Do not store password as plain text

This should be obvious. If someone gains access to your database then all user accounts are compromised. And not only that, people tend to use the same password on different sites so those accounts will be compromised as well. Your site doesn’t even need to be hacked; a system administrator could easily browse your database.

Do not try to invent your own password security

Chances are that you’re no security expert. You’re better off using a solution that has been proven to work instead of coming up with something yourself.

Do not encrypt passwords

Encryption may seem like a good idea but the process is reversible. Anyone with access to your code would have no trouble transforming the passwords back to their originals. Security through obscurity is not sufficient!

Do not use MD5

Storing password hashes is a step in the right direction. Cryptographic hashing functions like MD5 are irreversible which makes it difficult to figure out the original password. To validate a hashed password, simply hash the password again when a user logs in and compare the hashes.

<?php
$password = 'swordfish';
 
$hash = md5($password); // Value: 15b29ffdce66e10527a65bc6d71ad94d
?>

Note that this makes it impossible to retrieve a password from the database. If a user forgets his password, simply generate a new one.

So why not MD5? It is quite easy to make a list of millions of hashed passwords (a rainbow table) and compare the hashes to find the original passwords (the same goes for other hashing functions like SHA-1).

MD5 is also prone to brute forcing (trying out all combinations with an automated script) because of collisions. This means that different passwords can have the same hash, making it even easier to find one that works.

MD5 collision demo: mscs.dal.ca/~selinger/md5collision

Do not use a single site-wide salt

A salt is a string that is hashed together with a password so that most rainbow tables (or dictionary attacks) won’t work.

<?php
$password = 'swordfish';
$salt = 'something random';
 
$hash = md5($salt . $password); // Value: db4968a3db5f6ed2f60073c747bb4fb5
?>

This is better then using just MD5 but someone with access to your code can find the salt a generate a new rainbow table.

What you should do

• Use a cryptographically strong hashing function like SHA-1 or even SHA-256 (see PHP’s hash() function).
• Use a long and random salt for each password.
• Use a slow hashing algorithm to make brute force attacks near impossible.
• Regenerate the hash every time a users logs in.

<?php
$username = 'Admin';
$password = 'gf45_gdf#4hg';
 
// Create a 256 bit (64 characters) long random salt
// Let's add 'something random' and the username
// to the salt as well for added security
$salt = hash('sha256', uniqid(mt_rand(), true) . 'something random' . strtolower($username));
 
// Prefix the password with the salt
$hash = $salt . $password;
 
// Hash the salted password a bunch of times
for ( $i = 0; $i < 100000; $i ++ )
{
    $hash = hash('sha256', $hash);
}
 
// Prefix the hash with the salt so we can find it back later
$hash = $salt . $hash;
 
/* Value:
 * e31f453ab964ec17e1e68faacbb64f05bccceb179858b4c482c1b182ff1e440e
 * f1e10feb5b86c6d367e4eb8f90f2cde5648a7db3df8526878f20a77eed00c703
 */
 
?>

In the above example we turned a reasonably strong password into a 128 characters long hash that we can store in a database. The next time the user logs in we can validate the password as follows:

<?php
$username = 'Admin';
$password = 'gf45_gdf#4hg';
 
$sql = '
    SELECT
        `hash`
    FROM `users`
        WHERE `username` = "' . mysql_real_escape_string($username) . '"
    LIMIT 1
    ;';
 
$r = mysql_fetch_assoc(mysql_query($sql));
 
// The first 64 characters of the hash is the salt
$salt = substr($r['hash'], 0, 64);
 
$hash = $salt . $password;
 
// Hash the password as we did before
for ( $i = 0; $i < 100000; $i ++ )
{
    $hash = hash('sha256', $hash);
}
 
$hash = $salt . $hash;
 
if ( $hash == $r['hash'] )
{
    // Ok!
}
?>

A few additional tips to prevent user accounts from being hacked:

• Limit the number of failed login attempts.
• Require strong passwords.
• Do not limit passwords to a certain length (remember, you’re only storing a hash so length doesn’t matter).
• Allow special characters in passwords, there is no reason not to.

That’s it, happy coding!

Version 1.1 comes with a few new plugins that bring CMS-like features to Swiftlet. See the changelog for the full list of changes.

The documentation has also been updated and can now be found at swiftlet.org/docs. If you need support or have any requests, feel free to start a thread at swiftlet.org/community.

• A hacker creates a page with a form that submits data to example.com.
• An administrator from example.com is tricked into visiting the page, the form is submitted using JavaScript.
• The data is handled by example.com as if it came from the administrator (because it did).

This allows a hacker to perform administrative tasks on example.com like editing pages or deleting users.

Solution

Probably the best solution to this problem is using a security token. This is a code (usually a hash) that is send with the form in a hidden field and is only valid for a specific user and a certain period of time.

I recommend using a SHA1 hash created from these components:

• Information about the user (IP address, user agent, username).
• Information about the server (hostname, software version).
• Information about the website (database name, table prefix).
• Information that expires (user’s session id).

This will result in an unpredictable and seemingly random hash that is still verifiable by the server and difficult to fake.

After the form is submitted the hash is re-created and compared to the token that was send with the form. Only if the hashes match the form is processed, otherwise an error message is displayed. This way even if a hacker manages to find the user’s token the request will fail.

Example (PHP/HTML):

<?php
$authToken = sha1(
  session_id() .
  phpversion() .
  $dbName .
  $_SERVER['REMOTE_ADDR'] .
  $_SERVER['HTTP_USER_AGENT']
  );
 
if ( isset($_POST['submit']) )
{
  if ( isset($_POST['auth_token']) && $_POST['auth_token'] == $authToken )
  {
    // Process form
  }
  else
  {
    // Display error message
  }
}
?>
 
<form id="form" method="post" action="./">
  <fieldset>
    <label for="name">Name:</label>
    <input type="text" name="name" id="name" value=""/>
  </fieldset>
  <fieldset>
    <input type="hidden" name="auth_token" value="<?php echo $authToken ?>"/>
 
    <input type="submit" name="submit" value="Submit"/>
  </fieldset>
</form>

Note that this only really works for POST requests. For this reason GET (regular links) should never be used to pass information that is used for administrative tasks. AJAX requests should also always use POST.

The hard way

If you’re on Windows XP or older you can use a standalone version of IE6. If you’re on Windows 7 (not the beta though), you can use Microsoft’s free “IE Application Compatibility VPC Image” to run XP with IE6 or 7 in a virtual machine. If you’re on any other operating system (Windows Vista, Mac OS, Linux) and have a Windows XP license you can run it using a VM like VirtualBox.

The easy way

If you’re already running IE8 there is an easier way. Compatibility View will render pages as IE7, and a missing doctype will cause pages to be rendered as IE6 in quirks mode.

You can simply remove the doctype from your pages when you’re testing for IE6 or ― if you’re using PHP ― add a simple switch:

<?php if ( !isset($_GET['ie6']) ): ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-
strict.dtd">
<?php endif ?>

Now you can simply add “?ie6” to the URL in IE8 to see what your page looks like in IE6. You can even keep several tabs open to make sure it works with all versions.

I’ve already begun working on Swiftlet 1.1 which is now in Alpha (unstable and not suited for live environments).

It shouldn’t be to hard for Twitter to detect automated messages, they could give me an option to block messages that have been send out more then ten times by a single user (I could create an application to do this myself but simply don’t have the bandwidth to handle that many messages, it would need thousands of active users to be effective).

Instead, I created a Twitter app to report users who send auto DMs to. Just tweet “@stopautodm @username” and they will be placed on the Hall of Shame. Perhaps at some point I could add an option to automatically unfollow the most reported users.

Website: elbertf.com/stopautodm
Twitter: @stopautodm

It’s a bookmarklet that brings the joy of browsing the web with Microsoft Internet Explorer 6 to modern browsers. For almost a decade IE6 has managed to intrigue me by breaking standards-compliant websites in the most unpredictable ways. Whatever you did to fix a problem only made things worst, like an ugly dragon that grows two heads every time you cut one off.

Since it’s not possible to run IE6 natively on Windows Vista or 7 and IE6 in Linux Wine is a nightmare, I figured a lot of you would miss the old days. With IE6ify you can break any website in true IE6 fashion.

Website: elbertf.com/ie6ify.

I released it under GPL, feel free to grab the code from the source and do whatever you like with it.

Play the game at elbertf.com/tetris

p {
    margin: 0;
}
 
#content p {
    margin: 1em 0;
}

In this example p would be a class and #content p would be an instance of that class. Let’s say the margin set in p is a method and we got the basic concepts of OOP.

Practicle example

A single HTML element can serve different purposes on a page. A list element for example can be used as a navigational menu (styled horizontally) and as a regular list in content (styled vertically). Sometimes it’s difficult to change one without changing the other.

li {
    list-style: none inside;
}
 
#menu li {
    display: block;
    float: left;
}
 
#content li {
    /* We only want bullets if a list appears in content */
    list-style: outside disc;
}

Here I created two instances of the li object. If you change either one it won’t effect the other.

CSS Reset

It’s useful to reset all style properties first using a CSS reset. In the above example I simply applied list-style: none inside; to the li element so you won’t see bullets (•) unless you specify it. It’s easier to just reset everything at once, like this:

* {
	background-color: transparent;
	border: none;
	font-size: 1em;
	font-weight: inherit;
	font-family: 'Trebuchet MS', Verdana, Arial;
	line-height: 1.4em;
	list-style: none inside;
	margin: 0;
	padding: 0;
	text-align: inherit;
	text-decoration: none;
}

Adding this code on top of your CSS file will give you full control over your code.

As a bonus this will probably solve a lot of your cross-browser compatibility problems. This is because every browser applies different default CSS to elements.

Feature-wise not much has changed since the Beta and Release Candidate cycles but the code has been thoroughly tested and improved where possible. If you’re planning on building a PHP website, give Swiftlet a try.

I moved the project page and documentation away from Google Code, if you go to swiftlet.org you’ll find the new page. It’s powered by a documentation system that I custom coded (dubbed Pintail). If there is any interest I will release the code behind it as Open-Source as well.

One of the most important recently added features is the plug-in installer. It checks for compatibility with the core code and creates and populates database tables with a click of the mouse. Plug-ins that don’t require a database connection don’t need to be installed; they’re plug-and-play (and Swiftlet runs fine without a database).

I also added plug-ins to handle user sessions and authorization. This should make it easy to create a website that requires a login system.

Download: code.google.com/p/swiftlet/downloads/list

It’s targeted at developers who want to built simple websites that don’t require large and complex frameworks, but do want a solid base to work from. Swiftlet provides basic security features such as user input sanitizing, is highly extensible thanks to the deeply integrated hook system, completely Object Oriented and separates logic from design (MVC).

Even the most basic features such as connecting to a database and output buffering are implemented as plug-ins. This means they can be modified, extended and removed without hacking into the core code.

Website: http://swiftlet.org

6S Marketing made a bold move supporting Twitchance by being the first sponsor. The concept was unproven and perhaps a bit controversial but they were curious and decided is was worth a try. I encourage you to follow them on Twitter.

The next draw is on April 20, this time sponsored by Hover who provided another $500 and 20 smaller prizes.

We decided to make a small concept change: instead of randomly selecting a winner the sponsor and I pick the most creative message on Twitter and award the author with the prize.

To join, simply follow the instructions on the Twitchance website.

If you ever want to combine frameworks you may discover that they use similar names for some variables and functions. This can lead to unexpected output and security holes. If you’re planning on writing a framework of your own, consider wrapping it in an object.

In PHP5 it’s possible to pass objects by reference which means you can send an instance of a class to another class. This way you can nest classes and access the parent.

core.php:

class core
{
    public
        $var = 'This is a global variable.';
 
    const
        CONST_VAR = 'This is a constant.';
 
    // This function is executed when core is initialized.
    function __construct()
    {
        include('classes/foo.php');
 
        $this->foo = new foo($this);
    }
 
    // All the main functions go here.
}

foo.php:

class foo
{
    private $core;
 
    function __construct($core)
    {
        // Reference to the core object.
        $this->core = $core;
    }
 
    function hello_world()
    {
        echo $this->core->var;
    }
}

In this example “core” is the site’s main object containing global variables and functions. When we create an instance of class “foo”, we send a reference to the core object (“$this”) as a parameter. On a regular page the classes, variables and function can be accessed like this:

page.php

include('classes/core.php');
 
$core = new core();
 
echo $core->var; // output: This is a global variable.
echo core::CONST_VAR; // output: This is a constant.
 
$core->foo->hello_world(); // output: This is a global variable.

This way there is only one variable in the global scope: $core. Another advantage is that all variables declared in core are global and accessible throughout the whole program.

1. Drop braces

Braces aren’t required in control structures with only one expression. Sometimes it makes sense to drop them. It’s very easy to make mistakes if you ever add code to the structure, I recommend only to do this when the expression is short and fits on a single line.

Long:

if ( $module == TRUE )
{
    load($module);
}
else
{
    error('No module');
}

Short:

if ( $module ) load($module);
else           error('No module');

2. Use ternary operators

The above example can be made even more compact using ternary operators:

$module ? load($module) : error('No module');

3. Use “OR” instead of “IF”

“OR” is the same as “or” and ”||”.

Long:

if ( $foo )
{
   echo $foo;
}
else
{
   echo $bar;
}

Short:

echo $foo || $bar;

4. Don’t compare variables to booleans

“if ( $foo == TRUE )” is the same as “if ( $foo )”. This shortcut can make your life as a programmer much easier:

Long:

function has_value($var)
{
    if ( $var == TRUE )
    {
        return TRUE;
    }
    else
    {
        return FALSE;
    }
}

Short:

function has_value($var)
{
    return ( bool ) $var;
}

5. Use default values for variables

It’s usually a good idea to define important variables at the beginning of your script, instead of inside control structures (this could result in undefined variables later on). Another advantage is that you can often save an entire else-block as demonstrated in this example:

Long:

if ( $foo > 3 )
{
    $message = '$foo is greater then 3.';
}
else
{
    $message = '$foo is lower than or equal to 3.';
}

Short:

$message = '$foo is lower than or equal to 3.';
 
if ( $foo > 3 )
{
    $message = '$foo is greater then 3.';
}

6. Assign variables inside conditions

Long:

$contents = file_get_contents($file);
 
if ( $contents )
{
    echo $contents;
}

Short:

if ( $contents = file_get_contents($file) )
{
    echo $contents;
}

7. Group variable declarations

Instead of prefixing every single variable declaration in a class with “public”, “protected” or “private” keywords, group them:

Long:

class db
{
    public $query;
    public $result;
    public $tables;

Short:

class db
{
    public
        $query,
        $result,
        $tables
        ;

Something similar can be done with regular variable declarations if they need to assign them the same value:

Long:

$foo    = TRUE;
$bar    = TRUE;
$foobar = TRUE;

Short:

$foo    =
$bar    =
$foobar = TRUE;

8. Merge arrays instead of assigning individual keys

Long:

$items = array('item 1', 'item 2');
 
$items[] = 'item 3';
$items[] = 'item 4';
$items[] = 'item 5';

Short:

$items = array('item 1', 'item 2');
 
$items = array_merge($items, array(
    'item 3',
    'item 4',
    'item 5'
    ));

Even shorter:

$items = array('item 1', 'item 2');
 
$items += array(
    'item 3',
    'item 4',
    'item 5'
    );

That’s it! Please share this post if you found it useful.

The concept is simple; participants post a message from a sponsor on Twitter. After some time a winner is randomly selected and awarded the prize. The sponsor receives amplified outreach to the online world.

Many companies offer services for free on the internet, often powered by advertisements. I figured the same could be done with a lottery. Twitter has a huge user base and tracking specific messages is easy, making it the perfect place for a project like this.

Anyone can join, all you need is a Twitter and Paypal account.

I’m a programmer myself, I write most of my applications in PHP and JavaScript. I built websites for a living and often work on experimental projects on the side.

This is my first WordPress blog, I used to share science and technology related articles on Blogger but never published any unique content. I also have a discontinued blog on Tumblr where I posted updates about one of my apps, Wappalyzer. I’m going to post the updates here from now on.

WordPress Theme

I started off with the Modicus theme from Upstart Blogger and turned it into something completely different. It’s a work in progress.

Plugins in use

• DISQUS Comment System
• Easy Twitter Links
• Feedburner FeedSmith
• Google Sitemap Generator
• WP Greet Box
• WP Syntax
• WP Typography

If you’re interested in what I have to say, please subscribe to my feed and follow me on Twitter.