News
CodeIgniter Community Voice - Mathew Davies
EllisLab is blessed with two of the greatest communities that can be found anywhere on the internet in ExpressionEngine and more recently CodeIgniter. Despite being a relative newcomer to the scene, the people attracted to CodeIgniter are among the smartest, most talented and down-to-earth developers around today. From time to time we want to highlight some of these talented people, and we’ve asked them to lend their voice to ours. Have your voice. I hope you enjoy what they have to say as much as I did.
This week, our Community Voice author is Mathew Davies (AKA Popcorn), author of the Redux Authentication library, a light, easy to use and fully featured auth engine. What follows is a brief discussion of some of the logic and security that went into the library, and considerations for your own programming.
Let me start by saying I love CodeIgniter, it’s a developer’s dream.
Today I plan to talk about some of the security features that are used within my library: Redux Authentication.
Hash Once and Only Once!
Over at TalkPHP someone provided a code snippet which had this code:
$psd = sha1(md5(md5(sha1(md5(sha1(sha1(md5($_POST['password']))))))));
I’ve made a similar mistake myself in the past. Someone on the CodeIgniter forums pointed out that a solution like the above will actually increase the probability of a collision. Here’s what inparo had to say:
“It’s safer if you only hash it once. The initial string is random in both length and characters. The first sha1 gives you a fixed length and reduced character set. By hashing this again you’re actually increasing the probability of collisions.”
So there you go folks, hash once. This also leads nicely to my next topic, “salts”.
Salts
A lot of people, when hashing passwords, will do something like this:
$password = md5($password);
You may think this is secure, but actually it’s very insecure. Websites exist which store hashes of dictionary words, so if your database was ever stolen, the passwords could be looked up and revealed. This is where the power of the password salt comes in. Salts come in two varieties: a dynamic salt and a static salt. A dynamic salt is automatically generated and is usually very hard to guess. A good example of a dynamic salt would be:
$salt = microtime();
It’s not totally random, but you get the idea.
You would then concatenate the salt with the password and hash the result. This new hash can’t be looked up because of its “randomness”. You would then store it with the other user info and select it when you need to log them in.
I know what you’re thinking. If the database is stolen they’ve got the password and the dynamic salt “What good is that?!” This is where a static salt comes in.
A static salt is just that: a fixed value that is random in both length and characters. This is best stored in a configuration file somewhere. You then combine this with the dynamic salt to provide a very secure solution. Reasons being: (a) if the database is stolen, they are missing the static salt; (b) two users with the same password will end up with different hashes. Here’s an example:
$dynamic_salt = microtime();
$static_salt = 'qGPBA8iCM3cUuCbBAQx3E0uOkKTrSeEUiSrAkykEk4sEniyP67Q2BTp8vtDqoqw'; // Grabbed from file.
$password = 'password'; // Password from input form.
$hashed_password = sha1($dynamic_salt.$password.$static_salt); // Super Secure!
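The dynamic-plus-static salt construction above, as an added example that is not Redux code or part of this post: it substitutes a random_bytes() salt for microtime() and stores the dynamic salt with the user row so the same computation can be repeated at login. It assumes PHP 7+; the static salt value is the one quoted in the post, and make_password_record() and check_password() are hypothetical names.

```php
<?php
// Added example (not Redux code): the dynamic salt + static salt scheme
// from the post, with a random per-user salt instead of microtime().
// Assumes PHP 7+ for random_bytes().

// Static salt: lives in a config file outside the database and is never
// stored per user, so a stolen database is missing it (point (a) in the post).
$static_salt = 'qGPBA8iCM3cUuCbBAQx3E0uOkKTrSeEUiSrAkykEk4sEniyP67Q2BTp8vtDqoqw';

// Build the record to store with the user's row. The dynamic salt must be
// saved too: without it the hash cannot be recomputed at login.
function make_password_record(string $password, string $static_salt): array
{
    $dynamic_salt = bin2hex(random_bytes(16));               // 32 hex chars, unguessable
    $hash = sha1($dynamic_salt . $password . $static_salt);   // hash once, as the post advises
    return ['salt' => $dynamic_salt, 'hash' => $hash];
}

// Re-run the same construction at login and compare in constant time so the
// comparison itself leaks nothing about how many leading bytes matched.
function check_password(string $candidate, array $record, string $static_salt): bool
{
    $hash = sha1($record['salt'] . $candidate . $static_salt);
    return hash_equals($record['hash'], $hash);
}

// Two users choosing the same password get different rows (point (b) in the post).
$alice = make_password_record('password', $static_salt);
$bob   = make_password_record('password', $static_salt);
var_dump($alice['hash'] !== $bob['hash']);
var_dump(check_password('password', $alice, $static_salt));
var_dump(check_password('Password', $alice, $static_salt));
```

On PHP 5.5 or later, password_hash() and password_verify() (bcrypt, with per-password salting handled for you and a deliberately slow hash) are the current replacement for any hand-rolled sha1 scheme like this one.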
Forgotten Password
Oops, the user has forgotten their password. What are we going to do? Michael Wales made a well-informed post about this topic a while ago, but it was recently lost.
The best method is to use a secret question and answer system coupled with email verification.
The logic would be something like this:
User requests new password -> Sends email verification code -> Verification code is looked up in the database -> Show secret question -> Check Answers
I prefer this system because a hacker could have got into your email account and requested a new password, but would then struggle to get your secret question right, keeping the user’s account secure.
DB Sessions
This will be a quick talk. At the moment Redux stores a “users_id” in the session cookie and uses this to figure out if the user is logged in or not. A hacker could use the algorithm in CodeIgniter’s session library and craft his own cookie with a fake “user_id”.
Database sessions move this data from the client’s cookie to the database, providing a scenario where the client can’t edit it. Redux doesn’t currently use this, but it is in the works.
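The database-session idea described above, as an added example that is not Redux code: the cookie holds only a random session id, and the user id is resolved on the server, so a client who edits the cookie has nothing meaningful to change. It assumes PHP 7.1+ and uses an in-memory array (constructed here) in place of the sessions table; DbSessionStore and its methods are hypothetical names.

```php
<?php
// Added example (not Redux code): a server-side session store. The cookie
// carries only an unguessable session id; the user_id never leaves the server.
// Assumes PHP 7.1+; the array stands in for a sessions table.

class DbSessionStore
{
    private $rows = [];   // session_id => ['user_id' => int, 'expires' => int]

    // Called after a successful login. The user_id is written only here.
    public function create(int $user_id, int $ttl = 7200): string
    {
        $session_id = bin2hex(random_bytes(32));   // 256 random bits: not craftable by guessing
        $this->rows[$session_id] = ['user_id' => $user_id, 'expires' => time() + $ttl];
        return $session_id;                         // this is all that goes in the cookie
    }

    // Resolve the cookie value back to a user, or null if unknown or expired.
    public function user_for(string $session_id): ?int
    {
        if (!isset($this->rows[$session_id]) || $this->rows[$session_id]['expires'] < time()) {
            unset($this->rows[$session_id]);        // drop stale rows as they are seen
            return null;
        }
        return $this->rows[$session_id]['user_id'];
    }

    // Logout: removing the row invalidates the cookie everywhere it was copied.
    public function destroy(string $session_id): void
    {
        unset($this->rows[$session_id]);
    }
}

$store  = new DbSessionStore();
$cookie = $store->create(42);
var_dump($store->user_for($cookie));                  // the issued id resolves to user 42
var_dump($store->user_for('not-issued-by-server'));   // anything else resolves to null
$store->destroy($cookie);
var_dump($store->user_for($cookie));                  // null once the row is gone
```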
Thanks for listening to me babble on, hope you enjoyed it.
PS: All examples above are used in Redux, so go download it!
- Mathew Davies
Posted by Derek Allard on June 30, 2008
CodeIgniter 1.6.3 Maintenance and Security Release
We are happy to release CodeIgniter version 1.6.3 today. Version 1.6.3 is primarily a maintenance release, with a variety of bug fixes and some refinement to existing features (with a few new ones tossed in for good measure). Details of course can be found in the Change Log.
Additionally, with the assistance of an outstanding community member, Pascal Kriete (Inparo), we have identified and eliminated a potential cross-site scripting vulnerability. No known sites have been affected, but as we take security very seriously, we felt it warranted a feature-light point release to help users protect their sites. We cannot thank Pascal enough for the manner in which he reported this issue to us, and then continuing to diligently work with us to make sure the vulnerability was plugged. If you’re looking for a fresh set of eyes to do a security audit on your app, he comes highly recommended by the EllisLab staff.
Command line addicts: don’t forget that starting with version 1.6.1, the CodeIgniter subversion contains tagged releases!
Posted by Derek Jones on June 26, 2008
CodeIgniter Community Voice - Michael Wales
This week, our Community Voice author is Michael Wales, a programmer, a father, an aspiring author, and an award winning Airman. For the past 3 years, he’s been focusing the majority of his time on CodeIgniter. He is among the most consistent contributors to the community, has released numerous libraries and tutorials, and is one of the most highly sought after freelancers within the community.
What follows is a summary in his own words of how CodeIgniter has changed how he works, and how he develops.
90% of my work comes from word-of-mouth, which means I can never have my name in too many places. Although I claim to be a CodeIgniter Programmer, I’m willing to take on a vanilla PHP project if the client insists (although I’ll definitely fight for CI beforehand). I’ve been known to crank out a web design or two and anyone that subscribes to my blog knows I often drift off into topics completely unrelated to programming (Battlestar Galactica, the military, etc).
Why do I stretch myself so thin? Because it gets my name out there. I want “CodeIgniter Programmer” to be synonymous with “Michael Wales.” Cocky? Self righteous? Conceited? Maybe - but I’ve always been determined to be the absolute best at whatever I aim to achieve. CodeIgniter has given me that goal to aim for - to be honest, it’s changed my life completely.
CodeIgniter, the Framework, has allowed me to work for clients with vastly different requirements. Whether it’s the hottest new Web 2.0 site, a corporate Intranet, a portal for a gaming community, or a local business’ website - and believe me, I’ve done them all.
CodeIgniter empowers me to deliver the best possible product I can to the client.
CodeIgniter empowers me to deliver a product at a cheaper price than many competitors because I can complete it twice as fast.
CodeIgniter empowers me to let clients utilize whatever architecture they want because CodeIgniter’s going to work.
CodeIgniter, the Community, has given me friends that will last a lifetime. Whether it’s chatting into the wee hours of the night about the wife and kids, walking me through a bit of code I’m just not getting my head around, or putting in a good word for me with a client - and believe me, I’ve done them all.
CodeIgniter empowers me to meet new people, learn about new cultures, and see things “in another man’s shoes.”
CodeIgniter empowers me to seek out new opportunities and to encourage me when I take a risk.
CodeIgniter empowers me to admit when I need help and to allow others to help me.
CodeIgniter, the Clients, have changed my outlook on life and given me a renewed hope that things will be okay. Whether it’s giving me a project that starts my daughter’s college fund, paying me up-front for a project before it’s complete when I need the money, or allowing me to supplement my military paycheck so that my family can live more comfortably - and believe me, I’ve done them all.
CodeIgniter empowers me to seek out new challenges and attack problems from “outside the box.”
CodeIgniter empowers me to become a better listener, follower, leader, husband, father, and man.
CodeIgniter empowers me to overcome all obstacles and complete the task at hand.
CodeIgniter empowers me - and my family - to leave our Air Force family behind in April 2009 at the end of my enlistment. Although it’s scary - hell, it’s downright petrifying - I know we will be okay. I know we’ll always be welcome in the CodeIgniter family.
- Michael D. Wales
Posted by Derek Allard on June 19, 2008
Japanese CodeIgniter book
A testament to the strength and flexibility of CodeIgniter is how quickly it’s been adopted internationally. Today, some of the very active users at CodeIgniter Japan have released CodeIgniter Tettei Nyumon (The Definitive Guide to CodeIgniter). Congratulations Katz Kawai, Kenji Suzuki, and Ken Ando from the entire EllisLab team!

Posted by Derek Allard on June 09, 2008
CodeIgniter Community Voice - Elliot Haughin
This week, our Community Voice author is Elliot Haughin, who discovered CodeIgniter in 2006 and instantly became a huge fan of its DRY-MVC-OO-MATYCSASA (More Acronyms Than You Can Shake A Stick At) - sleek, efficient, and (worryingly) sexy coding practices. He went on to produce a series of coding screencasts dedicated to exploring the power and simplicity of the CodeIgniter Framework. He loves peppercorn sauce, once trained for 3 years to become a ninja in the hope of being accepted into a nin-ternship (a very secret and dangerous ninja internship) (it didn’t work), and has never visited the north pole without a woolly hat.
What follows is a voice recording and transcript of Elliot’s thoughts on what attracted him to CodeIgniter.
CodeIgniter is a heck of a can opener
CodeIgniter is one of those things that just does a job perfectly. Take, for example, the humble can opener. Whilst there may be a few other ways to open a can of tuna, the can opener just ‘works’: it serves a simple, yet extremely efficient purpose, and does its job with perfection.
CodeIgniter is exactly that. A can opener.
It’s a lightweight, efficient, full-featured web application framework that’s flexible enough to use for any type of web app. It’s built from ground-up with just one purpose - to make our lives easy; without sacrificing functionality, speed, or flexibility.
If most of your web applications share functionality across the board, you wouldn’t rewrite all that functionality for every one of them, would you? It’d be a ridiculous waste of time. CI is basically the skeleton for all my web applications. And instead of spending my time creating core functionality, I can spend my time building application-level functionality.
When I first install CodeIgniter, I take 1 minute to configure a few settings, and then I’m away coding how the web application will work. Rapid is very much an understatement.
I’ve used CodeIgniter to build a basic content management system, an Enterprise Level XML-RPC based backend, a file management system, a blog, a photo gallery, a forum, a recruitment site… you name it, CodeIgniter just ‘fits’.
I don’t think I’d ever go back to development without CodeIgniter. It’s saved me hundreds in headache pills, and will probably continue to save me thousands more.
Posted by Derek Allard on June 09, 2008
