Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Here is a script for the command line enthusiasts.

    #!/bin/bash
    EADDRESS=$([[ "$1" == "" ]] && echo "noreply@example.com" || echo "$1")
    EADDRESS=$(echo "$EADDRESS" | sed 's;@;%40;')
    RESPONSE=$(
        curl "https://heroic.com/wp-admin/admin-ajax.php" \
        -H "accept-language: en-US,en;q=0.8" \
        -H "accept-encoding: gzip, deflate, br" \
        -H "user-agent: Mozilla/5.0 (KHTML, like Gecko) Safari/537.36" \
        -H "content-type: application/x-www-form-urlencoded; charset=UTF-8" \
        -H "referer: https://heroic.com/email-security/" \
        -H "x-requested-with: XMLHttpRequest" \
        -H "origin: https://heroic.com" \
        -H "authority: heroic.com" \
        --data "action=heroic_scan_email" \
        --data "data[email]=${EADDRESS}" \
        --compressed --silent
    )
    if command -v php &> /dev/null; then
        php -r "print(json_encode(unserialize(urldecode('${RESPONSE}'))));"
    fi
PS: Using serialized data is a bad idea: https://www.owasp.org/index.php/PHP_Object_Injection


As long as I have you here... ;)

I primarily write JS for a living but because I freelance I often have to work with wordpress. After spending a few weeks digging into the internals I soon realized that every single wordpress project I've inherited–paid themes included–were horrendous and failed to utilize the most basic facilities provided by core.

In most of these projects a quick turnaround was more important than clean code (probably the cause of the aforementioned horrendous codebases), so I always just hacked away at the templates without every trying to gain a deep understanding of PHP, its recommended best practices, and security gotchas.

My question is, can you point me towards something like "PHP, the good parts"? I would like to know how to write well architected, performant, and secure PHP on the occasions I need to use it professionally. I know that PHP has a reputation as being dangerous by default, so knowing what not to do would be reassuring. So far all of the PHP books I've found have been fairly disappointing; covering all of the features without really detailing any best practices or opinions.


I believe this is what you're looking for: http://www.phptherightway.com/


I don't use OO when I write PHP but it seems the real vulnerability there is the use of eval(). There is almost never a legitimate use for that function. I would definitely draw in to question the wisdom of OWASP deciding to classify this as a separate vulnerability. You should use the disable_functions directive in php.ini to hard-disable eval() (and other iffy functions) on production servers. One tutorial @ http://www.cyberciti.biz/faq/linux-unix-apache-lighttpd-phpi...


This tutorial disables curl_exec. Good luck getting any popular API client to work, they all use cURL... or if you're lucky, a modern-enough version of Guzzle that can use socket connections, but LOL that's opening another can of worms...

HTTP parsing is notoriously difficult and I'd rather trust cURL (which is battle-tested in a load of environments) than a PHP userspace library.


    EADDRESS=$([[ "$1" == "" ]] && echo "noreply@example.com" || echo "$1")
could be replaced with:

    EADDRESS={$1:-noreply@example.com}
From the man page:

    ${parameter:-word}
        Use Default Values.  If parameter is unset or null, the expansion of word is substituted.  Otherwise, the value of parameter is substituted.
For:

    EADDRESS=$(echo "$EADDRESS" | sed 's;@;%40;')
you could use:

    EADDRESS=${EADDRESS/@/%40}


Curious - exactly what man page do you find that in? I've always seen that construction but given that it just uses random punctuation it's impossible to Google it. I don't even know what those are called!!


The chapter on parameter subsitution in the LDP's Bash Scripting Guide is nice for this : http://tldp.org/LDP/abs/html/parameter-substitution.html


That's from the Bash man page. :) If you open it in less, you can do `/ :- RET` to search for `:-` and jump to it, which will take you to that part.




Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: