(This should only be considered a reference; I’m not supporting the following plugin)

<?php
/*
Plugin Name: SemisecureLoginReimagined-RegisterPlus-Bridge
Plugin URI: http://moggy.laceous.com
Description: Integrate SemisecureLoginReimagined with RegisterPlus (reference implementation; tested with: PHP 5.2.9, WP 2.8.6, SLR 3.0.8.3, RP 3.5.1)
Author: moggy
Author URI: http://moggy.laceous.com
Version: 1.0
*/

// hook into the registration form (wp-login.php?action=register)
// make sure this function runs before RegisterPlus
add_action('register_form', 'slr_rp_b_register_form', -1000);
function slr_rp_b_register_form() {
  // if both plugins are activated (and configured)
  if (slr_rp_b_plugins_activated()) {
    // if there are any errors, RegisterPlus will pass the unencrypted password from the server to the browser
    // this stops the password from being sent in the clear
    if (isset($_POST['pass1']))
      unset($_POST['pass1']);
    if (isset($_POST['pass2']))
      unset($_POST['pass2']);
  }
}

// hook into the head section of the registration page (wp-login.php?action=register)
add_action('login_head', 'slr_rp_b_login_head');
function slr_rp_b_login_head() {
  // if this is the registration page and both plugins are activated (and configured)
  if ($_GET['action'] == 'register' && slr_rp_b_plugins_activated()) {
    // Make sure that all the external JavaScript is available (including jQuery)
    SemisecureLoginReimagined::enqueue_js(true);
    // insert our custom JavaScript
    ?>
    <script type="text/javascript">
    //<![CDATA[
      jQuery(document).ready(function($) {
        // display a default message
        $('#pass2').after('<span id="semisecure-message">Semisecure Login is enabled.</span>');

        // Bind to the form's submit event
        $('form#registerform').submit(function() {
          // update the message when the form is submitted
          $('#semisecure-message').text('Encrypting password & submitting...');

          // Collect the password(s)...
          var pass1 = $('#pass1').val();
          var pass2 = $('#pass2').val();
          var passwords = [];
          passwords[0] = pass1;
          passwords[1] = pass2;

          // ...and form name(s)
          var names = [];
          names[0] = $('#pass1').attr('name');
          names[1] = $('#pass2').attr('name');

          // Pass the needed PHP values over to the JavaScript side
          var public_n = '<?php echo SemisecureLoginReimagined::public_n(); ?>';
          var public_e = '<?php echo SemisecureLoginReimagined::public_e(); ?>';
          var uuid = '<?php echo SemisecureLoginReimagined::uuid(); ?>';
          var nonce_js = '<?php echo SemisecureLoginReimagined::nonce_js(); ?>';
          var max_rand_chars = '<?php echo SemisecureLoginReimagined::max_rand_chars(); ?>';
          var rand_chars = '<?php echo addslashes(SemisecureLoginReimagined::rand_chars()); ?>';
          var secret_key_algo = '<?php echo SemisecureLoginReimagined::secret_key_algo(); ?>';

          // Encrypt the password(s)
          var arr = SemisecureLoginReimagined.encrypt(passwords, names, nonce_js, public_n, public_e, uuid, secret_key_algo, rand_chars, max_rand_chars);

          if (arr) {
            // Loop through the array and append the controls to the form
            for (var i = 0; i < arr.length; i++) {
              $('form#registerform').append(arr[i]);
            }

            // Finally, don't submit the plain-text password(s)
            // One option is to submit asterisks in place of the actual password
            var temp1 = '';
            var temp2 = '';
            for (var i = 0; i < pass1.length; i++) { temp1 += '*'; }
            for (var i = 0; i < pass2.length; i++) { temp2 += '*'; }
            $('#pass1').val(temp1);
            $('#pass2').val(temp2);
            // Another option is to disable the control(s) with the plain-text password(s) altogether
            $('#pass1').attr('disabled', 'true');
            $('#pass2').attr('disabled', 'true');
            return true;
          }
          else {
            $('#semisecure-message').text('Problem encrypting password! Please disable JavaScript to submit without encryption.');
            return false;
          }
        });
      })
    //]]>
    </script>
    <?php
  }
}

function slr_rp_b_plugins_activated() {
  // if SemisecureLoginReimagined v3 is activated (tested w/ v3.0.8.3)
  // Note: v3.0.5 fixed a bug with the version method in this context
  if (method_exists('SemisecureLoginReimagined', 'version') && version_compare(SemisecureLoginReimagined::version(), '3.0', '>=')) {
    // if the RSA keypair has been generated and openssl is available
    if (SemisecureLoginReimagined::is_rsa_key_ok() && SemisecureLoginReimagined::is_openssl_avail()) {
      // if RegisterPlus is activated (tested w/ v3.5.1)
      if (class_exists('RegisterPlusPlugin')) {
        // if registrants can enter their own password
        $regplus = get_option( 'register_plus' );
        if (is_array($regplus) && $regplus['password']) {
          return true;
        }
      }
    }
  }
  return false;
}

?>

For starters, past versions relied on RSA public-key encryption alone. Version 3 now uses a combination of public and secret-key encryption. This means that there is no longer a limit on the length of passwords that can be encrypted. The limit in earlier versions was large enough that I doubt it affected anyone, however.

Initially, two secret-key algorithms are provided: RC4 (a stream cipher) and AES (a block cipher). On the JavaScript side I chose to go with the crypto-js library. Unfortunately, there wasn’t a complimentary PHP library so I ended up converting the majority of crypto-js to PHP.

Past versions of this plugin didn’t behave themselves very well when stepping outside of the ASCII character bounds. (Western ISO-8859-1 might be more technically correct.) Version 3 now has support for UTF-8 passwords. Only UTF-8 is supported. If your blog is using another character encoding then your mileage may vary.

The settings page was starting to get long and unwieldy. This has been corrected by splitting each section into sub-pages.

If you’re having trouble generating an RSA keypair then you can now (optionally) display some debugging information to get you pointed in the right direction.

The main reason that the version has been bumped up to version 3 (rather than… say… 2.5) is because the integration API has changed. This change was necessary because of the secret-key addition. Hopefully now, the integration has also been simplified a bit.

Finally, support for older versions of WordPress has been dropped. Semisecure Login Reimagined v3 requires WP 2.7 (or higher) and PHP 4.3 (or higher). Seriously, if you’re running an older version of WordPress you’re just asking to be hacked! OpenSSL is still required, but no other PHP extensions are required (including mcrypt, etc).

Download
The download location hasn’t changed :) You can still download Semisecure Login Reimagined at its official WordPress page.

Programming note: while v1 of this plugin supported WP 2.1, it also required PHP 4.3. Techincally, WP 2.1.x, 2.2.x, and 2.3.x only required PHP 4.2. Semisecure Login Reimagined v2 should now work properly with PHP 4.2. (Hopefully most people have upgraded to a recent version of PHP 5)

This new version is now using a new internal API to decrypt passwords on the server side. Previously, it had been using the wp_authenticate hook, but this post indicates that it might be removed at some point in the near future. The new API is much more generic and isn’t limited to just logging in.

What’s New

• jQuery is now being used on the client side
• If you’re not able to generate a keypair with the standard or alternative methods, then you can now generate a keypair via JavaScript (you’ll have to manually insert the data in your DB though)
• If you’re using WP 2.7 or higher then you can now encrypt the password on the user administration pages (editing or adding a new user)
• 3rd-party integration support for other plugin authors (see the included help link on the plugin’s settings page)
• You can decide which parts of this plugin to enable: activating the plugin enables the API, while the settings page lets you decide if you want to encrypt the password on the login page (enabled by default so there’s no surprises for anyone upgrading from v1) and if you want to encrypt the password on the user administration pages (disabled by default)

Download
You can still download Semisecure Login Reimagined at its official WordPress page.

The best hook to use is still the query_string filter. Unfortunately, this specific filter is technically deprecated (and may be removed at some point). You’re supposed to use the request filter now. However, the request filter doesn’t seem to provide quite as much functionality as the query_string filter. Namely, there doesn’t appear to be a good way to check for is_home (which is important for our purposes).

<?php

/*
 * Plugin Name: Custom Hemingway Home Query
 * Plugin URI: http://moggy.laceous.com/2008/08/15/paging-hemingway-part-deux/
 * Description: Gives you the ability to use the paging links on your homepage (works with Hemingway and HemingwayEx)
 * Version: 0.2a
 * Author: moggy
 * Author URI: http://moggy.laceous.com
 */

add_filter('query_string', 'custom_hem_home_query');
function custom_hem_home_query($query_string) {
	global $wp_query;
	$wp_query->parse_query($query_string); //required in order to check is_home
	if ($wp_query->is_home) {
		if (strlen($query_string) > 0) {
			$query_string .= '&';
		}
		$query_string .= 'posts_per_page=2';
		global $hemingwayEx;
		if (isset($hemingwayEx)) {
			if (method_exists($hemingwayEx, 'get_asides_category_id')) {
				$category_id = $hemingwayEx->get_asides_category_id();
				if (!is_null($category_id) && !empty($category_id) && is_numeric($category_id)) {
					$query_string .= '&cat=-' . $category_id;
				}
			}
		}
	}
	return $query_string;
}

?>

An alternate way to do this would be to hook into the pre_get_posts action. Unfortunately, there’s a down-side here as well. Namely, if you create a new WP_Query object then this method might interfere with your new WP_Query instance (rather than just affecting the main loop). I ran into this very problem with my asides widget, and had to throw in a category check in the code below.

<?php

/*
 * Plugin Name: Custom Hemingway Home Query
 * Plugin URI: http://moggy.laceous.com/2008/08/15/paging-hemingway-part-deux/
 * Description: Gives you the ability to use the paging links on your homepage (works with Hemingway and HemingwayEx)
 * Version: 0.2b
 * Author: moggy
 * Author URI: http://moggy.laceous.com
 */

add_action('pre_get_posts', 'custom_hem_home_query', 1, 1);
function custom_hem_home_query($wp_query) {
	if (is_home()) { //at this point is_home is already set
		$wp_query->query_vars['posts_per_page'] = 2;
		//$wp_query->query['posts_per_page'] = 2; //only setting query_vars seems to matter
		if (isset($GLOBALS['hemingwayEx'])) {
			if (method_exists($GLOBALS['hemingwayEx'], 'get_asides_category_id')) {
				$category_id = $GLOBALS['hemingwayEx']->get_asides_category_id();
				if (!is_null($category_id) && !empty($category_id) && is_numeric($category_id)) {
					//check if the category has already been set
					//if I don't check this then it breaks my asides widget
					if (strlen($wp_query->query_vars['cat']) <= 0) {
						$wp_query->query_vars['cat'] = '-' . $category_id;
					}
				}
			}
		}
	}
}

?>

To get this to work you’ll still need to follow the 3 steps from my original post. Namely (that’s número tres for those of you counting along at home *wink wink*), copying the PHP code into a file (i.e. custom_hem_home_query.php) and uploading to your plugins folder (don’t forget to activate the plugin when you’re ready), commenting out the custom query in your theme’s index.php file (the query_posts line towards the top), and adding the paging links to your home page (also in your theme’s index.php file).

RESTfully designed web-services use POST, GET, PUT, and DELETE.

Behind the scenes a basic GET request looks like this:

GET /path/to/file.php HTTP/1.1
Host: www.domain.com

If you were to type this URL into your browser it would look like http://www.domain.com/path/to/file.php

Similarly, a POST to the same URL would look like this:

POST /path/to/file.php HTTP/1.1
Host: www.domain.com

(Note: For the purpose of these examples I’m leaving out other request headers such as User-Agent, Keep-Alive, Connection, etc. that you might normally see when using a web browser)

When you do a GET or POST you can also pass in variables. Consider a web page with a form that asks you to submit your first and last name.

The GET request might look like this:

GET /path/to/file.php?FirstName=John&LastName=Doe HTTP/1.1
Host: www.domain.com

As you can see, the variables are attached to the URL. In your browser this would look like http://www.domain.com/path/to/file.php?FirstName=John&LastName=Doe. These type of request variables are sometimes known as GET variables.

The POST version of this request would look like this:

POST /path/to/file.php HTTP/1.1
Host: www.domain.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 27

FirstName=John&LastName=Doe

As you can see, the variables aren’t appended to the URL in a POST, but instead submitted following the request headers. Variables submitted in this way are sometimes known as POST variables. In this example I also set the Content-Length and Content-Type headers indicating that this POST was submitting name/value pairs. You can also submit other data via POST such as uploading a file (and you would want to set the Content-Type appropriately).

PHP has two superglobals called $_GET and $_POST. These arrays are automatically populated by PHP based on the request.

It should be noted that it’s technically possible to submit a POST request with both GET and POST-type variables.

POST /path/to/file.php?variable1=value1&variable2=value2 HTTP/1.1
Host: www.domain.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 27

FirstName=John&LastName=Doe

In this case, $_GET would be populated with:

Array
(
    [variable1] => value1
    [variable2] => value2
)

And $_POST would be populated with:

Array
(
    [FirstName] => John
    [LastName] => Doe
)

Using A Custom Request Method
What happens if you want to create a RESTful web-service and submit a PUT request to a PHP page? What if you want to make up your own request method; how do you handle that with PHP?

Consider the following request:

MYMETHOD /path/to/file.php HTTP/1.1
Host: www.domain.com
Content-Length: 27

FirstName=John&LastName=Doe

In this example I’m submitting POST-style variables with my own made-up request method called MYMETHOD. I could just as easily substitute MYMETHOD with PUT. You can easily submit this type of request with a Firefox extension called RestTest. You can verify what is actually being sent with another extension called Live HTTP Headers.

(Note: Some servers may be locked down to only allow certain request methods. If you make a request with a method that’s not allowed then the server will respond back with a 405 Method Not Allowed error. A 405 response will include a response header letting you know which methods are allowed.)

If you don’t want to rely on the convenience of $_GET and $_POST then you can always parse out the raw data yourself.

• $_SERVER['QUERY_STRING'] is the raw version of $_GET
• php://input is the raw version of $_POST

You should never have to parse out the query string manually, but $_POST is only populated if the request method is POST and an appropriate Content-Type is set.

To get our raw MYMETHOD data we could do something like this:

if ($_SERVER['REQUEST_METHOD'] == 'MYMETHOD')
{
  $raw_data = file_get_contents('php://input');
}

We could then parse out the raw data into a $_MYMETHOD variable (to mimic $_GET and $_POST).

$array = explode('&', $raw_data);
foreach($array as $item)
{
  list($key, $value) = explode('=', $item);
  $_MYMETHOD[$key] = $value;
}

Putting It All Together
Besides using a tool like RestTest, we can also create a web page that submits a MYMETHOD request. We’ll do this by using some JavaScript and making an Ajax request with the XMLHttpRequest object.

<?php
if ($_SERVER['REQUEST_METHOD'] == 'MYMETHOD' && strpos($_SERVER['CONTENT_TYPE'], 'application/x-javascript') !== FALSE):
  $raw_data = file_get_contents('php://input');
  $array = explode('&', $raw_data);
  foreach($array as $item)
  {
    list($key, $value) = explode('=', $item);
    $_MYMETHOD[$key] = $value;
  }
  print_r($_MYMETHOD);

else:
?>
<html>
<head>
<script type="text/javascript">
/**
 * Bridge XMLHTTP to XMLHttpRequest in pre-7.0 Internet Explorers
 */
if( typeof XMLHttpRequest == "undefined" )
  XMLHttpRequest = function() {
    try { return new ActiveXObject("Msxml2.XMLHTTP.6.0") } catch(e) {}
    try { return new ActiveXObject("Msxml2.XMLHTTP.3.0") } catch(e) {}
    try { return new ActiveXObject("Msxml2.XMLHTTP") }     catch(e) {}
    try { return new ActiveXObject("Microsoft.XMLHTTP") }  catch(e) {}
    throw new Error( "This browser does not support XMLHttpRequest or XMLHTTP." )
  };

function ajax(url, vars) {
  var request = new XMLHttpRequest();
  request.open("MYMETHOD", url, true);
  request.setRequestHeader("Content-Type", "application/x-javascript;");

  request.onreadystatechange = function() {
    if (request.readyState == 4 && request.status == 200) {
      if (request.responseText) {
        alert(request.responseText);
      }
    }
  };

  request.send(vars);
}
</script>
</head>
<body>

<input type="button" value="click for ajax" onclick="javascript:ajax('<?php echo $_SERVER['PHP_SELF']; ?>', 'FirstName=John&amp;LastName=Doe');" />

</body>
</html>
<?php endif; ?>

If you copy this into a PHP file (i.e. mymethod.php), upload it to a PHP-enabled web server, and navigate to it with your web browser you’ll see a button that says click for ajax. If you click the button, an asynchronous MYMETHOD request will be sent, the server will parse out the sent name/value pairs and send the processed data back to the browser. The user will then be presented with an alert popup containing the following text:

Array
(
    [FirstName] => John
    [LastName] => Doe
)