How to store passwords safely with PHP and MySQL

First, let me tell you how not to store passwords and why.

Do not store passwords as plain text

This should be obvious. If someone gains access to your database, every user account is compromised at once. Worse, people tend to reuse the same password on different sites, so those accounts are compromised as well. Your site doesn’t even need to be hacked: a system administrator, anyone who finds an old database backup, or anyone who reads the output of a single SQL injection can simply browse the passwords.

Do not try to invent your own password security

Chances are that you’re no security expert. You’re better off using a solution that has been proven to work (and reviewed by people who break these things for a living) instead of coming up with something yourself.

Do not encrypt passwords

Encryption may seem like a good idea, but the process is reversible by design: the application has to hold the key in order to use it, so anyone who gets the key along with the database (from your code, your config files or your server) can turn every password back into its original. Hiding the key somewhere clever is security through obscurity, and that is not sufficient! A login check never needs the original password back, only a way to tell whether the submitted one matches, and that is what a one-way hash gives you.
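
The following is an added example, not code from the original post, showing what the above leads to in practice: passwords are run through PHP’s password_hash() (bcrypt by default, with a random salt and a deliberately slow cost) and only the hash is stored in MySQL, so there is no key to steal and nothing to decrypt. The users table, the $pdo connection details and the function names are assumptions for the sake of the example.

```php
<?php
// Added example, not code from the original post: hashing passwords with
// password_hash()/password_verify() and storing the hash in MySQL through
// PDO prepared statements.
//
// Assumed table (not from the post):
//   CREATE TABLE users (
//       id            INT AUTO_INCREMENT PRIMARY KEY,
//       username      VARCHAR(64)  NOT NULL UNIQUE,
//       password_hash VARCHAR(255) NOT NULL
//   );

function register_user(PDO $pdo, string $username, string $password): void
{
    // password_hash() picks a random salt and a deliberately slow cost factor;
    // the algorithm, cost and salt are all encoded in the returned string, so
    // one column holds everything needed to verify later. There is no key and
    // nothing to decrypt: the original password cannot be recovered from it.
    $hash = password_hash($password, PASSWORD_DEFAULT);

    // Bound parameters keep the username out of the SQL text (no SQL injection).
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => $hash]);
}

function check_login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        // Unknown user: spend one bcrypt computation anyway so the response
        // time does not tell an attacker which usernames exist.
        password_hash($password, PASSWORD_DEFAULT);
        return false;
    }

    // password_verify() re-runs the hash with the stored salt and cost and
    // compares the result in constant time.
    if (!password_verify($password, $row['password_hash'])) {
        return false;
    }

    // If PHP's default cost or algorithm has been raised since this hash was
    // made, upgrade it now, while the plaintext is legitimately in hand.
    if (password_needs_rehash($row['password_hash'], PASSWORD_DEFAULT)) {
        $stmt = $pdo->prepare('UPDATE users SET password_hash = :h WHERE username = :u');
        $stmt->execute([':h' => password_hash($password, PASSWORD_DEFAULT), ':u' => $username]);
    }

    return true;
}

// Usage. The DSN and credentials are placeholders, not values from the post.
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app', 'db-password', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
register_user($pdo, 'alice', 'correct horse battery staple');
var_dump(check_login($pdo, 'alice', 'correct horse battery staple'));
var_dump(check_login($pdo, 'alice', 'wrong password'));
```

Note that a plain MD5 or SHA-1 of the password is not a substitute: those are fast, unsalted, and cracked from a leaked table in minutes with precomputed lists. The point of bcrypt (and of scrypt or Argon2, which PHP also supports through password_hash()) is that each guess costs the attacker as much time as it costs you.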


Swiftlet 1.1 Stable

I released a new stable version of Swiftlet a few days ago together with a new web page at swiftlet.org. Swiftlet is a light-weight framework written in PHP, aimed at making website development faster and easier.

Version 1.1 comes with a few new plugins that bring CMS-like features to Swiftlet. See the changelog for the full list of changes.

The documentation has also been updated and can now be found at swiftlet.org/docs. If you need support or have any requests, feel free to start a thread at swiftlet.org/community.

Safer web forms with security tokens

A common issue with many web applications is their vulnerability to Cross-Site Request Forgery, or CSRF (also written XSRF). It lets an attacker send a request to a website with another user’s privileges. Here’s how it works:

  • An attacker creates a page containing a form whose action points at example.com.
  • An administrator of example.com is tricked into visiting that page, and the form is submitted automatically with a bit of JavaScript.
  • The browser attaches the administrator’s example.com session cookie to the request, so example.com handles it as if it came from the administrator (because, as far as the browser is concerned, it did).

This allows a hacker to perform administrative tasks on example.com like editing pages or deleting users.
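
The defence the title refers to, as an added example rather than code from the original post: the server puts a random token in the session and in a hidden field of every form, and only honours a POST whose token matches. The attacker’s page can submit the form, but the same-origin policy stops it from reading the token out of example.com’s pages, so the forged request fails the check. The file name, field names and the delete action are assumptions for the example.

```php
<?php
// Added example, not code from the original post: a per-session anti-CSRF
// token guarding a form that performs a privileged action. "delete-user.php",
// the field names and the action itself are illustrative.

session_start();

function csrf_token(): string
{
    // One random token per session. random_bytes() is a cryptographically
    // secure source; 32 bytes gives 64 hex characters.
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_check(?string $submitted): bool
{
    // hash_equals() compares in constant time, so the token cannot be
    // recovered byte by byte from timing differences.
    return isset($_SESSION['csrf_token'], $submitted)
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_check($_POST['token'] ?? null)) {
        http_response_code(403);
        exit('Invalid or missing security token.');
    }
    // Token is valid: perform the privileged action here, e.g. delete the
    // user whose id was posted (the actual deletion is left out).
    echo 'User ' . htmlspecialchars($_POST['user_id'] ?? '', ENT_QUOTES, 'UTF-8') . ' deleted.';
    exit;
}
?>
<form method="post" action="delete-user.php">
    <input type="hidden" name="token"
           value="<?= htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') ?>">
    <input type="hidden" name="user_id" value="42">
    <button type="submit">Delete user</button>
</form>
```

Two things make or break this scheme. The privileged action must only be reachable via POST; a GET that deletes a user can be triggered by a plain image tag and no form is even needed. And the token must be unguessable and tied to the session; a token that is the same for every user, or that is derived from something public, does nothing.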


Using Internet Explorer 8 for IE6 and IE7 testing

I personally don’t care what my websites look like in IE6 or 7 (or 8), but for those who do there is a neat little trick to test your site for these browsers.

The hard way

If you’re on Windows XP or older you can use a standalone version of IE6. If you’re on Windows 7 (not the beta though), you can use Microsoft’s free “IE Application Compatibility VPC Image” to run XP with IE6 or 7 in a virtual machine. If you’re on any other operating system (Windows Vista, Mac OS, Linux) and have a Windows XP license you can run it using a VM like VirtualBox.

The easy way

If you’re already running IE8 there is an easier way. Compatibility View renders pages with IE7’s engine, and a page without a doctype is rendered in quirks mode, which is close to what IE6 does with the same doctype-less page. Bear in mind that this is an approximation: a page that does have a doctype gets IE6’s standards mode, with its own layout bugs, so the trick is handy for a quick look but not a replacement for a real IE6 before release.

You can simply remove the doctype from your pages when you’re testing for IE6 or ― if you’re using PHP ― add a simple switch:

<?php /* Leave the doctype out when ?ie6 is in the URL so IE8 falls into quirks mode. */ ?>
<?php if ( !isset($_GET['ie6']) ): ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<?php endif ?>

Now you can simply add “?ie6” to the URL in IE8 to see what your page looks like in IE6. You can even keep several tabs open to make sure it works with all versions.

Swiftlet documentation update

The documentation for Swiftlet 1.0, a light-weight PHP framework I’ve been working on, is now pretty much complete.

I’ve already begun working on Swiftlet 1.1 which is now in Alpha (unstable and not suited for live environments).

Automated direct messages on Twitter

I’m a bit over the amount of spam I receive through Twitter’s messaging system. I get a fair number of direct messages every day and most of them are automated. I do read them all in case someone sends me a genuine message.

It shouldn’t be too hard for Twitter to detect automated messages; they could give me an option to block messages that have been sent out more than ten times by a single user (I could create an application to do this myself but simply don’t have the bandwidth to handle that many messages; it would need thousands of active users to be effective).

Instead, I created a Twitter app to report users who send auto DMs. Just tweet “@stopautodm @username” and they will be placed on the Hall of Shame. Perhaps at some point I could add an option to automatically unfollow the most reported users.

Website: elbertf.com/stopautodm
Twitter: @stopautodm

IE6ify Bookmarklet

Today I created yet another utterly useless (but hopefully mildly entertaining) application; IE6ify.

It’s a bookmarklet that brings the joy of browsing the web with Microsoft Internet Explorer 6 to modern browsers. For almost a decade IE6 has managed to intrigue me by breaking standards-compliant websites in the most unpredictable ways. Whatever you did to fix a problem only made things worse, like an ugly dragon that grows two heads every time you cut one off.

Since it’s not possible to run IE6 natively on Windows Vista or 7, and IE6 under Wine on Linux is a nightmare, I figured a lot of you would miss the old days. With IE6ify you can break any website in true IE6 fashion.

Website: elbertf.com/ie6ify.

JavaScript Tetris

Because I have nothing better to do with my time I wrote a Tetris game in JavaScript. I know there are plenty out there already but it was fun to make and it brought back some memories (I wrote my first Tetris game in DOS when I was 14). Coincidentally, Tetris just turned 25.

I released it under GPL, feel free to grab the code from the source and do whatever you like with it.

Play the game at elbertf.com/tetris

Object Oriented CSS

Okay, there is no such thing as object oriented CSS. But there are advantages in OO programming that we can use in CSS.

p {
    margin: 0;
}
 
#content p {
    margin: 1em 0;
}

In this example p would be a class and #content p would be an instance of that class. Treat the margin set in p as a method and we have the basic concepts of OOP.


Swiftlet 1.0.0 Stable

Swiftlet, the light-weight PHP framework that I’ve been working on for a while, is now stable.

Feature-wise not much has changed since the Beta and Release Candidate cycles but the code has been thoroughly tested and improved where possible. If you’re planning on building a PHP website, give Swiftlet a try.

I moved the project page and documentation away from Google Code; if you go to swiftlet.org you’ll find the new page. It’s powered by a documentation system that I custom-coded (dubbed Pintail). If there is any interest I will release the code behind it as open source as well.