
hacking PHP files


Postby argonauta » Wed Mar 05, 2003 11:43 am

hi there, this is my first post here :D

Mainly I'm a Flash designer, data warehouse developer, Java programmer (now I'm learning that). Anyway, I just know a little about PHP.

So, I'm a member at http://www.flashkit.com. I was having a discussion with another member about how to make scripts using passwords for database access, etc.

My suggestion is to have an additional PHP script that encrypts/decrypts passwords, so inside your PHP script you won't write your password like "babybaby", but "HGYUW&)4%$/8799jkjll" (encrypted)... that way if somebody hacks the PHP script, it will still be hard to know the password. Am I right, or am I inventing bullsh.... here?

The other thing is that I'm pretty sure I once saw a tool that let you download the original PHP scripts from a server, no matter what (so you wouldn't get the output HTML code, but the original scripts with the original PHP tags). Does that really exist, or am I inventing it?

The last question: just for reasons of security, I'd like to know how easy it is to hack PHP files (if you want, don't tell me how, just tell me if it's possible or not). And what are the best ways to protect the data of your PHP scripts?

I hope you can give me some guidelines. Thanks
argonauta
New php-forum User
Posts: 2
Joined: Wed Mar 05, 2003 11:32 am

Postby *JaH* » Wed Mar 05, 2003 1:58 pm

Hmmm, everything you're saying doesn't make any sense :) The only way that people could grab your PHP file is by hacking your server, but then they would also have the encrypt/decrypt PHP file :roll: ... it doesn't hurt to encrypt the passwords stored in your MySQL db though :)

But the ease of 'hacking a PHP file' really depends on the script itself... if you, for example, do this:

"SELECT name WHERE id=$_POST['id']"

then it's quite easy to grab the admin username/password of the SQL server...

Also, if you have register global variables on, it's dead simple to get control over the server...

Just validate every variable that has been posted by the visitor... :) and try to avoid using cookies for logging; use session control.
*JaH*
New php-forum User
Posts: 80
Joined: Fri Jan 31, 2003 4:18 pm
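
The string-built query from the post above beside a validated, bound-parameter lookup, as an added example that is not part of the original thread. The `users` table, its rows and the function names are constructed for illustration, and an in-memory SQLite database via PDO stands in for the MySQL server.

```php
<?php
// Added example, not code from the thread. Table, columns and rows are
// constructed; in-memory SQLite (PDO) stands in for the MySQL server.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users (id, name) VALUES (1, 'admin'), (2, 'alice'), (3, 'bob')");

// Pattern from the post: the posted value becomes part of the SQL text,
// so the visitor controls the structure of the statement.
function lookupConcatenated(PDO $db, string $id): array
{
    $sql = "SELECT name FROM users WHERE id=$id";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// "Validate every variable": accept only a positive integer, then bind it
// as a parameter so it is always treated as data, never as SQL.
function lookupValidated(PDO $db, string $id): array
{
    $clean = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($clean === false) {
        return []; // reject the request instead of querying
    }
    $stmt = $db->prepare('SELECT name FROM users WHERE id = :id');
    $stmt->bindValue(':id', $clean, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed inputs standing in for $_POST['id'].
foreach (['2', '2 OR 1=1', 'abc'] as $posted) {
    try {
        $unsafe = implode(',', lookupConcatenated($db, $posted));
    } catch (PDOException $e) {
        $unsafe = 'SQL error'; // malformed input reaches the SQL parser
    }
    $safe = implode(',', lookupValidated($db, $posted));
    printf("%-10s concatenated=[%s] validated=[%s]\n", $posted, $unsafe, $safe);
}
```

With the constructed input `2 OR 1=1` the concatenated query returns every row in the table, while the validated lookup rejects the value and returns nothing.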

Re: hacking PHP files

Postby WiZARD » Thu Mar 06, 2003 12:07 am

Hi argonauta!

argonauta wrote:Mainly I'm a Flash designer, data warehouse developer, Java programmer (now I'm learning that). Anyway, I just know a little about PHP.

PHP is very good for web programming when you combine PHP<-->Flash.

argonauta wrote:So, I'm a member at http://www.flashkit.com. I was having a discussion with another member about how to make scripts using passwords for database access, etc.

argonauta wrote:My suggestion is to have an additional PHP script that encrypts/decrypts passwords, so inside your PHP script you won't write your password like "babybaby", but "HGYUW&)4%$/8799jkjll" (encrypted)... that way if somebody hacks the PHP script, it will still be hard to know the password. Am I right, or am I inventing bullsh.... here?

My dear friend, if you think that somebody is hacking your PHP script, you are wrong, but in some situations some hacker may intrude into the server and get all the info about your script :!:
If you want to protect only the script, you may use the following:
ZendEncoder by Zend.com or
PHP Accelerator by IonCube.com

argonauta wrote:The other thing is that I'm pretty sure I once saw a tool that let you download the original PHP scripts from a server, no matter what (so you wouldn't get the output HTML code, but the original scripts with the original PHP tags). Does that really exist, or am I inventing it?

In PHP version 4.x.x you may set in Apache:
AddType application/x-httpd-php-source .phps

argonauta wrote:The last question: just for reasons of security, I'd like to know how easy it is to hack PHP files (if you want, don't tell me how, just tell me if it's possible or not). And what are the best ways to protect the data of your PHP scripts?

Actually no, but if you are a good programmer and a bad admin, anyone who wants to may hack your server and get all the info, as I said before...
WiZARD
Moderator
Posts: 1257
Joined: Thu Jun 20, 2002 10:14 pm
Location: Ukraine, Crimea, Simferopol

Postby Oleg Butuzov » Thu Mar 06, 2003 2:48 am

ZEND RULES!!!!
Oleg Butuzov
Last Samuray
Posts: 831
Joined: Sun Jun 02, 2002 3:09 am

Postby argonauta » Thu Mar 06, 2003 11:45 am

Hey, thanks for the info. I guess I gotta learn more about PHP. Gotta study :D

Your suggestions and info have been very useful. Thank you very much!
argonauta
New php-forum User
Posts: 2
Joined: Wed Mar 05, 2003 11:32 am

Postby WiZARD » Fri Mar 07, 2003 1:46 am

You're welcome! :^)
WiZARD
Moderator
Posts: 1257
Joined: Thu Jun 20, 2002 10:14 pm
Location: Ukraine, Crimea, Simferopol

Postby Ihoss » Tue May 27, 2003 12:58 am

There must be some way of viewing PHP files. lycos.co.uk lets you make PHP files on your website, so there must be some way of viewing them.

There is a PHP script which lets you see all the files in a folder and another one which lets you see the file source code, but I'm not sure if the script has to be saved on the same server as the folder you want to view.
Ihoss
New php-forum User
Posts: 17
Joined: Sun Mar 30, 2003 11:41 pm

Postby liquedus » Tue May 27, 2003 6:20 am

Ihoss, I'm pretty sure what you are talking about has to be on the same server, because if that was not the case, then I could run that script on my machine and access anyone's PHP scripts on the www.
liquedus
php-forum Active User
Posts: 266
Joined: Tue Apr 08, 2003 5:18 am
Location: Ottawa, Canada

Postby Oleg Butuzov » Wed May 28, 2003 12:34 am

liquedus wrote:Ihoss, I'm pretty sure what you are talking about has to be on the same server, because if that was not the case, then I could run that script on my machine and access anyone's PHP scripts on the www.

Only if you have the FTP login and password.

And no one can see the source file if the source has an extension associated with PHP...
Oleg Butuzov
Last Samuray
Posts: 831
Joined: Sun Jun 02, 2002 3:09 am

Postby bezmond » Wed May 28, 2003 12:56 am

if you want to cut down on idiots out there finding your scripts so easily, use a .php3 extension... I know it's outdated, but I know there are idiots out there who don't try .php3

Andrew
bezmond
Moderator
Posts: 312
Joined: Sat Apr 05, 2003 4:33 am
Location: Mansfield, UK

Postby WiZARD » Wed May 28, 2003 2:04 am

bezmond wrote:if you want to cut down on idiots out there finding your scripts so easily, use a .php3 extension... I know it's outdated, but I know there are idiots out there who don't try .php3

Andrew

In more situations, one little mistake by the programmer is a very big problem for the owner of the site! :wink:
WiZARD
Moderator
Posts: 1257
Joined: Thu Jun 20, 2002 10:14 pm
Location: Ukraine, Crimea, Simferopol

