PHP Reddit – Telegram
PHP Reddit
Channel to sync with /r/PHP /r/Laravel /r/Symfony. Powered by awesome @r_channels and @reddit2telegram
Another account of breaking into a retired PHP app (RainLoop) using textbook vulnerabilities (unserialize, not checking file paths, etc.).

Unlike the other time, it seems there is no English text available, so here is just a short account by yours truly.

Although the RainLoop web-mail client looks extremely dated, and its GitHub repo is archived, it was listed as an obscure web-mail option by the Beget cloud platform, and hence was eligible for their bug bounty program. So a bug hunter nicknamed hunter decided to dig in.

And so how it went:

+ unserialize, fed by cookie input in RainLoop\Utils::DecodeKeyValuesQ()
  - that input is encrypted with a long key stored in SALT.php
+ curl is fed unvalidated user-supplied data, allowing the file:// scheme, in RainLoop\Actions\DoComposeUploadExternals()
  - there is no direct way to get the output
+ attached files are not checked for validity, hence:
  - create a new mail with an arbitrary attached file
  - save it as a Draft and check the HTTP request
  - modify it so the attachment becomes file:///var/www/html/data/SALT.php (it's unclear how the path was discovered, but it's doable, e.g. via guesswork or a relative path)
  - check whatever attachment hash is returned by the system
  - use that hash to forge a request for the attachment
  - bingo, we have SALT.php attached
+ now we can create a payload for unserialize and encrypt it using the actual key

Now the story goes on to creating the executable payload. The list of libraries in use was examined and Predis was targeted, starting from the destructor method of \Predis\Response\Iterator\MultiBulkTuple, which resulted in PoC code. Once MultiBulkTuple's destructor is called, Predis/Command/Processor/KeyPrefixProcessor.php executes call_user_func() with a command stored in DispatcherLoop::$callbacks and a payload in DispatcherLoop::$pubsub, and the simplest command would be system() with whatever shell command you can imagine.

Also there was a note that this whole long road was really unnecessary, as it turned out that a gopher:// based SSRF could have directly manipulated the php-fpm service. I am not sure how exactly that could be done, but would like to learn.

From this story I learned about the file:// and gopher:// protocols supported by curl, the latter being effectively a telnet client which can be used to connect to any TCP service by asking curl to open a gopher://service:port/payload URL.

https://redd.it/1lvftxe
@r_php
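The two textbook defects in the write-up above (curl handed an unvalidated URL, and unserialize() run on cookie-derived data whose only protection was a key sitting in the web root) beside their hardened forms. This is an added example, not RainLoop's code: the function names, the secretbox-based cookie format and the demo values are assumptions; the fixes themselves (scheme allowlist backed by CURLOPT_PROTOCOLS, private-range check with a pinned resolution, authenticated encryption, and an object-free unserialize) are generic PHP.

```php
<?php
declare(strict_types=1);

// Added example; names and cookie format are made up for illustration.

function fetchExternal(string $url): string
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        throw new InvalidArgumentException('Malformed URL');
    }
    $scheme = strtolower($parts['scheme']);
    if ($scheme !== 'http' && $scheme !== 'https') {
        // file://, gopher://, dict://, ftp:// ... all stop here.
        throw new InvalidArgumentException("Scheme not allowed: {$scheme}");
    }
    $host = $parts['host'];
    $port = $parts['port'] ?? ($scheme === 'https' ? 443 : 80);

    // Resolve once (IPv4 only; bracketed IPv6 literals are refused), reject
    // loopback/private/reserved targets, then pin that address so a second
    // DNS answer cannot send curl somewhere else (rebinding).
    $ip = gethostbyname($host);
    if ($ip === $host && filter_var($host, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        throw new RuntimeException("Cannot resolve {$host}");
    }
    $flags = FILTER_FLAG_IPV4 | FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) {
        throw new InvalidArgumentException("{$host} resolves to non-public address {$ip}");
    }

    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER  => true,
        // Second line of defence inside libcurl itself, for the first
        // request and for any redirect target.
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION  => false,
        CURLOPT_RESOLVE         => ["{$host}:{$port}:{$ip}"],
        CURLOPT_CONNECTTIMEOUT  => 5,
        CURLOPT_TIMEOUT         => 15,
        CURLOPT_MAXFILESIZE     => 25 * 1024 * 1024,
    ]);
    $body = curl_exec($ch);
    if ($body === false) {
        throw new RuntimeException('Fetch failed: ' . curl_error($ch));
    }
    return $body;
}

// Cookie round trip: libsodium secretbox (authenticated) instead of a
// home-grown cipher, and no objects allowed back out of unserialize().
// $key is SODIUM_CRYPTO_SECRETBOX_KEYBYTES (32) random bytes kept outside
// the web root; even a leaked key yields no gadget chain here.
function encodeKeyValues(array $values, string $key): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = sodium_crypto_secretbox(serialize($values), $nonce, $key);
    return base64_encode($nonce . $box);
}

function decodeKeyValues(string $cookie, string $key): array
{
    $raw = base64_decode($cookie, true);
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $min) {
        throw new InvalidArgumentException('Malformed cookie');
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($box, $nonce, $key);
    if ($plain === false) {
        throw new RuntimeException('Cookie failed authentication');
    }
    // allowed_classes=false turns every serialized object into
    // __PHP_Incomplete_Class, so no __destruct/__wakeup (Predis or any
    // other library) ever runs from attacker-controlled data.
    $data = unserialize($plain, ['allowed_classes' => false]);
    if (!is_array($data)) {
        throw new UnexpectedValueException('Cookie payload is not a key/value array');
    }
    return $data;
}

// Demo with a throwaway key and constructed values.
$key    = sodium_crypto_secretbox_keygen();
$cookie = encodeKeyValues(['email' => 'user@example.com', 'lang' => 'en'], $key);
var_dump(decodeKeyValues($cookie, $key));
try {
    fetchExternal('file:///var/www/html/data/SALT.php');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

CURLOPT_PROTOCOLS is the part that also closes the gopher:// route the post mentions: libcurl refuses the scheme before any bytes leave the host, regardless of how the URL got past the application's own checks. The private-range filter is still worth keeping, since http:// to 127.0.0.1 or a metadata endpoint is an SSRF too.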
Need to upgrade PHP on XAMPP for Linux

Hi,
I installed XAMPP on Ubuntu Server 24.04. It comes with PHP 8.2.12. I need to upgrade it to 8.3.6 or later.
I tried different guides and solutions found on forums, but nothing works, and it also corrupted previous data saved in the XAMPP folder. Has anyone had the same problem?

https://redd.it/1lvke47
@r_php
Strange issue when trying to run commands via app

I have a strange issue: I want to execute Symfony commands via the app, and I followed the suggestion from:

https://symfony.com/doc/current/console/command_in_controller.html

    public function execute(CommandInterface $command): string
    {
        $input = new ArrayInput($command->getParameter());
        $output = new BufferedOutput();

        $application = new Application($this->kernel);
        $application->setAutoExit(false);
        $application->run($input, $output);

        $converter = new AnsiToHtmlConverter();
        $content = $output->fetch();

        return $converter->convert($content);
    }

And a relatively vanilla command:

    readonly class ExtractTranslationsCommand implements CommandInterface
    {
        public function __construct(private string $locale)
        {
            //
        }

        public function getCommand(): string
        {
            return 'translation:extract';
        }

        public function getParameter(): array
        {
            return [
                'command' => $this->getCommand(),
                '--format' => 'php',
                '--force' => null,
                $this->locale => $this->locale,
            ];
        }
    }

And i get:

Error thrown while running command "translation:extract --format=php --force en". Message: "The "en" argument does not exist."

If i run the command in the console it works fine.

If I change the last parameter from $this->locale => $this->locale to $this->locale => null, it is also not working, with the error:

Uncaught PHP Exception TypeError: "Symfony\Component\Console\Input\Input::escapeToken(): Argument #1 ($token) must be of type string, null given, called in /var/www/html/vendor/symfony/console/Input/ArrayInput.php on line 107" at Input.php line 154

Does anyone see an issue that might cause the errors? I mean, if I copy-paste it, it does work:

translation:extract --format=php --force en

https://redd.it/1lvo7nc
@r_php
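For reference, an added example (not the poster's code) of how ArrayInput wants the translation:extract arguments spelled, wrapped in the kind of service a controller would call. ArrayInput reads a string key as an argument name and a key starting with "-" as an option, binding the value to it; a key of "en" is therefore looked up as an argument called "en", which translation:extract does not declare (its argument is named "locale"). The class name, the locale allowlist and the exception types are assumptions for this example.

```php
<?php
declare(strict_types=1);

namespace App\Service;

use Symfony\Bundle\FrameworkBundle\Console\Application;
use Symfony\Component\Console\Input\ArrayInput;
use Symfony\Component\Console\Output\BufferedOutput;
use Symfony\Component\HttpKernel\KernelInterface;

// Added example. Runs translation:extract for one locale from inside a web
// request and returns the command's output.
final class TranslationExtractor
{
    // Assumption: the locales the web UI is allowed to ask for.
    private const ALLOWED_LOCALES = ['en', 'de', 'fr'];

    public function __construct(private KernelInterface $kernel)
    {
    }

    public function extract(string $locale): string
    {
        // Request data becomes a console argument here, so allowlist it
        // rather than relying on the console layer to make it harmless.
        if (!\in_array($locale, self::ALLOWED_LOCALES, true)) {
            throw new \InvalidArgumentException("Locale not allowed: {$locale}");
        }

        $input = new ArrayInput([
            'command'  => 'translation:extract',
            '--format' => 'php',
            '--force'  => null,    // null on a VALUE_NONE option means "flag present"
            'locale'   => $locale, // argument *name* => value, not value => value
        ]);
        $output = new BufferedOutput();

        $application = new Application($this->kernel);
        $application->setAutoExit(false);        // never exit() inside a web request
        $application->setCatchExceptions(false); // surface failures to the caller

        $exitCode = $application->run($input, $output);
        $text = $output->fetch();
        if ($exitCode !== 0) {
            throw new \RuntimeException(
                sprintf('translation:extract exited with %d: %s', $exitCode, $text)
            );
        }

        return $text;
    }
}
```

Checking the exit code matters as much as the key name: Application::run() returns the command's status rather than throwing on a non-zero result, so a controller that only converts the buffered output will happily render a failed run as success.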
L12 starter kit (Inertia/Vue) and persistent layout

Has anybody tried to implement a persistent layout on the Inertia + Vue starter kit?

I'm using the sidebar version, and I would like the app not to reload the layout each time and lose the opened sidebar item. I also have to implement a chat component that has to live in the layout.

I don't think it's possible to pass props (i.e. the breadcrumbs) from each page to the AppLayout?

https://redd.it/1lvx3he
@r_php
Refreshing a Livewire component after closing a Flux modal.

I currently have two Livewire components, one called PatientDetails, and another PatientForm. PatientDetails is the main component, while PatientForm opens up in a FluxUI modal. At the end of the save() function in PatientForm (which either creates or updates a Patient record), I have the following:

    Flux::toast($message, heading: 'Success', variant: 'success', position: 'top-right');
    Flux::modal("patient-form-{$this->patient->id}")->close();

What I would like to then do is refresh the underlying PatientDetails component, so whatever has been updated can refresh. How can I go about doing this?

https://redd.it/1lw4m56
@r_php
🔥 Profiling in PHP with excimer and how to export the data 🚀

> The post is by Oleg Mifle, author of excimetry.

I want to share how to export profiling data collected using excimer. Now, excimer isn’t the most popular profiling module — and I think that’s unfair. It’s tightly integrated into PHP and has minimal CPU overhead

Any downsides? Of course — it lacks built-in visualization. But there are plenty of visualizers out there: Pyroscope from Grafana, for example. Or Speedscope. The real problem is — how to send the data there, since excimer doesn’t support OpenTelemetry or any common format out of the box.

So what to do?

Well… write a wrapper and adapters yourself 😎 That’s exactly what I did. And that’s how the open source package excimetry was born 👩‍💻 - https://github.com/excimetry/excimetry

Personally, I find it really convenient. I’ve added native integration with OpenTelemetry clients, sending binary data using protobuf.

It currently supports:

- Pyroscope
- Speedscope
- File export
- CLI command profiling

Here’s an example:

    use Excimetry\Profiler\ExcimerProfiler;
    use Excimetry\Exporter\CollapsedExporter;
    use Excimetry\Backend\PyroscopeBackend;

    // Create a profiler
    $profiler = new ExcimerProfiler();

    // Start profiling
    $profiler->start();

    // Your code to profile here
    // ...

    // Stop profiling
    $profiler->stop();

    // Get the profile
    $log = $profiler->getLog();

    // Send to Pyroscope
    $exporter = new CollapsedExporter();
    $backend = new PyroscopeBackend(
        serverUrl: 'http://localhost:4040',
        appName: 'my-application',
        labels: ['env' => 'production'],
        exporter: $exporter,
    );

    // Send the profile to Pyroscope
    $backend->send($log);

    // You can also set the backend to send asynchronously
    $backend->setAsync(true);
    $backend->send($log); // Returns immediately, sends in background

    // Add custom labels
    $backend->addLabel('version', '1.0.0');
    $backend->addLabel('region', 'us-west');


Honestly, I don’t know how far this will go — but I genuinely like the idea 💡 Maybe excimer will get just a little more attention thanks to excimetry.

Would love to get your ⭐️ on GitHub, reposts, and feedback ❤️

https://redd.it/1lw6kej
@r_php
Filter Laravel model using URL query strings

Hi r/PHP 👋

I've built a Laravel package to filter Eloquent models using URL query strings. I know there's a plethora of packages that solve this problem, but I haven't found a single one that uses this specific approach. Let me know what you think!

The package is [goodcat/laravel-querystring](https://github.com/goodcat-dev/laravel-querystring). I'm using the attribute `#[QueryString]` to tag a method as a "filter" and the Reflection API to map the query string name to the filter. Here's an example:

    // http://example.com/users?email=john@doe.com

    class User extends Authenticatable
    {
        use UseQueryString;

        #[QueryString('email')]
        public function filterByEmail(Builder $query, string $search): void
        {
            $query->where('email', $search);
        }
    }

I’ve added the `UseQueryString` trait to the `User` model and marked a method with the `QueryString` attribute.

    class UserController extends Controller
    {
        public function index(Request $request): View
        {
            $users = User::query()->queryString($request)->get();

            return view('user.index', ['users' => $users]);
        }
    }

Inside the query, I use the `queryString($request)` scope, passing it the request. The query string is automatically mapped to the method, and the filter we wrote earlier is applied. I like this approach because:

* No restriction on query string names, use whatever name you like.
* No pre-defined filters, you explicitly write each filter method.
* It leverages modern PHP with Attributes, caching, and the Reflection API.

I'm really curious to know what you think! 😼 I wrote an [article on Medium](https://medium.com/@outlaw.plz/filter-laravel-models-using-url-query-strings-45f3683d7cbe) to delve deeper into the motivations that led me to write this package. If I’ve piqued your curiosity, check out the code on GitHub: [goodcat/laravel-querystring](https://github.com/goodcat-dev/laravel-querystring).

https://redd.it/1lwgpif
@r_php
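The mechanism above hands every query string name straight to a method the model author chose to tag, which is the right default: only attributed methods are reachable, and unknown keys have nowhere to go. What the package cannot do for you is validate each value, and the one place that bites is a filter that touches an SQL identifier rather than a value. The following is an added example, not the package's own code; it assumes the trait, attribute and method signature exactly as shown in the post, and the `use` lines for the package namespace, the `Order` model and its columns are assumptions.

```php
<?php
declare(strict_types=1);

namespace App\Models;

use Illuminate\Database\Eloquent\Builder;
use Illuminate\Database\Eloquent\Model;
use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
// Assumption: the package's short names UseQueryString / QueryString shown in
// the post live under this namespace.
use Goodcat\QueryString\QueryString;
use Goodcat\QueryString\UseQueryString;

// Added example model. Each filter validates its own input; the sort filter
// allowlists the column because Eloquent binds values, never column names.
class Order extends Model
{
    use UseQueryString;

    private const STATUSES = ['open', 'paid', 'shipped'];
    private const SORTABLE = ['created_at', 'total', 'status'];

    // ?status=paid
    #[QueryString('status')]
    public function filterByStatus(Builder $query, string $status): void
    {
        if (!\in_array($status, self::STATUSES, true)) {
            throw new BadRequestHttpException("Unknown status: {$status}");
        }
        $query->where('status', $status); // value, sent as a bound parameter
    }

    // ?created_after=2025-07-01
    #[QueryString('created_after')]
    public function filterByCreatedAfter(Builder $query, string $date): void
    {
        $parsed = \DateTimeImmutable::createFromFormat('!Y-m-d', $date);
        if ($parsed === false || $parsed->format('Y-m-d') !== $date) {
            throw new BadRequestHttpException("created_after must be YYYY-MM-DD: {$date}");
        }
        $query->where('created_at', '>=', $parsed);
    }

    // ?sort=-total  (leading "-" means descending)
    #[QueryString('sort')]
    public function sortBy(Builder $query, string $sort): void
    {
        $direction = str_starts_with($sort, '-') ? 'desc' : 'asc';
        $column    = ltrim($sort, '-');
        // orderBy() splices the column name into the SQL text, so only a
        // fixed set of known columns may reach it.
        if (!\in_array($column, self::SORTABLE, true)) {
            throw new BadRequestHttpException("Cannot sort by: {$column}");
        }
        $query->orderBy($column, $direction);
    }
}
```

Throwing a 400 from inside the filter keeps the contract simple: a request with a bad value fails loudly instead of silently returning the unfiltered table, which for a listing endpoint is usually the more dangerous outcome.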
PHP Redis Session Manager - Compatible with Websockets

Github:

https://github.com/jeankassio/PHP-Redis-Session-Manager

I needed to work once again with websockets and again I came across the problem of getting sessions correctly within a websocket, so I decided to create this library to help me, for anyone who has to work with websockets, it may be useful to you too

https://redd.it/1lwfeis
@r_php
Storing mysqli db user and password settings on Front End Server PHP in 2025

Hi,

I saw some PHP code that is currently in use at the company I am working at; it has the hostname, port, user and password for connecting to a mysqli instance, everything stored in a file with a .php extension. The front-end server connects directly to the database to perform some read operations (running SELECT statements based on what the user enters).

I came across this old Stack Overflow post discussing the same (https://stackoverflow.com/questions/47479857/mysqli-connection-db-user-and-password-settings), and it is described there as generally safe.

But what I have learnt is that it is never safe to store a username and password on a front-end server, even if everything is internal (principle of least privilege). Can you please help me figure out whether this can be used in 2025? I am being asked to create something similar to the old application, and I just want to cover my back if something goes wrong (I have never worked with PHP, so I was shocked).

Thanks for the help.

https://redd.it/1lwnbs4
@r_php
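One way to build the read path the question describes, added here as an example and not the company's code: the credential lives in the environment (systemd EnvironmentFile, container secret, or `env[...]` in the PHP-FPM pool config) rather than in a .php file under the document root, the database account is SELECT-only on the one table it needs, and whatever the user typed travels as a bound parameter. Table and column names, the `app_ro` account and the host pattern are assumptions.

```php
<?php
declare(strict_types=1);

// Added example. MySQL side, run once by an admin, never by the application
// (assumed names):
//   CREATE USER 'app_ro'@'10.0.0.%' IDENTIFIED BY '<long random secret>';
//   GRANT SELECT ON shop.products TO 'app_ro'@'10.0.0.%';
// Nothing else: no write grants, no FILE, no SUPER, no other schemas. The
// web tier then holds a credential that can only read one table.

function requiredEnv(string $name): string
{
    $value = getenv($name);
    if ($value === false || $value === '') {
        throw new RuntimeException("Missing environment variable {$name}");
    }
    return $value;
}

function dbConnect(): mysqli
{
    // Throw on every failure instead of returning false and limping on.
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

    $db = new mysqli(
        requiredEnv('DB_HOST'),
        requiredEnv('DB_USER'),
        requiredEnv('DB_PASS'),
        requiredEnv('DB_NAME'),
        (int) (getenv('DB_PORT') ?: 3306),
    );
    $db->set_charset('utf8mb4');
    return $db;
}

// "SELECT based on what the user enters": the text is only ever a bound
// value, so it cannot change the statement. LIKE metacharacters the user
// typed are escaped so they match literally instead of acting as wildcards.
function searchProducts(mysqli $db, string $term, int $limit = 50): array
{
    $limit   = max(1, min($limit, 100));
    $pattern = '%' . addcslashes($term, '%_\\') . '%';

    $stmt = $db->prepare(
        'SELECT id, name, price FROM products WHERE name LIKE ? ORDER BY name LIMIT ?'
    );
    $stmt->bind_param('si', $pattern, $limit);
    $stmt->execute();

    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Front-end entry point.
$db   = dbConnect();
$rows = searchProducts($db, (string) ($_GET['q'] ?? ''));
header('Content-Type: application/json');
echo json_encode($rows, JSON_THROW_ON_ERROR);
```

The point of the grants is that they bound the blast radius of everything else: a leaked config, a future injection bug or a compromised front end all end at "read products". If the file-based layout cannot be changed, the same idea still applies by moving the file above the document root, making it readable only by the PHP-FPM user, and keeping the read-only account.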
Perennial Task: A CLI Task Manager Built With PHP
https://perennialtask.com/

https://redd.it/1lwtyb2
@r_php
assert() one more time

Does anyone actually use the assert() function, and if so, can you explain its use with good practical examples?

I've read articles and subs about it but still don't really get it.

https://redd.it/1lwycdu
@r_php
Looking for Guidance: Building a Retro PHP/MySQL Social Network as a Serious Side Project

Hey everyone,

I’m currently building a project modeled after early 2000s-era social networks (think old-school Facebook vibes) using vanilla PHP and MySQL – no modern frameworks, no React, just classic tech with a passion for design accuracy.

I’ve built a working sign-up/login system, user profiles, and post functionality. Everything’s shaping up great, but I’m stuck on a few things like session handling, styling consistency, and dynamic content loading.

This is a personal learning project with long-term potential, and I’m not looking to sell anything or promote a product. Just hoping someone experienced with old-school PHP could nudge me in the right direction or even review my code for best practices.

If you enjoy web nostalgia or clean, efficient back-to-basics PHP work, I would love to connect, and I am open to the right person joining as a founding partner in this venture.

Thanks in advance 🙏

https://redd.it/1lx34cy
@r_php
Laravel Pipelines - Your experience?

I recently implemented a workflow with the Laravel Pipeline class (facade) and have to say it was a nice improvement for the structure and readability of my code. I think it's not that well-known and there is no "official" documentation, but there are other posts and some videos from Laravel itself (https://www.youtube.com/watch?v=2REc-Wlvl9M).


I'm working on Boxbase (https://boxbase.app), which, in a nutshell, is a gym-management software. I used the pipeline class to set up a new membership for a user. It involves a couple of steps like

- creating the membership itself
- creating some related data (relations)
- connecting to Stripe if paid via Stripe


It looks something like this:

    $membership = (new CreateMembershipAction())->execute($data);

    $pipes = [
        CreateMembershipCyclePipe::class,
        ...,
        CreateStripeResourceForMembershipPipe::class,
    ];

    return Pipeline::send($membership)
        ->through($pipes)
        ->thenReturn();



I would love to hear about your experience with it or in which use cases you've used this flow. I think there's potential to make it very clear what's going on with that approach for other use cases as well.


If you have any experience, your feedback would be very helpful and appreciated. Thank you! 🙌

https://redd.it/1lx2jag
@r_php
Help with PHP Fatal Error When Trying to Connect to MySQL Database

I've been trying to connect to my MySQL database using PHP, but I'm getting a fatal error that's driving me crazy. Here are the details of what I've tried so far:


I've made sure that the database connection settings in my code match the ones in my database configuration file. The connection string is correct and I'm not getting any errors when trying to connect using the command line.


The error message I get is:

Fatal error: Uncaught Error: Connection refused (ECONNREFUSED) in /path/to/my/noscript.php:12


I've tried increasing the timeout value, but it doesn't seem to be making a difference. Has anyone else experienced this issue before? What could be causing it?


Edit: I should mention that I'm using PHP 8 and MySQLi extension. Let me know if you have any suggestions for how to resolve this issue.

https://redd.it/1lx95n2
@r_php