
Thread: php 5.2

  1. #1
    Senior Coder NancyJ's Avatar
    Join Date
    Feb 2005
    Location
    Bradford, UK
    Posts
    3,172
    Thanks
    19
    Thanked 65 Times in 64 Posts

    php 5.2

    This morning - without warning, our server was upgraded to php 5.2 - which subsequently broke our credit card encryption/decryption system - no errors, just the encryption/decryption were no longer right. I can't see anything obvious in the change log that would break this code.

    These are the functions

    PHP Code:
      function getKey()
      {
         $arrSalt = explode("\r\n", chunk_split(md5(substr($this->name, 0, 1)), 15));
         $arrPepper = explode("\r\n", chunk_split(md5(substr($this->name, -11)), 15));
         $k[] = $arrSalt[0];
         $k[] = $arrSalt[1];
         $k[] = $arrPepper[0];
         $k[] = $arrPepper[1];
         return $k;
      }

      function str2long($data)
        {
        $n = strlen($data);
        $tmp = unpack('N*', $data);
        $data_long = array();
        $j = 0;

        foreach ($tmp as $value) $data_long[$j++] = $value;
        return $data_long;
        }

      function long2str($l)
        {
        return pack('N', $l);
        }


      function xteaEncrypt($v, $k)
        {
        $v0=$v[0];
        $v1=$v[1];
        $sum=0;
        $delta=0x9e3779b9;

        for ($i=0; $i<32; $i++)
            {
            $v0 += ($v1<<4 ^ $v1>>5) + $v1 ^ $sum + $k[$sum & 3];
            $sum += $delta;
            $v1 += ($v0 << 4 ^ $v0 >> 5) + $v0 ^ $sum + $k[$sum>>11 & 3];
            }

        $v[0]=$v0;
        $v[1]=$v1;

        return $v;
        }

      function xteaDecrypt($v, $k)
        {
        $v0=$v[0];
        $v1=$v[1];
        $delta=0x9e3779b9;
        $sum=0xC6EF3720;

        for ($i=0; $i<32; $i++)
            {
            $v1 -= ($v0 << 4 ^ $v0 >> 5) + $v0 ^ $sum + $k[$sum>>11 & 3];
            $sum -= $delta;
            $v0 -= ($v1 << 4 ^ $v1 >> 5) + $v1 ^ $sum + $k[$sum&3];
            }

        $v[0]=$v0;
        $v[1]=$v1;

        return $v;
        }


      function encrypt()
        {
        $key = $this->getKey();
        $text = $this->number;
        $n = strlen($text);
        if($n%8 != 0) $lng = ($n+(8-($n%8)));
        $text = str_pad($text, $lng, ' ');

        $secret[0][0] = (double)microtime()*1000000;
        $secret[0][1] = time();

        $v = $this->str2long($text);
        $a = 1;
        for($i = 0; $i<count($v); $i+=2)
           {
           $v[$i] ^= $secret[$a-1][0];
           $v[$i+1] ^= $secret[$a-1][1];

           $secret[] = $this->xteaEncrypt(array($v[$i],$v[$i+1]),$key);
           $a++;
           }

        for($i = 0; $i<count($secret); $i++)
          {
          $decrypted .= $this->long2str($secret[$i][0]);
          $decrypted .= $this->long2str($secret[$i][1]);
          }

        $this->encryptedNumber = strrev(base64_encode(md5($this->secCode)).base64_encode($decrypted));
        }


      function decrypt()
        {
        $key = $this->getKey();
        $text = str_replace(base64_encode(md5($this->secCode)), '',strrev($this->encryptedNumber));

        $secret = $this->str2long(base64_decode($text));
        $clear = array();
        for($i = 2; $i<count($secret); $i+=2)
            {
            $return = $this->xteaDecrypt(array($secret[$i],$secret[$i+1]),$key);
            $clear[] = array($return[0]^$secret[$i-2],$return[1]^$secret[$i-1]);
            }

        for($i = 0; $i<count($clear); $i++)
           {
           $decrypted .= $this->long2str($clear[$i][0]);
           $decrypted .= $this->long2str($clear[$i][1]);
           }

        $this->number = $decrypted;
        }

  • #2
    Regular Coder
    Join Date
    Jun 2004
    Posts
    565
    Thanks
    0
    Thanked 18 Times in 18 Posts
    Where are you defining $secret in the method encrypt()?

    dumpfi
    "Failure is not an option. It comes bundled with the software."
    ....../)/)..(\__/).(\(\................../)_/)......
    .....(-.-).(='.'=).(-.-)................(o.O)...../<)
    ....(.).(.)("}_("}(.)(.)...............(.)_(.))¯/.
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    Little did the bunnies suspect that one of them was a psychotic mass murderer with a 6 ft. axe.

  • #3
    Senior Coder CFMaBiSmAd's Avatar
    Join Date
    Oct 2006
    Location
    Denver, Colorado USA
    Posts
    3,026
    Thanks
    2
    Thanked 315 Times in 307 Posts
    Hmm. What version of PHP was it before the unannounced upgrade?

    I took a quick look at the 5.2 changes - http://www.php.net/UPDATE_5_2.txt and nothing stands out as affecting your code.

    My first thought was a php.ini configuration difference, but nothing in your code stands out as being affected by a feature being turned on/off, that would have still allowed the code to execute without an error.

    I assume that you have set error_reporting to E_ALL and/or checked server logs...
    If you are learning PHP, developing PHP code, or debugging PHP code, do yourself a favor and check your web server log for errors and/or turn on full PHP error reporting in php.ini or in a .htaccess file to get PHP to help you.

  • #4
    Senior Coder NancyJ's Avatar
    Join Date
    Feb 2005
    Location
    Bradford, UK
    Posts
    3,172
    Thanks
    19
    Thanked 65 Times in 64 Posts
    The script doesn't fail - it produces output but the encryption and decryption are not producing the correct/expected values, as if the values of one of the functions was different to what it should be. I will have to upgrade my local version for more thorough testing, was just wondering if anyone had a similar problem or knew what it was.

  • #5
    Regular Coder
    Join Date
    Jun 2004
    Posts
    565
    Thanks
    0
    Thanked 18 Times in 18 Posts
    You should set your error reporting level to E_ALL | E_STRICT. Then you will get at least some notices about using undeclared variables.

    dumpfi

  • #6
    Senior Coder
    Join Date
    Aug 2003
    Location
    One step ahead of you.
    Posts
    2,815
    Thanks
    0
    Thanked 3 Times in 3 Posts
    The title could be a bit more descriptive...

    These functions look like they're class members. If you switched from PHP4 there could be a lot of differences.
    I'm not sure if this was any help, but I hope it didn't make you stupider.

    Experience is something you get just after you really need it.
    PHP Installation Guide Feedback welcome.

  • #7
    Senior Coder NancyJ's Avatar
    Join Date
    Feb 2005
    Location
    Bradford, UK
    Posts
    3,172
    Thanks
    19
    Thanked 65 Times in 64 Posts
    this was just upgrading to 5.2 from 5.14

  • #8
    Senior Coder
    Join Date
    Aug 2003
    Location
    One step ahead of you.
    Posts
    2,815
    Thanks
    0
    Thanked 3 Times in 3 Posts
    Did anything else change on the server (or the server)?
    Can you decrypt things that you have encrypted under PHP5.2?

    You might actually have the honor of finding a bug in PHP5.2!

  • #9
    Senior Coder NancyJ's Avatar
    Join Date
    Feb 2005
    Location
    Bradford, UK
    Posts
    3,172
    Thanks
    19
    Thanked 65 Times in 64 Posts
    As far as I know nothing else changed - as I said they did this completely without consulting us first - you can imagine the screaming my account manager got.
    No, stuff encrypted under 5.2 wouldn't decrypt either. I'm going to upgrade my local version and work it all out today with full error reporting turned on. See what I can find out.
    Might have to go through it step by step and see where it changes.
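
One way to do the step-by-step comparison described in the post above, as an added example that is not code from this thread: XTEA with every intermediate value reduced to 32 bits and a per-round trace, so the output from two PHP builds can be diffed line by line. It assumes a 64-bit PHP build; the key words and the 8-byte block are constructed sample values, and `xteaMix`, `xteaEncryptTraced` and `xteaDecrypt32` are names chosen here.

```php
<?php
// Added example, not the poster's code. Assumes 64-bit integers.
if (PHP_INT_SIZE < 8) { exit("this sketch needs a 64-bit PHP build\n"); }
define('MASK32', 0xFFFFFFFF);
define('DELTA', 0x9E3779B9);

// One half-round term, ((v<<4 ^ v>>5) + v) ^ (sum + key word), kept to 32 bits.
function xteaMix($v, $sum, $kw)
{
    $shifted = (($v << 4) & MASK32) ^ ($v >> 5);
    return (($shifted + $v) & MASK32) ^ (($sum + $kw) & MASK32);
}

// Encrypt one block and record sum, v0, v1 after every round.
function xteaEncryptTraced($v, $k, &$trace)
{
    list($v0, $v1) = $v;
    $sum = 0;
    for ($i = 0; $i < 32; $i++) {
        $v0  = ($v0 + xteaMix($v1, $sum, $k[$sum & 3])) & MASK32;
        $sum = ($sum + DELTA) & MASK32;
        $v1  = ($v1 + xteaMix($v0, $sum, $k[($sum >> 11) & 3])) & MASK32;
        $trace[] = sprintf('%02d %08x %08x %08x', $i, $sum, $v0, $v1);
    }
    return array($v0, $v1);
}

function xteaDecrypt32($v, $k)
{
    list($v0, $v1) = $v;
    $sum = (DELTA * 32) & MASK32;   // 0xC6EF3720, as in the posted xteaDecrypt()
    for ($i = 0; $i < 32; $i++) {
        $v1  = ($v1 - xteaMix($v0, $sum, $k[($sum >> 11) & 3])) & MASK32;
        $sum = ($sum - DELTA) & MASK32;
        $v0  = ($v0 - xteaMix($v1, $sum, $k[$sum & 3])) & MASK32;
    }
    return array($v0, $v1);
}

$key   = array(0x01234567, 0x89ABCDEF, 0xFEDCBA98, 0x76543210); // constructed key words
$block = array_values(unpack('N2', 'ABCDEFGH'));                // constructed 8-byte block
$trace = array();
$ct    = xteaEncryptTraced($block, $key, $trace);
$pt    = xteaDecrypt32($ct, $key);

echo implode("\n", $trace), "\n";
echo 'trace digest: ', md5(implode("\n", $trace)), "\n";
echo 'round trip:   ', ($pt === $block ? 'ok' : 'MISMATCH'), "\n";
```

Run it under both PHP versions: if the trace digests match, the cipher arithmetic is the same on both and the difference lies elsewhere (key derivation, padding, base64 handling).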

  • #10
    Senior Coder CFMaBiSmAd's Avatar
    Join Date
    Oct 2006
    Location
    Denver, Colorado USA
    Posts
    3,026
    Thanks
    2
    Thanked 315 Times in 307 Posts
    I was just browsing through the PHP change log and the following item stood out as something that would affect the operation of your code -
    - Fixed bug #37244 (Added strict flag to base64_decode() that enforces RFC3548 compliance). (Ilia)

  • #11
    Senior Coder NancyJ's Avatar
    Join Date
    Feb 2005
    Location
    Bradford, UK
    Posts
    3,172
    Thanks
    19
    Thanked 65 Times in 64 Posts
    Originally Posted by CFMaBiSmAd:
    "I was just browsing through the PHP change log and the following item stood out as something that would affect the operation of your code -"
    I saw that too, but the default is false - so it should operate as in 5.14

  • #12
    Super Moderator
    Join Date
    May 2002
    Location
    Perth Australia
    Posts
    4,040
    Thanks
    10
    Thanked 92 Times in 90 Posts
    you have only posted the relevant functions, is there more in your class or its hierarchy? I see that the internals of _toString() have been played around with, if this is called implicitly or otherwise that may have some effect on values such as

    $text = $this->number;

    etc, what about trying the methods outside of a class as simple functions, if that makes the difference then at least you know where to start looking.
    resistance is...

    MVC is the current buzz in web application architectures. It comes from event-driven desktop application design and doesn't fit into web application design very well. But luckily nobody really knows what MVC means, so we can call our presentation layer separation mechanism MVC and move on. (Rasmus Lerdorf)

