PHP - How To Secure My PHP Application From Someone Copying Source Code
I've been developing a php application that runs my entire company for the last 4 years. One of the things I never thought of until now is that the server guys or anyone else could copy the source code and db and be able to start up another company which brings up my question to you.... How would you protect your application?
My thought is to create one small php file that is encrypted with something that is required to make the entire site run (not sure at this point what it would be that they couldn't just rebuild). Then if this file sees it's on a different domain/ip it requests data from my site which logs the info for me to look at. If I find out it's something not approved, it would then not allow the program to run and will give an error. What is your idea?

Similar Tutorials

Can anyone help me make this more secure? I want to link the info to .inc instead of pulling this info straight from the page

// cPanel info
$cpuser = 'userhere'; // cPanel username
$cppass = 'passwordhere'; // cPanel password
$cpdomain = 'mysite.com'; // cPanel domain or IP
$cpskin = 'x'; // cPanel skin. Mostly x or x2.
// See following URL to know how to determine your cPanel skin
// http://www.zubrag.com/articles/determine-cpanel-skin.php
// Default email info for new email accounts
// These will only be used if not passed via URL
$epass = 'hispassword'; // email password
$edomain = 'mysite.com'; // email domain (usually same as cPanel domain above)
$equota = 20; // amount of space in megabytes

The only time it pulls the info is in this line

// Create email account
$f = fopen("http://$cpuser:$cppass@$cpdomain:2082/frontend/$cpskin/mail/doaddpop.html?email=$euser&domain=$edomain&password=$epass&quota=$equota", "r");
if (!$f) {
    $msg = 'Cannot create email account. Possible reasons: "fopen" function allowed on your server, PHP is running in SAFE mode';
    break;
}
$msg = "<h2>Email account {$euser}@{$edomain} created.</h2>";

Thank you for the help once again

So I have a webapp which has a built in proxy checker. However because I didn't write the code I am kind of confused on what's going on. I have a small amount of knowledge on php, been looking all over the net to find a solution. So this file called (proxy_check.php) keeps causing my index.php to show the 404 designed page.
The file is required in the index.php file. I believe it's something to do with the $response variable. Please help

<?php
# Visitor proxy check snippet
$v_ip = $_SERVER['REMOTE_ADDR'];
$arContext['http']['timeout'] = 10;
$context = stream_context_create($arContext);
$response = file_get_contents('http://www.shroomery.org/ythan/proxycheck.php?ip='.$v_ip, 0, $context);
if ('Y' === $response) {
    echo "<html xmlns='http://www.w3.org/1999/xhtml' xml:lang='en' lang='en'>
    <meta http-equiv='Content-Type' content='text/html;charset=UTF-8'>
    <head>
    <title> The page you were looking for doesn't exist (THIS BUG)</title>
    <style type='text/css'>
    body { background-color: #efefef; color: #333; font-family: Georgia,Palatino,'Book Antiqua',serif;padding:0;margin:0;text-align:center; }
    p {font-style:italic;}
    div.dialog { width: 490px; margin: 4em auto 0 auto; }
    img { border:none; }
    </style>
    </head>
    <body>
    <div class='dialog'>
    <a><img src='assets/img/404.png'></a>
    <p>It looks like that page you were looking has been mislaid, sorry.</p>
    </div>
    </body>
    </html>";
    die();
}
Hi guys, I wrote this speck of code to prevent directory traversal. However, I'm not that great with security issues, so I would like some of the gurus to offer pointers/tips/hints as to whether my code is safe or not and how to improve it.

$pageID = $_GET["pageid"];
$pageNewIDLower = strtolower($pageID);
$pageNewID = ereg_replace("[^A-Za-z0-9]", "", $pageNewIDLower);
if (strstr($pageNewID, "../") || strstr($pageNewID, "%") != true) {
    // do stuff
} else {
    include("pages/home.htm");
}

If this looks wrong, let me know. I didn't take it directly from my php code as I'm on a cell phone at the moment.

I had a programmer who was doing a job for me look over one of my pages and he added this security to my POST submit button:

##### secure #####
if(!empty($_POST['user_url']) & preg_match('/(order.*?by|union.*?select|select.*?from|update.*?set|"|\'|\/*)/', $_POST['user_url'])) exit;
if(!empty($_POST['user_url']) & !preg_match('/https?:\/\/[\w\d:#@%\/;$()~\\_?+-=.&]*/', $_POST['user_url'])) exit;
#################

However now it doesn't matter what I type into the text box, it always exits the script... can anyone see what's happening here? PS. the purpose of the text box is to insert URLs into my database... so it would need to allow that format.

I want to copy everything in templates/blue to the folder code/ However:

shell_exec("cp -r 'templates/blue' 'code'");

Creates a folder called blue inside code. I tried cp -r 'templates/blue/*' 'code', but that didn't do anything. Any ideas?
Hi, little help needed. I have created a new website. In the index.php file I want to show records from the database. Now, here is how the problem arises: I want to import code from github instead of hosting those files on my server because I want to keep it opensource. Below is the code I am using

<?php
// connect to the database
include('connect-db.php');
// get results from database
$sql = "SELECT id, upadhi, name FROM munishri";
$result = $conn->query($sql);
if ($result->num_rows > 0) {
    // output data of each row
    while($row = $result->fetch_assoc()) {
        echo "id: " . $row["id"]. " - Name: " . $row["upadhi"]. " " . $row["name"]. "<br>";
    }
} else {
    echo "0 results";
}
// close connection
$conn->close();
?>

Can I host the code to show the result in another file and use something like

<?php
// connect to the database
include('connect-db.php');
// get results from database
include('http://rawgit.com/th...database.php');
?>

Does anyone have a better idea to protect PHP files so that you can distribute a 'release' without the customer being able to read the source files? There are tools on the internet which cost money, BUT you are dependent on their software and if it's not open source, it's not trustworthy. What I've done so far is writing an ISAPI DLL in Borland C++ and installed it under IIS6. Basically you call this ISAPI DLL and it decrypts the encrypted php files and executes them respectively. It is thread safe (as is php). There are other methods available on the net that you use to encrypt your pages, BUT the decryption algorithm is found in your main php file and duh, if you can read the main file, you can easily decrypt all other files, so that is a bad idea. Any other ideas? Possibly to write a PHP extension perhaps but I have not been able to get that working on Borland C++.

Looking for a way to view the PHP source code of any PHP page on the web. Looking for a way to obtain PHP source code in order to help me with a certain issue. Advise.
So I am completely done with my forum after several posts here and a lot of time. But crap! I just realized that the way my avatar system works it will give away the password! I REALLY don't want to redo that system because truth is it is about 40 percent of the entire site's coding. It works by making pictures in a directory named the username.thepassword. Whatever filesystem. Now when I echo the path everyone can see the password and username in the source code! And they can click it to see the picture! Is there a way to hide the paths or the source code? Thanks!
How to edit my source code so the output prints correctly ?
Currently testing a site that's almost built, am going to be including php on a sidebar on all pages so thought it'd be easier to just make all pages .php, however when I upload and try and view, in Firefox it just displays the source code on screen! It does it on other computers, but works fine in IE! ARRGGGHH Anyone have a clue? Kind Regards, Chris

Hello all, I have a feeling I'm doing something wrong, but I have no idea what. Being server-side code, php should not show when you 'view page source' in your browser (or rather it should display as html), correct? Why, then, am I seeing php code when I view page source? See attached image.

Hi, I need to extract the integers from the source code:
<span class=CatLevel1><a onclick="Javascript:ShowMeu('21');">Arts</a> (9768)</span>
<span class=CatLevel1><a onclick="Javascript:ShowMeu('271');">Industrial Products</a> (9321)</span>
<span class=CatLevel1><a onclick="Javascript:ShowMeu('1273');">Baby</a> (11407)</span>

What is the pattern that I can use to retrieve all the integers in the brackets (9768, 9321, 11407)? This is my php code:

<!DOCTYPE html>
<html>
<body>
<?php
$file_string = file_get_contents('http://www.lelong.com.my/');
preg_match('/<title>(.*)<\/title>/i', $file_string, $title); //pattern
$title_out = $title[1];
echo $title_out;
?>
</body>
</html>

Thanks

Edited by Raex, 22 August 2014 - 12:49 AM.

Well basically I'm trying to do what the subject says. I've done my homework and had around 10 examples of using curl, but none of them worked in my case. This is the final code I'm using

<?php
$cookiefile = '/temp/cookies.txt';
# 2 ways I've tried doing
#$data = array('edit[username]' => 'REMOVED', 'edit[password]' => 'REMOVED', 'edit[submit]' => 'Login');
$data = array('username' => 'REMOVED', 'password' => 'REMOVED', 'submit' => 'Login');
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, 'http://pokerrpg.com');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiefile);
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiefile);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
curl_exec($ch);
curl_setopt($ch, CURLOPT_URL, 'http://pokerrpg.com/furniture_store.php');
$contents = curl_exec($ch);
$headers = curl_getinfo($ch);
echo $contents;
curl_close($ch);
unlink($cookiefile);
?>

I'm not sure about the cookie file, but I just made a txt file at that location, an empty txt file. Hope it's fine. The page I'm trying is http://pokerrpg.com, you can even look at the source code and see that both of these fields do exist. When I run it, the output is a login page without logging in, so it does not log in.
Ok this has been driving me absolutely crazy. I have a script that gets called by Prototype's Ajax.Updater() class which should then update a div. It does update the div but a portion of what gets outputted doesn't render.

if (is_array($PROCESSED["associated_proxy_ids"]) && count($PROCESSED["associated_proxy_ids"])) {
    foreach ($PROCESSED["associated_proxy_ids"] as $student) {
        if ((array_key_exists($student, $STUDENT_LIST)) && is_array($STUDENT_LIST[$student])) {
?>
<li class="user" id="audience_student_<?php echo $STUDENT_LIST[$student]["proxy_id"]; ?>" style="cursor: move;"><?php echo $STUDENT_LIST[$student]["fullname"]; ?><img src="<?php echo ENTRADA_URL; ?>/images/action-delete.gif" onclick="removeAudience('student_<?php echo $STUDENT_LIST[$student]["proxy_id"]; ?>', 'students');" class="list-cancel-image" /></li>
<?php
        }
    }
}

I've echoed from within the foreach and the following if and the $student variable does have a value, however I'll point out that it also doesn't render but that may be because it's not a <li>, I'm not sure. Now, if I take that li element line and output it outside of the foreach loop it renders just fine (once I substitute the $student variable for a known index of course). Inside the loop it doesn't. I can see it in the source code of the page but for some reason it's not rendering. I'll put the output from the source of the page below, the top is the code output from within the loop and the bottom is from outside of the loop. The bottom renders as expected, the top doesn't.
<!--foreach li element:doesn't render-->
<li class="user" id="audience_student_2" style="cursor: move;">Hudson, Tom<img src="http://localhost/entrada/www-root/images/action-delete.gif" onclick="removeAudience('student_2', 'students');" class="list-cancel-image" /></li>
<!--non foreach li element:renders-->
<li class="user" id="audience_student_2" style="cursor: move;">Hudson, Tom<img src="http://localhost/entrada/www-root/images/action-delete.gif" onclick="removeAudience('student_2', 'students');" class="list-cancel-image" /></li>

They're identical. I can't figure out for the life of me why this isn't working. Any help would be great.

Hey guys, first post here, so feel free to flame me if I'm violating the rules somehow. So, the issue is this: I built an eBay listing creator for a customer. It consists of a form with several fields being posted to a page that assembles everything into a listing (text, images, radio buttons etc.). Now, what I want to do is to easily allow the customer to copy the compiled source code into the clipboard (or a txt file, doesn't really matter) - in order to easily copy it into eBay. I tried it with cURL, but all I get is the source without the posted information. I must be missing something there. Any help would be appreciated, if you need links or code I've used, I'll provide. Thanks in advance!

Hi, I need a small help. Here is my situation. I am using a MVC application (e.g. Joomla or Drupal) which has a .htaccess redirect rule that all requests are passed through the index.php file. That's normal and this is my main application. Now I installed another application within the application folder structure. What I want to do here is to allow opening the third party application URLs after one has logged into my main application. Can anybody provide me some pointers to do the same? Please let me know if you need any further information on this. Any solution irrespective of framework will work. Thanks!
Anupam

Hi guys, I am making a bot which only scrapes the source code of the site AFTER logging into the site. The script to login is:

<?php
$username="xxx";
$password="iwonttellyou";
$url="http://internet.com/login.php";
$cookie="cookie.txt";
$postdata = "name=".$username."&password=".$password;
$ch = curl_init();
curl_setopt ($ch, CURLOPT_URL, $url);
curl_setopt ($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
curl_setopt ($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6");
curl_setopt ($ch, CURLOPT_TIMEOUT, 60);
curl_setopt ($ch, CURLOPT_FOLLOWLOCATION, 0);
curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt ($ch, CURLOPT_COOKIEJAR, $cookie);
curl_setopt ($ch, CURLOPT_REFERER, $url);
curl_setopt ($ch, CURLOPT_POSTFIELDS, $postdata);
curl_setopt ($ch, CURLOPT_POST, 1);
$result = curl_exec ($ch);
echo $result;
?>

I can see different SESSION IDs in cookie.txt every time I compile this code, which makes me believe it's working. However, what next? How should I go to that site again, already logged in, and scrape the data? Some suggestions would be nice.

Hey guys,
I'm facing an issue compiling the above stack from source code inside lxc using CentOS 6.5 as a domain OS.
[lxc@lxc1 httpd-2.4.9]$ ./configure --with-included-apr
checking for chosen layout... Apache
checking for working mkdir -p... yes
checking for grep that handles long lines and -e... /bin/grep
checking for egrep... /bin/grep -E
checking build system type... x86_64-unknown-linux-gnu
checking host system type... x86_64-unknown-linux-gnu
checking target system type... x86_64-unknown-linux-gnu
configure:
configure: Configuring Apache Portable Runtime library...
configure:
configure: configuring package in srclib/apr now
checking build system type... x86_64-unknown-linux-gnu
checking host system type... x86_64-unknown-linux-gnu
checking target system type... x86_64-unknown-linux-gnu
Configuring APR library
Platform: x86_64-unknown-linux-gnu
checking for working mkdir -p... yes
APR Version: 1.5.1
checking for chosen layout... apr
checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables...
checking whether we are cross compiling... configure: error: in `/home/lxc/httpd-2.4.9/srclib/apr':
configure: error: cannot run C compiled programs.
If you meant to cross compile, use `--host'.
See `config.log' for more details
configure failed for srclib/apr

This problem has been detected by me when I replaced my desktop machine with a new one and installed CentOS again. Such a problem never happened before using my old machine with the same version of OS and libvirt. Just to be clear, a new selinux policy in the "domain machine" has been created to be able to use the "dbus daemon" for all containers, and if I try to compile this stack from source using the "domain os" this problem never happens at all. All "Development tools" are installed in this particular container, in case someone asks me why I get the following error message - "configure: error: cannot run C compiled programs". Any ideas?

Edited by jazzman1, 08 June 2014 - 01:37 PM.