PHP - Protect Php Source Code

So I am completely done with my forum after several posts here and a lot of time. But crap! I just realized that the way my avatar system works it will give away the password! I REALLY don't want to redo that system because truth is it is about 40 percent of the entire sites coding. It works by making pictures in a directory named the usersname.thepassword . Whatever filesystem. Now when I echo the path everyone can see the password and username in the source code! And thy can click it to see the picture! Is there a way to hide the paths or the source codeM thanks!

Hello all,

i have a feeling im doing something wrong, but i have no idea what.

being server-side code, php should not show when you 'view page source' in your browser (or rather it should display as html), correct ?

why, then am i seeing php code when i view page source?

see attached image

Currently testing a site thats almost built, am going to be including php on a sidebar on all pages so thought it'd be easier to just make all pages .php, however when i upload and try and view, in Firefox it just displays the source code on screen! It does it on other computers, but works fine in IE! ARRGGGHH

Anyone have a clue?

Kind Regards, Chris

I've been developing a php application that runs my entire company for the last 4 years. One of the things I never thought of until now is that the server guys or anyone else could copy the source code and db and be able to start up another company which brings up my question to you.... How would you protect your application?

My thought is to create one small php file that is encrypted with something that is required to make the entire site run (not sure at this point what it would be that they couldn't just rebuild). Then if this file sees it's on a different domain/ip it requests data from my site which logs the info for me to look at. If I find out it's something not approved, it would then not allow the program to run and will give a error.

What is your idea?

Ok this has been driving me absolutely crazy. I have a script that gets called by Prototype's Ajax.Updater() class which should then update a div. It does update the div but a portion of what gets outputted doesn't render.

Code: [Select]

if (is_array($PROCESSED["associated_proxy_ids"]) && count($PROCESSED["associated_proxy_ids"])) {
foreach ($PROCESSED["associated_proxy_ids"] as $student) {
                if ((array_key_exists($student, $STUDENT_LIST)) && is_array($STUDENT_LIST[$student])) {
?>
<li class="user" id="audience_student_<?php echo $STUDENT_LIST[$student]["proxy_id"]; ?>" style="cursor: move;"><?php echo $STUDENT_LIST[$student]["fullname"]; ?><img src="<?php echo ENTRADA_URL; ?>/images/action-delete.gif" onclick="removeAudience('student_<?php echo $STUDENT_LIST[$student]["proxy_id"]; ?>', 'students');" class="list-cancel-image" /></li>
<?php
}
}
}
I've echoed from within the foreach and the following if and the $student variable does have a value, however I'll point out that it also doesn't render but that may be because its not a <li>, I'm not sure. Now, if I take that li element lin end output it outside of the foreach loop it renders just fine(once I substitute the $student variable for a known index of course). Inside the loop it doesn't. I can see it in the source code of the page but for some reason its not rendering. I'll put the output from the source of the page below, the top is the code output from within the loop and the bottom is from outside of the loop. The bottom renders as expected, the top doesn't.
Code: [Select]
<!--foreach li element:doesn't render-->
<li class="user" id="audience_student_2" style="cursor: move;">Hudson, Tom<img src="http://localhost/entrada/www-root/images/action-delete.gif" onclick="removeAudience('student_2', 'students');" class="list-cancel-image" /></li>

<!--non foreach li element:renders-->
<li class="user" id="audience_student_2" style="cursor: move;">Hudson, Tom<img src="http://localhost/entrada/www-root/images/action-delete.gif" onclick="removeAudience('student_2', 'students');" class="list-cancel-image" /></li>

They're identical.
I can't figure out for the life of me why this isn't working. Any help would be great.

Hi, I need to extract the integers from the source code:

<span class=CatLevel1><a onclick="Javascript:ShowMeu('21');">Arts</a>&nbsp;(9768)</span>
<span class=CatLevel1><a onclick="Javascript:ShowMeu('271');">Industrial Products</a>&nbsp;(9321)</span>
<span class=CatLevel1><a onclick="Javascript:ShowMeu('1273');">Baby</a>&nbsp;(11407)</span>

What are the pattern that I can use to retrieve all the integer in the bracket (9768, 9321, 11407)?    This is my php code: 

<!DOCTYPE html>
<html>
<body>


<?php
$file_string = file_get_contents('http://www.lelong.com.my/');
preg_match('/<title>(.*)<\/title>/i', $file_string, $title);     //pattern
$title_out = $title[1];
echo $title_out;
?>
 

</body>
</html>

Thanks
Edited by Raex, 22 August 2014 - 12:49 AM.

well basically im trying to do that the 'subject says.
ive done my homework and had around 10 examples of using curl, but none of them worked in my case.
this is the final code i'm using

<?php
$cookiefile = '/temp/cookies.txt';


#2 ways ive tried doing

#$data = array('edit[username]' => 'REMOVED', 'edit[password]' => 'REMOVED', 'edit[submit]' => 'Login');
$data = array('username] => 'REMOVED', 'password' => 'REMOVED', 'submit' => 'Login');




$ch = curl_init();

curl_setopt($ch, CURLOPT_URL, 'http://pokerrpg.com');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);

curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiefile);
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiefile);

curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $data);

curl_exec($ch);

curl_setopt($ch, CURLOPT_URL, 'http://pokerrpg.com/furniture_store.php');
$contents = curl_exec($ch);
$headers = curl_getinfo($ch);

echo $contents;

curl_close($ch);
unlink($cookiefile);
?>

im not sure about the cookie file, but i just made a txt file to that location. and empty txt file.  hope it's fine.

the page i'm trying is http://pokerrpg.com, you can even look the source code that both of these fields do exist.

when i run it, the output is a login page without logging in, so it does not log in. 

Hey guys,

First post here, so feel free to flame me if im violating the rules somehow.

So, the issue is this: i built an ebay listing creator for a customer. it conssists of a form with several fields being posted to a page that assembles everything into a listing (text, images, radio buttons etc.). now, what i want to do is to easily allow the customer to copy the compiled source code into the clipboard (or a txt file, doesnt really matters) - in order to easily copy it into ebay. I tried it with CURL, but all i get is the source without the posted information. I must be missing something there.

Any help would be appreciated, if you need links or codes iv's used, ill provide.

Thanks in advance!

Hi guys,

I am making a bot which only scrapes the source code of the site AFTER logging into the site.The script to login is :

Code: [Select]
<?php

    $username="xxx"; 
$password="iwonttellyou"; 
$url="http://internet.com/login.php"; 
$cookie="cookie.txt"; 

$postdata = "name=".$username."&password=".$password; 

$ch = curl_init(); 
curl_setopt ($ch, CURLOPT_URL, $url); 
curl_setopt ($ch, CURLOPT_SSL_VERIFYPEER, FALSE); 
curl_setopt ($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6"); 
curl_setopt ($ch, CURLOPT_TIMEOUT, 60); 
curl_setopt ($ch, CURLOPT_FOLLOWLOCATION, 0); 
curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1); 
curl_setopt ($ch, CURLOPT_COOKIEJAR, $cookie); 
curl_setopt ($ch, CURLOPT_REFERER, $url); 

curl_setopt ($ch, CURLOPT_POSTFIELDS, $postdata); 
curl_setopt ($ch, CURLOPT_POST, 1); 
$result = curl_exec ($ch); 

echo $result;  

?>

I can see different SESSION ID's in cookie.txt everytime i compile this code, which makes me believe its working.However what next?
How should i go to that site again, already logged in and scrape the data ? Some suggestions would be nice.

Hey guys, I'm facing an issue compiling the above stack from a source code inside lxc using centos 6.5 as a domain OS.     [lxc@lxc1 httpd-2.4.9]$ ./configure --with-included-apr
checking for chosen layout... Apache
checking for working mkdir -p... yes
checking for grep that handles long lines and -e... /bin/grep
checking for egrep... /bin/grep -E
checking build system type... x86_64-unknown-linux-gnu
checking host system type... x86_64-unknown-linux-gnu
checking target system type... x86_64-unknown-linux-gnu
configu
configu Configuring Apache Portable Runtime library...
configu
configuring package in srclib/apr now
checking build system type... x86_64-unknown-linux-gnu
checking host system type... x86_64-unknown-linux-gnu
checking target system type... x86_64-unknown-linux-gnu
Configuring APR library
Platform: x86_64-unknown-linux-gnu
checking for working mkdir -p... yes
APR Version: 1.5.1
checking for chosen layout... apr
checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables...
checking whether we are cross compiling... configu error: in `/home/lxc/httpd-2.4.9/srclib/apr':
configu error: cannot run C compiled programs.
If you meant to cross compile, use `--host'.
See `config.log' for more details
configure failed for srclib/apr
      This problem has been detected by me when I replaced my desktop machine with new one and installed a centOS again. This such a problem never happened before using my old machine with the same version of OS and libvirt. Just to be clear, a new selinux policy into a "domain machine" has been created to be able to use the "dbus daemon" to all containers and if I try to complile this stack from source using the "domain os" this problem never happens at all. All "Development tools" is installed to this particular container, in case someone asks me why I get the following error message - "configu error: cannot run C compiled programs" Any ideas?    
Edited by jazzman1, 08 June 2014 - 01:37 PM.

I am coding a login form. If the user forgets his password, he will click on a link where he will have to insert his email address, then, he will get a confirmation link in his inbox. After that, he willl click on the link, to redirect him to a page to create a new password.

The page link to create a new password (the confirmation link) is actually like this:

http://xxxxx.forgetpassword.php

I want that when it will appear in the user's inbox, it should be like this:

http://xxxxx.f135kkgg3f6f2f2.php

Well, you know what I mean, perhaps most of us have got this kind of URL when we forget a password. It is like encrypted or hashed something like that. So, how can I do it like this?

So I thought I was secure until I was debugging. I thought I'd give it a try to manually run queries though the url, and I'm able to execute them.

When you go to my downloads module, you can click on a category to view results from said category.
You can also modify the query executed to perform extra tasks to grab different results, here's an example:
http://zextcms.com/index.php?component=downloads&cat=0%27%20OR%20download_parent%20=%20%271

This shouldn't even be capable of happening. I have a script that recursively checks all post and get data and removes all special characters with htmlspecialchars().

I also have a class that handles all my queries, new data and update data is already sanitized with mysqli_escape_string() so that leaves me to finish securing $_GET variables.
I just double checked to see if I may have taken out htmlspecialchars for testing purposes and it is still in effect.

My code checks if get or post data is an array, if it is not it uses htmlspecialchars() on the key and value of the array and returns the cleansed version.  If there is an array, the function calls upon itself until it's done cleaning all dimensions of the array, so what am I forgetting?

Hi.  I am working on a website that sells online subscriptions to premium content.  On the low end this includes articles, and on the high end guides and books.

In the back of my mind I had always planned on putting this content into MySQL for safe keeping, but in the last day or so it has occurred to me that putting an entire book into MySQL could be cumbersome at best?!

Which leads to this question...

Can you easily protect a PHP page from unauthorized users and outsiders?

My original desire to put things in MySQL was driven much more by security than any of the more obvious reasons you'd use a database.

I will be putting articles into MySQL, but the more I think about it, trying to put a 500 or 1,000 page book into MySQL could be difficult at best.

For articles, I simple have a PHP page that loads up the article from MySQL and first checks that the logged in user has the proper access rights - meaning they are a paid subscriber - before allowing the article to load.

I could do that with a guide or book, but the question becomes, "How do you put even 500 pages into a database table and easily access it?"

What do you think?

 

 

In my javascript code i use ajax so i load a php file .. then on the success i have a function where i load a file there.. the thing is how can i secure it from direct access from the browser?

if i type the link of the file in the browser i can access it even tho it needs other files to run so it will return me errors.. how can i disable that?

Thanks.

EDIT: i have tried to put

if(!defined("MAIN")){
die('<tt>You cannot view this file directly!</tt>');
}

on the file i want to protect but then when i call the ajax on the success the file doesnt load on the page that i call it and shows the above die();

Hi,

I have a MySQL database with BLOB data (MS Word files, Excel, PowerPoint, PDF etc.). I have a show_file function that assembles the blobs to send the file to the browser. It's been working great for a decade. Now, I am looking to filter the data against XSS vulnerabilities, much like I do with strings using htmlentities(). How do you go about doing that with BLOB data? I'm assuming htmlentities() will strip out characters from the BLOB data that will render the file unusable, correct? Here is my function:

function show_file( $fileID ) {
$nodeList = array();
$fileInfo = get_record( 'FileList', 'fileID', $fileID ) or trigger_error( 'Not a valid file ID: ' . $fileID );
// Pull list of inodes
$nodes    = get_recordset( 'FileData', 'fileID', $fileID, 'blobID' );
if ( !$nodes ) { trigger_error( 'Failure to retrieve file inodes: ' . mysql_error() ); }  
while ( $node = mysql_fetch_array( $nodes ) ) { $nodeList[] = $node['blobID']; }
// Send down the header to the client
if ( strpos( $_SERVER['HTTP_USER_AGENT'], 'MSIE' ) ) { header( 'Cache-Control: public' ); }
header( 'Content-Type: ' . $fileInfo['fileType'] );
header( 'Content-Length: ' . $fileInfo['fileSize'] );
header( 'Content-Disposition: attachment; filename=' . $fileInfo['fileName'] );
// Loop thru and stream the nodes 1 by 1
for ( $z = 0; $z < count( $nodeList ); $z++ ) {
$query = 'SELECT fileData FROM FileData WHERE blobID = ' . $nodeList[$z];
if ( $result = mysql_query( $query ) ) {
echo mysql_result( $result, 0 );
} else {
trigger_error( 'Failure to retrieve file node data: ' . mysql_error() );
}
}
}


So, I am looking to do something like echo mysql_result( htmlentities($result), 0 );

Thanks for any help you may provide,
George.