
Ben Sampson:
Masking IDs in URLs using hashids in Laravel
May 29, 2018 @ 17:47:18

In a post to his site Ben Sampson shows how to mask IDs in URLs using hashids in a Laravel-based application. Hashids converts values into strings that can then be decoded back to their original values.

By default a URL generated by a Laravel app will contain the ID of a model like this https://app.name/users/1 where 1 is the ID of the item. Often this is absolutely fine, but sometimes you might want to hide it (or obfuscate it). The two main use cases for this I've come across so far are: Security [and it looks] More professional.

He shows how to use this package to encode and decode ID values in your URLs. He also includes updates to the models, controllers and routing to use route model binding to handle the encode/decode process. He shows how to set up different salts for different data types, setting them on each model, and how to correctly bind the functionality in the main route service provider.
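As an added illustration of the approach he describes (this is not code from his post), the trait below gives a Laravel model a hashid as its route key and decodes it again during implicit route model binding. It assumes the hashids/hashids package, a hypothetical config key hashids.salts.<table> holding one salt per model, and a Laravel version whose Model has resolveRouteBinding(). Hashids is reversible obfuscation, not encryption, so the decoded ID still has to pass the same authorization checks as a plain integer would.

```php
<?php
// Added example, not from Ben Sampson's post. Assumes the hashids/hashids
// package and a hypothetical config key "hashids.salts.<table>".
use Hashids\Hashids;
use Illuminate\Database\Eloquent\Model;

trait HasHashid
{
    // One Hashids instance per model, salted per table so the same integer
    // does not produce the same string across different models.
    protected function hashids(): Hashids
    {
        $salt = config('hashids.salts.' . $this->getTable(), config('app.key'));
        return new Hashids($salt, 8); // 8 = minimum hash length
    }

    // route('users.show', $user) and other URL generation use getRouteKey().
    public function getRouteKey()
    {
        return $this->hashids()->encode($this->getKey());
    }

    // Implicit binding hands the URL segment to resolveRouteBinding(). A
    // tampered or unknown string decodes to an empty array; returning null
    // makes Laravel answer with a 404 instead of querying a bogus key.
    public function resolveRouteBinding($value, $field = null)
    {
        if ($field !== null) {
            return $this->where($field, $value)->first();
        }
        $decoded = $this->hashids()->decode((string) $value);
        if ($decoded === []) {
            return null;
        }
        return $this->where($this->getKeyName(), $decoded[0])->first();
    }
}

class User extends Model
{
    use HasHashid;
}
// Route::get('/users/{user}', ...) now receives the resolved User for a URL
// such as /users/Xk9aB2wQ, or a 404 when the segment does not decode.
```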

tagged: laravel tutorial hashid mask encode decode route model

Link: https://sampo.co.uk/blog/masking-ids-in-urls-using-hash-ids-in-laravel

Aaron Saray:
Anatomy of a PHP Hack
Nov 27, 2017 @ 16:09:55

Aaron Saray has a post to his site sharing the "anatomy of a PHP hack" - the evidence that he found and pulled apart based on a recent hack he experienced.

It’s hard to come up with a title for this - but - basically I found some rogue code the other day that I thought was pretty interesting. I was fixing a “hacked” website when I came across the source of the symptoms of the hack.

He starts with the obfuscated code he found on the hacked website and walks through the method he used to reverse it, layer by layer, until its real purpose is exposed: a simple call to base64_decode on a value that comes in from a $_POST request.

tagged: hack decode reverse base64 post input

Link: https://aaronsaray.com/2017/anatomy-of-a-php-hack.html

Anthony Ferrara:
Educate, Don't Mediate
Oct 21, 2014 @ 16:53:55

In his latest post Anthony Ferrara makes a suggestion about teaching developers how to solve problems via a "quick fix" versus educating them about the real problem: educate, don't mediate.

Recently, there has been a spout of attention about how to deal with eval(base64_decode("blah")); style attacks. A number of posts about "The Dreaded eval(base64_decode()) - And how to protect your site and visitors" have appeared lately. They have been suggesting how to mitigate the attacks. This is downright bad. The problem is that these posts have been suggesting things like "Disable eval()" and "Disable base64_decode()" as possible solutions. And while technically that would work, it completely misses the point, and does nothing to protect users.

He suggests that developers shouldn't just look for a "quick fix" solution posted in a tutorial somewhere and go on their merry way. One danger in this is that those instructions could only be patching part of the problem, not all of it. In this case, the disable eval/base64 handling is only a code-level fix. If this exploit exists in your application, the attacker was able to get to the local file system - a much bigger problem.
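Both Aaron Saray's write-up above and Ferrara's post revolve around the eval(base64_decode(...)) pattern. The following added example (not code from either author) is a small tokenizer-based scan that flags that pattern in PHP source so an operator can find injected files; it is a detection aid only, and, as Ferrara argues, the real fix is working out how the attacker was able to write to the file system in the first place. The function name and the list of decoder callees are my own choices.

```php
<?php
// Added example, not from either post. Uses PHP's own tokenizer rather than
// grep, so matches inside comments and string literals are ignored and
// spacing or case variants (EVAL, Base64_Decode) are still caught.
function findEvalOfDecode(string $source): array
{
    $tokens = token_get_all($source);
    $hits = [];
    $n = count($tokens);
    for ($i = 0; $i < $n; $i++) {
        if (!is_array($tokens[$i]) || $tokens[$i][0] !== T_EVAL) {
            continue;
        }
        $line = $tokens[$i][2];
        // Skip whitespace and the opening parenthesis to reach the callee.
        for ($j = $i + 1; $j < $n; $j++) {
            $t = $tokens[$j];
            if (is_array($t) && $t[0] === T_WHITESPACE) {
                continue;
            }
            if ($t === '(') {
                continue;
            }
            // Decoders commonly wrapped in eval(); extend the list as needed.
            $decoders = ['base64_decode', 'gzinflate', 'gzuncompress', 'str_rot13'];
            if (is_array($t) && $t[0] === T_STRING
                && in_array(strtolower($t[1]), $decoders, true)) {
                $hits[] = ['line' => $line, 'callee' => strtolower($t[1])];
            }
            break;
        }
    }
    return $hits;
}

// Constructed sample: the pattern appears in a comment (line 2) and inside
// a string literal (line 3), which must not match, and as real code (line 4).
$sample = "<?php\n"
        . "// eval(base64_decode('x')) in a comment is ignored\n"
        . "\$s = 'eval(base64_decode(1))';\n"
        . "EVAL ( base64_decode(\$_POST['c']) );\n";
print_r(findEvalOfDecode($sample)); // one hit: line 4, callee base64_decode
```

Calls written with a leading backslash or through a variable function name are not covered by this simple check, so treat a clean result as one signal among several.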

tagged: educate mediate opinion bugfix quickfix eval base64 encode decode

Link: http://blog.ircmaxell.com/2014/10/educate-dont-mediate.html

HHVM Blog:
The Journey of a Thousand Bytecodes
Oct 06, 2014 @ 17:49:38

In the latest post to the HHVM (HipHop VM) blog Sara Golemon recounts the journey of a thousand bytecodes and the process that it takes to decompose a PHP file and optimize it for execution in the HHVM environment.

Compilers are fun. They take nice, human readable languages like PHP or Hack and turn them into lean, mean, CPU executin’ Turing machines. Some of these are simple enough a CS student can write one up in a weekend, some are the products of decades of fine tuning and careful architecting. Somewhere in that proud tradition stands HHVM; in fact it’s several compilers stacked in an ever-growing chain of logic manipulation and abstractions. This article will attempt to take the reader through the HHVM compilation process from PHP-script to x86 machine code, one step at a time.

The process is broken down into six different steps, each with a description and some code examples where relevant:

  • Lexing the PHP to get its tokens
  • Parsing the token results into an AST (and optimizing it along the way)
  • Compilation to Bytecode
  • HHBBC Optimization
  • Intermediate Representation
  • Virtual Assembly
  • Emitting machine code

tagged: hhvm bytecode process hiphop compile decode optimize

Link: http://hhvm.com/blog/6323/the-journey-of-a-thousand-bytecodes

PHPBuilder.com:
Processing JSON in PHP
Apr 04, 2014 @ 15:40:39

PHPBuilder.com has posted a new tutorial today showing you how to work with JSON in PHP including serialization and database interaction.

This article explains how to use the JavaScript Object Notation (JSON) extension in PHP, going step by step through a series of essential operations. JSON is an object string notation, it is defined as a subset of JavaScript's syntax and its general-purpose is to interchange data format. As you probably know, JSON was first made to be used with JavaScript for accessing remote data, but now it is used by many other languages because JSON data is a platform-independent data format. JSON can be used natively in JavaScript, but you can also use it in a server-client application logic.

They start with an introduction to the JSON structure and how to both create and decode data using PHP's own json_encode and json_decode. The examples start out using arrays for the data but then move into something slightly more complex - objects. The article talks about JsonSerializable and shows how to automatically hook the data into a table and store the content based on the column name/property name match.

tagged: process json encode decode tutorial example

Link: http://www.phpbuilder.com/articles/application-architecture/object-oriented/processing-json-in-php.html

Joshua Thijssen:
Decoding TLS with PHP
Dec 31, 2013 @ 16:17:19

Joshua Thijssen has posted a walk-through of some work he's done to create a TLS decoder in PHP. TLS (Transport Layer Security) is a method for encrypting data being sent back and forth between the client and server, similar to how SSL is used.

As a proof of concept I wanted to see in how far I could decode some TLS data on the client side. Obviously, this is a very complex matter, and even though TLS looks deceptively simple, it isn’t. To make matters worse, PHP isn’t quite helping us make things easy either.

His solution (code posted here) goes through a few steps to finally get to the actual data:

  • Capturing TLS data
  • Gathering all the necessary fields
  • From pre-master-secret to master-secret (decoding TLS_RSA_WITH_RC4_128_SHA)
  • Partitioning our master-secret
  • Decoding our data
  • Verifying message integrity

For each step along the way he shares the relevant code and a brief description of what's happening. If you want to see the end result and try it out for yourself, check out his repository.
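As an added example (not Joshua Thijssen's code), here are the two key-derivation steps from his list, "from pre-master-secret to master-secret" and "partitioning our master-secret", written out for TLS_RSA_WITH_RC4_128_SHA using the TLS 1.0/1.1 PRF from RFC 2246 section 5. It assumes the session is TLS 1.0 or 1.1 (TLS 1.2 replaces this PRF with a SHA-256 based one), and the input bytes are constructed placeholders, not values from a real capture.

```php
<?php
// Added example, not from the post. TLS 1.0/1.1 key derivation for
// TLS_RSA_WITH_RC4_128_SHA; inputs below are constructed, not captured.

// P_hash(secret, seed): A(0) = seed, A(i) = HMAC(secret, A(i-1)),
// output = HMAC(secret, A(1)+seed) || HMAC(secret, A(2)+seed) || ...
function p_hash(string $algo, string $secret, string $seed, int $len): string
{
    $out = '';
    $a = $seed;
    while (strlen($out) < $len) {
        $a = hash_hmac($algo, $a, $secret, true);
        $out .= hash_hmac($algo, $a . $seed, $secret, true);
    }
    return substr($out, 0, $len);
}

// PRF = P_MD5(S1, label+seed) XOR P_SHA1(S2, label+seed), where S1/S2 are
// the two halves of the secret (sharing one byte if its length is odd).
function tls10_prf(string $secret, string $label, string $seed, int $len): string
{
    $half = intdiv(strlen($secret) + 1, 2);
    $s1 = substr($secret, 0, $half);
    $s2 = substr($secret, strlen($secret) - $half);
    return p_hash('md5', $s1, $label . $seed, $len)
         ^ p_hash('sha1', $s2, $label . $seed, $len);
}

// 48-byte pre-master secret (RSA-decrypted from ClientKeyExchange)
// -> 48-byte master secret, seeded with client_random || server_random.
function master_secret(string $pre, string $clientRandom, string $serverRandom): string
{
    return tls10_prf($pre, 'master secret', $clientRandom . $serverRandom, 48);
}

// Key block for RC4_128_SHA: 2 x 20-byte MAC secrets, 2 x 16-byte RC4 keys,
// no IVs (stream cipher). Note the seed order flips to server || client.
function key_block_rc4_sha(string $master, string $clientRandom, string $serverRandom): array
{
    $kb = tls10_prf($master, 'key expansion', $serverRandom . $clientRandom, 72);
    return [
        'client_write_MAC_secret' => substr($kb, 0, 20),
        'server_write_MAC_secret' => substr($kb, 20, 20),
        'client_write_key'        => substr($kb, 40, 16),
        'server_write_key'        => substr($kb, 56, 16),
    ];
}

// Constructed inputs: version bytes 03 01 followed by 46 filler bytes.
$pre = "\x03\x01" . str_repeat("\x11", 46);
$cr  = str_repeat("\xaa", 32);
$sr  = str_repeat("\xbb", 32);
$keys = key_block_rc4_sha(master_secret($pre, $cr, $sr), $cr, $sr);
```

The remaining steps in his list then use server_write_key for an RC4 stream that must keep its state across records, and server_write_MAC_secret for the HMAC-SHA1 over sequence number, record header and plaintext that the "verifying message integrity" step checks.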

tagged: decode tls transport layer security protocol data tutorial

Link: http://www.adayinthelifeof.nl/2013/12/30/decoding-tls-with-php

David Stockton's Blog:
Zend JSON - An Introduction
Aug 24, 2011 @ 13:17:12

David Stockton has a new post to his ZendTutorials.com site today introducing you to an increasingly handy Zend Framework component that can make your messaging needs easier. The new tutorial introduces you to Zend_Json, a component for generating and parsing JSON messages.

In the past few years, JSON, or JavaScript Object Notation has seemed to overtake XML and other data encoding methods on the web. [...] I’ve also seen numerous examples of developers who create their own sort of JSON encoder rather than either using json_encode or using Zend_Json. What inevitably comes back to bite them is when the data they are encoding contains a special character like quotes, colons, curly brackets, etc.

He demonstrates how the Zend_Json component helps to alleviate some of the worries with built-in features that handle everything from basic encoding/decoding, printing out results in a "pretty" way and a handy way to include executable JavaScript (once it's evaled on the other side) in your payload. He finishes the tutorial off with a mention of a very handy method that will please those already having to work with XML - the fromXML() method that automagically converts the data over to JSON for you.

tagged: zendjson json zendframework introduction xml encode decode expression

Link:

PHPBuilder.com:
Securing Data Sent Via GET Requests
Dec 14, 2007 @ 14:49:00

PHPBuilder.com has a new article by Hillel Aftel about his method of choice for securing the data that you send over the GET string when moving things around on your site.

In this article I'm going to show you how you can use PHP to encode your data for transit. Most importantly, it will be done in a way that makes the data decodable, and therefore much more usable, by the receiving page.

His encryption method - sending everything in a single string and modifying the scheme each time - uses static pairs of values (of your choosing) to "encode" the outgoing string. It actually consists of three different files: the script itself, a single-use script that generates the third file, and an include file that handles the conversion back from the encoded results.

tagged: get request secure data encode decode salt convert

Link:

Paul Jones' Blog:
Solar 0.27.0 and 0.27.1 Released
Mar 02, 2007 @ 13:57:00

Paul Jones has released two new versions of the Solar framework in quick succession today:

Yesterday, I released Solar 0.27.0, then quick-fixed two minor bugs and released 0.27.1 an hour later. It feels so good to be back doing releases on a monthly basis.

Some of the updates/changes in these new releases include:

You can download these latest updates from the framework's main website.

tagged: solar release update bugfix autoload locale json encode decode sql pdo extension

Link:
