Collaborate Disseminate
PHP is a programming language that many people love for its ease of use. It’s used all over the Web, from sites like Facebook to small, personal sites. In some cases, it’s used as a replacement for another programming language.
Here are so… Continue reading What Are Some Of The Advantages of PHP Programming Over Other Programming Languages? [closed]
I’m doing a pentest on a website and I’ve managed to gain access to the admin’s page that has file upload functionality to an /uploads/ directory. It will only accept html files, per the upload.php source code.
I’ve tried uploading a simpl… Continue reading Help with bypassing file upload whitelist
I’m trying sqlmap (newest stable version {1.6#stable}).
Here’s my situation & current result:
The target is behind a firewall. Sometimes the firewall blocks my ip & shows a recaptcha.
So it seems that I can’t get reliable result. … Continue reading SQLmap: identified time-based blind, able to retrieve banner, but cannot retrieve database names, target behind firewall [closed]
I am solving a lab related to serialization vulnerabilities. It deals with retrieving files based on the signature. The theory of the lab states as quoted, "Adding ./ will still give you the same file but the application will generate… Continue reading How does "./" affects signature generation for files, in a PHP based web application?
I am trying to develop a website where I grab data using javascript and send it to PHP using ajax post. However, while researching, I found that the POST request can be modified using third-parties software such as Postman (I believe). How… Continue reading Can POST request be changed in a HTTPS website?
Here is the code which potentially can allow a timing attack
$user = getUserFromDatabase($input_username);
if ($user === false) { // potential timing attack
// user not exist
http_response_code(401);
echo json_encode(["me… Continue reading How to prevent a timing attack when I do/don’t perform password_verify (depending if the user exists)?
Usually once you register in a website you need to visit a url like:
https://example.com/user_activate/^random_string^
Does the ^random_string^ necessarily need to be cryptographically pseudorandom instead of a time-based random one?
I mea… Continue reading Is it necessary to use cryptographically-secure randomness in order to create URLs for user activation?
Usually once you register in a website you need to visit a url like:
https://example.com/user_activate/^random_string^
Does the ^random_string^ necessarily need to be cryptographically pseudorandom instead of a time-based random one?
I mea… Continue reading Is it necessary to use cryptographically-secure randomness in order to create URLs for user activation?
I’m presently implementing a simple RSA-based encryption as follows in PHP (using openssl_public_encrypt):
// $sRawText is the text string to encrypt.
// $sPublicKey is the public key stored on the server.
openssl_public_encrypt($sRawText,… Continue reading Risks of Using SHA1 Instead of SHA256 for RSA OAEP Padding
On the PHP website it is stated that "Developers must not use long life session IDs for auto-login because it increases the risk of stolen sessions.". Instead it is recommended to use a secure one time hash key as an auto-login k… Continue reading Why not use a long life session ID for auto-login instead of a persistent cookie with a token?