info/php-the-right-way
1
0
Fork 0
mirror of https://github.com/codeguy/php-the-right-way.git synced 2025-08-12 00:33:58 +02:00
Code Issues Projects Releases Wiki Activity

Merge pull request #786 from paragonie-scott/security

Browse Source 
First round of security section enhancements. (Redux)
This commit is contained in:
Josh Lockhart
2018-06-20 10:39:49 -04:00
committed by GitHub
parent b9724ad57b b4e964f178
commit a49a0b885d
2 changed files with 47 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
_posts/10-02-01-Web-Application-Security.md
View File

@@ -5,6 +5,25 @@ anchor: web_application_security
## Web Application Security {#web_application_security_title}
It is very important for every PHP developer to learn [the basics of web application security][4], which can be broken
down into a handful of broad topics:
1. Code-data separation.
* When data is executed as code, you get SQL Injection, Cross-Site Scripting, Local/Remote File Inclusion, etc.
* When code is printed as data, you get information leaks (source code disclosure or, in the case of C programs,
enough information to bypass [ASLR][5]).
2. Application logic.
* Missing authentication or authorization controls.
* Input validation.
3. Operating environment.
* PHP versions.
* Third party libraries.
* The operating system.
4. Cryptography weaknesses.
* [Weak random numbers][6].
* [Chosen-ciphertext attacks][7].
* [Side-channel information leaks][8].
There are bad people ready and willing to exploit your web application. It is important that you take necessary
precautions to harden your web application's security. Luckily, the fine folks at
[The Open Web Application Security Project][1] (OWASP) have compiled a comprehensive list of known security issues and
@@ -16,3 +35,9 @@ methods to protect yourself against them. This is a must read for the security-c
[1]: https://www.owasp.org/
[2]: https://www.owasp.org/index.php/Guide_Table_of_Contents
[3]: https://phpsecurity.readthedocs.io/en/latest/index.html
[4]: https://paragonie.com/blog/2015/08/gentle-introduction-application-security
[5]: http://searchsecurity.techtarget.com/definition/address-space-layout-randomization-ASLR
[6]: https://paragonie.com/blog/2016/01/on-design-and-implementation-stealth-backdoor-for-web-applications
[7]: https://paragonie.com/blog/2015/05/using-encryption-and-authentication-correctly
[8]: http://blog.ircmaxell.com/2014/11/its-all-about-time.html

27
_posts/10-03-01-Password-Hashing.md
View File

@@ -8,16 +8,30 @@ anchor: password_hashing
Eventually everyone builds a PHP application that relies on user login. Usernames and passwords are stored in a
database and later used to authenticate users upon login.
It is important that you properly [_hash_][3] passwords before storing them. Password hashing is an irreversible,
one-way function performed against the user's password. This produces a fixed-length string that cannot be feasibly
reversed. This means you can compare a hash against another to determine if they both came from the same source string,
but you cannot determine the original string. If passwords are not hashed and your database is accessed by an
unauthorized third-party, all user accounts are now compromised.
It is important that you properly [_hash_][3] passwords before storing them. Hashing and encrypting are [two very different things][7]
that often get confused.
Hashing is an irreversible, one-way function. This produces a fixed-length string that cannot be feasibly reversed.
This means you can compare a hash against another to determine if they both came from the same source string, but you
cannot determine the original string. If passwords are not hashed and your database is accessed by an unauthorized
third-party, all user accounts are now compromised.
Unlike hashing, encryption is reversible (provided you have the key). Encryption is useful in other areas, but is a poor
strategy for securely storing passwords.
Passwords should also be individually [_salted_][5] by adding a random string to each password before hashing. This prevents dictionary attacks and the use of "rainbow tables" (a reverse list of crytographic hashes for common passwords.)
Hashing and salting are vital as often users use the same password for multiple services and password quality can be poor.
Additionally, you should use [a specialized _password hashing_ algoithm][6] rather than fast, general-purpose
cryptographic hash function (e.g. SHA256). The short list of acceptable password hashing algorithms (as of June 2018)
to use are:
* Argon2 (available in PHP 7.2 and newer)
* Scrypt
* **Bcrypt** (PHP provides this one for you; see below)
* PBKDF2 with HMAC-SHA256 or HMAC-SHA512
Fortunately, nowadays PHP makes this easy.
**Hashing passwords with `password_hash`**
@@ -56,3 +70,6 @@ if (password_verify('bad-password', $passwordHash)) {
[3]: https://wikipedia.org/wiki/Cryptographic_hash_function
[4]: https://wiki.php.net/rfc/password_hash
[5]: https://wikipedia.org/wiki/Salt_(cryptography)
[6]: https://paragonie.com/blog/2016/02/how-safely-store-password-in-2016
[7]: https://paragonie.com/blog/2015/08/you-wouldnt-base64-a-password-cryptography-decoded