Closing of Tyreus

My favorite Web host, Tyreus, has finally closed down. I’ve hosted all my websites on there for years, so it’s definitely sad to see it go. Nonetheless, I congratulate Tyreus for being the longest-lasting Post2Host out there, and thank them for offering such a great service. I was also staff there for a while, so it was nice to have been a part of something so huge.

Moving to a New Server

With the closing of Tyreus, I obviously had to move my sites somewhere. I decided to use the VPS that Hylus is currently hosted on, since there’s plenty of space on there. The move was a definite success, otherwise you wouldn’t be reading this right now.

The server move also allowed me to re-organize my project files. I decided that I will definitely be revamping UE and Trippy. UE currently has a message on the homepage that says that it’s undergoing revamp, and Trippy is still up and running but has a message in the footer saying that it will be updated in early 2012. My personal site has also been moved, but nothing will really change.

Upcoming

I’ve lately been focusing a lot on getting my life more organized. This means that I do not want to waste time on anything that does not deserve it. I have a set group of applications that I use every day that helps me get stuff done, in which I plan to write a post about soon. Also, I obviously want to get Hylus done before the year ends and plan to revamp all my other projects sometime in 2012.

That’s it for this post. Have a great week!

A while back ago I decided that I wanted to learn more about proper password encryption, and so I came across Phpass: a framework aimed at simplifying the process for encrypting or “hashing” passwords. Phpass has been integrated into many well-known CMS’s such as WordPress, Vanilla, phpBB, and Drupal, and is a huge reason for why I trust this framework. The only downside was that I could not find an easy-to-follow tutorial on using it, so I decided to write my own.

Current Insecure Techniques

Before we jump into Phpass, let’s take a look at some of the wrong techniques of storing passwords. First would be pretty obvious: storing the raw password. Not only does this open up your website to hackers, but legal authorities will probably come after you as well. The next and probably most popular way that developers secure passwords is by the use of the md5() function. It’s better than storing raw passwords, but is not well suited for password encryption as it can easily be broken.

The code below should never be used to hash a user’s password.

<?php

$hash = md5(“the password”);

?>

I will note that the sha1() and hash() functions are slightly more secure (especially in combination) but still don’t give as much protection against hackers as Phpass.

Using Phpass

It’s actually very easy to start using Phpass, so go ahead and download the framework at Openwall. Extract and open the folder until you see the file PasswordHash.php. This is the only file that you will be needing so upload it to wherever your website files are stored.

You must then include the file into wherever you will be working with passwords.

<?php

require(“PasswordHash.php”);

?>

Make sure that the path to PasswordHash.php is correct. If you receive no errors, then Phpass is ready to be used.

Next you will want to construct the class with the proper arguments. The default arguments specified should be fine for up-to-date installations of PHP. The first argument specifies the “base-2 logarithm of the iteration count used for password stretching” and the second argument specifies the use of portable hashes.

<?php

$hasher = new PasswordHash(8, false);

?>

Creating the Hash—Signup

For something like a signup system, you will now want to create a hash of the password. In a typical situation, the password will be coming from a form that the user filled out.

<?php

// In this case, the password is retrieved from a form input
$password = $_POST["password"];

// Passwords should never be longer than 72 characters to prevent DoS attacks
if (strlen($password) > 72) { die(“Password must be 72 characters or less”); }

// The $hash variable will contain the hash of the password
$hash = $hasher->HashPassword($password);

if (strlen($hash) >= 20) {

// Store the hash somewhere such as a database
// The code for that is up to you as this tutorial only focuses on hashing passwords

} else {

// something went wrong

}

?>

The $hash variable now contains the hash that you will need to store somewhere such as a database. Make sure to never actually store the raw password, only the hash that Phpass generates.

Also take a note the following:

• The password limit should be set to 72 characters to prevent certain DoS attacks. We do this here with the strlen() function.
• The hash can never be less than 20 characters, so if it is then something went wrong during the encryption process. A simple if statement is done for this as well.

Checking “Matched” Passwords—Login

For something like a login system, you will want to be able to check that the provided password matches up against your stored hash. Include the framework in if you haven’t already.

<?php

require(“PasswordHash.php”);

$hasher = new PasswordHash(8, false);

?>

There is no way to actually “decode” the hash (which is the point), instead we let Phpass do its magic for finding out if the password matches up against the stored hash.

<?php

// Password from form input
$password = $_POST["password"];

// Passwords should never be longer than 72 characters to prevent DoS attacks
if (strlen($password) > 72) { die(“Password must be 72 characters or less”); }

// Just in case the hash isn’t found
$stored_hash = “*”;

// Retrieve the hash that you stored earlier
$stored_hash = “this is the hash we stored earlier”;

// Check that the password is correct, returns a boolean
$check = $hasher->CheckPassword($password, $stored_hash);

if ($check) {

// passwords matched! show account dashboard or something

} else {

// passwords didn’t match, show an error

}

?>

The $check variable will return true if the passwords matched. It’s a good idea to then either display some sort of account dashboard for the user, or redirect them to their profile. If the check failed, you will need to send them back to the login form or output some sort of error message.

Extra Resources

That is all it takes to start using Phpass, so pat yourself on the back for being a security-aware developer. Of course you should also make sure that your website is safe against other vulnerabilities such as SQL Injection, which can also be easily fixed by using prepared statements or the database framework I wrote earlier.

If you need a bit more help on getting started with Phpass, I recommend you check out this starter project I made on GitHub. It basically follows all the steps in this post but is separated into files as well as including the Phpass framework. Also feel free to read the more lengthy article about secure passwords on Openwall.

The Problem

For years I’ve been using the MySQL database extension which you might typically know as the mysql_* functions in PHP. I never found a problem with it until recently when I realized that it is an outdated and insecure way to interact with MySQL databases. I am probably really late to realize that, but I still see a ton of people using these functions.

For those of you that still use the MySQL extension functions such as mysql_connect(), don’t be alarmed. It’s fairly secure and gets the job done, and is probably the simplest way to use MySQL in PHP. However, these functions are extremely old now and don’t support many of MySQL’s latest features. Not only that but there are better options out there that will help secure your queries and prevent vulnerabilities such as SQL injection. If you’re starting a new website, doing a redesign, or simply want to add something new to your skill set, please read on.

MySQL Improved: Pros and Cons

The “i” in MySQLi stands for improved (some say it can also stand for interface), so you can already guess that it’s better. The main pros are speed, performance, security, and that it’s written in an Objected Oriented Programming (OOP) style. It also has a procedural API with function aliases, but that’s only to make old code easy to convert to the MySQLi extension.

The only con it has is the amount of code needed to execute and fetch results from a single query. Here’s a quick example of some code written using MySQLi:

[code lang="php"]
$db = new mysqli("host", "username", "password", "database");
$stmt = $db->prepare("SELECT first_name, last_name FROM users WHERE id = ? AND username = ?")
if ($stmt) {
$stmt->bind_param("is", $_GET["id"], $_GET["username"]);
$stmt->execute();
$stmt->bind_result($first_name, $last_name);
while ($stmt->fetch()) {
echo "First Name: ".$first_name; echo "Last Name: ".$last_name;
}
$stmt->close();
}
$db->close();
?>
[/code]

Here’s a not so quick walk-through of this mess of code, line-by-line:

2. Sets up the database connection and creates the $db object that will contain all the methods we need.
3. Similar to mysql_query() except that we replace all variables with question marks (a.k.a. markers or placeholders). This is a feature of MySQLi that prevents SQL injection completely.
4. Makes sure there are no errors in the query.
5. Bind the parameters (variables) that will replace the markers in our query. The first argument specifies that we have an integer and a string, while the rest of the arguments are your variables. You don’t need to escape them because MySQLi treats our query and parameters separately, making it fine to use values from $_GET or $_POST.
6. Execute the query we’ve “prepared.”
7. Finally, retrieve the result and setup the variables we’d like to retrieve them as.
8. Loops through the result.
9. Here I’m just echo-ing out the data, but you can do whatever you want with it.
10. Close loop.
11. Close the statement (if you don’t, you’ll get errors while executing multiple queries).

As you can see, it’s a very daunting task to execute a query and then fetch the results. I can definitely code this using the mysql_* functions and use less lines of code, but like I said before: you really want to take advantage of all the new features of MySQL and make your queries as secure as possible (unless you like getting hacked).

But you may be thinking, if the mysql_* functions are so bad, then why did they make using MySQLi so hard? To be honest, I don’t know. All I know is that there are many benefits to using MySQLi and I hope the framework I’m about to talk about will help aid more people to stop using those outdated functions.

Introducing the Framework

Using MySQLi shouldn’t be hard at all, and so that is why I’ve written this framework. It is more than a class wrapper: it cleans up the syntax needed to execute a query and adds methods specifically for fetching data. If you’re itching to get started with it, you can get the full source on GitHub. I really recommend that you look at the docs, test it out for yourself, and let me know what you think. If you think it’s stupid, fine don’t use it but at least give me your constructive opinion. If you think it’s the greatest thing since the Internet, then I’d love to know your opinions as well.

A Taste

[code lang="php"]

$db = new Database($name, $host, $username, $password);

$name = $_GET["name"];
$age = $_GET["age"];

$insert = $db->query("INSERT INTO people (name, age) VALUES(?, ?)", array($name, $age));

if ($insert !== false) {
$name = $db->fetch_field("SELECT name FROM people WHERE age = '123' LIMIT 1");
echo $name;
}

?>
[/code]

There’s a little taste of some of the code that makes use of a few great features of the database framework. What you should notice is how easy it is to setup a database connection, execute a secure insert statement, check if that insert was successful, and then retrieve some of the data we just inserted. This also looks nicer (and shorter) than the previous example, doesn’t it?

Feedback

I hope some of you find this framework useful and I’d love to get some feedback on it. I built this out of personal need, but decided to open source it and give something back to the developer community. That’s all for now though, thanks for wasting your time to read this.

Walk-through

I put a decent amount of work into the site, and so I’d like to take a second and tell you all about the design and code that went into it.

Design

The overall design is very simple, and in fact a bit too simple for my liking. I decided to go down this route because this will mostly be a content site, and so all I really needed to do was make the site visually appealing with focus set on the content itself. This is also the first time I tried to make typography look as pleasant and readable as possible. CSS’ @font-face is utilized for custom fonts with the help of Google Web Fonts; I’m currently using Open Sans for headings, and Muli for regular text. I also bumped up the font size a bit so no one has to squint while reading my posts. If any typography purists are reading this, let me know if I’m doing anything wrong here.

As far as the color scheme goes, I went with dark blue and shades of gray. I tend to use gray on almost all my projects as it’s an easy way to add contrast, and I chose dark blue because it’s my favorite color (I mean that in the most serious way possible).

Features

There are quite a few features that I’d like to point out.

Social Links

It is really easy to find me across the Web as I have provided my profile links right below the header. I decided against using the oh-so-popular social icons because they are too much of a distraction, plus I think the links look pretty nice (and I always wanted to embed that neat Twitter follow button somewhere).

Comments

I decided to go with DISQUS for the comments system. Main reason is because I love it when other blogs use it, as it makes commenting so much easier and faster. If you have a DISQUS account and are already logged in, then all you need to do is type your comment and hit “post”. If you don’t have an account, you can still as easily login with other accounts, e.g., Twitter, Yahoo!, Google. Not only that but I also enabled guest comments, so if you’re used to the way WordPress handles comments then you should feel right at home.

There are also a ton of other useful features such as email notifications, comment threading, mentions, and reactions. I particularly can’t wait to see how the reactions feature works out, as it will bring conversations from across other sites like Twitter back to the comment thread.

WordPress

If you haven’t figured it out already, the site runs completely on WordPress. I have only used it to set up single blogs in the past, but not as a CMS. It is more than a blog script though, thus I decided to try it out for my personal site. I don’t regret the decision at all, because the many new WordPress features that were recently introduced as well as the customizable nature of the system made it perfect for small sites like mine. Not only that but I knew that I wanted to have a blog section, and having a framework that already included blogging as a core feature made it a no-brainer.

Known Issues

This can’t be a legit post if I don’t talk about good old Internet Explorer, right? I actually applied almost no fixes for that browser, and the site surprisingly looks decent. IE8 and IE9 are lookin’ good, and IE7 is not perfect but it should manage. By default I prompt a Google Chrome Frame overlay for IE6 users, as I have phased out that browser a long time ago.

There also seems to be a bug with DISQUS and Google Web Fonts not playing nice with each other. When loading a post like this, you might notice that the fonts sort of do a “reload” when DISQUS finishes loading its stuff. I’m not sure of the exact cause, but if someone knows a solution please let me know.

Font reloading seems to no longer be an issue after I upgraded to Firefox 6.

Other Stuff

I’ve customized the hell out of WordPress, trying to make it more secure, faster, and work the way I want it to. Short URLs that would usually be shown as [siteurl]/?p=1[/siteurl] are now shown as [siteurl]/p1[/siteurl]. Not only does that look better, but saves a few characters as well. Then there’s little stuff like how the share buttons load asynchronously, some custom DISQUS styles, a plugin that improves search, and so on. Like I said before: I’m a developer, and so simply installing WordPress with a pre-built theme would not satisfy me. This theme is built from scratch, and I read through a bunch of WordPress documentation on how to change the slightest things. Nothing’s perfect of course, but I’m pretty happy with how things turned out so far.

So that’s it. This is my initial release and I hope to write more posts in the future (hopefully at least on a weekly basis or so) and release cool scripts, downloads, all that jazz. For now, feel free to let me know what you think so far and what I can make better.