Unicode email and url filter in PhalconPHP

Previously I wrote two functions to add unicode support to email and url sanitation in PHP. This is something that is lacking from PHP itself and from any other framework I’ve tried, and PhalconPHP is no different, so I did what I normally do when I test unicode support…

Two step password hashing with hmac and bcrypt

The approach explained in this post is the same standard used by the Mozilla security team. Many people might see this as overkill or think that “my application is so small that I don’t need it”. No matter the scale of your application, as long as you have your system available in the world…

Stronger cryptography in PHP

Making a random string in PHP is an easy task. One of the fastest ways is this.

But this does not provide cryptographically strong randomness. To get that we have to write our own functions. This might look “scary” to some people, but it’s really not hard at all. The first thing we will…

How to migrate hashed passwords

So, you have realized that the way you have hashed your users’ passwords needs to be updated, but you don’t want to cause any extra trouble for your users by forcing them to change their password. From my previous experience this is one of the main reasons why people are so hesitant to update their stored…

Regular expressions and unicode character properties

Unicode has brought headaches to developers all around the world. It has caused countless hours of trial and error, sleepless nights and probably a decent amount of hair loss as well. After fine-tuning complex patterns it turns out that they don’t really work anyway. If you have ever had to work with regular…

Improved email and url sanitation

Many people just use PHP’s native functionality blindly, thinking that everything will work smoothly, but that isn’t the case. PHP provides the FILTER_SANITIZE_EMAIL and FILTER_SANITIZE_URL filters to use with the filter functions. The problem here is that they also strip Unicode characters, meaning that if you’re sanitizing a Unicode URL you will destroy it. So…

PhalconPHP – How to get CSRF working on index page

I’ve just started learning PhalconPHP, which is a framework for PHP (obviously) written in C. It’s a really great framework, but like anything else there are some things that don’t always work as you would expect them to. In this post I will explain the issue I had when I was trying to add CSRF…

[Source] Sublime Snippet – PhalconPHP controller skeleton

Sublime Text snippet to quickly create a skeleton for a new controller class for projects using PhalconPHP.

Usage: Go to Tools > New Snippet. Copy the above snippet into the file and save. Note: Make sure that you are in the correct folder. I’m not sure about Windows or Mac, but in Linux the default folder is /home/[username]/.config/sublime-text-X/Packages/User/…

[Source] Sublime Snippet – Class method with docblock

Handy snippet for Sublime Text to create a new class method with docblock.

Usage: Go to Tools > New Snippet. Copy the above snippet into the file and save. Note: Make sure that you are in the correct folder. I’m not sure about Windows or Mac, but in Linux the default folder is /home/[username]/.config/sublime-text-X/Packages/User/ where X is the version…

LFI to shell – exploiting Apache access log

Local file inclusion (LFI) is normally known as a way to extract the contents of various files on the server the site is hosted on. This includes files like passwd, hosts, etc. But have you ever thought about how you could take this to another level? A level where you can initialize a reverse shell, get…
