Security – Security Performance Architecture
https://www.securityperformancearchitecture.co.uk

Google Authenticator with PHP
https://www.securityperformancearchitecture.co.uk/google-authenticator-with-php/
Wed, 04 Mar 2015 19:36:17 +0000

Gone are the days of SecureID OTP tokens costing an arm and a leg, and being just for Enterprise.

My own WP site here is protected with Google Authenticator, and there is no excuse for not doing the same on yours.  Just grab the awesome WP Google Authenticator plugin and you will be good to go.

My favourite iOS App for this is the awesome Authy but there are plenty out there.

But the world doesn’t run on WordPress. Suppose you want to do it yourself on a LAMP site…

Grab a copy of the PHPGangsta class.

Creating users:

<?php
require_once 'PHPGangsta/GoogleAuthenticator.php'; // the PHPGangsta class
$ga = new PHPGangsta_GoogleAuthenticator();
$secret = $ga->createSecret();   // random base32 secret, shared with the user's app
echo "Your OTP Secret is: " . $secret . "\n\nIt is probably a good idea to take a note of this";
echo "\nPlease scan in the QR code to setup your OTP ";
$qrCodeUrl = $ga->getQRCodeGoogleUrl('MyApp', $secret);
?>

<IMG SRC='<?php echo htmlspecialchars($qrCodeUrl); ?>'>
<BR>

<?php
// Sanity check: generate the current code and verify it before storing the secret
$oneCode = $ga->getCode($secret);
$checkResult = $ga->verifyCode($secret, $oneCode, 2);    // 2 = 2*30sec clock tolerance
if ($checkResult) {
    echo 'OK';
    // $link is the mysqli connection and $userRow the current user's row (set up earlier)
    $stmt = mysqli_prepare($link, "UPDATE localusers SET GASecret = ? WHERE id = ?");
    mysqli_stmt_bind_param($stmt, 'si', $secret, $userRow['id']);
    mysqli_stmt_execute($stmt);
} else {
    echo 'FAILED';
}
?>

Authenticating users:

<?php
require_once 'PHPGangsta/GoogleAuthenticator.php'; // the PHPGangsta class
// $userRow is the already-loaded row for the logged-in user; 'e' carries the 6-digit code
if (!isset($userRow['GASecret']) || !isset($_REQUEST['e'])) { // Impossible to Authenticate
    header('HTTP/1.1 401 Authentication Impossible');
    header('Content-Type: application/json; charset=UTF-8');
    die(json_encode(array('message' => 'ERROR', 'code' => 1337)));
} else { // Try to authenticate
    $ga = new PHPGangsta_GoogleAuthenticator();
    $checkResult = $ga->verifyCode($userRow['GASecret'], $_REQUEST['e'], 2);    // 2 = 2*30sec clock tolerance
    if ($checkResult) {
        session_write_close();
        session_start();
        $_SESSION['OTP'] = 1;   // second factor passed for this session
        session_write_close();
        $result = "Authenticated";
        header('Content-Type: application/json');
        die(json_encode($result));
    } else {
        header('HTTP/1.1 401 Authentication Failed');
        header('Content-Type: application/json; charset=UTF-8');
        die(json_encode(array('message' => 'ERROR', 'code' => 1337)));
    }
}
?>

Obviously these are just snippets, which will never actually run for you, but you get the general idea.
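For anyone curious what verifyCode($secret, $code, 2) is actually doing, here is the same check written out in Python as an added example (it is not the PHPGangsta library's code): the base32 secret as createSecret() hands it out, RFC 6238 TOTP over 30-second steps, and the discrepancy window that the `2` argument controls. It is checked against the RFC 4226/6238 test vectors; create_secret is a hypothetical name standing in for the library's createSecret().

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

STEP = 30   # time step in seconds; Google Authenticator uses 30s, hence "2 = 2*30sec"
DIGITS = 6  # Google Authenticator shows 6-digit codes


def create_secret(length: int = 16) -> str:
    """Random base32 secret, like the one createSecret() hands to the user."""
    raw = secrets.token_bytes(length * 5 // 8)        # 5 bits per base32 character
    return base64.b32encode(raw).decode().rstrip("=")[:length]

def decode_secret(secret_b32: str) -> bytes:
    """Decode an unpadded base32 secret back to the HMAC key."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    return base64.b32decode(padded)

def hotp(key: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)

def totp(key: bytes, now: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(key, now // STEP)

def verify_code(secret_b32: str, code: str, discrepancy: int = 2,
                now: Optional[int] = None) -> bool:
    """What verifyCode($secret, $code, 2) does: accept the code for any step within
    +/- discrepancy of the current one, compare in constant time, reject bad input."""
    if len(code) != DIGITS or not code.isdigit():
        return False
    key = decode_secret(secret_b32)
    base_step = (int(time.time()) if now is None else now) // STEP
    for offset in range(-discrepancy, discrepancy + 1):
        step = base_step + offset
        if step >= 0 and hmac.compare_digest(hotp(key, step), code):
            return True
    return False
```

Note that the window is symmetric: a discrepancy of 2 accepts five consecutive codes (about 150 seconds of drift), which is why the value should stay small.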


It is so easy, it is just rude not to.

Sanitising User Input
https://www.securityperformancearchitecture.co.uk/sanitising-user-input/
Thu, 29 Jan 2015 15:57:58 +0000

Some days you need to get user input from a bit of an HTML form that wasn’t really designed for it, in order to get a great UX.

This means that the input gets passed around through JS, AJAX, PHP and goodness only knows what before it turns up in the right place.

How do we make sure it’s safe to add to a SQL query?

Of course we can use PDO, but how about the general case?

$Words = str_replace("\xA0", " ", mysqli_real_escape_string($link, html_entity_decode(strip_tags(preg_replace('!\s+!', ' ', trim($Words))))));
$pieces = explode(" ", strip_tags($Words));

Something just says this is plain wrong, but it’s working for me.

In this particular use case I’m trying to break up a user provided “sentence” into a set of words, which I then do stuff with.
So it is particularly difficult to parse here when things get pasted.

I’m sure the above approach is wrong, would anyone like to tell me how to do it better?
