#security
PHP Validate Uploaded File
A defense-in-depth check for $_FILES uploads: confirms the upload completed without error, the size (read from the filesystem, not from the client-supplied size field) is within bounds, the MIME type matches an allow-list (by libmagic, not by extension), and the temporary path really is a PHP-managed upload (is_uploaded_file), not a path the request smuggled in.
PHP TOTP Code Generate + Verify
Generate and verify a 6-digit time-based one-time password (RFC 6238) compatible with Google Authenticator / Authy. Uses a base32-encoded secret and 30-second time steps.
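Added example (not the snippet's own code): an RFC 6238 implementation with a base32 decoder, 30-second steps and a one-step verification window. The only external data is the RFC 6238 test secret "12345678901234567890", whose base32 form and expected code at T=59 come from the RFC's test vectors.

```php
<?php
declare(strict_types=1);

// Added example (not the snippet's own code): RFC 6238 TOTP with base32 secrets,
// 30-second steps and a +/-1 step verification window.

function base32_decode(string $b32): string
{
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $b32 = strtoupper(str_replace(' ', '', rtrim($b32, '=')));
    $bits = '';
    foreach (str_split($b32) as $c) {
        $v = strpos($alphabet, $c);
        if ($v === false) {
            throw new InvalidArgumentException('Invalid base32 character');
        }
        $bits .= str_pad(decbin($v), 5, '0', STR_PAD_LEFT);
    }
    $out = '';
    foreach (str_split($bits, 8) as $byte) {
        if (strlen($byte) === 8) {              // trailing partial byte is padding, drop it
            $out .= chr((int) bindec($byte));
        }
    }
    return $out;
}

function totp_code(string $base32Secret, int $timestamp, int $step = 30, int $digits = 6): string
{
    $counter = intdiv($timestamp, $step);
    $msg = pack('J', $counter);                 // 64-bit big-endian counter (RFC 4226)
    $hmac = hash_hmac('sha1', $msg, base32_decode($base32Secret), true);
    $offset = ord($hmac[19]) & 0x0f;            // dynamic truncation: low nibble of last byte
    $bin = ((ord($hmac[$offset]) & 0x7f) << 24)
         | (ord($hmac[$offset + 1]) << 16)
         | (ord($hmac[$offset + 2]) << 8)
         |  ord($hmac[$offset + 3]);
    return str_pad((string) ($bin % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

function totp_verify(string $base32Secret, string $userCode, int $now, int $window = 1): bool
{
    // Accept the current step and $window steps either side to absorb clock drift.
    // hash_equals so the comparison does not leak how many leading digits matched.
    for ($i = -$window; $i <= $window; $i++) {
        if (hash_equals(totp_code($base32Secret, $now + $i * 30), $userCode)) {
            return true;
        }
    }
    return false;
}

// RFC 6238 Appendix B test secret "12345678901234567890" in base32. At T=59 the
// 8-digit SHA-1 code is 94287082, so the 6-digit code is 287082.
$secret = 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ';
echo totp_code($secret, 59), PHP_EOL;           // 287082
var_dump(totp_verify($secret, '287082', 59));   // true
var_dump(totp_verify($secret, '287082', 59 + 120)); // false: four steps later, outside the window
```

In production, also record the last accepted counter per user and refuse to accept the same step twice; otherwise a captured code is replayable for the remainder of the window.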
PHP Email Address Obfuscator
Render an email address as HTML that is human-readable but resistant to naive scraping bots. Uses entity encoding and an optional Caesar-style ROT for the mailto link.
PHP Generate Secure API Key
Mint an API key with a recognizable prefix ("sk_live_…") and 32 bytes of crypto-random entropy encoded as URL-safe base64. Stripe-style readable IDs.
PHP Validate URL (scheme + host)
Beyond filter_var, also require the URL to have an http(s) scheme and a non-empty host. Rejects "javascript:" and other risky pseudo-schemes commonly seen in stored XSS.
PHP Generate Crypto-Strong Password
Generate a strong random password with configurable length and character sets. Uses rejection sampling to keep the distribution uniform across the chosen alphabet (no biased % alphabetLen).
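Added example (not the snippets' own code) serving both the API-key and the password generator above: random_bytes() feeds a prefixed URL-safe base64 key, and a password is drawn from a chosen alphabet with rejection sampling. The prefix and alphabets are assumptions for the demo.

```php
<?php
declare(strict_types=1);

// Added example (not the snippets' own code). Two generators built on random_bytes():
// a prefixed API key, and a password drawn uniformly from an alphabet via rejection
// sampling. A plain `ord($byte) % strlen($alphabet)` would favour the first characters
// whenever 256 is not a multiple of the alphabet size.

function generate_api_key(string $prefix = 'sk_live_', int $bytes = 32): string
{
    // URL-safe base64 without padding; 32 bytes = 256 bits of entropy -> 43 characters.
    $raw = random_bytes($bytes);
    return $prefix . rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
}

function generate_password(int $length = 20, bool $symbols = true): string
{
    $alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
    if ($symbols) {
        $alphabet .= '!@#$%^&*()-_=+[]{};:,.?';
    }
    $n = strlen($alphabet);                     // 62 or 85 here; must stay <= 256
    // Largest multiple of $n that fits in one byte; bytes >= $limit are thrown away.
    $limit = intdiv(256, $n) * $n;
    $out = '';
    while (strlen($out) < $length) {
        // Pull 16 bytes per round instead of one random_bytes() call per character.
        foreach (str_split(random_bytes(16)) as $b) {
            $v = ord($b);
            if ($v >= $limit) {
                continue;                       // rejection: every character stays equally likely
            }
            $out .= $alphabet[$v % $n];
            if (strlen($out) === $length) {
                break;
            }
        }
    }
    return $out;
}

// random_int() is already unbiased, so when the alphabet is small this one-liner is equivalent:
function generate_password_simple(int $length, string $alphabet): string
{
    $max = strlen($alphabet) - 1;
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $alphabet[random_int(0, $max)];
    }
    return $out;
}

echo generate_api_key(), PHP_EOL;               // sk_live_ followed by 43 URL-safe characters
echo generate_password(), PHP_EOL;
echo generate_password_simple(16, '0123456789abcdef'), PHP_EOL;
```

Store only a hash of the key (SHA-256 is fine for 256-bit random keys; the prefix lets you find the row without revealing the secret) and show the full key to the user exactly once.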
HTML Iframe with Sandbox + lazy loading
Embed third-party content (YouTube, Stripe, maps) safely. `sandbox` restricts what the embedded page can do. `loading="lazy"` defers offscreen iframes — huge perf win for blog posts with multiple embeds.
PHP Secure Session Bootstrap
Start a session with all the security flags you should always set: HttpOnly, SameSite=Strict, Secure on HTTPS, custom name, and an idle-timeout regeneration.
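Added example (not the snippet's own code) of that bootstrap. The cookie name, the 15-minute idle limit and the 30-minute rotation interval are assumptions; the array form of session_set_cookie_params() and str_starts_with() need PHP 8.

```php
<?php
declare(strict_types=1);

// Added example (not the snippet's own code). Call before any output is sent.
// Assumes PHP 8 (str_starts_with, array-form session_set_cookie_params with samesite).

function secure_session_start(string $name = '__Host-sid', int $idleSeconds = 900): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    $https = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off')
          || (int) ($_SERVER['SERVER_PORT'] ?? 0) === 443;

    // The __Host- prefix is only honoured with Secure, no Domain and Path=/;
    // on plain HTTP (local dev) drop the prefix rather than ship a broken cookie.
    if (!$https && str_starts_with($name, '__Host-')) {
        $name = substr($name, strlen('__Host-'));
    }
    session_name($name);
    session_set_cookie_params([
        'lifetime' => 0,            // session cookie: discarded when the browser closes
        'path'     => '/',
        'domain'   => '',           // host-only cookie, no Domain attribute
        'secure'   => $https,
        'httponly' => true,         // invisible to document.cookie
        'samesite' => 'Strict',     // never sent on cross-site requests
    ]);
    // Refuse session IDs the server did not issue (blocks fixation via a chosen cookie value).
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');
    session_start();

    $now = time();
    $last = $_SESSION['_last_seen'] ?? $now;
    if ($now - $last > $idleSeconds) {
        // Idle too long: wipe the data and issue a fresh ID.
        $_SESSION = [];
        session_regenerate_id(true);
    }
    $_SESSION['_last_seen'] = $now;

    // Rotate the ID periodically even while active, so a leaked ID has a short shelf life.
    if (!isset($_SESSION['_created'])) {
        $_SESSION['_created'] = $now;
    } elseif ($now - $_SESSION['_created'] > 1800) {
        session_regenerate_id(true);
        $_SESSION['_created'] = $now;
    }
}

secure_session_start();
```

SameSite=Strict means a user following a link from another site arrives logged out on that first navigation; if that is unacceptable for your app, Lax is the usual compromise, and the CSRF token remains the real defence either way.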
PHP Constant-Time String Compare
Compare two strings in constant time to avoid timing-attack leaks when checking secrets like API keys, session tokens, or HMAC signatures. Always use hash_equals, never ===: pass the known value as the first argument and the user-supplied one as the second, since the comparison time depends on the first argument's length.
PHP Validate IP Address (v4 + v6)
Distinguish IPv4 from IPv6, optionally reject private/reserved/loopback ranges. Useful for hardening server-side fetchers against SSRF, provided the check is applied to the address a hostname resolves to and not only to literal IPs.
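Added example (not the snippets' own code) chaining the URL validator and the IP validator into one SSRF guard. The resolver is injectable so the demo runs offline against a constructed hostname table; the default resolver is gethostbynamel(), which only returns A records.

```php
<?php
declare(strict_types=1);

// Added example (not the snippets' own code): scheme + host check, then every address
// the host resolves to is checked, so a DNS name pointing at 127.0.0.1 or
// 169.254.169.254 is rejected just like a literal IP. $resolver is injectable for
// offline use; the default gethostbynamel() is IPv4-only (use dns_get_record() for AAAA).

function classify_ip(string $ip): ?string
{
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false) {
        return 'v4';
    }
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6) !== false) {
        return 'v6';
    }
    return null;                                // not an IP address at all
}

function is_public_ip(string $ip): bool
{
    // NO_PRIV_RANGE drops RFC 1918 and fc00::/7; NO_RES_RANGE drops loopback, link-local
    // (including the 169.254.169.254 cloud metadata address), 0.0.0.0/8, ::1 and friends.
    return filter_var(
        $ip,
        FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
    ) !== false;
}

/** @param null|callable(string):array<string> $resolver returns the IPs a hostname maps to */
function validate_public_url(string $url, ?callable $resolver = null): bool
{
    $resolver ??= static fn (string $host): array => gethostbynamel($host) ?: [];

    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return false;
    }
    $parts = parse_url($url);
    $scheme = strtolower($parts['scheme'] ?? '');
    $host = $parts['host'] ?? '';
    if (!in_array($scheme, ['http', 'https'], true) || $host === '') {
        return false;                           // rejects javascript:, data:, file:, gopher: ...
    }
    $host = trim($host, '[]');                  // parse_url keeps the brackets on IPv6 literals
    $ips = classify_ip($host) !== null ? [$host] : $resolver($host);
    if ($ips === []) {
        return false;                           // unresolvable host: fail closed
    }
    foreach ($ips as $ip) {
        if (!is_public_ip($ip)) {
            return false;                       // one bad answer is enough to refuse
        }
    }
    return true;
}

// Constructed resolver standing in for DNS so the demo runs offline.
$fakeDns = static fn (string $h): array => [
    'example.com'   => ['93.184.216.34'],
    'evil.internal' => ['10.0.0.5'],
    'rebind.test'   => ['93.184.216.34', '127.0.0.1'],   // mixed public/loopback answers
][$h] ?? [];

var_dump(validate_public_url('https://example.com/api', $fakeDns));        // true
var_dump(validate_public_url('javascript:alert(1)', $fakeDns));            // false: scheme
var_dump(validate_public_url('http://169.254.169.254/latest/', $fakeDns)); // false: reserved
var_dump(validate_public_url('http://evil.internal/', $fakeDns));          // false: private
var_dump(validate_public_url('http://rebind.test/', $fakeDns));            // false: mixed answers
var_dump(validate_public_url('http://[::1]/', $fakeDns));                  // false: loopback v6
```

A validation pass is still racy against DNS rebinding (the name can resolve differently when the fetch happens); pin the checked address for the actual request, e.g. with curl's CURLOPT_RESOLVE, and disable redirects or re-run the check on every hop.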
PHP Detect MIME Type via Magic Bytes
Use PHP's built-in finfo (libmagic) to detect a file's true MIME type from its bytes — not from the extension, which can be lied about. Critical for validating user uploads.
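Added example (not the snippets' own code) covering both the upload validator and the magic-byte MIME check. The allow-list mapping and the 5 MiB cap are assumptions; the MIME half is demonstrated on a constructed 1x1 GIF written to a temp file, since is_uploaded_file() only succeeds inside a real request.

```php
<?php
declare(strict_types=1);

// Added example (not the snippets' own code): finfo/libmagic MIME detection plus a
// $_FILES validator that uses it. The MIME part is demonstrated with a constructed file.

function detect_mime(string $path): string
{
    $finfo = new finfo(FILEINFO_MIME_TYPE);     // libmagic: reads the bytes, ignores the name
    $mime = $finfo->file($path);
    return $mime === false ? 'application/octet-stream' : $mime;
}

/**
 * @param array{error:int,size:int,tmp_name:string,name:string} $file  one $_FILES[...] entry
 * @param array<string,string> $allowed  mime type => extension to store the file under
 * @return string  extension from the allow-list for the validated file
 * @throws RuntimeException on any rejection (messages are fine to log, not to echo)
 */
function validate_upload(array $file, array $allowed, int $maxBytes = 5 * 1024 * 1024): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed with error code ' . (int) ($file['error'] ?? -1));
    }
    // is_uploaded_file() proves tmp_name was written by this request's upload handling,
    // not a path an attacker supplied (e.g. /etc/passwd via a forged array).
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('tmp_name is not a PHP upload');
    }
    $size = filesize($file['tmp_name']);        // trust the filesystem, not $file['size']
    if ($size === false || $size === 0 || $size > $maxBytes) {
        throw new RuntimeException('Size out of bounds');
    }
    $mime = detect_mime($file['tmp_name']);
    if (!isset($allowed[$mime])) {
        throw new RuntimeException('MIME type not allowed: ' . $mime);
    }
    // The client-supplied name and extension are never used; the caller stores the file
    // as <random>.<extension from the allow-list>.
    return $allowed[$mime];
}

// Demo of the MIME half: the well-known 1x1 transparent GIF, written under a neutral name.
$gif = base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7');
$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, $gif);
echo detect_mime($tmp), PHP_EOL;                // image/gif, whatever the filename says
unlink($tmp);

// In a request handler (cannot run from the CLI because of is_uploaded_file):
// $allowed = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif'];
// $ext = validate_upload($_FILES['avatar'], $allowed);
// move_uploaded_file($_FILES['avatar']['tmp_name'],
//     $uploadDir . '/' . bin2hex(random_bytes(16)) . '.' . $ext);
```

Serve the stored files from a path with PHP execution disabled and with a fixed Content-Type; libmagic tells you what the bytes look like, not that a polyglot file is harmless in every consumer.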
JavaScript String Template Tag — SQL / HTML Sanitiser
A tagged template literal that automatically escapes interpolated values, preventing SQL injection (server-side) or XSS (client-side) from untrusted input. The html tag HTML-encodes values; the sql tag parameterises values and returns a { text, values } tuple ready for a parameterised query driver.
JavaScript Web Crypto — AES-GCM Encrypt & Decrypt
Encrypts and decrypts text using AES-GCM (256-bit) via the browser's native Web Crypto API, no external library needed. A random 96-bit IV is generated per encryption and prepended to the output so decryption can recover it (an IV must never repeat under the same key, as GCM's authentication breaks down). Suitable for encrypting sensitive data client-side before storage, provided the key itself is derived or held somewhere the stored ciphertext is not.
PHP Hash Large File Without Loading It
Compute the SHA-256 of a multi-gigabyte file by streaming it through hash_init / hash_update_stream — no memory blow-up. Useful for backup verification or torrent-style integrity checks.
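Added example (not the snippet's own code) of the streaming hash loop, checked against hash_file(), which also streams internally and is the simpler call when all you need is the digest. The 3 MiB input file is constructed in a temp directory.

```php
<?php
declare(strict_types=1);

// Added example (not the snippet's own code): stream-hash a file in 1 MiB chunks through
// hash_init()/hash_update_stream(), then compare with hash_file().

function sha256_stream(string $path, int $chunk = 1 << 20): string
{
    $fh = fopen($path, 'rb');
    if ($fh === false) {
        throw new RuntimeException("Cannot open $path");
    }
    $ctx = hash_init('sha256');
    // hash_update_stream() returns the number of bytes it consumed; 0 means EOF.
    while (hash_update_stream($ctx, $fh, $chunk) > 0) {
        // memory stays at one chunk regardless of file size
    }
    fclose($fh);
    return hash_final($ctx);
}

function verify_file_digest(string $path, string $expectedHex): bool
{
    // hash_equals because the expected digest may come from an untrusted manifest.
    return hash_equals(strtolower($expectedHex), sha256_stream($path));
}

// Constructed 3 MiB file of zero bytes so the loop takes several iterations.
$tmp = tempnam(sys_get_temp_dir(), 'big');
$fh = fopen($tmp, 'wb');
for ($i = 0; $i < 3; $i++) {
    fwrite($fh, str_repeat("\0", 1 << 20));
}
fclose($fh);

echo sha256_stream($tmp), PHP_EOL;
var_dump(sha256_stream($tmp) === hash_file('sha256', $tmp));          // true
var_dump(verify_file_digest($tmp, hash_file('sha256', $tmp)));        // true
var_dump(verify_file_digest($tmp, str_repeat('0', 64)));              // false
unlink($tmp);
```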
PHP HMAC Webhook Signature Verify
Verify an inbound webhook (Stripe / GitHub / etc.) is genuine using HMAC-SHA256 and a shared secret. Includes timestamp tolerance to block replay attacks.
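Added example (not the snippets' own code) that covers both the constant-time compare and the webhook verifier. The header layout assumed here is the Stripe-style "t=<unix ts>,v1=<hex hmac>" over "<ts>.<raw body>"; the secret, body and signature in the demo are constructed.

```php
<?php
declare(strict_types=1);

// Added example (not the snippets' own code). Assumed header format:
//   t=<unix timestamp>,v1=<hex HMAC-SHA256 of "<timestamp>.<raw body>">
// Providers that sign only the body (GitHub's X-Hub-Signature-256) need a different
// sign_payload() and parser but the same hash_equals() and tolerance logic.

function sign_payload(string $secret, int $ts, string $body): string
{
    return hash_hmac('sha256', $ts . '.' . $body, $secret);
}

function verify_webhook(string $secret, string $rawBody, string $sigHeader, int $now, int $tolerance = 300): bool
{
    $ts = null;
    $v1 = [];
    foreach (explode(',', $sigHeader) as $kv) {
        [$k, $v] = array_pad(explode('=', trim($kv), 2), 2, '');
        if ($k === 't' && ctype_digit($v)) {
            $ts = (int) $v;
        } elseif ($k === 'v1') {
            $v1[] = $v;                         // several may be present during secret rotation
        }
    }
    if ($ts === null || $v1 === []) {
        return false;
    }
    // Replay window: reject anything older (or further in the future) than $tolerance seconds.
    if (abs($now - $ts) > $tolerance) {
        return false;
    }
    $expected = sign_payload($secret, $ts, $rawBody);
    foreach ($v1 as $candidate) {
        // hash_equals(known, supplied): runs in time proportional to $expected's length,
        // so the attacker cannot recover the HMAC byte by byte; `===` short-circuits.
        if (hash_equals($expected, $candidate)) {
            return true;
        }
    }
    return false;
}

// Constructed demo: we play the provider and sign the body ourselves.
$secret = 'whsec_test_secret';
$body = '{"id":"evt_1","type":"payment.succeeded"}';
$sentAt = 1_700_000_000;
$header = 't=' . $sentAt . ',v1=' . sign_payload($secret, $sentAt, $body);

var_dump(verify_webhook($secret, $body, $header, $sentAt + 30));        // true
var_dump(verify_webhook($secret, $body, $header, $sentAt + 900));       // false: replayed later
var_dump(verify_webhook($secret, $body . ' ', $header, $sentAt + 30));  // false: body tampered
var_dump(verify_webhook('wrong', $body, $header, $sentAt + 30));        // false: wrong secret
```

Verify over the raw request body (file_get_contents('php://input')), never over a re-encoded JSON decode, since any whitespace or key-order change breaks the HMAC. The tolerance window does not stop a replay inside the window; store processed event IDs and ignore duplicates.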
PHP Safe Path Join
Concatenate path segments and produce a normalized canonical path that resists "../" escape attempts. Throws if the result would land outside the given base directory.
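Added example (not the snippet's own code) of a lexical safe join: it normalises "." and ".." itself, so it also works for files that do not exist yet, and throws as soon as a ".." would climb above the base. Needs PHP 8 for str_contains()/str_starts_with(); the base directory in the demo is made up.

```php
<?php
declare(strict_types=1);

// Added example (not the snippet's own code). Lexical normalisation instead of realpath(),
// so it works for not-yet-created paths; rejects NUL bytes, absolute segments and any
// ".." that would climb out of $base.

function safe_path_join(string $base, string ...$segments): string
{
    $base = rtrim(str_replace('\\', '/', $base), '/');
    $rel = implode('/', $segments);
    if (str_contains($rel, "\0")) {
        throw new InvalidArgumentException('NUL byte in path');
    }
    $rel = str_replace('\\', '/', $rel);        // treat backslash as a separator too
    if ($rel !== '' && $rel[0] === '/') {
        throw new InvalidArgumentException('Absolute segment not allowed');
    }
    $stack = [];
    foreach (explode('/', $rel) as $part) {
        if ($part === '' || $part === '.') {
            continue;                           // collapses "//" and "/./"
        }
        if ($part === '..') {
            if ($stack === []) {
                // More ".." than directories below $base: this would escape.
                throw new InvalidArgumentException('Path escapes base directory');
            }
            array_pop($stack);
            continue;
        }
        $stack[] = $part;
    }
    $joined = $base . '/' . implode('/', $stack);
    // Belt and braces: the prefix check includes the trailing slash, otherwise
    // /var/app/uploads_evil would count as a child of /var/app/uploads.
    if (!str_starts_with($joined, $base . '/')) {
        throw new InvalidArgumentException('Path escapes base directory');
    }
    return $joined;
}

$base = '/var/app/uploads';                      // constructed for the demo
echo safe_path_join($base, 'user', '42', 'avatar.png'), PHP_EOL;   // /var/app/uploads/user/42/avatar.png
echo safe_path_join($base, 'a/./b/../c'), PHP_EOL;                 // /var/app/uploads/a/c

foreach (['../../etc/passwd', 'x/../../etc/passwd', '/etc/passwd', "img\0.png", '..\\..\\win.ini'] as $bad) {
    try {
        safe_path_join($base, $bad);
    } catch (InvalidArgumentException $e) {
        echo 'rejected ', json_encode($bad), ': ', $e->getMessage(), PHP_EOL;
    }
}
```

Lexical checks do not follow symlinks: if a link inside the base points outside it, the joined path still escapes on open. For paths that exist, add a realpath() of the result and of the base and compare those as well.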
PHP CSRF Token Generate + Verify
Per-session CSRF token helpers using hash_equals for constant-time comparison. Token is regenerated on logout but persists across requests within a session.
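Added example (not the snippet's own code). The session is passed by reference so the helpers run from the CLI against a plain array; in a request, pass $_SESSION. The field name "_csrf" is an assumption.

```php
<?php
declare(strict_types=1);

// Added example (not the snippet's own code). One token per session, minted lazily,
// compared with hash_equals, dropped on logout.

function csrf_token(array &$session): string
{
    if (!isset($session['csrf']) || !is_string($session['csrf'])) {
        $session['csrf'] = bin2hex(random_bytes(32));   // 256 bits -> 64 hex characters
    }
    return $session['csrf'];
}

function csrf_verify(array &$session, ?string $submitted): bool
{
    if (!isset($session['csrf']) || $submitted === null) {
        return false;                           // never "succeed" against a missing token
    }
    return hash_equals($session['csrf'], $submitted);   // known value first
}

function csrf_rotate(array &$session): void
{
    // Call on login and logout; in a real request pair it with session_regenerate_id(true).
    unset($session['csrf']);
}

function csrf_field(array &$session): string
{
    return '<input type="hidden" name="_csrf" value="'
        . htmlspecialchars(csrf_token($session), ENT_QUOTES) . '">';
}

// Demo with a constructed array standing in for $_SESSION.
$session = [];
$t1 = csrf_token($session);
var_dump($t1 === csrf_token($session));         // true: same token across requests
var_dump(csrf_verify($session, $t1));            // true
var_dump(csrf_verify($session, strrev($t1)));    // false
var_dump(csrf_verify($session, null));           // false: form omitted the field
csrf_rotate($session);
var_dump(csrf_verify($session, $t1));            // false: old token dead after logout
echo csrf_field($session), PHP_EOL;              // fresh token embedded in the form

// In a handler: if (!csrf_verify($_SESSION, $_POST['_csrf'] ?? null)) { http_response_code(403); exit; }
```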
PHP Strip HTML Safely (whitelist tags)
Strip nearly all HTML from a string but keep a small whitelist (e.g. links, line breaks, inline formatting). Wraps strip_tags with sensible defaults and a callback to also drop event-handler attributes, which strip_tags itself leaves on allowed tags. A light filter for mostly-trusted input, not a replacement for a full HTML sanitiser.
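Added example (not the snippet's own code): strip_tags() with a whitelist, followed by a tag rewrite that discards every attribute except an http(s)/mailto href on links. The default whitelist and the rel value are assumptions, and the dirty input is constructed.

```php
<?php
declare(strict_types=1);

// Added example (not the snippet's own code). strip_tags() keeps the attributes of the
// tags it allows, so a second pass rebuilds each opening tag with an attribute allow-list.
// Limit: strip_tags drops <script> tags but keeps their text, and this is not a full
// sanitiser; for arbitrary user HTML use a purifier library.

function strip_html_safely(string $html, array $allowed = ['a', 'b', 'i', 'em', 'strong', 'br']): string
{
    $out = strip_tags($html, $allowed);

    // Rewrite every remaining opening tag (closing tags start with "/" and are not matched).
    return preg_replace_callback('/<(\w+)([^>]*)>/', static function (array $m): string {
        $tag = strtolower($m[1]);
        if ($tag !== 'a') {
            return '<' . $tag . '>';            // b, i, br ...: no attributes needed at all
        }
        if (preg_match('/\bhref\s*=\s*(["\'])(.*?)\1/is', $m[2], $h)) {
            // Decode entities first so "&#106;avascript:" cannot slip past the scheme test.
            $href = trim(html_entity_decode($h[2], ENT_QUOTES));
            if (preg_match('#^(https?:|mailto:)#i', $href)) {     // scheme allow-list, not deny-list
                return '<a href="' . htmlspecialchars($href, ENT_QUOTES) . '" rel="noopener nofollow">';
            }
        }
        return '<a>';                           // no acceptable href: keep the text, lose the link
    }, $out) ?? '';
}

// Constructed input mixing allowed tags with handlers, a javascript: link and a script block.
$dirty = '<p onclick="x()">Hi <b onmouseover="steal()">there</b> '
       . '<a href="javascript:alert(1)">bad</a> '
       . '<a href="https://example.com" onclick="steal()">good</a>'
       . '<script>evil()</script><br/></p>';

echo strip_html_safely($dirty), PHP_EOL;
// Hi <b>there</b> <a>bad</a> <a href="https://example.com" rel="noopener nofollow">good</a>evil()<br>
```

The leftover "evil()" text in the output is the strip_tags limitation mentioned above: it removes tags, not the content between them, so drop script and style blocks (with their bodies) before calling it if that text must not survive.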