PHP - Encrypt Variable Is Url So I Can See It But Nobody Else

Hey guys!
I have a doubt and this is a question that relates Flash and PHP...

I have a flash (swf) file that grabs/sends variables from/to php.
That swf file is FULLY encrypted and the paths to the PHP urls are also encrypted.

Is there any other way a hacker could find out where and which my PHP files are located/named?

Any ideas, suggestions?
Thanks in advance!
Cheers,

Can php encrypt a link so that it's hidden or expires after a download or x number of days? An example of this use would be on music download sites.

This is my code it's not working.

$username = $_POST['username'];


        $password = $_POST['password'];
        $encrypt_password = md5($password);

        $email = $_POST['email'];


        $usrsql = "SELECT * FROM $tbl_name WHERE username='$username' AND password='$encrypt_password'";

//--> Below is the INSERT Code

$query = "INSERT INTO `x_users` (username, password, email) VALUES ('$username', '$encrypt_password', '$email')";

        $result = mysql_query($query);

        if($result == 1) {

            print("Thank you, your accout has been created!");
        }

Can anyone tell me why the md5() function is not working?
Edited by Tom8001, 28 November 2014 - 07:49 PM.

Hi.

I have made a login script, but I would wan't to encrypt the password.
I followed a tutorial and got this:
login.php
<?php
$password = "secret";

echo $password;
/* displays secret */

$password = sha1($password);

echo $password; 
/* displays e5e9fa1ba31ecd1ae84f75caaa474f3a663f05f4 */
?>
<form action="validate.php" method="post">
  <label for="username">Username</label>
  <input type="text" name="username" id="username" />
  <br />
  <label for="password">Password</label>
  <input type="password" name="password" id="password" />
  <br />
  <input type="submit" name="submit" value="Submit" />
</form>
<?php
?>

validate.php

<?php
include "setup.php";

/* get the incoming ID and password hash */
$username=$_POST['username'];
$password=$_POST['password']; 
$password=md5($password); // Encrypted Password

/* establish a connection with the database */
$server = mysql_connect("$db_host", "$db_username","$db_password");
if (!$server) die(mysql_error());
mysql_select_db("$database");

  
/* SQL statement to query the database */
$query = "SELECT * FROM users WHERE Username = '$username' AND Password = '$password'";

/* query the database */
$result = mysql_query($query);

/* Allow access if a matching record was found, else deny access. */
if (mysql_fetch_row($result))
  echo "Access Granted: Welcome, $username!";
else
  echo "Access Denied: Invalid Credentials.";

mysql_close($server);  
?>

Its the line $password=md5($password); // Encrypted Password
that messes everything up.
If I delete it and login, everything is fine, if I add it it says Code: [Select]
Access Denied: Invalid Credentials
I need help with this one!
And if someone have time, give me some ideas how to make PHP scripts safer!

Regards
Worqy

Hello everyone... I am developing a software as a service program for use by multiple companies, each would have their own instance of the application... The part that I am not really to clear on, is what would be the most secure, with low latency, PHP method of encrypting/decrypting data to and from the database... all data is sent over SSL... I would also want to use a unique key for each company... Access to the program itself is protected from the outside by a user based log in system...

How can I encrypt POST data from a form? Basically, I want to ensure that the data on the form is not in plain text ever. Is this possible?

<form method="post">
<input type="text" name="email" size="40">
<input type="password" name="password"/>
...


Basically, when this posts, I want to do a foreach on $_POST and see something like:
password = 1f3870be274f6c49b3e31a0c6728957f
  and not
password = stringTheUserTyped

I hope what I'm asking for is clear.
(PHP 5.2.14)

Thanks!

I am currently recoding a website from ASP to PHP.

The aim is for a customer to add items to a cart, fill in their credit card details.
Then an email is encrypted (on the secure website) and sent to the client.

The client then opens the email on her PC and it is decoded either when she opens the e-mail, or downloads an attachment that can be opened by a program
that requires a password. Once entered the order is revealed, the e-mail is decrypted.

I just wondered if anyone has any link to sites where I can download the de-crypting software to install on the clients machine.

Or any other ideas on sending an encrypting email and decrypting on the recipients computer.

Many thanks.

Hi.
I  purchased software for a PayPal subscription management system, and it relies on user verification by way of a username (email address) and a hashed password.

I have also developed my own login scripts for an application which also uses a hashed md5 password and all that works fine. I want to integrate my scripts with the purchased software using the supplied mySql database tables.

My problem is that the supplied software goes a step further than a hashed md5 password by applying initializing vectors to the hashed password. I cannot figure out how to modify my login code to accommodate the encrypted password that appears in the database.

It is beyond my current abilities to work this out on my own. I'd really appreciate it if anyone can help.

I've attached my own login script below, and Ive attached what I believe is the decryption code that comes with the purchased software. There is also a database file that relates to this.

Hope someone can help me.

<?php
session_start();
if ($_POST['password']) {
//Connect to the database 
    include_once "db_connect.php";    
$email = stripslashes($_POST['payer_email']);
$email = strip_tags($email);
$email = mysql_real_escape_string($email);
$password = preg_replace("/[^A-Za-z0-9]/", "", $_POST['password']); // filter everything but numbers and letters
$password = md5($password);
// Make query and then register all relevant database data into SESSION variables.
$sql = mysql_query("SELECT * FROM sec_tblusers WHERE payer_email='$email' AND password='$password' AND signedup='1'") or die("failed"); 
$login_check = mysql_num_rows($sql);
if($login_check > 0){ 
    while($row = mysql_fetch_array($sql)){ 
        // Get member data into a session variable
        $id = $row["recid"];   
        session_register('recid'); 
        $_SESSION['recid'] = $id;
   
        $payer_email = $row["payer_email"]; 
        session_register('payer_email'); 
        $_SESSION['payer_email'] = $payer_email;
        
        $password = $row["password"]; 
        session_register('password'); 
        $_SESSION['password'] = $password;        
           
        $iv = $row["iv"]; 
        session_register('iv'); 
        $_SESSION['iv'] = $iv;
         
        $signedup = $row["signedup"]; 
        session_register('signedup'); 
        $_SESSION['signedup'] = $signedup;
         
        $lastlogin = $row["lastlogin"]; 
        session_register('lastlogin'); 
        $_SESSION['lastlogin'] = $lastlogin;
    
        // Update last_log_date field for this member now
        mysql_query("UPDATE sec_tblusers SET lastlogin=now() WHERE recid='$id'");
        // Print success message here then exit the script
        //header("location: member_profile.php?id=$id"); 
        header("location: adduser.php?id=$id"); 
        exit();
    } // close while
} else {
// Print login failure message to the user and link them back to your login page
  print '<br /><br /><font color="#FF0000">You do not show in our records as a subscriber. Has the subscription expired?</font><br />
<br /><a href="../main.php">Click here</a> to go back.';
  exit();
}
}// close if post
?> 

What I think is the decrypting code that comes with the purchased software goes like this.

<?php 
//---------------------------------------
//Given the payer_email address, return the decrypted password
function getpassword($payer_email, $dbhost, $dbusername, $dbpass, $dbname, $dbprefix, &$message) {

    $dl = new DataLayer();
    $dl->debug=false;
    $dl->connect( $dbhost, $dbusername, $dbpass, $dbname )  or die ( "Database connection error " . $dl->geterror() );
       
    //SELECT password, iv FROM sec_tblusers WHERE payer_email = '" . $payer_email . "'"
    $cols = array("password", "iv");
    $table = $dl->select( $dbprefix."sec_tblusers", "", $cols, "payer_email = '$payer_email'", "" );

    if ($dl->geterror()) {
        $message = "SQL error - user.php ref 58 " . $dl->geterror();
        exit;
    }

    $IV = $table[0]['iv'];
    $password = $table[0]['password'];

    $decryption = new password($IV, $password);
    $decryption->decode();
    $decode = $decryption->getdecodedtext();

    return $decode;

}


//------------------------------------
?> 

The database table is here.

Code: [Select]
-- Table structure for table `sec_tblusers`
--

CREATE TABLE `sec_tblusers` (
  `recid` int(11) NOT NULL AUTO_INCREMENT,
  `payer_email` varchar(100) NOT NULL,
  `password` varchar(50) DEFAULT NULL,
  `iv` int(11) DEFAULT NULL,
  `signedup` int(11) NOT NULL DEFAULT '0',
  `signupdate` datetime NOT NULL,
  `lastlogin` datetime NOT NULL,
  PRIMARY KEY (`recid`),
  UNIQUE KEY `payer_email` (`payer_email`),
  KEY `password` (`password`),
  KEY `signedup` (`signedup`),
  KEY `lastlogin` (`lastlogin`),
  KEY `signupdate` (`signupdate`)
) ENGINE=MyISAM  DEFAULT CHARSET=latin1 AUTO_INCREMENT=22 ;

--
-- Dumping data for table `sec_tblusers`
--

INSERT INTO `sec_tblusers` (`recid`, `payer_email`, `password`, `iv`, `signedup`, `signupdate`, `lastlogin`) VALUES
(5, 'someone@gmail.com', 'cRbeAWgN3 ', 316, 1, '0000-00-00 00:00:00', '2010-11-10 22:29:06'),
(6, 'someoneelse@gmail.com', 'cRbeAWgN3 ', 269, 1, '0000-00-00 00:00:00', '0000-00-00 00:00:00');
I suspect that there may be some other relevant code in the purchased software, and I could hunt that up if someone could tell me what I should look for.

Anyway, I'm really in need of some help, or some advice.

Cheers, everyone.

I have an ecommerce site on shared hosting enviroment. My ecommerce site stores customer data (name, address, email, phone, and item purchase) in mySQL database.

(No super private data like credit card numbers or social security numbers.)

Using openssl (openssl_cipher, iv, etc.), I've been encrypting this customer data and storing the encrypted data in mySQL.

Today, I'm thinking "what's the point." It's like having a lockbox with the key on the wall above...

My thoughts:
1. The "secret cyphers" are located on my server, so if someone hacks my server, they'll get the secret cyphers anyway.
2. Encrypting the Customer Data will add, at the most, 5 extra minutes, for the hacker to find.
3. Perhaps if mySQL was stored on a different server, encrypting may be useful... but mySQL is on same server.
4. On the flipside, if I did get hacked, at least I could demonstrate I tried my best to encrypt what I could...

What do you all think?

Sorry for my bad english. I am not from around these parts.

 

Hello all. I am very new to PHP, and I am not sure where to look or what I'm looking for in my current assignment.

My task is to take in two numbers between 0-100. Once I take in that number, it should state beside it "The __ was accepted."
The program should not accept any numbers greater than 100 or any characters.

Once I do this, I must take a second number and do a similar thing.

Finally, I must have a statement show up at the bottom stating which number is greater.

Essentially, I need help in determining what I should use to place parameters, and how I can keep the program from echo ing any statement until input has been taken and tested for parameters.

Any help you can provide will be greatly appreciated!

I am trying to allow the user to update a variable he chooses by radio buttons, which they will then input text into a box, and submit, to change some attributes. I really need some help here.  It works just fine until I add the second layer of variables on top of it, and I can't find the answer to this question anywhere.

<?PHP require('connect.php'); ?>

<form action ='' method='post'> <select name="id">

<?php
$extract = mysql_query("SELECT * FROM cars");
   
   while($row=mysql_fetch_assoc($extract)){
   $id = $row['id'];
   $make= $row['make'];
   $model= $row['model'];
   $year= $row['year'];
   $color= $row['color'];

echo "<option value=$id>$color $year $make $model</option>
";}?>

</select>

Which attribute would you like to change?<br />
<input type="radio" name="getchanged" value="make"/>Make<br />
<input type="radio" name="getchanged" value="model"/>Model<br />
<input type="radio" name="getchanged" value="year" />Year<br />
<input type="radio" name="getchanged" value="color"   />Color<br /><br />

   <br /><input type='text' value='' name='tochange'>
   <input type='submit' value='Change' name='submit'>

</form>

//This is where I need help...

<?PHP
if(isset($_POST['submit'])&&($_POST['tochange'])){
mysql_query("
   UPDATE cars
   SET '$_POST[getchanged]'='$_POST[tochange]'
   where id = '$_POST[id]'
         ");}?>

I have just re-installed Xampp and suddenly my sites are now displaying lots of:

Notice: Use of undefined constant name - assumed 'name' in ...
Notice: Use of undefined constant price - assumed 'price' in ...

this is an example of the line its refering too:

$defineProducts[1001] = array(name=>'This is a product', price=>123);

My login script stores the user's login name as $_SESSION[ 'name'] on login. For some unapparent reason, i'm getting errors stating that $user  and $priv are  undefined variables, though I've attempted to define $user as being equal to $_SESSION['name'], using $user to look up the the user's privilege level (stored as the su column ) in the SQL table, and then where the result of the sql query is $priv which is then evaluated in an if statement. I can't seem to figure out why this might not be working.

The code I'm using:

<?php
session_start();
function verify() {
	//verify that the user is logged in via the login page. Session_start has already been called. 
	if (!isset($_SESSION['loggedin'])) {
	header('Location: /index.html'); 
	exit;
	}
	//if user is logged in, we then lookup necessary privleges. $_SESSION['name'] was written with the login name upon login. Privleges   // are written in db as a single-digit integer of of 0 for users, 1 for administrators, and 2 for special users. 
        $user === $_SESSION['name'];
    //Connect to Databse
	$link = mysqli_connect("127.0.0.1", "database user", "password", "database");
	if (!$link) {
  	  echo "Error: Unable to connect to MySQL." . PHP_EOL;
    	echo "Debugging errno: " . mysqli_connect_errno() . PHP_EOL;
    	echo "Debugging error: " . mysqli_connect_error() . PHP_EOL;
    	exit;
        }
        //SQL Statement to lookup privlege information. 
       if ($result = mysqli_query($link, "SELECT su FROM accounts WHERE username = $user", MYSQLI_STORE_RESULT)) {
         //LOOP TO CYCLE THROUGH SQL RESULTS AND STORE Privlege information as vairable $priv.
            while ($row = $result->fetch_assoc()) {
           $priv === $row["su"];
            }
        }
        // close SQL connection.
        mysqli_close($link);

 // Verify privleges and take action. Only a privlege of "1" is allowed to view this page. A privlege of "2" indicates special 
//accounts used in other scripts that have certain indermediate additional functions, but are not trusted administrators. 

        if ($priv !== 1) {
        echo $_SESSION['name'];
        echo "you have privlege level of $priv";
        echo "<br>";
        echo 'Your account does not have the privleges necessary to view this page';
        exit;
        }
        
}
verify();
?>

 

I have a script that adds points together based upon the placing. This is the actual script:

Code: [Select]
<? $points = 0;

if($place === '1st') {$points = $points + 50;}
elseif($place === '2nd') {$points = $points + 45;}
elseif($place === '3rd') {$points = $points + 40;}
elseif($place === '4th') {$points = $points + 35;}
elseif($place === '5th') {$points = $points + 30;}
elseif($place === '6th') {$points = $points + 25;}
elseif($place === '7th') {$points = $points + 20;}
elseif($place === '8th') {$points = $points + 10;}
elseif($place === '9th') {$points = $points + 10;}
elseif($place === '10th') {$points = $points + 10;}
elseif($place === 'CH') {$points = $points + 50;}
elseif($place === 'RCH') {$points = $points + 40;}
elseif($place === 'TT') {$points = $points + 30;}
elseif($place === 'T5') {$points = $points + 30;}
elseif($place === 'Champion') {$points = $points + 50;}
elseif($place === 'Reserve Champion') {$points = $points + 40;}

echo "Total HF Points: $points";
?>What it *should* do (my friend's script works the same way and it works) it starts at points = 0, than if there is a first place, it adds 50, and so forth until it reaches the end.

It is included into a file, in this area:

Code: [Select]
<div class="tabbertab">
<h2>Records</h2>
<? $query92 = "SELECT * FROM THISTABLE WHERE VARIABLE='$id' OR VARIABLE = '$name' ORDER BY ABS(VARIABLE), VARIABLE";
$result92 = mysql_query($query92) or die (mysql_error());

echo "<table class='record'>
<tr><th>Show</th> <th>Class</th> <th>Place</th></tr>
";

while($row92 = mysql_fetch_array($result92)) {
$class = $row92['class'];
$place = $row92['place'];
$entries = $row92['entries'];
$race = $row92['show'];
$purse = number_format($row92['purse'],2);

echo "<tr><td>$race</td> <td>$class</td> <td>$place</td></tr>";
}
?>
<tr><td colspan='3'><div align='right'><? include('includes/points.php'); ?></div></td></tr>
</table>
</div>

This is the code that is relevant. When ended here, it echoes the last place that appears in the results (such as a 5th place echoing 30 points). When I move it to be included in the while loop, it shows Total Points: 50 Total Points: 25 Total Points: 10 (depending on the results displayed on that page). What am I doing wrong?

Hello everyone,

I can get Test 2 to successfully operate the if statement using a variable variable.

But when I try the same method using a session variable (Test 1) the if statement is not executed. Please could you tell me why the if statement in Test 1 is not being executed?

Code: [Select]

<?php
# TEST 1
$_SESSION[test_variable] = "abcd";
$session_variable_name = "_SESSION[test_variable]";
if ($$session_variable_name == "abcd")
{
echo "<br>line 373, abcd<br>";
}

# TEST 2
$test_variable = "efgh";
$test_variable_name = "test_variable";
if ($$test_variable_name == "efgh")
{
echo "<br>line 379, efgh<br>";
}

?>
Many thanks,

Stu