press Ctrl-A, then d. That's it. The session keeps running and you can re-attach to it later with screen -r.
Killing a screen session
Killing is as simple as detaching, just with a different key:
Press Ctrl-A, then k, and confirm with y. This kills the current window; when the last window of a session is killed, the session ends. A detached session can also be ended from outside with screen -S 11179.pts-0.Saturn -X quit.
Writing exceptions in PHP
Fredrik Johan Holmström has an entry on his blog about writing exceptions in PHP. He points out that several of the large PHP frameworks assume that an exception is a fatal error, and that this may be a flaw in their design.
An exception is not necessarily a fatal error, and it should be the responsibility of the code that catches the exception to decide whether it is fatal or not.
The blog entry got me thinking, and yes, I’ve made that mistake a few times myself. I’ll do it right the next time I write an exception in PHP.
URL: http://loveandtheft.org/2008/05/23/exceptions-youre-doing-it-wrong/
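As an added illustration of that point (my code, not taken from Fredrik's entry; the class, function names and lookup table are made up), here the same exception is handled as recoverable by one caller and left to propagate as fatal by another:

```php
<?php
// Added example, not from the linked blog entry. Names and data are made up.

class LookupFailedException extends RuntimeException {}

// A lookup that throws when it has no answer. $known is a constructed table.
function lookupCountry($city)
{
    $known = array('Oslo' => 'norway', 'Bath' => 'england');
    if (!isset($known[$city])) {
        throw new LookupFailedException("No country known for $city");
    }
    return $known[$city];
}

// Caller 1: for this caller a miss is expected and recoverable, so it
// catches exactly the class it can handle and falls back to a default.
function countryOrUnknown($city)
{
    try {
        return lookupCountry($city);
    } catch (LookupFailedException $e) {
        return 'unknown';
    }
}

// Caller 2: for this caller a miss is fatal. It does not catch anything and
// lets the exception reach the top-level handler. Catching only the specific
// class in caller 1 also keeps unrelated errors from being swallowed there.
function countryStrict($city)
{
    return lookupCountry($city);
}

echo countryOrUnknown('Oslo'), "\n";     // norway
echo countryOrUnknown('Atlantis'), "\n"; // unknown

// Top-level handler: log the details and stop with a generic message.
// Do not show $e->getMessage() to users on a production site; it can leak internals.
set_exception_handler(function ($e) {
    error_log(get_class($e) . ': ' . $e->getMessage());
    echo "Fatal: request aborted\n";
});

echo countryStrict('Atlantis'), "\n"; // never prints; the handler above runs instead
```

The exception class is the same in both cases; only the catching code knows whether the failure is fatal.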
123-meming
Mats forwarded the 123-meme to me today. I’m not entirely sure what 123-meming really is, but the instructions are:
- Pick up the book closest to you
- Open page 123
- Find the 5th sentence…
- …and publish the next three sentences
- Link to 5 other bloggers and tell who linked you
The book closest to me is: AGILE PROJECT MANAGEMENT WITH SCRUM. On page 123, sentence nr 5 is:
During this day, the nonfunctional scaling requirements for this particular project are determined and placed in the Product Backlog. For example, if you are scaling the project to use multiple teams, the following nonfunctional requirements should be added to the Product Backlog:
- Decompose business architecture to support clean-interface multi-team development.
- Decompose system architecture to support clean-interface multi-team development.
- If necessary, define and implement a development environment to support multi-team collocated or distributed environments.
I pass this 123-meme on to Erik.