Scott Arciszewski @CiPHPerCoder, 16 tweets
Let's talk about some of the open source libraries that @ParagonIE has created over the years to make it easier to make secure PHP applications.

paragonie.com/software
First, the polyfill libraries:

random_compat exists so that your framework can use the newer PHP 7 CSPRNG API even if they support PHP 5. It's used by a lot of projects, including WordPress.

github.com/paragonie/rand…
In a similar spirit, sodium_compat reimplements (most of) libsodium in pure PHP, and even supports 32-bit operating systems. Its purpose is to help projects transition toward PHP 7.2+ support.

github.com/paragonie/sodi…
If you need a deterministic RNG in 2014 (e.g. shared seed), you might have used srand() or mt_srand() then rand() or mt_rand() (respectively).

These days, you'll want SeedSpring, which uses AES-CTR to generate a long stream of pseudorandom bytes: github.com/paragonie/seed…
A lot of the cool kids distribute their PHP projects in a PHP Archive (.phar file). One of our first open source projects was called Pharaoh, which allows you to peer inside two Phars and compare them. Great for deterministic builds.

github.com/paragonie/phar…
Ionizer is a dead-simple input filtration library that works on structured input (i.e. $_GET and $_POST). If you want a drop-dead simple way to turn user input into a validated, type-safe array, Ionizer is your tool.

github.com/paragonie/ioni…
CSP-Builder constructs Content-Security-Policy headers at runtime and/or from a JSON configuration file. This allows you to securely use the nonce feature in your favorite template library.

github.com/paragonie/csp-…
CipherSweet lets you encrypt database fields (using correctly-implemented authenticated encryption) and still use the plaintext in SELECT queries after-the-fact.

github.com/paragonie/ciph…
Chronicle is a microservice that lets you tell clients, "No, we don't actually need a #blockchain for that!"

github.com/paragonie/chro…
Certainty makes damn sure you have the latest copy of Mozilla's CACert bundle for use in cURL / Guzzle, without introducing the risk of MITM attacks.

Never again disable certificate validation in a PHP project, especially in eCommerce software!

github.com/paragonie/cert…
EasyDB aims to make SQL injection ancient history by making it super easy to use prepared statements correctly.

github.com/paragonie/easy…
If you're writing PHP software in 2019, you'll want to make sure that:

A. Your framework already solves the same problem as one of these libraries, OR
B. You (or your framework) are using the appropriate library
As far as native framework alternatives go, EasyDB has some competition, so you might not need it.

CipherSweet has no competition. If you need searchable encryption in PHP, that's probably your best bet.

The rest lie on a spectrum in-between both extremes.
Also, this tweet thread didn't cover all of our open source libraries.
Finally, it will cost you $0 to integrate any of these libraries with your PHP code. We're giving this away for free so you can write more secure code. Please take advantage of this.
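As an added illustration of the EasyDB point above (this is example code written for this page, not code from the thread or from the EasyDB project itself), the snippet below uses EasyDB's documented `Factory::create()`, `run()`, `insert()` and `row()` calls against an in-memory SQLite database so it runs without a server; the table and rows are constructed sample data, and `vendor/autoload.php` assumes a Composer install of `paragonie/easydb`.

```php
<?php
declare(strict_types=1);

// Assumes: composer require paragonie/easydb (hypothetical local install path).
require 'vendor/autoload.php';

use ParagonIE\EasyDB\EasyDB;
use ParagonIE\EasyDB\Factory;

/** Build a throwaway SQLite database with a constructed users table. */
function setupDb(): EasyDB
{
    $db = Factory::create('sqlite::memory:');
    $db->run('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

    // Constructed sample rows. insert() binds every value as a parameter,
    // so the apostrophe in O'Brien is stored as data, not parsed as SQL.
    $db->insert('users', ['name' => "O'Brien"]);
    $db->insert('users', ['name' => 'alice']);
    return $db;
}

/**
 * Look up a user by name with a prepared statement.
 * The placeholder "?" is bound server-side; $name can never alter the
 * structure of the query, only the value being compared.
 * Returns the matching row, or an empty array when there is no match.
 */
function findUserByName(EasyDB $db, string $name): array
{
    return $db->row('SELECT id, name FROM users WHERE name = ?', $name);
}

$db = setupDb();

// A name containing a quote is matched literally and found.
$found = findUserByName($db, "O'Brien");
echo $found ? "found user #{$found['id']}: {$found['name']}\n" : "not found\n";

// SQL-looking input is compared as an ordinary string, so nothing matches
// and the query itself is unaffected. Contrast with concatenating $name
// directly into the statement, which is what EasyDB exists to avoid.
$missing = findUserByName($db, "alice' --");
echo $missing ? "unexpected match\n" : "no user named that literal string\n";
```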