
Latest Comments

1. Muhammad Azaz Qadir said:

Definitely agree with you. Shared hosting has security issues, it is not always the best option for your PHP based website. Apart from security issues, there are also performance concerns as well, as the resources are shared between different websites. It is better to use a VPS, where you get dedicated server and server scaling option. If someone doesn't know how to setup a VPS, they can use server provisioning tools for PHP, like Cloudways.

Posted In Shared Hosting.

Thu, 17 Aug 2017 at 14:41:13 GMT

2. Private Proxies said:

Great share.

Posted In Cross-Site Request Forgeries.

Fri, 07 Jul 2017 at 13:56:03 GMT

3. विनोद अनुज said:

Is suggesting the mysqli prepared statement not appropriate?

Posted In SQL Injection.

Mon, 23 Jan 2017 at 02:22:16 GMT

4. Tommy Tom said:

The top link is dead; here is (I think) an alternate link.

Posted In Ajax Is Not an Acronym.

Fri, 02 Dec 2016 at 13:52:58 GMT

5. Vincent Wansink said:

Beware that storing the session in the database can be a huge performance hit if you're using the session a lot and have high traffic.

It's great if you're only storing authentication and a user ID, for example, but if you're using it to remember state and parameters for every page, then a high number of users will quickly chew up your CPU cycles.

Posted In Storing Sessions in a Database.

Thu, 27 Oct 2016 at 19:56:27 GMT

6. Chris Shiflett said:

Just noticed another one:

Posted In URL Sentences.

Tue, 20 Sep 2016 at 03:19:42 GMT

7. Chris Shiflett said:

Julio, can you share a screen shot or a paste or something that shows what's happening?

Also, this post might be helpful:

Fri, 15 May 2015 at 21:44:26 GMT

8. Julio Potier said:

Each time I try to hack the Host header in a request, the server response is "400 Bad Request"; tested on 8 different website hosts.

So, what is the setting that allows me to do this kind of request? It seems that what @thibaut said about VHOST is the thing, but I'm not sure, and if so, again, what is the configuration needed to do your tests?

Sun, 19 Apr 2015 at 23:58:28 GMT

9. Maria Antonietta said:

Thank you very much Chris!

You saved me hours of headaches!

Posted In Sorting Multi-Dimensional Arrays in PHP.

Tue, 10 Feb 2015 at 11:38:41 GMT

10. Ben Ramsey said:

Is there a broken content negotiation example somewhere that everyone is using?

I've been playing around with the mimeparse library and converting it to use Composer, as well as to conform to PSR standards. See: (shameless plug)

After re-reading your post, I decided to give this a try, using your second Accept line (with the quality parameter on application/json):

$accept = 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8,application/json;q=0.0';
$quality = \Bitworking\Mimeparse::quality('application/json', $accept);

Oddly enough, $quality comes out as the value 1, rather than 0, as one would expect.

This library has been around for a while; has versions in Python, Ruby, Erlang, Java, JavaScript, and PHP; and I suspect it is either widely used or widely imitated. I went back to the HTTP spec to see if a value of 0 or 0.0 is considered invalid or undefined, and it's clearly not (from RFC 2616, section 3.9):

A weight is normalized to a real number in the range 0 through 1, where 0 is the minimum and 1 the maximum value. If a parameter has a quality value of 0, then content with this parameter is 'not acceptable' for the client.

This is clearly a bug in the library, which is also in my version of the library right now, until I fix it (or get a pull request). :-)

Posted In The Accept Header.

Tue, 17 Jul 2012 at 01:21:36 GMT
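As an added example (not Ben's code and not the mimeparse library): a minimal Accept-header quality lookup in Python that keeps an explicit q=0 as "not acceptable", as RFC 2616 section 3.9 requires, rather than letting it fall back to 1. The function names are my own; ACCEPT_EXAMPLE is the second Accept line from the comment above.

```python
def parse_accept(header):
    """Parse an Accept header into (type, subtype, params, q) tuples; q defaults to 1.0."""
    ranges = []
    for part in header.split(","):
        pieces = [p.strip() for p in part.strip().split(";")]
        if "/" not in pieces[0]:
            continue  # skip malformed media ranges
        mtype, subtype = pieces[0].lower().split("/", 1)
        q, params = 1.0, {}
        for p in pieces[1:]:
            if "=" not in p:
                continue
            key, value = (s.strip() for s in p.split("=", 1))
            if key.lower() == "q":
                try:
                    q = min(1.0, max(0.0, float(value)))  # clamp into 0..1; 0 stays 0
                except ValueError:
                    pass  # unparsable qvalue: keep the default of 1.0
            else:
                params[key.lower()] = value.strip('"')
        ranges.append((mtype, subtype, params, q))
    return ranges

def quality(mime_type, header):
    """q the client assigns to mime_type; 0.0 when unmatched or explicitly q=0.

    The most specific matching range wins: type/subtype plus parameters beats
    type/subtype, which beats type/*, which beats */*.
    """
    parsed = parse_accept(mime_type)
    if not parsed:
        return 0.0
    ttype, tsub, tparams, _ = parsed[0]
    best_spec, best_q = -1, 0.0
    for mtype, subtype, params, q in parse_accept(header):
        if mtype not in (ttype, "*") or subtype not in (tsub, "*"):
            continue
        if any(tparams.get(k) != v for k, v in params.items()):
            continue  # the range requires a parameter the target lacks
        spec = (mtype != "*") + (subtype != "*") + len(params)
        if spec > best_spec:
            best_spec, best_q = spec, q
    return best_q

# Ben's second Accept line: application/json is explicitly not acceptable.
ACCEPT_EXAMPLE = ("text/html,application/xhtml+xml,application/xml;q=0.9,"
                  "*/*;q=0.8,application/json;q=0.0")
```

With this lookup, quality("application/json", ACCEPT_EXAMPLE) returns 0.0, the value Ben expected, because the exact application/json range outranks */*;q=0.8.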

11. Jesus Bejarano said:

I am right now into Nicholas C. Zakas's book JavaScript for Web Developers, 964 pages, but it is an excellent encyclopedia; you should try it out.

Posted In JavaScript Study Guide.

Wed, 04 Jul 2012 at 16:19:21 GMT

12. Bob Lerner said:

Rather shocked that LeakedIn not only doesn't use a password field for the password, but also doesn't serve over SSL.

In the event that my password wasn't on this list, then shoulder surfers, back-button pressers, or man-in-the-middle attackers could sure get it then.

Posted In LeakedIn.

Fri, 22 Jun 2012 at 16:49:14 GMT

13. Paul Reinheimer said:

Hook us up Chris!

Posted In Link Blog and Planet Chris.

Wed, 20 Jun 2012 at 13:29:55 GMT

14. Karl Barnes said:

There is a great deal of information on usort and array_multisort, but your example made their usage crystal clear. Thanks!

Posted In Sorting Multi-Dimensional Arrays in PHP.

Mon, 18 Jun 2012 at 22:52:40 GMT

15. Elisavet Triant said:

Well, asking people for their passwords, even if it's legit, isn't a very good idea.

What I did was to change my password anyway in LinkedIn and THEN check to see if it was leaked. Your form says it wasn't.

Posted In LeakedIn.

Wed, 13 Jun 2012 at 07:18:11 GMT

16. Marek Janouš said:

Mine was not leaked nor cracked according to, yet I still got the e-mail from LinkedIn, saying they believe it was included “in the post” (though not cracked).

Posted In LeakedIn.

Tue, 12 Jun 2012 at 09:47:06 GMT

17. Ian Coleman said:

Thanks Chris!

This has become a SERIOUS problem: the hackers HAVE the corresponding email address to my cracked password!! The email address I used for LinkedIn is used in only one other place, Twitter. Stupidly, my Twitter and LinkedIn accounts also had the same password, which I didn't realise until this morning, as my Twitter account was accessed by a 3rd party who tweeted spam tweets to a Russian-based .ru site.

Either via the LinkedIn data dump, or by other means, the group has clearly matched email addresses with passwords! Now I have to check everything to make sure there isn't somewhere else I've used that email address/password combo.

Thanks for shedding light on this; LinkedIn certainly aren't.

Posted In LeakedIn.

Mon, 11 Jun 2012 at 13:54:50 GMT

18. said:

Mine was leaked but not cracked.

Anyway I changed it.

Posted In LeakedIn.

Mon, 11 Jun 2012 at 09:18:49 GMT

19. said:

Thanks Chris for this very helpful blog. I too was reluctant to post my password, so I used a PHP script on XAMPP to hash it, then used findstr from the Windows 2003 Resource Kit to search the combo_not.txt file. Sure enough, there was my hashed password!

Posted In LeakedIn.

Mon, 11 Jun 2012 at 09:05:07 GMT

20. Avalonica Sativa said:

What is the answer to Philip Herbert's query above? When you go from form page to form page?

Posted In Cross-Site Request Forgeries.

Sun, 10 Jun 2012 at 20:10:44 GMT

21. said:

I typed in some entries from the 10 worst passwords leaked and it says I am safe. WTH? Did they remove those entries?

Posted In LeakedIn.

Sat, 09 Jun 2012 at 15:54:52 GMT

22. Michael Hraba said:

Friendly question from a layman...

You enter your password, and all within my browser, without anything transmitted, and no one seeing it, my password transforms into a bunch of stuff.... and then it checks it?

Slow non-techie people want to join in, too. =)

Posted In LeakedIn.

Fri, 08 Jun 2012 at 21:33:01 GMT

23. Vince Work said:

Thanks for removing getclicky, an acknowledgment of the security risk mentioned in comment #57, perhaps? However, there are still glaring issues with is transmitting unsalted SHA1 hashes over cleartext HTTP.

Ask yourself this. What did hackers obtain from LinkedIn and post on an online forum, the whole source of this controversy?

Answer: unsalted SHA1 hashes.

Now, what does risk leaking?

Answer: More unsalted SHA1 hashes.

To offer a solution by compounding the problem is just not right. Please reconsider.

Posted In LeakedIn.

Fri, 08 Jun 2012 at 19:08:17 GMT

24. said:

@Amarendra Godbole: Doesn't matter that the password is hashed client side. There's no difference between sending the hash over the wire in clear text and the hash existing in the leaked file. The leaked file doesn't contain any passwords in clear text either. If you're concerned about your hash existing in this file, you should be concerned about sending it across the wire in the clear as well.

@Chris Morrow: Leaked means the hash was leaked when the file was leaked. Cracked means that the hash has been reversed into a password. It's possible to be leaked but not cracked because hash algorithms are one way. You can generate a hash from some text but there is no algorithmic way to get the text from the hash. In order to crack the passwords given the hashes one has to brute force (i.e. guess) the passwords. Clever folks have created specialized programs to make cracking these hashes more efficient, including Rainbow Tables. For a deeper understanding see

Posted In LeakedIn.

Fri, 08 Jun 2012 at 18:17:10 GMT

25. Michael Rasmussen said:

@Olli Erinko: You can tunnel and log in from two places at a time. I'm routinely accessing my bank account from net locations ~2700 km apart within 20 minutes.

Posted In LeakedIn.

Fri, 08 Jun 2012 at 14:50:12 GMT
