Welcome to HBH! If you have tried to register and didn't get a verification email, please using the following link to resend the verification email.

jpg eof


ghost's Avatar
0 0

Ok This sorta has to do with php because I want to use pictures with comments as the source code for files. To keep people guessing :-]

So I want to remove the bulk of the jpg I have and then put in some php. The problem I have is when I remove all of the jpg is says it's not valid. Understandable It probably has some sort of buffer data. I then remove the bulk of the bottom and it tells me there is a premature EOF.

I'm using "edjpgcom" to insert comments but i'll probably try to do it manually.

EDIT: I actually just made a 1x1 pixel jpg with lowest qaulity and no color. Gimp automatically edits a comment in. The total image looks like this in notepad:

ÿØÿà JFIF  H H  ÿá Exif  MM *         ÿþ Created with The GIMPÿÛ C ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÛ CÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÀ   " ÿÄ                 ÿÄ                 ÿÄ                 ÿÄ                 ÿÚ  ?   ÿÙ

So i'm happy. But a lot of that is going to show up with ugly image. How would I make it so that does not appear?


ghost's Avatar
0 0

I just said fuck it and named a file "#akjsdfkasjdhk#" That's way more secure and less of a hassle than a jpg.

What is your guy's take on obscuring file names to help keep things somewhat hidden.

btw i used the file in an include.


ghost's Avatar
0 0

When I want to hide files PHP files such as those that connect to a database (and have the connection details in them), then what I do is I set PHP's include_path to something like: include_path = ".:/usr/local/php5/pear:/var/www/private" I then put the connect.php file in /var/www/private, chmod it to 400. It can be included usingmarkupinclude 'connect.php'; but without the file existing at the expected location.

To the honest the reason for doing this isn't to hide the file but for something else; When a host of a friend of mine upgraded from PHP4 to PHP5 some of the sites fucked up, my friends included. It fucked up massively in the sense that .php files were being treated as text/plain. This meant people could read his source code, of course they quickly found his database details and connected and deleted his database. He has a number of flaws. 1) He shouldn't have allowed mysql connections from any IP other than 127.0.0.1, 2) That user shouldn't have been allowed to DROP tables, of course more finely grained permissions would be better too, and would be specific to the web application and 3) Using my method of "hiding" connect.php would have made it impossible to read the file.

What you are doing is not a brilliant idea, no offence. If the .jpg file is in a public directory, then people can simply download it through their browser and the server will send it to them as image/jpeg, so they'll see the PHP source. Of course you can force the file to be treated as application/php-x (or whatever it is you set files to so Apache hands them over to the PHP module). Alternatively if the file is located in a directory not web accessible then of course people cannot download it. Still… if that it the case then I feel that your method is no more secure than what I have previously outlined. People know that PHP files don't have to end in .php and if they see "include '../db.jpg';" They won't scratch their chin and get stuck, they will look at the .jpg file, assuming they are able to.

If you're on a shared hosting server and you're worried about other users browsing your files then at least prefix your filename with a dot. On a *nix machine this makes the file hidden and it won't show up to a simple ls unless the user specifically asks ls to list hidden files too. I always alias ls to ls -lah, but I know others who don't.


ghost's Avatar
0 0

I just tested in trying to download the file directly. When I go to it the index.php there redirects to my homepage. So I disabled javascript and tried again. This time I could download the file however all that shows up is: markup<html><head></head><body></body></html>


ghost's Avatar
0 0

Can you link me to the image?


ghost's Avatar
0 0

edjpgcom i use that tool to include code in jpg images if that can help.


ghost's Avatar
0 0

Yeah I said that.

I am having trouble creating a filter for user input. I want to filter out everything except numbers and letters. Most things leave all the @%#$#% crap in and I just don't want that.

whitacid check your pm's


ghost's Avatar
0 0

At least now you know to stick with .php files, no odd tricks tha make yourself insecure

As a filter try:markup$valid = preg_match("/^([\w\d]+)$/", $string); if ($valid === 0) { //$string contains non alphanumeric characters }


ghost's Avatar
0 0

Thanks. Yeah you could have pwned my site so fast had I made too much on that site. And thanks for the help with the filter.