  1. #1
    Senior Coder
    Join Date
    May 2006
    Posts
    1,673
    Thanks
    28
    Thanked 4 Times in 4 Posts

    Problem using base64_decode()

    Hi,
    I am using base64_decode() to check and debug my script, which is not working,
    but I cannot get it to decode and display.

    I am trying to do it with a simple echo:

    PHP Code:
    echo base64_decode('Pz48P3BocAokb3AgPSAkX1JFUVVFU1RbJ29wJ10gPSAnY3Jhd2xwcm9jJzsKaWYoaXNzZXQoJF9TRVJWRVJbJ1JFUVVFU1RfTUVUSE9EJ10pKQp7CmVjaG8gJ1RoaXMgdG9vbCBjYW4gYmUgZXhlY3V0ZWQgaW4gY29tbWFuZCBsaW5lIG1vZGUgb25seSc7CmV4aXQ7Cn0KJGRWXzBqVXpMTDhlT0MydnJ0QW4gPSB0cnVlOwpjaGRpcihkaXJuYW1lKF9fRklMRV9fKSk7CiRfUkVRVUVTVFsnYmcnXSA9IHRydWU7CiRfUkVRVUVTVFsncmVzdW1lJ10gPSB0cnVlOwppbmNsdWRlICcuL2luZGV4LnBocCc7Cj8+'); 
    All I get as output is:
    "?>" - not particularly useful !

    What am I doing wrong ?


    If you want to attract and keep more clients, then offer great customer support.

    Support-Focus.com. automates the process and gives you a trust seal to place on your website.
    I recommend that you at least take the 30 day free trial.

  • #2
    Regular Coder
    Join Date
    Mar 2006
    Posts
    238
    Thanks
    3
    Thanked 37 Times in 37 Posts
    If you are viewing the result in a browser, you would need to view the page source code. It would show:
    Code:
    ?><?php
    $op = $_REQUEST['op'] = 'crawlproc';
    if(isset($_SERVER['REQUEST_METHOD']))
    {
    echo 'This tool can be executed in command line mode only';
    exit;
    }
    $dV_0jUzLL8eOC2vrtAn = true;
    chdir(dirname(__FILE__));
    $_REQUEST['bg'] = true;
    $_REQUEST['resume'] = true;
    include './index.php';
    ?>
    The browser hides everything between < and >, considering it a tag.

    Or if you really need to see the result in the browser, you could encode HTML special characters and echo the string:
    PHP Code:
    $str = (base64_decode('Pz48P3BocAokb3AgPSAkX1JFUVVFU1RbJ29wJ10gPSAnY3Jhd2xwcm9jJzsKaWYoaXNzZXQoJF9TRVJWRVJbJ1JFUVVFU1RfTUVUSE9EJ10pKQp7CmVjaG8gJ1RoaXMgdG9vbCBjYW4gYmUgZXhlY3V0ZWQgaW4gY29tbWFuZCBsaW5lIG1vZGUgb25seSc7CmV4aXQ7Cn0KJGRWXzBqVXpMTDhlT0MydnJ0QW4gPSB0cnVlOwpjaGRpcihkaXJuYW1lKF9fRklMRV9fKSk7CiRfUkVRVUVTVFsnYmcnXSA9IHRydWU7CiRfUkVRVUVTVFsncmVzdW1lJ10gPSB0cnVlOwppbmNsdWRlICcuL2luZGV4LnBocCc7Cj8+'));
    // Escape the decoded source so the browser displays it instead of parsing it as tags
    echo '<pre>' . htmlspecialchars($str) . '</pre>';
    Still, could you please tell me what you are generally trying to do? Why are you storing the PHP code as a base64-encoded string? If you are executing it later with eval(), please be very careful. eval() is a very dangerous function. It is necessary to be absolutely sure there is no way someone could inject his own code there.
    Last edited by SKDevelopment; 02-06-2010 at 10:24 AM.

  • #3
    Senior Coder
    Join Date
    May 2006
    Posts
    1,673
    Thanks
    28
    Thanked 4 Times in 4 Posts
    Yer - I don't like it but this guy wants the code "hidden" so no one could see it !!!

    I told him that the php is not seen in the browser anyway but I guess he is paranoid !
    So I thought I would use base64 encode.

    Anyway, thanks for your help, I can see the bug now.

    Oh, and yes I was going to use eval().
    I don't think anyone can inject code into it can they ?



  • #4
    Regular Coder
    Join Date
    Mar 2006
    Posts
    238
    Thanks
    3
    Thanked 37 Times in 37 Posts
    Do you mean you would like to store the PHP code in a cookie and then eval() it? And the only protection is base64 encoding? If this is true, any average hacker would be able to execute absolutely any PHP code of his own on your system using this eval().

    Cookies are stored on the client side. The browser sends them. You have no control over them. It is not too difficult to fake a cookie. It is sent as part of the HTTP document - in the HTTP headers. So it is enough to connect to the server, pretend to be a browser and send any PHP code via a cookie (using the corresponding HTTP header).

    Cookies are considered potential user input, which is no more difficult to abuse than GET or POST.

    base64 encoding is no protection at all. It is too easily decoded.

    In my opinion cookies must never be used for such a task.

    And in my opinion eval() must be avoided whenever possible.
    Last edited by SKDevelopment; 02-06-2010 at 04:29 PM.
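
The point made in post #4, as an added example that is not code from any poster in this thread: a cookie is client-controlled input, so the server verifies an HMAC over it with a key only the server holds and then uses the value to pick from a fixed allowlist instead of passing it to eval(). The key, function names and handler names are hypothetical.

```php
<?php
// Added example. COOKIE_KEY is a placeholder; a real key is random and kept server-side.
const COOKIE_KEY = 'placeholder-key-load-from-server-config';

// Issue "base64(value).mac". base64 is only transport encoding; the MAC is the protection.
function sign_cookie(string $value): string
{
    return base64_encode($value) . '.' . hash_hmac('sha256', $value, COOKIE_KEY);
}

// Return the original value, or null when the cookie is malformed or was modified.
function verify_cookie(string $cookie): ?string
{
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    $value = base64_decode($parts[0], true); // strict mode rejects invalid characters
    if ($value === false) {
        return null;
    }
    $expected = hash_hmac('sha256', $value, COOKIE_KEY);
    // hash_equals() compares in constant time
    return hash_equals($expected, $parts[1]) ? $value : null;
}

// The verified value only selects a predefined handler; it is never evaluated as code.
function dispatch(?string $action): string
{
    $handlers = [
        'crawlproc' => fn() => 'start crawl',
        'status'    => fn() => 'report status',
    ];
    if ($action === null || !isset($handlers[$action])) {
        return 'rejected';
    }
    return $handlers[$action]();
}

// Unmodified cookie: the MAC verifies and the allowlisted handler runs.
$good = sign_cookie('crawlproc');
echo dispatch(verify_cookie($good)), "\n";

// Constructed tampered cookie: a different value re-encoded with the old MAC.
$tampered = base64_encode('other-action') . '.' . explode('.', $good, 2)[1];
echo dispatch(verify_cookie($tampered)), "\n";
```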

  • #5
    Senior Coder
    Join Date
    May 2006
    Posts
    1,673
    Thanks
    28
    Thanked 4 Times in 4 Posts
    Thanks for your concern but this script is
    not going in a cookie but resides on the server.

    That's why I told him - the code would not be seen
    by anyone. As you can see the code is the "doorway" to the
    ./index.php. It also sets some variables that are checked later
    to ensure that the program was started by this script.

    It is just a waste of time really, but he likes the idea that the
    starting "doorway" script is encoded making it look unreadable.

    However as we have just proved a programmer can easily open it up !!

    Anyway, if it keeps him happy !!!

    Thanks for your help.

  • #6
    Codeasaurus Rex
    Join Date
    Jun 2008
    Location
    Redmond, WA
    Posts
    659
    Thanks
    31
    Thanked 100 Times in 94 Posts
    If you want something super secure and, in my opinion, more fun, you can look into AES. If you set a key on the server side then you can encrypt whatever you want and store it wherever you want. You can also encrypt it using an identification hash of your own so that you can check the integrity of the string on decryption.

    But that would be getting NSA level paranoid :P
    Unless otherwise stated, any code posted is most likely untested and may contain syntax errors.
    My posts, comments, code, and suggestions reflect only my personal views.
    Web Portfolio and Code Snippets: http://shanechism.com
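
A sketch of the approach suggested in post #6, as an added example that is not the poster's code: AES-256-GCM through PHP's OpenSSL extension, where the GCM authentication tag stands in for the separate integrity hash the post mentions. The function names are hypothetical, and the key is generated inline only so the example runs; it is assumed to come from server-side configuration in practice.

```php
<?php
// Added example. In practice the 32-byte key is loaded from server-side config.
$key = random_bytes(32);

// Encrypt and authenticate; output layout is base64(iv || tag || ciphertext).
function seal(string $plaintext, string $key): string
{
    $iv  = random_bytes(12); // 96-bit nonce, must be fresh for every message
    $tag = '';
    $ct  = openssl_encrypt($plaintext, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return base64_encode($iv . $tag . $ct);
}

// Return the plaintext, or null if the blob is malformed or fails authentication.
function open_sealed(string $blob, string $key): ?string
{
    $raw = base64_decode($blob, true);
    if ($raw === false || strlen($raw) < 28) { // 12-byte IV + 16-byte tag
        return null;
    }
    $iv  = substr($raw, 0, 12);
    $tag = substr($raw, 12, 16);
    $ct  = (string) substr($raw, 28);
    $pt  = openssl_decrypt($ct, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    return $pt === false ? null : $pt;
}

// Round trip with the correct key.
$blob = seal("include './index.php';", $key);
var_dump(open_sealed($blob, $key));

// Constructed tampering: flip one bit in the last ciphertext byte.
$raw = base64_decode($blob, true);
$raw[strlen($raw) - 1] = chr(ord($raw[strlen($raw) - 1]) ^ 0x01);
var_dump(open_sealed(base64_encode($raw), $key)); // tag check fails, nothing is decrypted
```

Unlike base64, the stored string cannot be read or altered without the key, but whoever can read the key file on the server can still decrypt it.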

