PHP - Swf Encrypt Php Urls, Php Safe?
Hey guys!
I have a doubt and this is a question that relates Flash and PHP... I have a flash (swf) file that grabs/sends variables from/to php. That swf file is FULLY encrypted and the paths to the PHP urls are also encrypted. Is there any other way a hacker could find out where and which my PHP files are located/named? Any ideas, suggestions? Thanks in advance! Cheers, Similar TutorialsI am using seo friendly urls so when someone makes a post named "this is a post" the url will point to www.example.com/topic/this_is_a_post But when the user enters a character in their post name that means something in a url(? /) it obviously breaks. How can i make the urls safe from this without str_replace as i want to keep the characters. Hi all, I am looking a developing a script that instead of using something like mysite.com/showproduct.php?id=1 I would like it to appear as mysite.com/php-editor Is their a simple way of doing this? I would still need to pull info from a database so the page would still need to be dynamic, I just want it to appear static! I am used to using the get id function of php, what would the workaround be? would the id be hidden from the url but still usable in a query? I have had a look at the apache mod_rewrite, but quite frankly, I dont understand it! Cheers Hi I allow users to log in, they are redirected to a page and in the url their account ID is carried e.g. accountid=2. Obviously they could alter the number and potentially see other members details. What is the best way to hide this information? Thanks Hi, for my php program running in command line (windows cmd), the user must login first, so my ques is how can they enter the password as ***** when they are typing for example? all help appreciated. Hi all I wonder if somebody could give me some guidance on this. I manage a website programmed in PHP and having MySQL backend. Recently some of my clients raised concerns about the security of their data. It is not credit card information or so, however I would like to sort it out. I have a button on the web site which the clients click to tell me that their data should now be analysed and a report sent to them. My php program pulls out the records for this particular user and writes them into an excel file on my web space(on a shared hosting). The same php program then attaches this excel file to an email and sent it to me. I want to make sure that this data in the excel file is securely transmitted during the above process. Any help would be much appreciated. Carol Hi, I want to send a URL to a user with their name in it: index.php?user=tom how can I encrypt this name so that I can track what they do but if I was hacked nobody else could determine who the user was? Thanks Is there an alternative way to encode url params besides: base64_encode() examples would be great. Can php encrypt a link so that it's hidden or expires after a download or x number of days? An example of this use would be on music download sites. Hello! I've got an issue! I'm trying to pass a very very long variable from JS to PHP through $_GET, but it seems too long for get. Is there any encryption function that works on both JS and PHP, so I can encrypt it in JS, send it though GET and decrypt it in PHP? Thanks ! This is my code it's not working.
$username = $_POST['username']; $password = $_POST['password']; $encrypt_password = md5($password); $email = $_POST['email']; $usrsql = "SELECT * FROM $tbl_name WHERE username='$username' AND password='$encrypt_password'"; //--> Below is the INSERT Code $query = "INSERT INTO `x_users` (username, password, email) VALUES ('$username', '$encrypt_password', '$email')"; $result = mysql_query($query); if($result == 1) { print("Thank you, your accout has been created!"); }Can anyone tell me why the md5() function is not working? Edited by Tom8001, 28 November 2014 - 07:49 PM. Hi. I have made a login script, but I would wan't to encrypt the password. I followed a tutorial and got this: login.php <?php $password = "secret"; echo $password; /* displays secret */ $password = sha1($password); echo $password; /* displays e5e9fa1ba31ecd1ae84f75caaa474f3a663f05f4 */ ?> <form action="validate.php" method="post"> <label for="username">Username</label> <input type="text" name="username" id="username" /> <br /> <label for="password">Password</label> <input type="password" name="password" id="password" /> <br /> <input type="submit" name="submit" value="Submit" /> </form> <?php ?> validate.php <?php include "setup.php"; /* get the incoming ID and password hash */ $username=$_POST['username']; $password=$_POST['password']; $password=md5($password); // Encrypted Password /* establish a connection with the database */ $server = mysql_connect("$db_host", "$db_username","$db_password"); if (!$server) die(mysql_error()); mysql_select_db("$database"); /* SQL statement to query the database */ $query = "SELECT * FROM users WHERE Username = '$username' AND Password = '$password'"; /* query the database */ $result = mysql_query($query); /* Allow access if a matching record was found, else deny access. */ if (mysql_fetch_row($result)) echo "Access Granted: Welcome, $username!"; else echo "Access Denied: Invalid Credentials."; mysql_close($server); ?> Its the line $password=md5($password); // Encrypted Password that messes everything up. If I delete it and login, everything is fine, if I add it it says Code: [Select] Access Denied: Invalid Credentials I need help with this one! And if someone have time, give me some ideas how to make PHP scripts safer! Regards Worqy How can I encrypt POST data from a form? Basically, I want to ensure that the data on the form is not in plain text ever. Is this possible? <form method="post"> <input type="text" name="email" size="40"> <input type="password" name="password"/> ... Basically, when this posts, I want to do a foreach on $_POST and see something like: password = 1f3870be274f6c49b3e31a0c6728957f and not password = stringTheUserTyped I hope what I'm asking for is clear. (PHP 5.2.14) Thanks! Hello everyone... I am developing a software as a service program for use by multiple companies, each would have their own instance of the application... The part that I am not really to clear on, is what would be the most secure, with low latency, PHP method of encrypting/decrypting data to and from the database... all data is sent over SSL... I would also want to use a unique key for each company... Access to the program itself is protected from the outside by a user based log in system... I am currently recoding a website from ASP to PHP. The aim is for a customer to add items to a cart, fill in their credit card details. Then an email is encrypted (on the secure website) and sent to the client. The client then opens the email on her PC and it is decoded either when she opens the e-mail, or downloads an attachment that can be opened by a program that requires a password. Once entered the order is revealed, the e-mail is decrypted. I just wondered if anyone has any link to sites where I can download the de-crypting software to install on the clients machine. Or any other ideas on sending an encrypting email and decrypting on the recipients computer. Many thanks. I have an ecommerce site on shared hosting enviroment. My ecommerce site stores customer data (name, address, email, phone, and item purchase) in mySQL database. (No super private data like credit card numbers or social security numbers.) Using openssl (openssl_cipher, iv, etc.), I've been encrypting this customer data and storing the encrypted data in mySQL. Today, I'm thinking "what's the point." It's like having a lockbox with the key on the wall above...
My thoughts: What do you all think? Sorry for my bad english. I am not from around these parts.
Hi. I purchased software for a PayPal subscription management system, and it relies on user verification by way of a username (email address) and a hashed password. I have also developed my own login scripts for an application which also uses a hashed md5 password and all that works fine. I want to integrate my scripts with the purchased software using the supplied mySql database tables. My problem is that the supplied software goes a step further than a hashed md5 password by applying initializing vectors to the hashed password. I cannot figure out how to modify my login code to accommodate the encrypted password that appears in the database. It is beyond my current abilities to work this out on my own. I'd really appreciate it if anyone can help. I've attached my own login script below, and Ive attached what I believe is the decryption code that comes with the purchased software. There is also a database file that relates to this. Hope someone can help me. <?php session_start(); if ($_POST['password']) { //Connect to the database include_once "db_connect.php"; $email = stripslashes($_POST['payer_email']); $email = strip_tags($email); $email = mysql_real_escape_string($email); $password = preg_replace("/[^A-Za-z0-9]/", "", $_POST['password']); // filter everything but numbers and letters $password = md5($password); // Make query and then register all relevant database data into SESSION variables. $sql = mysql_query("SELECT * FROM sec_tblusers WHERE payer_email='$email' AND password='$password' AND signedup='1'") or die("failed"); $login_check = mysql_num_rows($sql); if($login_check > 0){ while($row = mysql_fetch_array($sql)){ // Get member data into a session variable $id = $row["recid"]; session_register('recid'); $_SESSION['recid'] = $id; $payer_email = $row["payer_email"]; session_register('payer_email'); $_SESSION['payer_email'] = $payer_email; $password = $row["password"]; session_register('password'); $_SESSION['password'] = $password; $iv = $row["iv"]; session_register('iv'); $_SESSION['iv'] = $iv; $signedup = $row["signedup"]; session_register('signedup'); $_SESSION['signedup'] = $signedup; $lastlogin = $row["lastlogin"]; session_register('lastlogin'); $_SESSION['lastlogin'] = $lastlogin; // Update last_log_date field for this member now mysql_query("UPDATE sec_tblusers SET lastlogin=now() WHERE recid='$id'"); // Print success message here then exit the script //header("location: member_profile.php?id=$id"); header("location: adduser.php?id=$id"); exit(); } // close while } else { // Print login failure message to the user and link them back to your login page print '<br /><br /><font color="#FF0000">You do not show in our records as a subscriber. Has the subscription expired?</font><br /> <br /><a href="../main.php">Click here</a> to go back.'; exit(); } }// close if post ?> What I think is the decrypting code that comes with the purchased software goes like this. <?php //--------------------------------------- //Given the payer_email address, return the decrypted password function getpassword($payer_email, $dbhost, $dbusername, $dbpass, $dbname, $dbprefix, &$message) { $dl = new DataLayer(); $dl->debug=false; $dl->connect( $dbhost, $dbusername, $dbpass, $dbname ) or die ( "Database connection error " . $dl->geterror() ); //SELECT password, iv FROM sec_tblusers WHERE payer_email = '" . $payer_email . "'" $cols = array("password", "iv"); $table = $dl->select( $dbprefix."sec_tblusers", "", $cols, "payer_email = '$payer_email'", "" ); if ($dl->geterror()) { $message = "SQL error - user.php ref 58 " . $dl->geterror(); exit; } $IV = $table[0]['iv']; $password = $table[0]['password']; $decryption = new password($IV, $password); $decryption->decode(); $decode = $decryption->getdecodedtext(); return $decode; } //------------------------------------ ?> The database table is here. Code: [Select] -- Table structure for table `sec_tblusers` -- CREATE TABLE `sec_tblusers` ( `recid` int(11) NOT NULL AUTO_INCREMENT, `payer_email` varchar(100) NOT NULL, `password` varchar(50) DEFAULT NULL, `iv` int(11) DEFAULT NULL, `signedup` int(11) NOT NULL DEFAULT '0', `signupdate` datetime NOT NULL, `lastlogin` datetime NOT NULL, PRIMARY KEY (`recid`), UNIQUE KEY `payer_email` (`payer_email`), KEY `password` (`password`), KEY `signedup` (`signedup`), KEY `lastlogin` (`lastlogin`), KEY `signupdate` (`signupdate`) ) ENGINE=MyISAM DEFAULT CHARSET=latin1 AUTO_INCREMENT=22 ; -- -- Dumping data for table `sec_tblusers` -- INSERT INTO `sec_tblusers` (`recid`, `payer_email`, `password`, `iv`, `signedup`, `signupdate`, `lastlogin`) VALUES (5, 'someone@gmail.com', 'cRbeAWgN3 ', 316, 1, '0000-00-00 00:00:00', '2010-11-10 22:29:06'), (6, 'someoneelse@gmail.com', 'cRbeAWgN3 ', 269, 1, '0000-00-00 00:00:00', '0000-00-00 00:00:00'); I suspect that there may be some other relevant code in the purchased software, and I could hunt that up if someone could tell me what I should look for. Anyway, I'm really in need of some help, or some advice. Cheers, everyone. Code: [Select] $stick_topic = isset($_POST['stick_topic']) ? '1' : '0'; does this need to be escaped while entering the database or no because the values could only be 1 or 0 ? srry it's just i got hacked so i am trying to do my security #1 using this below is it safe against hackers? Code: [Select] $post_id = intval($_GET['report']); if ($post_id < 1) message($lang_common['Bad request']); query: Code: [Select] $result = $db->query('SELECT subject, forum_id FROM '.$db->prefix.'topics WHERE id='.$topic_id) or error('Unable to fetch topic info', __FILE__, __LINE__, $db->error()); should i escape my $topic_id ? Hello all. Just wanted to run this past you guys to see if I am missing anything important. I am making a script that I plan to allow a lot of other people around the web to use, so I want to make sure it's as bullet proof as possible. I am passing two values and grabbing them with a _GET, one is a big number, and the other is only letters and 8 characters long. her's my code so far. Code: [Select] <?php $clan = $_GET['clanid']; // make sure its an INT //if(isint($clan)){ if(ereg("[^0-9]", $clan)){ //im an int. echo ("ERROR Invalid CLANID"); die; } // make sure its a 8 letter only word. $style=$_GET['style']; // cut style down to 8 characters long. $style=substr($style, 0, 8); if(ereg("[^a-zA-Z]+", $style)) { // Contains only letters. echo("ERROR Invalid STYLE NAME"); die; } ?> to my noob php eye's it looks pretty solid, I cant think of any way a malicious user could get past it, but like I said, thought I would run it past you guys first , you can never be to careful. I have a button that uses $_POST to send information to another page. The data is in a hidden input so it's not possible for users to change information. I have nothing to check if the data is correct on the other page. Is it still possible for people to change the $_POST data though? Or somehow send false $_POST data to the other page? |