In a post to his site Ben Sampson shows how to mask IDs in URLs using hashids in a Laravel-based application. Hashids converts values into strings that can then be decoded back to their original values.

By default a URL generated by a Laravel app will contain the ID of a model like this https://app.name/users/1 where 1 is the ID of the item. Often this is absolutely fine, but sometimes you might want to hide it (or obfuscate it). The two main use cases for this I've come across so far are: Security [and it looks] More professional.

He shows how to use this package to encode and decode ID values in your URLs. He also includes updates to the models, controllers and routing to use route model binding to handle the encode/decode process. He shows how to set up different salts for different data types, setting it on each model and how to correctly bind the functionality in the main route service provider.

Aaron Saray has a post to his site sharing the "anatomy of a PHP hack" - the evidence that he found and pulled apart based on a recent hack he experienced.

It’s hard to come up with a title for this - but - basically I found some rogue code the other day that I thought was pretty interesting. I was fixing a “hacked” website when I came across the source of the symptoms of the hack.

He starts with the code he found in the hacked website, obfuscated to hide the true intent and how he disassembled it to find the true intent. He walks through the method he used to reverse the code ultimately ending up with a simple call to base64_decode a value that comes in from a $_POST request.

In his latest post Anthony Ferarra makes a suggestion about teaching developers how to solve problems via a "quick fix" versus educating them about the real problem: educate, don't mediate.

Recently, there has been a spout of attention about how to deal with eval(base64_decode("blah")); style attacks. A number of posts about "The Dreaded eval(base64_decode()) - And how to protect your site and visitors" have appeared lately. They have been suggesting how to mitigate the attacks. This is downright bad. The problem is that these posts have been suggesting things like "Disable eval()" and "Disable base64_decode()" as possible solutions. And while technically that would work, it completely misses the point, and does nothing to protect users

He suggests that developers shouldn't just look for a "quick fix" solution posted in a tutorial somewhere and go on their merry way. One danger in this is that those instructions could only be patching part of the problem, not all of it. In this case, the disable eval/base64 handling is only a code-level fix. If this exploit exists in your application, the attacker was able to get to the local file system - a much bigger problem.

In the latest post to the HHVM (HipHop VM) blog Sara Golemon recounts the journey of a thousand bytecodes and the process that it takes to decompose a PHP file and optimize it for execution in the HHVM environment.

Compilers are fun. They take nice, human readable languages like PHP or Hack and turn them into lean, mean, CPU executin’ turing machines. Some of these are simple enough a CS student can write one up in a weekend, some are the products of decades of fine tuning and careful architecting. Somewhere in that proud tradition stands HHVM; In fact it’s several compilers stacked in an ever-growing chain of logic manipulation and abstractions. This article will attempt to take the reader through the HHVM compilation process from PHP-script to x86 machine code, one step at a time.

The process is broken down into six different steps, each with a description and some code examples where relevant:

• Lexing the PHP to get its tokens
• Parsing the token results into an AST (and optimizing it along the way)
• Compilation to Bytecode
• HHBBC Optimization
• Intermediate Representation
• Virtual Assembly
• Emitting machine code

PHPBuilder.com has posted a new tutorial today showing you how to work with JSON in PHP including serialization and database interaction.

This article explains how to use the JavaScript Object Notation (JSON) extension in PHP, going step by step through a series of essential operations. JSON is an object string notation, it is defined as a subset of JavaScript's syntax and its general-purpose is to interchange data format. As you probably know, JSON was first made to be used with JavaScript for accessing remote data, but now it is used by many other languages because JSON data is platform independent data format. JSON can be used natively in JavaScript, but you can also use it in a server-client application logic.

They start with an introduction to the JSON structure and how to both create and encode data using PHP's own json_encode and json_decode. The examples start out using arrays for the data but then move into something slightly more complex - objects. The article talks about JsonSerializable and show how to automatically hook the data into a table and store the content based on the column name/property name match.

Joshua Thijssen has posted a walk-through of some work he's done to create a TLS decoder in PHP. TLS (Transport Layer Security) is a method for encrypting data being sent back and forth between the client and server, similar to how SSL is used.

As a proof of concept I wanted to see in how far I could decode some TLS data on the client side. Obviously, this is very complex matter, and even though TLS looks deceptively simple, it isn’t. To make matters worse, PHP isn’t quite helping us making things easy neither.

His solution (code posted here) goes through a few steps to finally get to the actual data:

• Capturing TLS data
• Gathering all the necessary fields
• From pre-master-secret to master-secret (decoding TLS_RSA_WITH_RC4_128_SHA)
• Partitioning our master-secret
• Decoding our data
• Verifying message integrity

For each step along the way he shares the relevant code and a brief description of what's happening. If you want to see the end result and try it out for yourself, check out his repository.

David Stockton has a new post to his ZendTutorials.com site today introducing you to an increasingly more handy Zend Framework component that can make your messaging needs easier. The new tutorial introduces you to Zend_Json, a component for generating and parsing JSON messages.

In the past few years, JSON, or JavaScript Object Notation has seemed to overtake XML and other data encoding methods on the web. [...] I’ve also seen numerous examples of developers who create their own sort of JSON encoder rather than either using json_encode or using Zend_Json. What inevitably comes back to bite them is when the data they are encoding contains a special character like quotes, colons, curly brackets, etc.

He demonstrates how the Zend_Json component helps to alleviate some of the worries with built-in features that handle everything from basic encoding/decoding, printing out results in a "pretty" way and a handy way to include executable Javascript (once it's evaled on the other side) in your payload. He finishes the tutorial off with a mention of a very handy method that will please those already having to work with XML - the fromXML() method that automagically converts the data over to JSON for you.

PHPBuilder.com has a new article by Hillel Aftel about his method of choice for securing the data that you send over the GET string when moving things around on your site.

In this article I'm going to show you how you can use PHP to encode your data for transit. Most importantly, it will be done in a way that makes the data decodable, and therefore much more usable, by the receiving page.

His encryption method - sending everything in a single string and modifying the scheme each time - uses static pairs of values (of your choosing) to "encode" the outgoing string. It actually consists of three different files: the script itself, a single-use script that makes the third file, an include file to handle the conversion back from the encoded results.

PHPBuilder.com has a new article by Hillel Aftel about his method of choice for securing the data that you send over the GET string when moving things around on your site.

In this article I'm going to show you how you can use PHP to encode your data for transit. Most importantly, it will be done in a way that makes the data decodable, and therefore much more usable, by the receiving page.

His encryption method - sending everything in a single string and modifying the scheme each time - uses static pairs of values (of your choosing) to "encode" the outgoing string. It actually consists of three different files: the script itself, a single-use script that makes the third file, an include file to handle the conversion back from the encoded results.

Paul Jones has released two new concurrent versions of the Solar framework today:

Yesterday, I released Solar 0.27.0, then quick-fixed two minor bugs and released 0.27.1 an hour later. It feels so good to be back doing releases on a monthly basis.

Some of the updates/changes in these new releases include:

• The use of spl_autolaod to load classes
• Locale functions have a new home
• a super-fast JSON encoder/decoder
• a modification to the SQL adapter for PDO
• A new bit of functionality in Solar_Url that can find the ".ext" filename extension in a URL automagically