All Questions
Tagged with php, web-application
212 questions
1 vote, 2 answers, 152 views
Are there any attack vectors against the Smarty-PHP template engine when using a trusted template?
This is actually a general question about template engines. If I use Smarty-PHP to generate a website, and the templates and content are both created by me (assumed non-malicious), does this create ...
0 votes, 1 answer, 391 views
How to secure Laravel website against the ongoing massive exploitation
My website built upon Laravel is currently under attack. Only the index.php file was changed, and by that I mean that every line of code is inserted above the original Laravel code. So this code ...
0 votes, 1 answer, 1k views
Attempting remote code execution, why does this php webshell code fail with single quotes?
In working on a vulnerable box, I found a field in a database table where one can insert php code. Based on this exploit: https://www.exploit-db.com/exploits/24044 I tried to use this code to make a ...
3 votes, 1 answer, 1k views
Is it possible to embed a phar archive into a PNG image?
I know it's possible to embed phar archives into jpeg images but is it also possible to do so with PNG images? I am testing a php application that securely checks if an image is a valid PNG image ...
1 vote, 1 answer, 784 views
What is the most up-to-date secure method for storing .ENV variables?
I am improving the security on my php website. I am not using any frameworks or cms. The credentials are currently stored in plain text in the relevant php files. While researching, I came across this ...
2 votes, 1 answer, 1k views
How to replace certain backup files on a website every 30 minutes? [closed]
I have a website built with WordPress, unfortunately somebody hacked it several times, deleted my adsense code and put his own adsense. I tried many security techniques, changed database name, did ...
3 votes, 1 answer, 316 views
Is it possible to send a NaN value to a param to bypass a check (PHP)?
Is it possible to bypass some check like this: $amount = (int)$_REQUEST['amount']; if (!($amount >= 10)) { // authorize } by sending a NaN value to the amount param? Like: https://www.site.com/?...
3 votes, 1 answer, 454 views
Does it make sense to have the application block users by IP as well as the firewalls?
I am planning to create a system, but I still have some questions about security. I would like to know if it makes sense to block unauthorized users from accessing the system, through the IP, using a ...
1 vote, 2 answers, 273 views
How to protect a client-server app if both client and server are located on the client side?
The frontend communicates with the backend. I am the developer of the frontend and backend. I want to protect my app (prohibit the end user from using my app without paying). The only thing I have in mind is to have some ...
0 votes, 2 answers, 219 views
Can I execute JavaScript in href when I have text before my input?
This is where I took this example from: <a href="<?php echo $_GET['e'];?>">Back</a> In this code, I can do http://my_url?e=javascript:alert() But what can I do if my code ...
15 votes, 1 answer, 6k views
Does a log entry with "SPT=81" despite nothing listening on that port indicate my server is hacked?
I manage a Debian GNU/Linux web server (Debian 10 Buster with its bundled 4.19 kernel). I put in place simple iptables logging rules a long time ago, among other things. Here they are: # iptables -A ...
0 votes, 4 answers, 323 views
Can there be SQL injection here?
I got to the moment when I do not know if it is secure! If SQL injection is inserted into myTableTwo via a safe PDO query, will it make my query below open to SQL injection? Is the query below safe? $mysfield ...
1 vote, 0 answers, 550 views
Exploiting WebDav [closed]
I'm trying to exploit webdav by uploading a msfvenom generated php script to the target webdav server on windows xp machine using the default credentials - wampp(username), xampp(password). The ...
0 votes, 1 answer, 442 views
Having problems with SQL injection with the mysqli extension in PHP
I am new to SQL injections, and people on Reddit asked me to do the PortSwigger labs, which I did up until the second-order ones. So I am pretty comfortable with usual SQL injections. Now I have myself ...
-4 votes, 3 answers, 148 views
Why is using prepared statements in PHP considered best practice?
Let me first start by stating that I am by no means a web developer, so please do point out if I'm going wrong somewhere in my story. I think most people agree with the idea that using prepared ...