Posts Tagged ‘php’

How to store passwords safely with PHP and MySQL

First, let me tell you how not to store passwords and why.

Do not store passwords as plain text

This should be obvious. If someone gains access to your database then all user accounts are compromised. And not only that, people tend to use the same password on different sites so those accounts will be compromised as well. Your site doesn’t even need to be hacked; a system administrator could easily browse your database.

Do not try to invent your own password security

Chances are that you’re no security expert. You’re better off using a solution that has been proven to work instead of coming up with something yourself.

Do not encrypt passwords

Encryption may seem like a good idea but the process is reversible. Anyone with access to your code would have no trouble transforming the passwords back to their originals. Security through obscurity is not sufficient!


Swiftlet 1.0.0 Stable

Swiftlet, the light-weight PHP framework that I’ve been working on for a while, is now stable.

Feature-wise not much has changed since the Beta and Release Candidate cycles but the code has been thoroughly tested and improved where possible. If you’re planning on building a PHP website, give Swiftlet a try.

I moved the project page and documentation away from Google Code; if you go to swiftlet.org you’ll find the new page. It’s powered by a documentation system that I custom coded (dubbed Pintail). If there is any interest I will release the code behind it as Open-Source as well.

Swiftlet Beta

Swiftlet is now in beta. After 15 alpha cycles I’m confident that it’s now pretty much feature complete (the core, that is; there will be plenty more plug-ins) and relatively stable.

One of the most important recently added features is the plug-in installer. It checks for compatibility with the core code and creates and populates database tables with a click of the mouse. Plug-ins that don’t require a database connection don’t need to be installed; they’re plug-and-play (and Swiftlet runs fine without a database).

I also added plug-ins to handle user sessions and authorization. This should make it easy to create a website that requires a login system.

Download: code.google.com/p/swiftlet/downloads/list

Swiftlet — light-weight PHP framework

I just released an early alpha version of Swiftlet, an Open Source, light-weight PHP framework released under the GPL license.

It’s targeted at developers who want to build simple websites that don’t require large and complex frameworks, but do want a solid base to work from. Swiftlet provides basic security features such as user input sanitizing, is highly extensible thanks to the deeply integrated hook system, is completely Object Oriented and separates logic from design (MVC).

Even the most basic features such as connecting to a database and output buffering are implemented as plug-ins. This means they can be modified, extended and removed without hacking into the core code.

Website: http://swiftlet.org

PHP: How not to pollute the global scope

An emerging trend in JavaScript is to wrap entire programs in a single object to prevent conflicts with other scripts. The same can be done with PHP, something I haven’t seen done very often.


Tips for writing compact PHP code

Writing compact code can save you time. It’s not always recommended and often even strongly discouraged as it makes your code less readable, but for simple operations it can be more efficient. In this post I will give a few examples.
