Community


Latest Comments

1.industriemusic11 said:

<a href="http://www.masalaart.com.sg">new futura 4 bedroom</a>

Posted In Secure Design.

Tue, 12 Sep 2017 at 09:07:00 GMT


2.industriemusic11 said:

Thanks for the valuable information and insights you have so provided here...

<a title="new futura 4 bedroom" href="http://www.masalaart.com.sg">new futura 4 bedroom</a>

Posted In Secure Design.

Tue, 12 Sep 2017 at 09:06:20 GMT


3.industriemusic11 said:

Wonderful article, thanks for putting this together! This is obviously one great post. Thanks for the valuable information and insights you have so provided here.

<a href='http://www.masalaart.com.sg'>new futura 4 bedroom</a>

Posted In Secure Design.

Tue, 12 Sep 2017 at 09:05:32 GMT


4.Muhammad Azaz Qadir said:

Definitely agree with you. Shared hosting has security issues; it is not always the best option for your PHP based website. Apart from security issues, there are also performance concerns, as the resources are shared between different websites. It is better to use a VPS, where you get a dedicated server and server scaling options. If someone doesn't know how to set up a VPS, they can use server provisioning tools for PHP, like Cloudways.

Posted In Shared Hosting.

Thu, 17 Aug 2017 at 14:41:13 GMT


5.Private Proxies said:

Great share.

Posted In Cross-Site Request Forgeries.

Fri, 07 Jul 2017 at 13:56:03 GMT


6.विनोद अनुज said:

Is suggesting the mysqli prepared statement not appropriate?

Posted In SQL Injection.

Mon, 23 Jan 2017 at 02:22:16 GMT


7.Tommy Tom said:

The top link is dead; here is (I think) an alternate link:

http://adaptivepath.org/ideas/ajax-...b-applications/

Posted In Ajax Is Not an Acronym.

Fri, 02 Dec 2016 at 13:52:58 GMT


8.Vincent Wansink said:

Beware that storing the session in the database can be a huge performance hit if you're using the session a lot and have high traffic.

It's great if you're only storing authentication and userid for example, but if you're using it to remember state and parameters for every page, then a high number of users will quickly chew up your CPU cycles.

Posted In Storing Sessions in a Database.

Thu, 27 Oct 2016 at 19:56:27 GMT


9.Chris Shiflett said:

Just noticed another one:

http://mds.is/

Posted In URL Sentences.

Tue, 20 Sep 2016 at 03:19:42 GMT


10.Chris Shiflett said:

Julio, can you share a screen shot or a paste or something that shows what's happening?

Also, this post might be helpful:

http://shiflett.org/blog/2008/aug/i...nd-hacking-http

Posted In SERVER_NAME Versus HTTP_HOST.

Fri, 15 May 2015 at 21:44:26 GMT


11.Julio Potier said:

Hello

Each time I try to hack the host header in a request, the server response is "400 Bad Request"; tested on 8 different website hosts.

So, what is the setting that allows me to make this kind of request? It seems that what @thibaut said about VHOST is the thing, but I'm not sure, and if so, again, what is the configuration needed to do your tests?

Thanks

Posted In SERVER_NAME Versus HTTP_HOST.

Sun, 19 Apr 2015 at 23:58:28 GMT


12.Maria Antonietta said:

Thank you very much Chris!

You saved me hours of headaches!

Posted In Sorting Multi-Dimensional Arrays in PHP.

Tue, 10 Feb 2015 at 11:38:41 GMT


13.Ben Ramsey said:

Is there a broken content negotiation example somewhere that everyone is using?

I've been playing around with the mimeparse library and converting it to use Composer, as well as conform to PSR standards. See: https://github.com/ramsey/mimeparse (shameless plug)

After re-reading your post, I decided to give this a try, using your second Accept line (with the quality parameter on application/json):

<?php

// Composer autoloader for ramsey/mimeparse (assumed default path)
require 'vendor/autoload.php';

// Second Accept line from the post: application/json carries q=0.0
$accept = 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8,application/json;q=0.0';

// Per RFC 2616 section 3.9, q=0 means "not acceptable", so 0 is expected here
$quality = \Bitworking\Mimeparse::quality('application/json', $accept);

var_dump($quality);

Oddly enough, $quality comes out as the value 1, rather than 0, as one would expect.

Bingo!

This library has been around for a while; has versions in Python, Ruby, Erlang, Java, JavaScript, and PHP; and I suspect it is either widely used or widely imitated. I went back to the HTTP spec to see if a value of 0 or 0.0 is considered invalid or undefined, and it's clearly not (from RFC 2616, section 3.9):

A weight is normalized to a real number in the range 0 through 1, where 0 is the minimum and 1 the maximum value. If a parameter has a quality value of 0, then content with this parameter is `not acceptable' for the client.

This is clearly a bug in the library, which is also in my version of the library right now, until I fix it (or get a pull request). :-)

Posted In The Accept Header.

Tue, 17 Jul 2012 at 01:21:36 GMT


14.Jesus Bejarano said:

I am right now into Nicholas C. Zakas's book JavaScript for Web Developers, 964 pages, but it is an excellent encyclopedia; you should try it out.

Posted In JavaScript Study Guide.

Wed, 04 Jul 2012 at 16:19:21 GMT


15.Bob Lerner said:

Rather shocked that LeakedIn not only doesn't use a password field for the password, but also doesn't serve over SSL.

In the event that my password wasn't on this list, then shoulder surfers, back-button pressers, or man-in-the-middle attackers could sure get it then.

Posted In LeakedIn.

Fri, 22 Jun 2012 at 16:49:14 GMT


16.Paul Reinheimer said:

Hook us up Chris!

Posted In Link Blog and Planet Chris.

Wed, 20 Jun 2012 at 13:29:55 GMT


17.Karl Barnes said:

There is a great deal of information on usort and array_multisort but your example made their usage crystal clear - thanks!

Posted In Sorting Multi-Dimensional Arrays in PHP.

Mon, 18 Jun 2012 at 22:52:40 GMT


18.Elisavet Triant said:

Well, asking people for their passwords, even if it's legit isn't a very good idea.

What I did was to change my password anyway in LinkedIn and THEN check to see if it was leaked. Your form says it wasn't.

Posted In LeakedIn.

Wed, 13 Jun 2012 at 07:18:11 GMT


19.Marek Janouš said:

Mine was not leaked nor cracked according to leakedin.org, yet I still got the e-mail from LinkedIn, saying they believe it was included “in the post” (though not cracked).

Posted In LeakedIn.

Tue, 12 Jun 2012 at 09:47:06 GMT


20.Ian Coleman said:

Thanks Chris!

This has become a SERIOUS problem: the hackers HAVE the corresponding email address to my cracked password!! The email address I used for LinkedIn was used in only one other place, Twitter. Stupidly my Twitter and LinkedIn accounts also had the same password, which I didn't realise until this morning, as my Twitter account was accessed by a 3rd party who tweeted spam tweets to a Russian-based .ru site.

Either via the LinkedIn data dump, or by other means, the group has clearly matched email addresses with passwords! Now I have to check everything to make sure there isn't somewhere else I've used that email address/password combo.

Thanks for shedding light on this; LinkedIn certainly aren't.

Posted In LeakedIn.

Mon, 11 Jun 2012 at 13:54:50 GMT


21. said:

Mine was leaked but not cracked.

Anyway I changed it.

Posted In LeakedIn.

Mon, 11 Jun 2012 at 09:18:49 GMT


22. said:

Thanks Chris for this very helpful blog. I too was reluctant to post my password so I used a php script on xampp to hash it, then used findstr from the Windows 2003 Resource Kit to search the combo_not.txt file. Sure enough, there was my hashed password!

Posted In LeakedIn.

Mon, 11 Jun 2012 at 09:05:07 GMT


23.Avalonica Sativa said:

What is the answer to Philip Herbert's query above? When you go from form page to form page?

Posted In Cross-Site Request Forgeries.

Sun, 10 Jun 2012 at 20:10:44 GMT


24. said:

I typed in some entries from the 10 worst passwords leaked and it says I am safe - WTH? Did they remove those entries?

Posted In LeakedIn.

Sat, 09 Jun 2012 at 15:54:52 GMT


25.Michael Hraba said:

Friendly question for layman....

You enter your password, and all within my browser, without anything transmitted, and no one seeing it, my password transforms into a bunch of stuff.... and then it checks it?

Slow non-techie people want to join in, too. =)

Posted In LeakedIn.

Fri, 08 Jun 2012 at 21:33:01 GMT

