PHP

Roadmap

The language of half the web — and a lot of its bugs.

Learning Path Available — Lessons Currently Being Developed

Overview

PHP still powers an enormous share of the web, from WordPress to custom CMS platforms. Its security history is rich: file inclusion, the old preg_replace /e modifier, type juggling, and deserialization. For a web pentester, reading PHP source is one of the highest-yield grey-box skills.

Why learn PHP

  • A huge fraction of the web runs PHP — endless real targets.
  • Its classic bug classes (LFI, type juggling, deserialization) are exam-grade.
  • Reading PHP source is core to web grey-box testing.

Security applications

  • Local and remote file inclusion
  • Type juggling and loose comparison bugs
  • PHP object injection and deserialization
  • WordPress and CMS security review
  • Source review of web applications

Planned curriculum

  1. PHP syntax and request handling
  2. Reading application source
  3. File inclusion vulnerabilities
  4. Type juggling and == vs ===
  5. Object injection and deserialization
  6. The legacy preg_replace /e RCE
  7. WordPress security model
  8. Static analysis of PHP

This path is on the roadmap. The four live courses (Python, JavaScript, Bash, Regex) will teach you most of what carries over.

Related languages