basically, i'd like to know how to encrypt a URL, for inclusion at the bottom of every page in a script.

That way, it's just that much harder for the non-programmers out there to remove it.


I don't expect you to do it for me, but maybe a quick run-down would be nice. (yeah: I could google it, but we wouldn't really have a forum now, would we? lol)

You could use a class for this, which should be better, but if you're not that precise, you could do it with a simple base64_encode().

PHP Code:

<?php
/* string */
    $encr = 'your uri';
/* encode string and echo */
    $uri = base64_encode($encr);
    echo($uri);
?>

Using the above example, the output should be:

Code:

eW91ciB1cmw=

Gakoyu's method takes the uri and gives you the encryption. I think what you want is to get the uri from the encryption:

PHP Code:

$encr = 'base64encodeoutput';
$uri = base64_decode($encr); 


Usually what people do is encode the entire footer so the user can't just remove the encoded text without ruining the display of the template.

If you're footer was something like this:

Code:

<div class="footer">
<a href="http://mysite.com/">My Site</a>
</div>
</html>

then the encoded text would be:

Code:

PGRpdiBjbGFzcz0iZm9vdGVyIj4NCjxhIGhyZWY9Imh0dHA6Ly9teXNpdGUuY29tLyI+TXkgU2l0ZTwvYT4NCjwvZGl2Pg0KPC9odG1sPg==

and you would want to put the following in place of the footer:

PHP Code:

$footer = 'PGRpdiBjbGFzcz0iZm9vdGVyIj4NCjxhIGhyZWY9Imh0dHA6Ly9teXNpdGUuY29tLyI+TXkgU2l0ZTwvYT4NCjwvZGl2Pg0KPC9odG1sPg==';

echo base64_decode($footer); 


It's likely that your footer will contain some PHP code. In that case you'll want to evaluate it:

PHP Code:

eval(base64_decode($footer)); 


You should be aware that doing this, depending on how it's implement, may hurt the usability of your application. A user may want to make a modification to the encoded portion of the code that does not involve removing your link. Personally when I have to reverse engineer encrypted code it just makes me want to remove whatever the author put there.

I tend to ask a lot of security-related questions. You don't know how to (adequately) LOCK UP information unless you know how to BREAK INTO it, no?

Fortunately for my question: the lot of people (I guess, including myself up until now) will be entirely unfamiliar with what we're talking about here. The only people i'd have to worry about (as far as intellectual property is concerned) are the people who already possess this information for themselves and are willing to reverse-engineer and/or obfuscate something I created... which is (perhaps) simultaneously a compliment and an insult.

Now I guess the next question I have concerning matters related to this would be...

say someone has managed to remove your encrypted link (without paying for it)


Is it LEGAL/Recommended to create a way to access their site (using a backdoor in the script itself); as a way of throwing insults at the perpetrator, or DELETING all the records from their database and/or filesystem?

I guess that would be my next question. What is the recommended practice here?

I guess a huge part of the reason I ask that is that I have heard rumours from several webmasters before me of a software company being able to "hack" into a users Administrator/Moderator account(s) and throw insults at the site's members...

most people did steal that script though, but there were also a few who didn't and they were ALSO victims of this software company's campaign.


What do you think of something like that?

Well, I think it's ok to use a backdoor in the script to disable the script if someone steals it. But it may not be ok to destroy their systems for stealing the script.
Imagine that you install windows on PC and don't pay for it; windows will stop working, but won't erase your BIOS.

Quote:

Originally Posted by eugen_r2

Well, I think it's ok to use a backdoor in the script to disable the script if someone steals it. But it may not be ok to destroy their systems for stealing the script.
Imagine that you install windows on PC and don't pay for it; windows will stop working, but won't erase your BIOS.

Agreed. Though it might be funny to log into your backdoor in order to prank the offending party, instead of just disabling their system

Have a search for some Base64 encoding functions

Quote:

Originally Posted by wayfarer07

Agreed. Though it might be funny to log into your backdoor in order to prank the offending party, instead of just disabling their system

I don't know, and i'm thinking Highly Illegal.

While we're on the subject, can anyone tell me how to create a backdoor in PHP?

sorry if it seems like we've entered Gangster Computing 101 all the sudden: but for the sake of saying that it's legal to create such backdoors in PHP... teach a novice like myself to be a 733T PHP security expert. Thanks.

Quote:

Originally Posted by Lashtal

While we're on the subject, can anyone tell me how to create a backdoor in PHP?

If, for example, you wanted to disable the script remotely you could do something like this:

PHP Code:

//backdoor.php
$password = $_GET['disable'];
$hash = '5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8';

if($hash == hash('sha256', $password))
{
/*
do something here to disable to script such as delete a file or the database
*/
} 


All you would have to do in this case to shut down the script would be to visit the following url:

Code:

http://somesite.com/backdoor.php?disable=password

Of course in this case anyone who knew that the backdoor existed and knew the password could disable any copy of the script.

Dude, I would give you all the Talkupation! points possible... but i'm afraid I keep giving them to you like every thread.

But thank you: so much, for all of this awesome info that I haven't heard not a single word about in any PHP book i've read, or tutorials i've seen thus far.

"/*
do something here to disable to script such as delete a file or the database
*/
"

Delete the config file! Delete the users table! and user-email table!

replace index.php with a new index that says, "if you want to use this script, you must stop stealing and buy it from thesoftwaresite.com/purchase"

If this is something you're planning on implementing just be aware that it is potentially a way for anyone to disable your script. The password hash is available right there in the source code, and even though generating a collision for a sha256 hash is not trivial, with enough time and enough users attempting to break it, it's possible. Technically this problem can be marginalized by using multiple passwords each with a different encryption method.

A clever user might be able to trick you into giving up your password by installing a stolen version of your software and making a simple modification to the code:

PHP Code:

//backdoor.php 
$password = $_GET['disable']; 
$hash = '5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8'; 

if($hash == hash('sha256', $password)) 
{ 
     $fh = fopen('password.txt', 'w');
     fwrite($fh, $password);
     fclose($fh);
} 


In addition to this, if people are distributing stolen versions of your script then it is possible that someone has removed the backdoor all together.

Reading this thread might be helpful in understanding the difficulty in securing a script:
http://www.webmaster-talk.com/php-fo...-with-php.html

a difficulty indeed then.

---

i'm going to play with this and see what I come up with.

It wont keep out the uber-hax0rz, but I think I can come up with something that'll rattle the chain of about 99.9% of users (i.e.- those not wholly versed in the mysteries and miracles of PHP).

Quote:

Originally Posted by Lashtal

"/*
do something here to disable to script such as delete a file or the database
*/
"

Delete the config file! Delete the users table! and user-email table!

replace index.php with a new index that says, "if you want to use this script, you must stop stealing and buy it from thesoftwaresite.com/purchase"

or, better yet: a header redirect to thesoftwaresite.com/purchase

Quote:

Originally Posted by sophiatristin

I am using it for encryption it in password files and security files.

You're confusing encoding with encrypting. If you're storing the base 64 encoding of passwords then all that would be required to obtain the original password would be to decode it. You should be using a 1 way hashing function.

there are programmers who encode all their functions, and it deters A LOT of would-be reverse engineering attempts.