Securing Data with PHP
Let's say you have some files on your site that you don't want users to see. This could be a header or, in this case, logs. So first, let's make the log script.
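<?php
$today = date("F j, Y, g:i a"); // The time down to the minute.
$date = date("F, j, Y"); // Each day a new log file will be created.
// Request details for the log line; everything except the IP is sent by the client.
$agent = $_SERVER['HTTP_USER_AGENT'] ?? '';
$uri = $_SERVER['REQUEST_URI'] ?? '';
$ref = $_SERVER['HTTP_REFERER'] ?? '';
$lookatlogs = 0;
$code = "<?php if($" ."lookatlogs != 1){ die(''); } ?>"; // Guard written in front of every log entry.
$location = "./logs/"; // Location the logs should be created.
if (!is_dir($location)) { mkdir($location); } // Creates the logs folder on first use.
$fp = fopen($location .$date .".php", "a"); // Opens the day's file for appending, creating it if needed.
$line = $code ."IP: {$_SERVER['REMOTE_ADDR']} | Time: $today | Agent: $agent | URI: $uri | REF: $ref <br>" . "\n"; // This is what gets added to the file.
$size = strlen($line);
fputs($fp, $line, $size); // Adds $line to the file.
fclose($fp); // Closes it.
?>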
And now the code to view the logs:
<?php
$lookatlogs = 1;
?>
<textarea cols="120" rows="40" wrap="off">
<?php
include("./logs/September, 18, 2006.php");
?>
</textarea>
The first script creates a folder called logs in the root directory, then creates one file in logs each day. So, since today is 9/18/2006, it will create a log named September, 18, 2006.php. And in the log you will have this code:
<?php if($lookatlogs != 1){ die(''); } ?>127.0.0.1|September 18, 2006, 12:05 am | Agent: Opera/9.01 (Windows NT 5.1; U; en) | URI: /kjl | REF: <br>
If someone views the log file directly in the browser, $lookatlogs will equal 0, and 0 != 1, so the script will die. But in the code to view the logs, $lookatlogs = 1, so it will not die. Enjoy.
–Adlez
ghost 18 years ago
I messed up. $location = "./logs/"; // location the logs should be created. should be $location = "logs/" unless not in root dir, then it's = "../logs/"; same as include("./logs/September, 18, 2006.php");
SySTeM 18 years ago
hehe, nice article, one thing though, if someone knows they're being logged, they can set their referer/user agent as a string of html/php depending on how it's saved, if the logs are saved as .php, people could exploit your site with php injection (maybe), or just input some evil html, so yea, you might wanna not keep it in a php/html file and just stick to .txt ;)
ghost 18 years ago
@chislam, I don't believe so. @system_meltdown, ya, but if it was .txt, anyone could view it. But, since you have the logs being viewed in a <textarea>, html is not executed. Unless they type in </textarea>. So to stop this, $agent = htmlentities($agent); $uri = htmlentities($uri); $ref = htmlentities($ref); So now, even if they do know that they're viewed in a textarea, they still can't do anything.
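The escaping suggested in the comment above, as an added example that is not part of the original article or thread: every client-controlled field is stripped of control characters and HTML-encoded before it is written, so a crafted User-Agent or Referer is stored as inert text whether the log is a .php or a .txt file. The helper names clean_field() and build_log_line() and the sample request are assumptions made for this example; the article's guard prefix would still be prepended separately.

```php
<?php
// Added example: encode client-controlled fields before they reach the log file.
// clean_field() and build_log_line() are hypothetical helper names.

function clean_field(string $value, int $maxLen = 512): string
{
    // Drop control characters (including CR/LF) so one request stays one log line.
    $value = preg_replace('/[\x00-\x1F\x7F]/', '', $value) ?? '';
    // Cap the length so an oversized header cannot bloat the log.
    $value = substr($value, 0, $maxLen);
    // Encode <, >, &, " and ' so PHP open tags and a closing textarea tag
    // are stored as text. ENT_SUBSTITUTE keeps invalid UTF-8 from blanking the field.
    return htmlentities($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function build_log_line(array $server, string $when): string
{
    $ip    = clean_field($server['REMOTE_ADDR'] ?? '');
    $agent = clean_field($server['HTTP_USER_AGENT'] ?? '');
    $uri   = clean_field($server['REQUEST_URI'] ?? '');
    $ref   = clean_field($server['HTTP_REFERER'] ?? '');
    return "IP: $ip | Time: $when | Agent: $agent | URI: $uri | REF: $ref <br>\n";
}

// Constructed sample request with hostile header values (not real traffic).
$sample = [
    'REMOTE_ADDR'     => '203.0.113.7',
    'HTTP_USER_AGENT' => "</textarea><?php echo 'injected'; ?>",
    'REQUEST_URI'     => '/kjl',
    'HTTP_REFERER'    => "http://example.test/\r\nIP: 127.0.0.1 | forged entry",
];

$line = build_log_line($sample, 'September 18, 2006, 12:05 am');
echo $line;

// Checks on the stored line: no PHP open tag, no raw closing textarea tag,
// and exactly one newline (the terminator), so the forged entry stays inline.
var_dump(strpos($line, '<?php') === false);
var_dump(strpos($line, '</textarea>') === false);
var_dump(substr_count($line, "\n") === 1);
```

In production the first argument would be $_SERVER; the encoding happens once, at write time, so the viewer page can include the file without further escaping.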
ghost 18 years ago
I agree with god text file is much more simple, you just need to add a htaccess to secure the file and it's done. Also if you still want to do it with a PHP file you can also use my trick to protect the file …
http://www.hellboundhackers.org/readarticle.php?article_id=487