
Securing Data with PHP



By ghostghost | 3786 Reads |

Let's say you have some files on your site that you don't want users to see. This could be a header or, in this case, logs. So first, let's make the log script.

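<?php
$today = date("F j, Y, g:i a"); // The time down to the minute.
$date = date("F, j, Y"); // Each day a new log file will be created.
$lookatlogs = 0;
// Guard written before every entry; the name is split so PHP does not interpolate it here.
$code = "<?php if($" . "lookatlogs != 1){ die(''); } ?>";
$location = "./logs/"; // Location the logs should be created.
if (!is_dir($location)) {
    mkdir($location, 0755, true); // Create the logs folder on first run.
}
// Request details that go into the log line.
$agent = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
$uri = isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '';
$ref = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
$fp = fopen($location . $date . ".php", "a"); // Creates (or appends to) the file.
$line = $code . "IP: {$_SERVER['REMOTE_ADDR']} | Time: $today | Agent: $agent | URI: $uri | REF: $ref <br>" . "\n"; // This is what gets added to the file.
$size = strlen($line);
fputs($fp, $line, $size); // Adds $line to the file.
fclose($fp); // Closes it.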

And now the code to view the logs:

<?php
$lookatlogs = 1;
?>
<textarea cols="120" rows="40" wrap="off">
<?php
include("./logs/September, 18, 2006.php");
?>
</textarea>

The first code will create a folder in the root directory called logs. Then each day it creates a file in logs. So, since today is 9/18/2006, it will create a log named September, 18, 2006.php. In the log you will have this code:

<?php if($lookatlogs != 1){ die(''); } ?>127.0.0.1|September 18, 2006, 12:05 am | Agent: Opera/9.01 (Windows NT 5.1; U; en) | URI: /kjl | REF: <br>

And if someone views it in the browser, $lookatlogs will = 0, and 0 != 1. So it will die. But in the code to view the logs, $lookatlogs = 1, so it will not die. Enjoy.

–Adlez
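
The logger above writes the client's User-Agent, URI and Referer into a file that the viewer later runs through include(), so those fields have to be treated as untrusted input. As an added example (not the author's code), here is the same logger storing entries as plain text and escaping them in the viewer; the function names, the .log file name and the temp directory standing in for a folder outside the web root are assumptions.

```php
<?php
// Added example, not the article's code: store entries as inert text and
// escape them when they are displayed.

// Replace control characters (so a value cannot start a forged log line)
// and cap the length of a client-supplied field.
function clean_field(string $value, int $max = 512): string
{
    return substr(preg_replace('/[\x00-\x1F\x7F]/', ' ', $value), 0, $max);
}

// Append one entry to a dated plain-text file. $dir is assumed to sit outside
// the document root, so the file needs no guard line.
function write_log(string $dir, array $server): string
{
    $fields = [
        'IP'    => $server['REMOTE_ADDR'] ?? '-',
        'Time'  => date('F j, Y, g:i a'),
        'Agent' => $server['HTTP_USER_AGENT'] ?? '-',
        'URI'   => $server['REQUEST_URI'] ?? '-',
        'REF'   => $server['HTTP_REFERER'] ?? '-',
    ];
    $parts = [];
    foreach ($fields as $name => $value) {
        $parts[] = $name . ': ' . clean_field((string) $value);
    }
    $file = $dir . '/' . date('Y-m-d') . '.log';
    file_put_contents($file, implode(' | ', $parts) . "\n", FILE_APPEND | LOCK_EX);
    return $file;
}

// Viewer: read the file as data (never include() it) and escape it, so markup
// or PHP tags sent in a header are displayed as text instead of interpreted.
function render_log(string $file): string
{
    $flags = ENT_QUOTES | ENT_SUBSTITUTE;
    $text = htmlspecialchars(file_get_contents($file), $flags, 'UTF-8');
    return '<textarea cols="120" rows="40" wrap="off">' . $text . '</textarea>';
}

// Constructed sample request with markup in the client-controlled fields.
$sample = [
    'REMOTE_ADDR'     => '127.0.0.1',
    'HTTP_USER_AGENT' => '</textarea><?php echo 1; ?>',
    'REQUEST_URI'     => "/kjl\r\nIP: 10.0.0.1",
    'HTTP_REFERER'    => '',
];
$dir = sys_get_temp_dir(); // stand-in for a directory outside the web root
echo render_log(write_log($dir, $sample)), "\n";
```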

Comments
ghost 17 years ago

I messed up. $location = "./logs/"; // location the logs should be created. should be $location = "logs/" unless not in root dir, then it's = "../logs/"; same as include("./logs/September, 18, 2006.php");

SySTeM 17 years ago

hehe, nice article, one thing though, if someone knows they're being logged, they can set their referer/user agent as a string of html/php depending on how it's saved, if the logs are saved as .php, people could exploit your site with php injection (maybe), or just input some evil html, so yea, you might wanna not keep it in a php/html file and just stick to .txt ;)

ghost 17 years ago

hehe, do i remember you doin this to one of the real chall's system?

ghost 17 years ago

@chislam, I don't believe so. @system_meltdown, ya, but if it was .txt, anyone could view it. But, since you have the logs being viewed in a <textarea>, html is not executed. Unless they type in </textarea>. So to stop this, $agent = htmlentities($agent); $uri = htmlentities($uri); $ref = htmlentities($ref); So now, even if they do know that they're viewed in a textarea, they still can't do anything.

ghost 17 years ago

good article, but i personally like them stored in a text file..

ghost 17 years ago

I agree with god, a text file is much more simple, you just need to add an htaccess to secure the file and it's done. Also if you still want to do it with a PHP file you can also use my trick to protect the file …

http://www.hellboundhackers.org/readarticle.php?article_id=487