...

View Full Version : Problems protecting script file



JoeBobJr
01-15-2012, 03:53 AM
I've been messing with this for about half a day now and I've tried everything I can think of to make this work and it just won't work.

I'm trying to make a simple port checker to see if a port in an ip address is open. I want to protect the script file from being accessed directly and I also want it to check to see if both fields have been filled out before it will do anything if not then display a message to go back and fill both fields out first.

I've set up three different files. The form file, the script, config file. I'm out of ideas at this point even if you enter a ip address and port into the form and hit Test it displays a pursing error. I'm sure it's probably something really simple but I just can't figure it out some help would be greatly appreciated!

Error(0): Failed to parse address "" or port is closed

config.php


<?php
define('NoAccess', 1);
?>


testPort.php


<html>
<head>
<title>Port Tester</title>
</head>
<body>
<p>This is a script to test if a port is open on a certain ip address.</p>
<form method="post" action="port.php">
IP Address:<br />
<input id="ip" name="ip" type="text" size="20" /><br />
Port:<br />
<input id="port" name="port" type="text" size="10" /><br /><br />
<input type="submit" name=submit" value="Test" />
</form>

</body>
</html>


port.php


<?php

require_once('config.php');

if(!defined('NoAccess')){
exit('You cannot access this file directly.');
}

if (!isset($_POST['ip']) || !isset($_POST['port'])) {
missing("You must enter a IP Address/Hostname and port...<br><br>");
echo "<a href='testPort.php'>Go Back</a>";
}

$test = @fsockopen($ip, $port, $errno, $errstr);
$senddata = "GET / HTTP/1.0\r\n";
$senddata .= "Host: $ip\r\n";
$senddata .= "Connection: Close\r\n\r\n";

if ($test) {
echo "Port $port is currently open.";
} else {
echo "Error($errno): $errstr or port is closed";
}

function missing($msg) {
echo $msg;
exit;
}

fclose($test);

?>

12k
01-15-2012, 04:09 AM
I would just use a htaccess

_Aerospace_Eng_
01-15-2012, 04:10 AM
Remove the @ from fsockopen, it is probably giving you the real error.

JoeBobJr
01-15-2012, 04:14 AM
Remove the @ from fsockopen, it is probably giving you the real error.

It's not I have already tried that and I tried it again just now to make sure. It still goes to the


echo "Error($errno): $errstr or port is closed";

and displays that on the port.php once the form is submitted

But thanks you to mentioning that I remembered I had display_errors turned off in php.ini for when I was working on a php nuke website. That helped me figure out that my variables were missing.

JoeBobJr
01-15-2012, 04:23 AM
I just noticed that some how my variables got deleted I guess when I was changing around the code and didn't even notice it



$ip = $_POST['ip'];
$port = $_POST['port'];


That fixed one problem but now I have the issue I was having before where if I try to access the file directly it tells me I need to..

You must enter a IP Address/Hostname and port...

instead of giving the can't access this file error

I also just noticed I have to move



echo "<a href='testPort.php'>Go Back</a>";


here



function missing($msg) {
echo $msg;
echo "<a href='testPort.php'>Go Back</a>";
exit;
}

Spookster
01-15-2012, 04:53 AM
Unless i'm misunderstanding your intention would it not just be easier to move those files above the web root if you do not want someone to access the script directly? Your scripts don't have to be in your web accessible directory (public_html, www) in order for you to use them in your site.

JoeBobJr
01-15-2012, 04:57 AM
Unless i'm misunderstanding your intention would it not just be easier to move those files above the web root if you do not want someone to access the script directly? Your scripts don't have to be in your web accessible directory (public_html, www) in order for you to use them in your site.

I was eventually going to do that to be honest. I am only really messing around with php to learn how to keep a file from being accessed. In case there were to be some reason I needed it. That is definitely the best way I just wanted to learn this way just in case and just expand my learning some.

EDIT: I also plan on removing the ip address box altogether once it's finished. I don't want my code used by spammers or to scan networks without that person's permission. I know some would use it in that manner. I am going to set the ip address to 127.0.0.1 and not allow the ip address to be entered at all. I don't want to go through the trouble of trying to set up something to check if the script has been used by a particular ip address and restrict access to the script for so many seconds before it can be used again. Although that could be an option but my intentions were to make it so that anyone can check their own network to see if a port is open if they are having issues with a web service or whatever.

JoeBobJr
01-15-2012, 04:58 AM
I was able to get everything working correctly except the file access part of the code something is still wrong having issues figuring it out. Here is the new code I changed some stuff around and simplified one of the if statements.

If I access the file directly it's telling me I need to fill in ip address or port instead of saying you can't access the file directly it has to be something simple I am over looking.



<?php

require_once('config.php');

if(!defined('NoAccess')){
die('You cannot access this file directly.');
}

$ip = $_POST['ip'];
$port = $_POST['port'];

if (($ip == "") or ($port == "")) {
missing("You must enter a IP Address/Hostname and port...<br><br>");
}

$test = @fsockopen($ip, $port, $errno, $errstr);
$senddata = "GET / HTTP/1.0\r\n";
$senddata .= "Host: $ip\r\n";
$senddata .= "Connection: Close\r\n\r\n";

if ($test) {
echo "Port $port is currently open.";
} else {
echo "Port $port is closed";
}

function missing($msg) {
echo $msg;
echo "<a href='testPort.php'>Go Back</a>";
exit;
}

@fclose($test);

?>

_Aerospace_Eng_
01-15-2012, 05:14 AM
Yes it is, config.php has NoAccess defined in it so this

if(!defined('NoAccess')){
die('You cannot access this file directly.');
}
never happens. Remove it from config.php.

JoeBobJr
01-15-2012, 05:24 AM
Yes it is, config.php has NoAccess defined in it so this

if(!defined('NoAccess')){
die('You cannot access this file directly.');
}
never happens. Remove it from config.php.

If you do that then every time you hit the Test button it goes to port.php and says that you can't access the file directly. Even if you fill in the forms it breaks the whole script.

_Aerospace_Eng_
01-15-2012, 05:41 AM
I think you are going about this the wrong way. It is pretty clear that you want it to work if it comes from the form so try this

<?php

require_once('config.php');
function missing($msg) {
echo $msg;
echo "<a href='testPort.php'>Go Back</a>";
exit;
}
if(isset($_POST['ip']))
{

$ip = $_POST['ip'];
$port = $_POST['port'];

if (($ip == "") or ($port == "")) {
missing("You must enter a IP Address/Hostname and port...<br><br>");
}

$test = @fsockopen($ip, $port, $errno, $errstr);
$senddata = "GET / HTTP/1.0\r\n";
$senddata .= "Host: $ip\r\n";
$senddata .= "Connection: Close\r\n\r\n";

if ($test) {
echo "Port $port is currently open.";
} else {
echo "Port $port is closed";
}

@fclose($test);
}
?>
Now going to it will do nothing, it will only do things if the IP address is present in the $_POST array.

JoeBobJr
01-15-2012, 07:12 AM
I think you are going about this the wrong way. It is pretty clear that you want it to work if it comes from the form so try this

<?php

require_once('config.php');
function missing($msg) {
echo $msg;
echo "<a href='testPort.php'>Go Back</a>";
exit;
}
if(isset($_POST['ip']))
{

$ip = $_POST['ip'];
$port = $_POST['port'];

if (($ip == "") or ($port == "")) {
missing("You must enter a IP Address/Hostname and port...<br><br>");
}

$test = @fsockopen($ip, $port, $errno, $errstr);
$senddata = "GET / HTTP/1.0\r\n";
$senddata .= "Host: $ip\r\n";
$senddata .= "Connection: Close\r\n\r\n";

if ($test) {
echo "Port $port is currently open.";
} else {
echo "Port $port is closed";
}

@fclose($test);
}
?>
Now going to it will do nothing, it will only do things if the IP address is present in the $_POST array.

That sounds like a good idea I think I had the wrong idea how it's all done anyways. I believe in order to block access to a file you have to pull that file into another script. Instead of trying to make my form send the data to another page I'd have to call the script inside my testPort.php script then if someone where to access the file directly it would give them access denied but it would be allowed as long as the script is pulled in from another script. I believe I had the whole concept wrong altogether.

Which I have no problem with that's how I wanted to do it to begin with just have the script inside the testPort.php file also and display the results under the TEST button. I was just trying something different to see how php worked but I didn't grasp till now that if you block access to a file you can't display anything from that file directly. You have to call that file inside of another php script in order to access it I get that now I might be able to write something better.



EZ Archive Ads Plugin for vBulletin Copyright 2006 Computer Help Forum