DHCP implementation in… PHP

PHP is not usually used to implement network services – and generally for good reasons. Not because it can’t be done, but rather because that is not what it was designed for.
And yet, if you think that PHP simply can’t be used for anything other than serving your blog, think again, because my DHCP implementation in PHP seems to work quite well!


Best two-factor authentication (2FA) for WordPress

When securing your WordPress installation, there’s an abundance of tasks to be performed. One of them, and a very important one, is enabling two-factor authentication for all users. The most popular way of doing that is by using a plugin that works with smartphone apps like Google Authenticator – but from what I saw, those are either quite poor or require a payment to use for more than one user.
Recently, a new player has come to the scene, and they’re making quite a stir.


Protecting against PHP shells

A lesser-known feature of PHP is the option to disable certain functions and classes. It can help secure your application and web server by blocking functions that are rarely needed for ordinary web serving.


Hi Fitbit, congrats on learning how to use CSRF tokens (almost)!

I got my first Fitbit tracker a couple of years ago and I’ve been a loyal Fitbit user since – I’m currently on my 3rd tracker and my family has them too. Very quickly I became interested in getting a bit more information out of my data, charting it against other health data I have available – so I went to Fitbit’s website, as I was quite sure they must have an API, right? Yes, they do. And yes, I can use it for free. Because, as Fitbit says, “your data is yours”. Awesome.
And then it turned out it’s not so much “my data” as “my totals”. Fitbit’s public API could only give me aggregated data for each day: the total number of steps each day, averages, etc. I wanted to get a count of my steps for each 5-minute period, the same as I can see on Fitbit’s dashboard when I log in. It turned out that was not possible unless I had a commercial application, submitted a request to Fitbit, and they decided it was worth it. Boo. (Please refer to the bottom of this post for a note on the state of the API today.)
