Joomla! (< 3.6.4) Account Creation/Elevated Privileges write-up and exploit

Yesterday, Melvin Lammerts wrote an article on the account creation with elevated privileges vulnerability in Joomla! < 3.6.4, and included a PoC exploit. This Joomla! vulnerability makes it easy for an attacker to create a user account, even when user registration is turned off. Yikes!

Send authenticated email over TLS from Zen Cart

Zen Cart is an open source shopping cart software. Unfortunately, Zen Cart has had some difficulties in the past sending authenticated SMTP email from a website. Here is how to let Zen Cart send email over an encrypted TLS connection when the SMTP server requires StartTLS. StartTLS support is available since Zen Cart v1.5.2.

PHP 5.6 default_charset change may break HTML output

An important note for everyone who’s upgrading from PHP 5.4 or PHP 5.5 to PHP 5.6: the PHP default_charset in php.ini changed from “empty” to UTF-8, making UTF-8 the default charset in PHP. This may break HTML output if you try to set a different charset in your HTML head. It may also break functions like htmlentities() and htmlspecialchars(). For example:

PHP, MySQL and IPv6: still slow

Years ago, I noticed that PHP connections to MySQL were significantly slower over IPv6 (where a hostname has an IPv6 address or AAAA record) when no MySQL service is listening on that address. The connection is refused, and PHP has to fall back to IPv4. The fallback takes a significant amount of time. Too much time, if you ask me. Unfortunately this fallback to IPv4 is still slow today…

How to set a good PHP realpath_cache_size

The PHP directive realpath_cache_size sets the size of the realpath cache used by PHP. Increasing realpath_cache_size might greatly improve PHP performance; as the PHP documentation states: “this value should be increased on systems where PHP opens many files.” Setting a correct value for realpath_cache_size can greatly improve PHP performance and optimize WordPress websites, and websites built on other CMSes.

PHP script to check website availability with PHP/cURL

Here you find a PHP script that checks website availability with PHP/cURL. The following PHP function checks whether your website is online or not. Website uptime and availability are important: you want your website to be online at all times, and when your website is down, you want to be notified about the downtime.

Set or remove the read-only attribute assigned to files with PHP chmod

Chmod.php changes file attributes with PHP, to make files read-only or normally accessible again on Windows IIS servers. Sometimes you need chmod to make files on your website read-only, or to make them normally accessible in case they already are read-only. Drupal’s settings.php configuration file and WordPress Contact Form 7 temporary captcha files are examples of read-only files.

Validate MIME types with PHP Fileinfo

How to check the file type in PHP and secure file uploads: it is important to validate MIME types in PHP, especially for files uploaded through an upload form to your website. In PHP, the best way to validate MIME types is with the Fileinfo extension. Any other method might not be as good or as secure, and unfortunately those other methods are still widely used…

Optimize all MySQL tables with PHP/MySQLi multi_query

The PHP MySQLi extension supports multiple queries, separated by semicolons, through mysqli->multi_query. We use this to optimize all MySQL tables in a single multi-query statement. Neat! Optimizing MySQL tables is important to keep tables small and fast. This boosts MySQL, PHP and website performance, and we all love that, don’t we? :)

Don’t turn off CURLOPT_SSL_VERIFYPEER, fix your PHP configuration

An often-heard solution to PHP cURL errors with SSL is to turn off CURLOPT_SSL_VERIFYPEER. Please don’t turn off CURLOPT_SSL_VERIFYPEER; fix your PHP configuration instead. This article provides two solutions to CA certificate validation errors with PHP cURL and OpenSSL: one for system administrators and one for end users.

Connect to MS SQL Server with PHP 5.3+

Connect to an SQL Server database with PHP 5.3+ using the SQLSRV API and sqlsrv_connect. As of PHP 5.3.2 you have to use the SQLSRV API functions to connect to an MS SQL Server database from PHP. For example, use sqlsrv_connect() to create a connection resource and open a connection. The main difference from PHP’s older mssql functions is that SQLSRV requires an array with connection information, instead of strings.

Declaring variables in PHP

PHP input validation prevents PHP notices such as “undefined index: help in …”. Declaring variables in PHP beforehand is important. It prevents notices and warnings about uninitialized variables: ugly messages you don’t want to bother your website visitors with. By declaring variables beforehand, your PHP website and application also work better, because the variables being worked with are already present.
