Monday, November 19, 2012

HTTPS connections with Zend Framework 2

I suppose that most of you know how bad it is to skip peer verification when accessing resources through SSL. There is a nice article dealing with the topic from the PHP perspective - Insufficient Transport Layer Security (HTTPS, TLS and SSL). Generally, the purpose of SSL is to secure the connection itself through encryption and also to provide authentication of the communicating peers. That means data are not only sent through an encrypted channel, but also to the right target. To verify the remote host, you need to check whether the certificate it presents to you is signed by a trusted certification authority.

Thursday, October 11, 2012

Configuration in Zend Framework 2

First of all, to be honest - Zend Framework 2 is not ready for use at all. Of course, it brings many interesting concepts, but the problem is that you need to dig them out the hard way with numerous WTFs all the time. The documentation is incomplete and there are no best practices yet. The guys designing ZF2 made it extremely modular with components that are loosely coupled and reusable. Anti-patterns like the singleton pattern have been thrown away and dependency injection "rules them all". The question is - how to assemble a working application? The simple answer is - as you like. As a side effect of the modularity, different pieces of configuration, autoloading and bootstrapping are scattered all over the directory structure and it's up to you what "strategy" to use. Nevertheless, there are some notions of best practices, which can be found in the documentation or in some tutorials. In this post I'll begin with the configuration.

Friday, August 10, 2012

DokuWiki Shibboleth authentication backend updated and moved to GitHub

A few years ago I wrote a Shibboleth authentication backend for DokuWiki. So far it worked well, but recently I needed some additional features, so I made a few modifications and enhancements:

  • moved the project to GitHub
  • changed the license from the restrictive GPL2 to FreeBSD
  • added an option to use the DokuWiki session instead of the Shibboleth session - the Shibboleth session is checked only upon login
  • the authentication backend and the login plugin are now in one single package
  • improved example configuration - better formatting and comments, you can edit it, put it in the conf/ directory and simply include it in your local.php file
  • refactored the code to be more PHP 5.x compliant
You can get the code from the GitHub repository.

Tuesday, May 22, 2012

Data encryption with OpenSSL in PHP

PKI is a well-known and widespread technology. It is very easy to use for data encryption in PHP with the standard OpenSSL extension. Data are encrypted with the public key and decrypted with the private key. There is one restriction though - the size of data encrypted with the public key can be up to the length of the key (usually 1024 or 2048 bytes), which may not be enough. Of course, you could divide your data into chunks and encrypt them separately, but there is a better solution.

Tuesday, May 15, 2012

File upload widget for ExtJS 4.x

In a project I'm working on, I needed a flexible file upload panel with multiple file upload support. Unfortunately, the ExtJS built-in mechanism (Ext.form.field.File) does not support multiple upload and there are some other limitations as well. I searched for a user-contributed plugin, but I couldn't find a suitable one. Most of the contributions were written for older versions of ExtJS - 3.x or even 2.x. So I decided to write one myself, trying to use some advanced features of HTML5.

You may first check the live demo.

Friday, April 6, 2012

Using the window.onerror handler for logging javascript errors

I'm running a really large administration application with a JavaScript-based user interface. It is used by a large number of users on different computers with different operating systems and different browsers. Sometimes weird JavaScript errors occur. And when such an error occurs, the browser stops the execution of the script and the users usually report something like "it didn't work".

Luckily, there is a way to handle this and although it may not cover 100% of all the errors, it might be helpful when dealing with errors on the client side. If you define the window.onerror handler, it will be executed when an error occurs. Three arguments are passed to the handler - the error message, the URL of the script and the line where the error is located.