Want to join us? Connect with Twitter and introduce yourself.

Latest Comments

1.Stock Market Today said:

This Application Code is Helpful to me. Thank you!


Posted In Cross-Site Request Forgeries.

Wed, 25 May 2016 at 08:18:44 GMT

2.fred durst said:

Its really good post. A lot of intresting and useful information, thats will help me with my work!

Posted In The Truth about Sessions.

Sat, 14 May 2016 at 12:15:02 GMT

3.fred durst said:

Added your site to bookmarks. Here i found a lot of useful information.

Posted In Foiling Cross-Site Attacks.

Sat, 14 May 2016 at 12:11:36 GMT

4.fred durst said:

thanks to the author. on your site a lot of useful information that will help me in my work!


Posted In Cross-Site Scripting.

Sat, 14 May 2016 at 12:10:48 GMT

5.fred durst said:

Thx. This site has a many useful information. Added to bookamrks.

Posted In Session Fixation.

Sat, 14 May 2016 at 11:58:10 GMT

6.fred durst said:

Fine, that's what I was looking for! Thanks to the author and the creators of the site!


Posted In SQL Injection.

Sat, 14 May 2016 at 11:56:44 GMT

7.fred durst said:

Good post! I was looking for this information everywhere!

Posted In Session Hijacking.

Sat, 14 May 2016 at 11:54:48 GMT

8.fred durst said:

thank you very much to the author. a lot of useful information!

Posted In Storing Sessions in a Database.

Sat, 14 May 2016 at 11:52:50 GMT

9.Etaigbenu Canaan said:

This is a really good article. Thanks

Posted In The Truth about Sessions.

Mon, 02 May 2016 at 13:15:42 GMT

10.Dominic Mayers said:

Well, I like that it strips newline after a closing tag, but I have no idea why it does not do it when it matters the most: the last closing tag in an included file.


<?php header('Content-Type:text/plain'); ?>
Hello<?php include "toinclude.php"; ?>World!


<?php echo " "; ?>

with a new line after the ?>, which is stripped here, will output:



It's strange that it strips it every where else, but not at the end of an included file.

Posted In PHP Stripping Newlines.

Wed, 27 Apr 2016 at 21:54:38 GMT

11.Kvasin Leonid said:


I was looking for this information, thanks for the post!

Posted In Cross-Site Request Forgeries.

Thu, 14 Apr 2016 at 15:00:20 GMT

12.atif said:

A very good post with the use of multisort function. To read other basic types of sorting functions visit Blog of Cloudways.

Posted In Sorting Multi-Dimensional Arrays in PHP.

Tue, 24 Nov 2015 at 11:12:04 GMT

13.Tashreefshareef said:

Well written and done a great job indeed. But, there are several ways through which one attack the users such as hacking into once router as mentioned here >>

How to Know if Your Router is Hacked

Posted In Cross-Site Request Forgeries.

Tue, 03 Nov 2015 at 14:01:46 GMT

14.Swati said:

Its nice.

MySQL_real_escape_string: break out particular characters in a string for utilize in an SQL expression/statement.

You can obtain more information of it.

Posted In addslashes() Versus mysql_real_escape_string().

Fri, 19 Jun 2015 at 11:38:43 GMT

15.Chris Shiflett said:

Julio, can you share a screen shot or a paste or something that shows what's happening?

Also, this post might be helpful:


Fri, 15 May 2015 at 21:44:26 GMT

16.Julio Potier said:


Each time i try to hack the host header in a request, each time the server response is "400 Bad Request", tested on 8 differents websites hosting.

So, what is the setting that allow me to do this kind of request? It seems that @thibaut said about VHOST is the thing but not sure, and if yes, again, what is the configuration to do your tests?



Sun, 19 Apr 2015 at 23:58:28 GMT

17.Maria Antonietta said:

Thank you very much Chris!

You avoided me hours of headaches!

Posted In Sorting Multi-Dimensional Arrays in PHP.

Tue, 10 Feb 2015 at 11:38:41 GMT

18.Ben Ramsey said:

Is there a broken content negotiation example somewhere that everyone is using?

I've been playing around with the mimeparse library and converting it to use Composer, as well as conform to PSR standards. See: (shameless plug)

After re-reading your post, I decided to give this a try, using your second Accept line (with the quality parameter on application/json):

$accept = 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8,application/json;q=0.0';
$quality = \Bitworking\Mimeparse::quality('application/json', $accept);

Oddly enough, $quality comes out as the value 1, rather than 0, as one would expect.


This library has been around for a while; has versions in Python, Ruby, Erlang, Java, JavaScript, and PHP; and I suspect it is either widely used or widely imitated. I went back to the HTTP spec to see if a value of 0 or 0.0 is considered invalid or undefined, and it's clearly not (from RFC 2616, section 3.9):

A weight is normalized to a real number in the range 0 through 1, where 0 is the minimum and 1 the maximum value. If a parameter has a quality value of 0, then content with this parameter is `not acceptable' for the client.

This is clearly a bug in the library, which is also in my version of the library right now, until I fix it (or get a pull request). :-)

Posted In The Accept Header.

Tue, 17 Jul 2012 at 01:21:36 GMT

19.Jesus Bejarano said:

I am right now into Nicholas C.Zakas's book javascript for web developers , 964 pages, but is a excellent encyclopedia, you should try it out

Posted In JavaScript Study Guide.

Wed, 04 Jul 2012 at 16:19:21 GMT

20.Bob Lerner said:

Rather shocked that leakedin not only doesn't use a password field for the password, that it also doesn't serve over SSL either.

In the even that my password wasn't on this list, then shoulder surfers, back-button pressers, or man-in-the-middle attackers could sure get it then.

Posted In LeakedIn.

Fri, 22 Jun 2012 at 16:49:14 GMT

21.Paul Reinheimer said:

Hook us up Chris!

Posted In Link Blog and Planet Chris.

Wed, 20 Jun 2012 at 13:29:55 GMT

22.Karl Barnes said:

There is a great deal of information on usort and array_multisort but your example made their usage crystal clear - thanks!

Posted In Sorting Multi-Dimensional Arrays in PHP.

Mon, 18 Jun 2012 at 22:52:40 GMT

23.Elisavet Triant said:

Well, asking people for their passwords, even if it's legit isn't a very good idea.

What I did was to change my password anyway in LinkedIn and THEN check to see if it was leaked. Your form says it wasn't.

Posted In LeakedIn.

Wed, 13 Jun 2012 at 07:18:11 GMT

24.Marek Janouš said:

Mine was not leaked nor cracked according to, yet I still got the e-mail from LinkedIn, saying they believe it was included “in the post” (though not cracked).

Posted In LeakedIn.

Tue, 12 Jun 2012 at 09:47:06 GMT

25.Ian Coleman said:

Thanks Chris!

This has become a SERIOUS problem, the hackers HAVE a corresponding email addresses to my cracked password!! My only use of the email address I used for linked in one other place, twitter. Stupidly my twitter and linkedin accouts also had the same password which I didn't realise until this morning, as my twitter account was accessed by a 3rd party who tweeted spam tweets to a russian based .ru site.

Either via the linkedIn data dump, or by other means, the group clearly have matched email addresses with passwords! Now I have to check everything to make sure there isn't somewhere else I've used that email address/password combo.

Thanks for shedding light in this, linkedin certainly aren't

Posted In LeakedIn.

Mon, 11 Jun 2012 at 13:54:50 GMT

Join Us

Connect with Twitter to join us!

All Members