  1. #1
    Regular Coder Troy297's Avatar
    Join Date
    Oct 2006
    Location
    Earth
    Posts
    314
    Thanks
    10
    Thanked 0 Times in 0 Posts

    Question file_get_contents - Return PHP?

    Hey All,

    I'm currently developing a script and am trying to integrate a "license verification" and at current it's going pretty well. I've worked out most of the kinks on both ends and I've got it to produce all the right errors and stuff when the license is wrong.... except I need to go a step further.

    Basically what I want to do is be able to send back php from my "License/Update Server" to the users script installation and have it run. Like for example if this is the 20th time their has unsuccessfully had its license checked then I may want to send a kill process to the next panel that tried to authenticate with that license in case it's a license that's been leaked somehow.

    So... here's my code:

    The Script:
    PHP Code:
    <?php
    if($content = @file_get_contents("http://members.mysite.com/")){
        echo $content;
    }else{
        echo "<td><img src='images/update_error.gif' /></td><td>An Error Occured!</td>";
    }
    ?>
    My Update Server:
    PHP Code:
    <?php
    echo 'This is returned.';
    ?>
    So basically 'This is returned.' is what the script prints out to the user. Now how might I do the same thing except have it so I can send back PHP code and have it run to the script?

    Sorry if I'm unclear. Feel free to ask for clarification, and thanks!
    Everyone hears what you say, friends listen to what you say, best friends listen to what you don't say.
    Radio DJ Panel v3 - It's Here!

  • #2
    Super Moderator
    Join Date
    May 2002
    Location
    Perth Australia
    Posts
    4,095
    Thanks
    11
    Thanked 101 Times in 99 Posts
    you could return plaintext PHP code and eval() it.

    but

    eval() is mostly evil, though in your case you will have control over the contents of the eval()'d file ... but then imagine someone hacks the validation server and adds malicious code to the validation script? Also anyone can look at the contents of the validation code, which may give them ideas of what to return, and simply change the call from your server to theirs...

    none of this is going to be easy/safe unless you use some form of encoder etc
    resistance is...

    MVC is the current buzz in web application architectures. It comes from event-driven desktop application design and doesn't fit into web application design very well. But luckily nobody really knows what MVC means, so we can call our presentation layer separation mechanism MVC and move on. (Rasmus Lerdorf)

  • Users who have thanked firepages for this post:

    Troy297 (11-01-2007)

  • #3
    Regular Coder Troy297's Avatar
    Join Date
    Oct 2006
    Location
    Earth
    Posts
    314
    Thanks
    10
    Thanked 0 Times in 0 Posts
    Alright, thanks for the advice.... Now I've tried this out and can you just tell me how it looks or if you see any possible security flaws that would be exploitable?

    PHP Code:
    <?php
    if($content = @file_get_contents("http://members.mysite.com/")){
        if(admin() == TRUE){
            // Response format: "PHP code ~~~ status message"
            $parts = explode("~~~", $content);
            echo $parts[1];
            // Executes whatever code the server sent back
            eval($parts[0]);
        }
    }
    ?>
    And I plan on encrypting that entire bit of code and more so no one can mess around with it. Also once again the update server that it contacts to get the response returns a message in this format:

    Code:
    PHP Code To Execute ~~~ License Valid... etc.
    Offtopic - When a url has "https://" in front rather than just "http://" what does it actually mean? And if it would be of any help in my case to attempt to stop any hacking attempts how do I implement it? I will Google later but just curious... Thanks
    Last edited by Troy297; 11-01-2007 at 11:34 AM.

  • #4
    Super Moderator
    Join Date
    May 2002
    Location
    Perth Australia
    Posts
    4,095
    Thanks
    11
    Thanked 101 Times in 99 Posts
    In a worst case scenario where someone has control of your server (or can fool the client into thinking their server is yours (by messing with the client's/network's hosts file or DNS or proxy)) then any code in $parts[0] will be run on the client's machine.

    Not sure how but perhaps you could first check $parts[0] for allowed functions and not allow any PHP functions but safe ones to be run.. e.g. cancel if the code to eval includes exec,unlink, backticks, rm ... etc etc, loads of possibles, too many.

    IF, the code to be eval'd is always the same, then you could use MD5_string() or some other mechanism for checking the code to be run is that which was expected ? , would need to know more about the $parts[0] before I could comment more.

    If you use https:// then anything sent between the server and client is encrypted, that way nobody will be able to sniff the contents of $parts[0]
    resistance is...

    MVC is the current buzz in web application architectures. It comes from event-driven desktop application design and doesn't fit into web application design very well. But luckily nobody really knows what MVC means, so we can call our presentation layer separation mechanism MVC and move on. (Rasmus Lerdorf)
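
Added example (not code from any poster in this thread): one way to act on the "check that the response is what was expected" idea above without eval() is for the update server to return signed data and let the client pick from actions it already contains. It assumes PHP 7.2+ with the sodium extension; the function name, action names and JSON fields are hypothetical, and the key pair is generated inline only so the demo runs offline.

```php
<?php
declare(strict_types=1);

// Hypothetical action names: the server can only select one of these,
// it can never supply code for the client to run.
const ALLOWED_ACTIONS = ['none', 'show_notice', 'disable_panel'];

/**
 * Verify a detached Ed25519 signature over the raw response body,
 * then parse the body strictly as data. Returns null on any failure.
 */
function verify_license_response(string $body, string $sigB64, string $publicKey): ?array
{
    $sig = base64_decode($sigB64, true);
    if ($sig === false || strlen($sig) !== SODIUM_CRYPTO_SIGN_BYTES) {
        return null; // malformed signature
    }
    if (!sodium_crypto_sign_verify_detached($sig, $body, $publicKey)) {
        return null; // not signed by the license server's key
    }
    $data = json_decode($body, true);
    if (!is_array($data) || !isset($data['action'], $data['message'], $data['expires'])) {
        return null; // missing fields
    }
    if (!in_array($data['action'], ALLOWED_ACTIONS, true) || !is_string($data['message'])) {
        return null; // unknown action or wrong type
    }
    if (!is_int($data['expires']) || $data['expires'] < time()) {
        return null; // stale response being replayed
    }
    return $data;
}

// --- Constructed demo data: in practice only the server holds the secret key ---
$keypair   = sodium_crypto_sign_keypair();
$secretKey = sodium_crypto_sign_secretkey($keypair);
$publicKey = sodium_crypto_sign_publickey($keypair); // embedded in the client

$body = json_encode(['action' => 'disable_panel', 'message' => 'License revoked',
                     'expires' => time() + 300]);
$sig  = base64_encode(sodium_crypto_sign_detached($body, $secretKey));

$ok       = verify_license_response($body, $sig, $publicKey);
$tampered = verify_license_response(str_replace('disable_panel', 'none', $body), $sig, $publicKey);

echo $ok ? "action: " . htmlspecialchars($ok['action']) . "\n" : "rejected\n";
echo $tampered ? "accepted\n" : "tampered response rejected\n";
```

The client ships only the public key, so reading the client code does not let anyone forge a response, and a compromised or spoofed server without the secret key cannot make the client do anything. Fetching the response over https:// additionally keeps its contents from being sniffed, as discussed above.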

  • #5
    Senior Coder
    Join Date
    Jan 2007
    Posts
    1,648
    Thanks
    1
    Thanked 58 Times in 54 Posts
    If you use https:// then anything sent between the server and client is encrypted, that way nobody will be able to sniff the contents of $parts[0]
    In other words, HTTP using SSL. (that's what the S indicates)

    Now I've tried this out and can you just tell me how it looks or if you see any possible security flaws that would be exploitable
    Your use of eval() is a possible security flaw. Even though you understand its dangers, you are still using it.

    I have never found a need for eval(). The only reason I have seen it be used is as a shortcut to a real solution. This would be such a case.

    No matter how much you encrypt your code, you can only eval() it decrypted. This means your PHP has the method of decrypting it. Meaning it's wasted effort.

    I think you'll be better off spending your development time on improving your product, than trying to build a bullet proof authentication scheme.

  • #6
    Super Moderator
    Join Date
    May 2002
    Location
    Perth Australia
    Posts
    4,095
    Thanks
    11
    Thanked 101 Times in 99 Posts
    Quote Originally Posted by aedrin View Post
    No matter how much you encrypt your code, you can only eval() it decrypted. This means your PHP has the method of decrypting it. Meaning it's wasted effort.
    I think we already worked out the fact that eval was dangerous ?

    I assumed that the client code will be byte-code and therefore not that easy to decompile.

    This type of activation/licence/authentication is an interesting subject and bright ideas might be more useful than `eval is evil, give up`

  • #7
    Senior Coder
    Join Date
    Jan 2007
    Posts
    1,648
    Thanks
    1
    Thanked 58 Times in 54 Posts
    I think we already worked out the fact that eval was dangerous ?
    Since it was being considered still, not dangerous enough.

    I assumed that the client code will be byte-code and therefore not that easy to decompile.
    That's a bad assumption as I've seen no people use this technique. I'm sure there are some, but requiring your clients to install additional programs just to use your component isn't good for business.

    This type of activation/licence/authentication is an interesting subject and bright ideas might be more useful than `eval is evil, give up`
    Yes, that is a good point. But you don't think companies out there have tried to figure this out? I'd rather spend my time developing new components that are helpful and help save me time, than develop something that will do nothing. If someone intends to pirate your component/technology, they will. If something prevents it, they will find an alternative. Either way you gain zero business.

