Ryan Chouinard
60 followers
PHP Code Analysis with NetBeans 7.4
NetBeans has become my IDE of choice for PHP in the last year or so. Version 7.4 shipped with support for code analysis tools with PHP, namely PHPMD and PHP_CodeSniffer . Unfortunately, usage of these tools within the IDE is not well documented, so I wanted...

MySQL Community Server 5.7.1 development milestone has been released! Some cool stuff packed in there, check it out: http://dev.mysql.com/downloads/mysql/5.7.html

Windows users, check out MySQL Installer for 5.7: http://dev.mysql.com/downloads/installer/5.7.html

Note this is a development milestone release. I wouldn't rush out to put this in production yet!

MySQL is looking for a technical writer for our documentation team! If you or somebody you know enjoys writing documentation and would like to work with an awesome team, get in touch with Stefan Hinz (details in link).


Would any PHP developers be interested in a GitHub post-commit service for generating your API documentation?

Oh wow, you can log in to BitBucket using GitHub now. That's kind of funny. :-)

Got an invite to play the new SimCity during a closed beta period. Too bad EA can't keep their authentication servers running. I have yet to get the game to launch, but others who have report that they get kicked often because the game loses its connection to the auth servers. Who thought it would be a good idea to require a game to constantly authenticate against remote servers?

I don't think I'll be investing any time or money on this one. It's a shame, because I've really enjoyed the past SimCity games.

I have a number of PHP projects which depend on some sort of CSPRNG. Since PHP core doesn't include an interface for this, you generally have to use either the OpenSSL extension (openssl_random_pseudo_bytes()), the MCrypt extension (mcrypt_create_iv()), or roll your own. There are a few decent pure PHP CSPRNG implementations out there, and a LOT of crap ones. Like any good developer would, I've started to build a library to deal with this in a clean way which I can then include into my other projects.

I've been aware of a bug in openssl_random_pseudo_bytes() for a while now which affects non-interactive Windows servers. Basically, the original implementation of openssl_random_pseudo_bytes() in PHP used OpenSSL's RAND_screen() function to add entropy to the PRNG from the interactive display on Windows. The OpenSSL documentation for this function specifically warns against its use on non-interactive servers such as a headless production Web server. The result in these cases is that RAND_screen() will hang trying to gather entropy from a non-existent device.

The problem is generally well known to people who care about such things. The bug was reported as fixed in the PHP 5.3.4 changelog entry, and everyone recommends avoiding this function in versions prior to that. Many well-known security libraries detect PHP versions below 5.3.4 and wisely skip the function on Windows platforms.

So if it's fixed, why am I bringing it up? Because it's not. At least, not when people think it was. I started diving through the PHP source code in an effort to better understand how these functions which I put so much faith into for security use actually work. What I found is that the aforementioned bug wasn't actually fixed until PHP 5.3.8, with the commit message asking, "did I not kill that already?"

The real fix wasn't included in the changelog, so most people don't know about it. I have yet to see a library which uses openssl_random_pseudo_bytes() actually check for the right PHP version. I guess not many users of these libraries run on Windows, at least not versions < 5.3.8. Still, it's good to know about, and I've learned to do a bit more research when implementing functionality like this.

Interestingly enough, the entire OpenSSL implementation of openssl_random_pseudo_bytes() was tossed out on Windows platforms starting at PHP 5.4.0. From then on, the function uses Microsoft's CryptoAPI to access Windows' built-in CSPRNG. It still generates secure data, but it no longer works as advertised on the box. Interestingly, since PHP 5.4.0 both openssl_random_pseudo_bytes() and mcrypt_create_iv() are identical on Windows platforms as they both use the Microsoft CryptoAPI. This change was in the changelog, but I've found you can't always rely on what you see there.
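As an added example (not the author's library, nor code from PHP or any of the libraries mentioned), here is a source-selection routine that applies the version threshold the post establishes: on Windows, openssl_random_pseudo_bytes() is only trusted from 5.3.8, not 5.3.4. It checks the $strong flag that OpenSSL reports, falls back to mcrypt_create_iv() where available, and refuses outright rather than substituting a weak generator. The function and exception names are this example's own; the random_bytes() branch is the core PHP 7 interface added after the post was written.

```php
<?php
// Added example: choose a CSPRNG source in PHP with the correct Windows
// threshold for openssl_random_pseudo_bytes(). Names are hypothetical.

function secure_random_bytes($length)
{
    if (!is_int($length) || $length < 1) {
        throw new InvalidArgumentException('length must be a positive integer');
    }

    // PHP 7+: core CSPRNG interface; throws if no secure source exists.
    if (function_exists('random_bytes')) {
        return random_bytes($length);
    }

    $isWindows = strtoupper(substr(PHP_OS, 0, 3)) === 'WIN';

    // Before 5.3.8 on Windows, openssl_random_pseudo_bytes() can hang in
    // RAND_screen() on a headless server. Checking for 5.3.4, as many
    // libraries do, leaves 5.3.4 through 5.3.7 exposed. (PHP_VERSION_ID
    // 50308 == 5.3.8.)
    $opensslUsable = function_exists('openssl_random_pseudo_bytes')
        && (!$isWindows || PHP_VERSION_ID >= 50308);

    if ($opensslUsable) {
        $strong = false;
        $bytes = openssl_random_pseudo_bytes($length, $strong);
        // $strong is false when OpenSSL could not use a strong source;
        // treat that as a failure, not as acceptable output.
        if ($bytes !== false && $strong === true && strlen($bytes) === $length) {
            return $bytes;
        }
    }

    // Fallback: mcrypt's generator (CryptoAPI on Windows from 5.4.0, as the
    // post notes; /dev/urandom elsewhere).
    if (function_exists('mcrypt_create_iv')) {
        $bytes = mcrypt_create_iv($length, MCRYPT_DEV_URANDOM);
        if ($bytes !== false && strlen($bytes) === $length) {
            return $bytes;
        }
    }

    // Refuse rather than silently fall back to mt_rand() or similar.
    throw new RuntimeException('No usable CSPRNG source is available');
}

// Usage (constructed): a 32-byte token, hex-encoded for display.
echo bin2hex(secure_random_bytes(32)), PHP_EOL;
```

The ordering matters: each branch verifies the bytes it got (length and, for OpenSSL, the $strong flag) before returning, so a misconfigured extension degrades into an exception instead of into predictable output.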
