Collaborate Disseminate
The PHP code has a handleRoute($path) function that is triggered for URLs like server.com/routeme/a. Handle route has the follwing: if file_exists($path) then include $path.
The $path argument is /srv/dirs/routeme/a.
A Go… Continue reading PHP Local File Inclusion from URL; no param
I am wondering if it is smart to hash my session IDs before writing sessions to the session storage, in order to prevent session ID disclosure.
I am writing an application in PHP on top of the Symfony framework. By default PHP stores sess… Continue reading Should I hash session IDs before storing the session contents?
Client POSTs creds, and if authenticated, server responds with a 302 redirect to an enormous path:
https://phpwebsite.com/login/auth/[encoded_data]
where encoded_data is either 811, or 726 characters long (for admins and un… Continue reading Can anyone identify the authentication backend used by a PHP website from the following URL?
Is this the right way to crack a password hashed with PHP?
I used the password_hash function to hash a password (PHP version 7.3).
Then I created a word list using a Python script. It’s around 1GB in size.
Then I created a … Continue reading Crack passwords hashed with PHP?
Frequently, I’d say in virtually every case, there is only one PHP library for any particular problem. (I don’t count obsolete, abandoned, trash ones.)
Therefore, it’s never a “choice” by me to use it. I have to either use i… Continue reading How to deal with this fundamental problem with the advice: "Don’t trust obscure PHP libraries that nobody uses!"?
Description:
I want to create an upload center for small files (word/excel/zip documents etc) with PHP.
I want to protect files uploaded by user as much as possible, so if server is breached, attacker cannot read/open thes… Continue reading How to encrypt user files securely on the server with PHP
I’m a PHP web developer who has been trying to learn and understand how to encrypt and secure the data stored on a database with PHP Sodium.
In terms of security knowledge I am very new to the area besides applying basic password_hash / p… Continue reading How is data Encrypted and Decrypted from a database with PHP Sodium
$smarty->assign(“action”, $_SERVER[“PHP_SELF”]);
PHP_SELF is set client side by the browser so it can be modified by an attacker. Is Smarty “action” assigned to the form action field?
So can an attacker control where to POST data is … Continue reading Is this php smarty template statement a security flaw?
We have developed an application with contain file upload functionality. We use that application for internal purpose only. We use core php language.
We already use the below validations:
File extension checks (allow only … Continue reading How to validate file content in php?
I have a scenario with 2 sites. Site 1 is mysite.com and Site 2 is secondurl.com.
Site 1 is using Wordpress. There, I did a Javascrit/jQuery routine that checks if a given url parameter comes in. If the parameter “p” exists… Continue reading URL parameter manipulation and injection