
Posted: Wed Mar 05, 2003 1:58 pm
by *JaH*
Hmmm everything you're saying doesn't make any sense :) The only way that people could grab your php-file is by hacking your server, but then they would also have the encrypt/decrypt-php-file :roll: ..it doesn't hurt to encrypt the passwords stored in your mysql db though :)


but the easiness of 'hacking a php file' really depends on the script itself....if you for example do this:

"SELECT name WHERE id=$_POST['id']"

then it's quite easy to grab the admin username/password of the sql-server...

also if you have register global variables on, it's dead simple to get control over the server....

just validate every variable that has been posted by the visitor...:) and try to avoid using cookies for logging, use session-control.

Re: hacking PHP files

Posted: Thu Mar 06, 2003 12:07 am
by WiZARD
Hi argonauta!
Mainly I'm a flash designer, DataWarehouse Developer, java programmer (now I'm learning that). Anyway, I just know a little about PHP

PHP is very good for programming for the web when combining PHP<-->Flash
So, I'm a member at http://www.flashkit.com. I was having a discussion with another member about how to make scripts using passwords for database access, etc.

My suggestion is to have an additional phpscript, that encrypts decrypts passwords, so, inside your PHP script, you won't write your password like "babybaby", but "HGYUW&)4%$/8799jkjll" (encrypted)....that way if somebody hacks the phpscript, it will still be hard to know the password. Am I right, or am I inventing bullsh.... here?

My dear friend, if you think that somebody is hacking your PHP script, you are wrong, but in some situations some hacker may intrude into the server and get all info about your script :!:
If you want to protect only the script you may use the following:
ZendEncoder by Zend.com or
PHP Accelerator by IonCube.com
The other thing is, that I'm pretty sure once I saw a tool that let you download the original PHP scripts from a server, no matter what (so u wouldn't get the output html code, but the original scripts with the original php tags), does that really exist, or am I inventing it??????


In PHP version 4.x.x you may set this in Apache:
AddType application/x-httpd-php-source .phps
[quote]
The last question, just for reasons of security, I'd like to know how easy it is to hack php files (if you want, don't tell me how, just tell me if it's possible or not). And what are the best ways to protect the data of your phpscripts??????
[/quote]
Actually no, but if you are a good programmer and a bad admin, anyone who wants to may hack your server and get all the info, as I said before.....

Posted: Thu Mar 06, 2003 2:48 am
by Oleg Butuzov
ZEND RULES!!!!

Posted: Fri Mar 07, 2003 1:46 am
by WiZARD
You're welcome! :^)

Posted: Tue May 27, 2003 12:58 am
by Ihoss
there must be some way of viewing php files. lycos.co.uk lets u make php files on your website, so there must be some way of viewing them.

there is a php script which lets u see all the files in a folder and another one which lets u see the file source code, but I'm not sure if the script has to be saved on the same server as the folder u want to view.

Posted: Tue May 27, 2003 6:20 am
by liquedus
Ihoss, I'm pretty sure what you are talking about has to be on the same server, because if that was not the case, then I could run that script on my machine and access anyone's php scripts on the www

Posted: Wed May 28, 2003 12:34 am
by Oleg Butuzov
liquedus wrote: Ihoss, I'm pretty sure what you are talking about has to be on the same server, because if that was not the case, then I could run that script on my machine and access anyone's php scripts on the www

only if you have ftp login and password.

and no one can see the source file if the source has an extension associated with php...

Posted: Wed May 28, 2003 12:56 am
by bezmond
if you want to cut down on idiots out there finding your scripts so easily, use a .php3 extension... I know it's outdated, but I know there are idiots out there who don't try .php3

Andrew

Posted: Wed May 28, 2003 2:04 am
by WiZARD
bezmond wrote: if you want to cut down on idiots out there finding your scripts so easily, use a .php3 extension... I know it's outdated, but I know there are idiots out there who don't try .php3

Andrew

in more situations, one little mistake by the programmer is a very big problem for the owner of the site! :wink: