LALR parser generator for PHP

I’ve been tinkering forever with parser generators, mostly to figure out how they work and what I can do with them.

A (long) while ago, I found myself in need of a Bison-like parser generator for PHP and there was none.


Worst “trojan” ever

While idly browsing [pastebin][1] (yes, sometimes I do that), I found [something interesting][2]. It’s some mildly obfuscated PHP scripted malware. Curious what it might do, I started reverse engineering it and found what must be the *worst coded trojan **ever.***

[1]: http://pastebin.com/
[2]: http://pastebin.com/7HU17uqA


To deprecate or not to deprecate

As of version 5.3 of PHP, certain features and functions are [considered deprecated][php-deprecated]. It comes with the territory. In major version changes, new features are added while old stuff is discarded. Unsurprisingly – and luckily for me – with that change in versions comes yet another WTF for me to rant about.

[php-deprecated]: http://www.php.net/manual/en/migration53.deprecated.php


Twitter plugin for WordPress

I recently installed [V.J. Catkick@’s Twitter Plugin for WordPress][twitter-plugin]. Shortly thereafter I noticed my [HTML validator Firefox Plugin][html-validator] changing from a pleasing green check mark to a nasty red cross complaining about (X)HTML validation errors.

[twitter-plugin]: http://www.vjcatkick.com/?page_id=5475
[html-validator]: https://addons.mozilla.org/en-US/firefox/addon/html-validator/


The whitespace of death

As the first entry to the list of my PHP-related WTFs, I present:

**The whitespace of death**

This one has taken me almost a **full hour** to sort out. There may be some good features to PHP, yet this one I don’t think is even one. It should be considered a bug. As my experience has grown in [reporting bugs myself][php-bug1] or trying to [report a bug][php-bug2], I reconsidered and chose not to report it as a “bug”.

[php-bug1]: https://bugs.php.net/bug.php?id=48458
[php-bug2]: https://bugs.php.net/bug.php?id=51112


Why HTTP_HOST is evil

When browsing [Stack Overflow][so] I often notice users [asking questions][so-q] somehow involving the use of `HTTP_HOST`. I nonchalantly hint at its vulnerable nature and fail to produce a pointer to an article explaining why. Which is why I decided to take matters into my own hands.

[so]: http://stackoverflow.com/
[so-q]: http://stackoverflow.com/questions/4652464/how-to-chain-on-mod-rewrite
