Showing posts with label PHP 7. Show all posts

Monday, 14 February 2022

Laravel PHP file upload max size

https://stackoverflow.com/questions/46067336/laravel-validate-file-size-when-php-max-upload-size-limit-is-exceeded

post_max_size and upload_max_filesize are directives you can set to configure your php.ini file OR .htaccess file OR httpd.conf file.

php.ini example:

post_max_size=15M
upload_max_filesize=15M

For FPM, the ini file is located in /etc/php/7.3/fpm/php.ini

Apache2 and PHP-FPM need to be restarted after the ini file has changed.

Restart Apache :

/etc/init.d/apache2 restart

Restart php5-fpm :

sudo service php5-fpm restart
https://stackoverflow.com/questions/12892331/do-i-need-to-restart-apache-after-changing-the-php-ini-file/12892408
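The Laravel question linked above exists because, once PHP's own limits are hit, the application never sees the file: PHP sets an error code in $_FILES for upload_max_filesize, and for post_max_size it discards the whole request body, so $_POST and $_FILES arrive empty. The following is an added example (not code from the linked answers) that parses the php.ini shorthand values and turns those two cases into clear messages. The function names, the field name "file" and the sample request at the bottom are constructed for the demonstration.

```php
<?php
// Added example: detect uploads that PHP itself rejected because of
// upload_max_filesize / post_max_size and report why, instead of "no file received".

// Convert php.ini shorthand such as "15M" or "2G" into bytes.
function iniShorthandToBytes(string $value): int
{
    $value = trim($value);
    if ($value === '') {
        return 0;
    }
    $unit = strtolower(substr($value, -1));
    $number = (int) $value;            // leading digits only, as PHP itself parses it
    switch ($unit) {
        case 'g': return $number * 1024 * 1024 * 1024;
        case 'm': return $number * 1024 * 1024;
        case 'k': return $number * 1024;
        default:  return $number;
    }
}

// Largest request body the current configuration accepts: the smaller of the two
// directives, because post_max_size bounds the whole body, file included.
function maxUploadBytes(): int
{
    $limits = [];
    foreach (['upload_max_filesize', 'post_max_size'] as $directive) {
        $bytes = iniShorthandToBytes((string) ini_get($directive));
        if ($bytes > 0) {              // 0 or -1 means "no limit" for post_max_size
            $limits[] = $bytes;
        }
    }
    return $limits === [] ? PHP_INT_MAX : min($limits);
}

// Inspect a request. $files is the $_FILES array and $contentLength the value of
// $_SERVER['CONTENT_LENGTH']. Returns null when the upload is fine, else a message.
function checkUpload(array $files, int $contentLength, string $field = 'file'): ?string
{
    // post_max_size exceeded: PHP dropped the body, so $_FILES is empty and the
    // only evidence left is the declared Content-Length.
    if ($files === [] && $contentLength > maxUploadBytes()) {
        return sprintf('Request body (%d bytes) exceeds post_max_size (%s).',
            $contentLength, ini_get('post_max_size'));
    }
    if (!isset($files[$field])) {
        return 'No file was uploaded.';
    }
    switch ($files[$field]['error']) {
        case UPLOAD_ERR_OK:
            return null;
        case UPLOAD_ERR_INI_SIZE:
            return 'File exceeds upload_max_filesize (' . ini_get('upload_max_filesize') . ').';
        case UPLOAD_ERR_FORM_SIZE:
            return 'File exceeds the MAX_FILE_SIZE field in the form.';
        case UPLOAD_ERR_PARTIAL:
            return 'File was only partially uploaded.';
        case UPLOAD_ERR_NO_FILE:
            return 'No file was uploaded.';
        default:
            return 'Upload failed with error code ' . $files[$field]['error'] . '.';
    }
}

// Constructed sample request: the body was larger than post_max_size, so PHP
// delivered no files at all but the client still declared a 20 MB body.
$sampleFiles = [];
$sampleContentLength = 20 * 1024 * 1024;
echo checkUpload($sampleFiles, $sampleContentLength) ?? 'ok', PHP_EOL;
```

In a Laravel controller the same check belongs before the validator runs, since a validator rule such as max:15360 can only fire when a file object actually exists in the request.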

Monday, 31 January 2022

Encrypting URL GET request parameters such as id=xxx

https://security.stackexchange.com/questions/17259/better-techniques-than-url-parameter-encryption


Summary. Your primary defense should be access control. You need to limit which users can view which pages. Details below.

In short: Don't encrypt URL parameters, use a separate look-up.


https://paragonie.com/blog/2015/09/comprehensive-guide-url-parameter-encryption-in-php




Don't.

Cryptography is a tricky field, especially for newcomers. To a security expert, it's immediately obvious why encrypting URL parameters is a bad idea. Let me explain why, and then I'll offer a superior alternative solution.

Why Encrypting URL Parameters is a Bad Idea

Typically, the desired result of encrypting a URL looks like this:

A bad design

One problem arises that, given the desired outcome of a very short URL (which is a common constraint to any system that sends URLs over SMS), there isn't enough room to both encrypt the desired information and then authenticate the encrypted output. Encryption without message authentication is totally broken.

Unless you're a cryptographer or security engineer, you wouldn't know these details. In this situation, encryption adds complexity and lots of room for nefarious errors to your application, for no real benefit. Obfuscation is a trivial task, as we'll demonstrate below; why add unnecessary complexity if you can avoid it?

What About Hashids?

From the What Not To Do section of the Hashids page:

Do not encode sensitive data. This includes sensitive integers, like numeric passwords or PIN numbers. This is not a true encryption algorithm.

The hashids protocol has been publicly broken by simple cryptanalysis techniques.

This might seem like an attractive solution, but it won't stop users from trivially teasing the underlying database row ID out of your obfuscated URL parameter. Hashids are not secure; don't use them.

What Should I Do Instead?

Okay, by this point, we hope you're convinced that neither encryption nor hashids are the way to go forward. Encryption is very hard to get right, and hashids are not secure.

But knowing this doesn't solve your problem: How can you serve content via an obfuscated URL without resorting to encryption?

The answer is: add another column to the table with a unique, random token and reference that in your database lookups instead of your database identifier.

A good design

A little bit of math:

  • In MySQL, an INTEGER(11) UNSIGNED primary key can hold about 4 billion rows. This is equal to 32 bits.
  • If you generate 9 raw bytes from a cryptographically secure pseudorandom number generator (72 bits of possible values), then base64 the result, you will end up with a 12 character identifier.
  • 72 bits of possible values means a 50% chance of collision at 2^36 records, according to the birthday problem.

This means you have a 50% chance of only two duplicate random values after about 69 billion records (a far cry beyond your 4 billion storage capacity). This means that you will almost never have a collision. You should still make sure every selector you generate is unique before inserting a new one, of course.

Furthermore, this record is completely randomly generated and has nothing to do with the rest of the data stored in your database. There is no pattern to be found. (The closest relevant buzz-word here is a "zero knowledge".)

Instead of encrypting URL parameters, add a column that stores a random 12-character string for each row (which is generated by base64-encoding 9 bytes from a CSPRNG), and use that in your URLs and SELECT queries.

use ParagonIE\ConstantTime\Base64UrlSafe;
/**
 * Generate a selector
 * 
 * @return string (12 characters)
 */
function generateSelector(): string
{
    return Base64UrlSafe::encode(random_bytes(9));
    /* Equivalent:
        return strtr(base64_encode(random_bytes(9)), '+/', '-_');
     */
}

(Code snippet above uses paragonie/constant_time_encoding.)

This problem is simpler and less likely to cause bugs or implementation errors now and going forward.

A Quick Note about Access Controls

An obfuscated URL does not obviate the need for access controls. The use case here is, "I want to serve a unique ID for a particular resource without leaking metadata about the activity level of our app."

Do not use obfuscated URLs as a backdoor into your application.
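The article's two points, a random selector column in place of the integer id and an access check that the selector does not replace, combined in one runnable piece. This is an added example and not Paragon's code: it assumes a table named documents with columns id, owner_id, selector (with a UNIQUE index) and body, uses plain base64_encode instead of paragonie/constant_time_encoding so it needs no Composer packages, and runs its demo on an in-memory SQLite database through PDO (pdo_sqlite must be available); the function names and the sample rows are constructed.

```php
<?php
// Added example: random selector column + ownership check, wired up through PDO.

// 9 random bytes -> 12 URL-safe base64 characters (9 % 3 == 0, so no padding).
function generateSelector(): string
{
    return strtr(base64_encode(random_bytes(9)), '+/', '-_');
}

// Insert a row, retrying on a selector collision. The UNIQUE index is what
// actually guarantees uniqueness; the retry just turns a duplicate-key error
// into a fresh attempt rather than a failed request.
function insertDocument(PDO $pdo, int $ownerId, string $body): string
{
    $stmt = $pdo->prepare(
        'INSERT INTO documents (owner_id, selector, body) VALUES (?, ?, ?)'
    );
    for ($attempt = 0; $attempt < 5; $attempt++) {
        $selector = generateSelector();
        try {
            $stmt->execute([$ownerId, $selector, $body]);
            return $selector;
        } catch (PDOException $e) {
            // SQLSTATE 23000 = integrity constraint violation (duplicate key)
            if ($e->getCode() !== '23000') {
                throw $e;
            }
        }
    }
    throw new RuntimeException('Could not generate a unique selector');
}

// Look a document up by the selector taken from the URL. The selector replaces
// the integer id in the URL; it does not replace the ownership check.
function fetchDocument(PDO $pdo, string $selector, int $currentUserId): ?array
{
    // Reject anything that is not 12 URL-safe base64 characters before touching the DB.
    if (!preg_match('/\A[A-Za-z0-9_-]{12}\z/', $selector)) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT id, owner_id, body FROM documents WHERE selector = ?');
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int) $row['owner_id'] !== $currentUserId) {
        return null; // "not found" and "not yours" give the same answer: nothing to enumerate
    }
    return $row;
}

// Self-contained demo on an in-memory SQLite database with constructed data.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE documents (id INTEGER PRIMARY KEY, owner_id INTEGER NOT NULL,
            selector TEXT NOT NULL UNIQUE, body TEXT NOT NULL)');
$selector = insertDocument($pdo, 42, 'hello');
echo 'URL would be /documents/', $selector, PHP_EOL;
var_dump(fetchDocument($pdo, $selector, 42) !== null); // the owner can read it
var_dump(fetchDocument($pdo, $selector, 7) !== null);  // another user cannot
```

The selector is validated by shape before the query so that malformed input never reaches the database, and the lookup returns the same null for a missing row and for a row the caller does not own, which is the access-control point the article closes with.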


PHP hash ids

https://hashids.org/php/


Thursday, 30 December 2021

PHP CURL Basic Usage

https://stackoverflow.com/questions/8115683/php-curl-custom-headers

// Set headers
$vars = http_build_query(['field' => 'value']); // example form body (constructed)
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "http://www.example.com/process.php");
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $vars);  // Post Fields
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);

$headers = [
    'X-Apple-Tz: 0',
    'X-Apple-Store-Front: 143444,12',
    'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
    'Accept-Encoding: gzip, deflate',
    'Accept-Language: en-US,en;q=0.5',
    'Cache-Control: no-cache',
    'Content-Type: application/x-www-form-urlencoded; charset=utf-8',
    'Host: www.example.com',
    'Referer: http://www.example.com/index.php', //Your referrer address
    'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0',
    'X-MicrosoftAjax: Delta=true'
];

curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);

$server_output = curl_exec ($ch);

curl_close ($ch);

print  $server_output ;


// Curl defaults including curl_setopt_array
$Defaults = array(
//  CURLOPT_HEADER         => TRUE,
    CURLOPT_RETURNTRANSFER => TRUE,
    CURLOPT_FAILONERROR    => TRUE,
    CURLOPT_CONNECTTIMEOUT => 0,
    CURLOPT_TIMEOUT        => 5,
    CURLOPT_ENCODING       => "",
    CURLOPT_MAXREDIRS      => 10,
    CURLOPT_HTTP_VERSION   => CURL_HTTP_VERSION_1_1,
    // WARNING: the two settings below switch off TLS certificate and hostname
    // verification, leaving the connection open to interception. Keep them for
    // local testing only; production should use TRUE and 2 respectively.
    CURLOPT_SSL_VERIFYPEER => FALSE,
    CURLOPT_SSL_VERIFYHOST => FALSE,
);
$curl = curl_init();
curl_setopt_array( $curl, $Defaults );

// https://stackoverflow.com/questions/11079135/how-to-post-json-data-with-php-curl
// curl with JSON
curl_setopt_array( $curl, array(
    CURLOPT_CUSTOMREQUEST => 'POST',
    CURLOPT_POSTFIELDS    => json_encode( $data ),
    CURLOPT_URL           => $url,
    CURLOPT_HTTPHEADER    => array(
        'Content-Type: application/json',
        'Accept: application/json',
        'Authorization: Bearer ' . $token,
    ),
) );
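The defaults and the JSON snippet above put together as one helper, with the settings a practitioner would want in production: certificate verification left on, HTTPS only (the request carries a bearer token), no redirect following, and proper error handling. This is an added example and not the code from the linked answers; the function name postJson, the endpoint URL and the token in the demo call are placeholders.

```php
<?php
// Added example: a JSON POST helper on curl_setopt_array with safe TLS defaults.

function postJson(string $url, array $data, string $token, int $timeoutSeconds = 5): array
{
    $curl = curl_init();
    if ($curl === false) {
        throw new RuntimeException('curl_init failed');
    }
    curl_setopt_array($curl, [
        CURLOPT_URL            => $url,
        CURLOPT_POST           => true,   // sets the method; CUSTOMREQUEST is not needed
        CURLOPT_POSTFIELDS     => json_encode($data, JSON_THROW_ON_ERROR),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FAILONERROR    => false,  // keep 4xx/5xx bodies so the caller can see the reason
        CURLOPT_CONNECTTIMEOUT => $timeoutSeconds,
        CURLOPT_TIMEOUT        => $timeoutSeconds,
        CURLOPT_ENCODING       => '',     // accept any compression curl supports
        CURLOPT_FOLLOWLOCATION => false,  // the token goes only to the host we named
        CURLOPT_HTTP_VERSION   => CURL_HTTP_VERSION_1_1,
        CURLOPT_SSL_VERIFYPEER => true,   // verify the certificate chain
        CURLOPT_SSL_VERIFYHOST => 2,      // and that the certificate matches the URL host
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS, // never send the bearer token in clear
        CURLOPT_HTTPHEADER     => [
            'Content-Type: application/json',
            'Accept: application/json',
            'Authorization: Bearer ' . $token,
        ],
    ]);

    $body = curl_exec($curl);
    if ($body === false) {
        $error = curl_error($curl);
        curl_close($curl);
        throw new RuntimeException('cURL error: ' . $error);
    }
    $status = curl_getinfo($curl, CURLINFO_RESPONSE_CODE);
    curl_close($curl);

    $decoded = json_decode($body, true);
    return ['status' => $status, 'body' => $decoded ?? $body];
}

// Placeholder demo call: replace the host and the token with real values.
try {
    $response = postJson('https://api.example.com/v1/items', ['name' => 'demo'], 'PLACEHOLDER_TOKEN');
    printf("HTTP %d\n", $response['status']);
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

CURLOPT_FAILONERROR is deliberately off here: with it on, a 401 or 422 turns into a generic cURL failure and the JSON error body the API sent is lost.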

Tuesday, 28 December 2021

MySQL LIKE query: the underscore (_) and percent/mod (%) symbols are wildcards and need to be escaped; PHP string replace with an array

https://stackoverflow.com/questions/19588455/why-does-using-an-underscore-character-in-a-like-filter-give-me-all-the-results


The '_' and '%' are wildcards in a LIKE operated statement in SQL.

The _ character looks for a presence of (any) one single character. If you search by columnName LIKE '_abc', it will give you result with rows having 'aabc', 'xabc', '1abc', '#abc' but NOT 'abc', 'abcc', 'xabcd' and so on.

The '%' character is used for matching 0 or more number of characters. That means, if you search by columnName LIKE '%abc', it will give you result with having 'abc', 'aabc', 'xyzabc' and so on, but no 'xyzabcd', 'xabcdd' and any other string that does not end with 'abc'.

In your case you have searched by '%_%'. This will give all the rows with that column having one or more characters, that means any characters, as its value. This is why you are getting all the rows even though there is no _ in your column values.



Solution 


WHERE mycolumn LIKE '%\_%' ESCAPE '\'


PHP ESCAPE Underscore and Mod
https://stackoverflow.com/questions/15424102/search-with-in-mysql-query-like

$key = str_replace(array('%', '_'), array('\%', '\_'), $key);
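The str_replace above handles % and _ but not the escape character itself: a backslash already in the search term would swallow the character after it. The following is an added example (not from the linked answers) that escapes the escape character first, uses '!' as the escape character so the same SQL works unchanged in MySQL, SQLite and PostgreSQL (a backslash inside a MySQL string literal needs doubling), and binds the pattern through a prepared statement. The table name items, the function names and the sample rows are constructed; the demo runs on an in-memory SQLite database via PDO.

```php
<?php
// Added example: literal LIKE search for user input containing %, _ or the escape character.

// Escape LIKE metacharacters. The escape character is replaced first, otherwise
// an input such as "a!b" would turn "!b" into a plain "b" when the DB evaluates it.
function escapeLike(string $term, string $escape = '!'): string
{
    return str_replace(
        [$escape, '%', '_'],
        [$escape . $escape, $escape . '%', $escape . '_'],
        $term
    );
}

// "contains" search: wildcards around the escaped term, term bound as a parameter.
function searchNames(PDO $pdo, string $term): array
{
    $stmt = $pdo->prepare(
        "SELECT name FROM items WHERE name LIKE :pattern ESCAPE '!' ORDER BY name"
    );
    $stmt->execute([':pattern' => '%' . escapeLike($term) . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed sample data.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE items (name TEXT NOT NULL)');
$insert = $pdo->prepare('INSERT INTO items (name) VALUES (?)');
foreach (['user_name', 'username', '100%', '100 percent', 'a!b'] as $name) {
    $insert->execute([$name]);
}

print_r(searchNames($pdo, '_'));   // only the row with a literal underscore
print_r(searchNames($pdo, '%'));   // only the row with a literal percent sign
print_r(searchNames($pdo, '!'));   // the escape character itself is matched literally too
```

Without the escaping, the first search would return every non-empty row, exactly the symptom the linked question describes.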

Monday, 25 October 2021

PHP chgrp function

https://www.php.net/manual/en/function.chgrp.php


chgrp(string $filename, string|int $group): bool

Attempts to change the group of the file filename to group.

Only the superuser may change the group of a file arbitrarily; other users may change the group of a file to any group of which that user is a member.

PHP or syntax function

https://stackoverflow.com/questions/9535255/php-or-syntax



Let's just say that:

$result = first() || second();

will evaluate to:

if (first()) {
    $result = true;
} elseif (second()) {
    $result = true;
} else {
    $result = false;
} 

while:

$result = first() or second();

will evaluate to:

if ($result = first()) {
    // nothing
} else {
    second();
}

In other words you may consider:

$result = first() || second();

$result = (first() || second());

and:

$result = first() or second();

to be:

($result = first()) || second();

It is just matter of precedence.

Friday, 13 August 2021

PHP BCADD() && Fatal error: Uncaught Error: Call to undefined function bcadd()

https://www.geeksforgeeks.org/php-bcadd-function/

https://stackoverflow.com/questions/51094183/fatal-error-uncaught-error-call-to-undefined-function-bcadd

PHP does not recognize "bcadd()" and gives the error. The "bcadd()" function is included in the "bcmath" PHP extension.

Just installing the relevant bcmath extension would solve the issue.

sudo apt-get install php7.<Your PHP version>-bcmath

Please note, you should find the correct version of the bcmath extension according to your PHP version, and restart Apache:

sudo service apache2 restart

PHP | bcadd() Function

  • Last Updated : 19 Apr, 2018

The bcadd() function in PHP is an inbuilt function and is used to add two arbitrary precision numbers. This function accepts two arbitrary precision numbers as strings and returns the addition of the two numbers after scaling the result to a specified precision.

Syntax:

string bcadd ( $num_str1, $num_str2, $scaleVal)

Program 1:

<?php
// PHP program to illustrate bcadd() function
   
// input numbers with arbitrary precision
$num_str1 = "3";
$num_str2 = "11.222";
   
// calculates the addition of
// the two numbers when $scaleVal is
// not specified
$res = bcadd($num_str1, $num_str2);
  
echo $res;
   
?>

Output:

14

Program 2:

<?php
// PHP program to illustrate bcadd() function
   
// input numbers with arbitrary precision
$num_str1 = "3";
$num_str2 = "11.222";
  
// scale value
$scaleVal = 4;
   
// calculates the addition of the two
// numbers when $scaleVal is specified
$res = bcadd($num_str1, $num_str2, $scaleVal);
  
echo $res;
   
?>

Output:

14.2220
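What the two programs above do not show is why one would reach for bcadd() at all: binary floats cannot represent most decimal fractions exactly, so summing amounts of money with + accumulates error, while bcadd() on decimal strings is exact at the requested scale. The following is an added example (not from GeeksforGeeks or the linked answer) that guards for the missing-extension case described above and then sums a constructed list of amounts both ways; the function names are constructed.

```php
<?php
// Added example: exact decimal sums with bcadd(), guarded by the bcmath extension check.

if (!extension_loaded('bcmath')) {
    // This is the situation behind "Call to undefined function bcadd()".
    fwrite(STDERR, "bcmath extension is not loaded; install the bcmath package for your PHP version and restart the web server\n");
    exit(1);
}

// bcadd() accepts only well-formed numeric strings, so validate before calling it.
function isDecimalString(string $value): bool
{
    return preg_match('/\A-?\d+(\.\d+)?\z/', $value) === 1;
}

// Exact sum of decimal strings at a fixed scale (2 = cents).
function sumAmounts(array $amounts, int $scale = 2): string
{
    $total = '0';
    foreach ($amounts as $amount) {
        if (!isDecimalString($amount)) {
            throw new InvalidArgumentException("Not a decimal string: $amount");
        }
        $total = bcadd($total, $amount, $scale);
    }
    return $total;
}

// The same sum done with floats, for comparison.
function sumAmountsFloat(array $amounts): float
{
    return array_sum(array_map('floatval', $amounts));
}

$amounts = ['0.10', '0.20', '0.30'];   // constructed sample amounts
echo 'bcadd: ', sumAmounts($amounts), PHP_EOL;
echo 'float: ', var_export(sumAmountsFloat($amounts), true), PHP_EOL;
echo 'float sum === 0.6 ? ', var_export(sumAmountsFloat($amounts) === 0.6, true), PHP_EOL;
```

Note that bcadd() truncates rather than rounds at the given scale, which is why Program 1 above prints 14 and not 14.222 or 15; pick the scale to match the precision you store, not the precision you display.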