Phalcon 1.1 beta released!

After our successful 1.0 release, we continue improving Phalcon with our latest release 1.1.0 (beta). In this article, we’re highlighting the most important features introduced.

  • QueryBuilder paginator
  • Beanstalkd Queuing client
  • Encryption
  • Assets Management
  • Hostname routing
  • and more

Great! Thanks!!!!!


Perhaps the phalcon encryption could be made to be more similar to the new PHP 5.5 encryption API. Then you can fill in the features as you have time. This would be very helpful for me since I'm going to be stuck on PHP 5.3 for at least a year. So for now I could base my code on the phalcon calls and then in the future phalcon could offer an option to simply wrap around the PHP 5.5 API. It seems unwise to go in a different direction since PHP core will have much more resources to do this very important part right. In the future by simply wrapping it there could be other uses when used with the resource loader, although I'm unsure what those advantages might be.


@dschissler PHP 5.5 introduces a new API to use blowfish password hashing in an easier way, which in fact is the same as Phalcon\Security is currently providing; however, they're using a procedural style (again) instead of using an OO API. So, we could internally replace the use of bcrypt in PHP 5.5 to use the new API, but I think the result will be the same.


PHP 5.5 API also does stuff like automatic or explicit salting and algorithm changing.

Also it will offer protection against timing attacks. We probably don't need that for the moment, but it will be a freebie in the future.

See this:

"Hash(password + salt) Is Fine

No, it's not. There's plenty of information out there to dispel this myth. See the references section for some details."

Basically this stuff can be really complicated to get right to stop against really well informed attacks.

"Why Do We Need A Simple API

As recent attacks have shown, strong password hashing is something that the vast majority of PHP developers don't understand, or don't think is worth the effort. The current core implementations of strong password hashing using crypt() are actually fairly difficult to work with. The error states are difficult to check for (returning *0 or *1 on error). The salt format is difficult to generate as it uses a custom base64 alphabet (. instead of + and no padded =). Additionally, salts are reasonably difficult to generate randomly (not too difficult, but requires a fair bit of code). Additionally, checking the return when validating a password can expose the application to remote timing attacks.

By providing a simple API that can be called, which takes care of all of those issues for you, hopefully more projects and developers will be able to use secure password hashing."

edited Oct '14

Also password_needs_rehash() is pretty dang cool for developing on a long running site.

edited Oct '14

Actually password_needs_rehash() provides the same functionality as Phalcon\Security::isLegacyHash; it just checks if the hash starts with a common crypt convention. As we only support blowfish, it only checks for that algo.
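
As an added example (not code from the Phalcon project or from any commenter in this thread), the following PHP sketch puts the points of this exchange together: the PHP 5.5 `password_*` API handles salting, algorithm selection and constant-time comparison on its own, and `password_needs_rehash()` flags hashes that predate the current cost or algorithm, the same job `Phalcon\Security::isLegacyHash` is described as doing for blowfish. The legacy `md5$salt$digest` format, the user records, the passwords and the function names are all constructed for the illustration; `hash_equals()` is assumed to be available (it arrived in PHP 5.6, one release after the API discussed here).

```php
<?php
// Added example (not Phalcon's code): migrating constructed legacy salted-MD5
// hashes to bcrypt via the PHP 5.5+ password_* API, and using
// password_needs_rehash() to raise the cost factor over time.

declare(strict_types=1);

// Hashing policy: bcrypt with an explicit cost. Raising this value later makes
// password_needs_rehash() return true for hashes created under the old cost.
const HASH_ALGO = PASSWORD_BCRYPT;
const HASH_OPTIONS = ['cost' => 12];

/**
 * The "before": a salted fast hash, md5(salt + password), i.e. exactly the
 * Hash(password + salt) scheme the quoted RFC text dismisses. Kept only so
 * existing users can log in once more and be migrated. Format is constructed.
 */
function legacyHash(string $password, string $salt): string
{
    return 'md5$' . $salt . '$' . md5($salt . $password);
}

function isLegacyHash(string $stored): bool
{
    return strncmp($stored, 'md5$', 4) === 0;
}

function verifyLegacy(string $password, string $stored): bool
{
    $parts = explode('$', $stored, 3);
    if (count($parts) !== 3) {
        return false;
    }
    [, $salt, $digest] = $parts;
    // hash_equals() (PHP 5.6+) compares in constant time; a plain === on the
    // digest would leak how many leading characters matched.
    return hash_equals($digest, md5($salt . $password));
}

/**
 * Verify $password against $stored. When the stored hash is legacy, or uses an
 * outdated algorithm/cost, return an upgraded hash for the caller to persist.
 *
 * @return array{0: bool, 1: ?string} [authenticated, newHashOrNull]
 */
function authenticate(string $password, string $stored): array
{
    if (isLegacyHash($stored)) {
        if (!verifyLegacy($password, $stored)) {
            return [false, null];
        }
        // Correct password: replace the weak hash while the plaintext is in hand.
        return [true, password_hash($password, HASH_ALGO, HASH_OPTIONS)];
    }

    // password_verify() reads algorithm, cost and salt from the hash string and
    // compares in constant time, so no manual salt handling is needed.
    if (!password_verify($password, $stored)) {
        return [false, null];
    }

    // Does the hash still match the current algorithm and options? If not,
    // rehash now; this is the check the thread attributes to isLegacyHash.
    if (password_needs_rehash($stored, HASH_ALGO, HASH_OPTIONS)) {
        return [true, password_hash($password, HASH_ALGO, HASH_OPTIONS)];
    }
    return [true, null];
}

// --- Demo with constructed users and passwords -----------------------------
$users = [
    // legacy user, hashed under the old scheme with a constructed salt
    'alice' => legacyHash('correct horse', 'c0nstructedSalt'),
    // bcrypt user hashed at a lower cost than the current policy
    'bob'   => password_hash('battery staple', PASSWORD_BCRYPT, ['cost' => 10]),
    // user already at the current policy
    'carol' => password_hash('xkcd936', HASH_ALGO, HASH_OPTIONS),
];

$attempts = ['alice' => 'correct horse', 'bob' => 'battery staple', 'carol' => 'wrong'];

foreach ($attempts as $name => $pw) {
    [$ok, $newHash] = authenticate($pw, $users[$name]);
    printf("%-5s auth=%s rehash=%s\n", $name, $ok ? 'yes' : 'no', $newHash !== null ? 'yes' : 'no');
    if ($newHash !== null) {
        $users[$name] = $newHash; // persist the upgraded hash
    }
}
```

Run it with `php migrate.php`: alice authenticates and is silently moved to bcrypt, bob authenticates and is rehashed at the higher cost, and carol's wrong password is rejected without any rehash. The rehash happens only inside a successful login because that is the only moment the plaintext is legitimately available; nothing about the stored hash alone lets you upgrade it.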

Extended announcement in Russian: (russian)