Showing posts with label Security.

Securing Logo/Image

Sometimes you may want to protect a logo (image) in your user interface from being replaced, for example by someone who can write to the images directory but not to the PHP source. One option is to embed the image in the PHP code itself as base64 text, so there is no separate image file on disk to swap out. To do that we can use the img2php class, which can be downloaded from phpclasses.org, or you can download it here (12.7 KB including samples).

Keep in mind that this is encoding, not encryption: the browser still receives a plain JPEG that anyone can save, and anyone who can edit the generated PHP class can replace the image just as easily as a file. It narrows who can tamper with the image; by itself it does not detect tampering.

The steps after extracting the package are:
1. write this script (generate.php):
<?php
require_once("img2php.class.php");
$t = new img2php;
$t->generate("images/"); //place image(s) in a subfolder
?>

2. run the script; the result should be similar to this (PHP 4 style code as generated, with the constructor, the static call and the MIME type corrected for current PHP):
<?php
        
/**
 * gonximage class : Generated based on directory (images/)
 * 
 * @package 
 * @author Ben Yacoub Hatem <hatem@php.net>
 * @copyright Copyright (c) 2004
 * @version $Id$ - 2009-03-11 11:03:42 - gonximage.class.php
 * @access public
 **/
class gonximage{
    /**
     * Constructor (generated as `function gonximage()`, the PHP 4 form;
     * renamed to __construct, which PHP 7+ requires)
     * @access public
     */
    function __construct(){
        
    }
    
    /**
     * Return image based on its name
     * @access public
     * @return void 
     **/
    function getimage($img){
        switch($img){

            case "orchid_jpg": 
                // generated as gonximage::orchid_jpg(), a static call of an
                // instance method that PHP 8 rejects
                $this->orchid_jpg();
            break;

        } // switch
    }
    function orchid_jpg() 
    {
        // generated as image/jpg, which is not a registered MIME type
        header("Content-type: image/jpeg");
        header("Content-length: 3980");
        echo base64_decode(
'/9j/4AAQSkZJRgABAgAAAQABAAD/4QDmRXhpZgAASUkqAAgAAAAFABIBAwAB'.
'AAAAAQAAADEBAgAcAAAASgAAADIBAgAUAAAAZgAAABMCAwABAAAAAQAAAGmH'.
'BAABAAAAegAAAAAAAABBQ0QgU3lzdGVtcyBEaWdpdGFsIEltYWdpbmcAMjAw'.
'OTowMToxMiAyMjoyOTo0MwAFAACQBwAEAAAAMDIyMJCSAgAEAAAANDE4AAKg'.
'BAABAAAAjAAAAAOgBAABAAAAtAAAAAWgBAABAAAAvAAAAAAAAAACAAEAAgAE'.
'AAAAUjk4AAIABwAEAAAAMDEwMAAAAAAAAAAA/8AAEQgAtACMAwEhAAIRAQMR'.
'Af/bAIQAEw0OEQ4MExEPERUUExcdMB8dGhodOyotIzBGPkpJRT5EQ05XcF9O'.
'UmpUQ0RhhGJqc3d9fn1LXYmTiHmScHt9eAEfISEsJixWLy9Wtnlneba2tra2'.
'tra2tra2tra2tra2tra2tra2tra2tra2tra2tra2tra2tra2tra2tra2tra2'.
'/8QAfQAAAwEBAQEAAAAAAAAAAAAAAgMEAQUABhAAAgEDAwMDAwIFAgcAAAAA'.
'AQIRAAMhBBIxIkFRE2FxBTKBUpEUI0KhwWLwJDNTgrHR4QEBAQEBAAAAAAAA'.
'AAAAAAAAAQACAxEBAQACAwEBAQAAAAAAAAAAAAERMQIhQRJRcf/aAAwDAQAC'.
'EQMRAD8A+Z27Z2z+9TvMnP70EEZFVWDkoNxLHAUSTUlbaXWEqnpNJHcgUGo0'.
'OotWTddITuQQRTgkJdYFU25HvVmlABJ2kmDAB5NZUW20Ny2Oob2wYMwa5mss'.
'ulxpuM6ziaoQh2stNsEMVwVNWAJeVXuXkJVRgdh4ihNt27aEujQQJWDg0u2w'.
'fUJniSe3aoM0OxpDuVYnEGKsuWNiH0wNwMjMH8UKJtLq7670tKqiYI3ZFeur'.
'eYgq63BESQeacJAVYJIPSfepW5rQpulsNqdVasoQC7RJ4FfV2PpVnSs3pKN7'.
'AdTGSBSjGt2wwV0LgZHsfak/WbUaUskKsdS+ak+fNolCVE7cz3irNKVu4mIg'.
'xMTWaYdeuPatuqgm48FXUQB+KUbY9A22YzPJ7+9FuJlJy1knYoYieO1MNq1A'.
'YWyrg8HI/NEytml2AXaUBmGBH96l1LGcRkT0056QdJYfUXgiR5JPAFX6nTW8'.
'FLm+B0v7+KyEmmO7VFNuWQhiTn3pyuqCEJRey+K0XLvXNywuFpKqWaBWg6n0'.
'i36d/wBTp3CIJ4Hmvpdz4KERzNSA0m4HCqGmJnkUvX77mkuLG6RxExUnMura'.
'tkJaZciWgf5pFpQLoYHacRmAaK1HRvulth6ZyIYHb/nxU8+mEuXllbslSe+a'.
'57o9eVbLFzaSSMkqYoAVKjcu2RwDMVvJKZV3STDeIg1Ldy5Az4qorrfT7Oy0'.
'bTpbAYHcwMk0q8hRQyMNhP2gd4q8V05+tyi3F8waG1qwEAeZHeidwSo2iKAG'.
'DIradn6FcIvOpkg8ECYrsKdkxPwJmhMe8ysBbUufkRVGnu3Cx3IsjHPIqKP6'.
'npdMGHpMttoACREz3moLe2yYvITCmARVaQXr29QxG0QABMxTnu+tobKm4OnK'.
'qF7d5Nc+O8sFDU2reAN3v2NaNSbpJNsKAfMzWpKZl4FDhTj8mljb/EAttCqZ'.
'JPGKqVVvU6f1J3S5IgjAodX/AC1CNG4HI71K6TFBctlSCfzFRtZhiJGKeOhx'.
'Tv7dqCtJ2PoaEXnYKSIg+1drcA0HGJyc1It1AclVcmMHsPmt07/zCCruR3PA'.
'+B3rOSn+tEpqxbcFbYSVAPPz+a5dtepg0zg/imoF5uxqzSacHR3n2boXie3e'.
'scYzCLqWXO+0nphvtWeKTuviZuEDiK3toxGa4yBoI/amhU/iMHoJgg0JWtqy'.
'ok7Qf3qPWX/X1BYRAEfNFop+lQOpJMHt8VzPqF3dq2KYBA4p4rxMxzWKYYE9'.
'jWk7305iPUuIpYv1Ae3k0+5buuAVRF7FgZrNzUXd09y0ktcESAINGNBf+62Z'.
'HYzFY+BhPqWe422+SzoNoLGStSKGW5/MMk8GqXymUFwTdFdT6OzkXVFtrig5'.
'AHtWuIc/UPt1VxYKwxEeKAvJ+4kfFarR2nEFjBgftQjqvkiBPk0Iy8w08xBd'.
'lgY4qe2hcwO3JovbNX/xFuzaLFVWcoQ0wRj/AHNcW4xe4zQMntWo1S25rBk0'.
'h9B9Ihm6iV6IxiuqLW1Zlo92oKLWujWQqtPVOTTRc9EP6VwNuEQW4o9Dl3lI'.
'1F5nbG6cGZpfqKTBBHfNYszcs0piDcBBrpfRruy/cQ94IrXFI/qqEa664jqa'.
'QO/FTKxJgqa6VpSpe3psdzJrdHYVldrwMROe9ZiTNl/0jsvgVdp1A05KMp8g'.
'DNChGuVTb3qI8gcVzjSaWfetTDg+DSH0H0tgAbjQoHJ8Vbe1xIK20keTms2i'.
'1NdW4be9yIHArz2bSaI3t0tH21n+pzr7XbV3YUjpBiPIxSy7RJCmMExFanHp'.
'YLw0sDwacjPb1QdGCyMGKJ1RgLXN2pbfxxzNZt9RkXJPBIroR6tiibRxxSl1'.
'IW0UAMtzNZJa3QrZUEVRb1luACjKeN4af7UEWq1G+ztLA8RAioDE0xANFaE3'.
'UB/UKQ7emtEyqHAJPtV9tb+2FKKvMBZrM7E/S2F4q2+P2z8VNecjStaYKMg5'.
'5+Kaah11/wBfWM4IEACV4wKmDbt3UT3x5pgaoi3mcnnzV2l2OFkCRjNHLrtE'.
'am2F1lxSCscT2xWWztuE4kGcUp6+5uhS0AA8ipGA34qmi9E1m2BNBbkjNYak'.
'X2p2nQ7w/YVXTLq6dbjrCPtnPzTES8uU3YPaud41Na+4lb0knyYNK1Ny16AC'.
'ElyZJimXypBfSTuXhhM+KWAQRwBGZNdJpNLCJDETwO1O0N4C7sYAg5E9jVy0'.
'of8AUri3dcLkGCgk+SKQud0c1Z6RdyBg/FKMHirwiVl4YfmsOfighmO1ZUnr'.
'NsXLqqTA5J9qM3N14EYWYA8Cpl39LY9TT2yHAAzx2qxQUlVUkN24qKUvZ3Ot'.
'44HZhx+a5Ope0brGwCE4A80XtAtxcQ22kdxipn6SQce1PH8DRBAJbNN0ybtQ'.
'g88mm6SjV2ybf+pDB+KTbuemoSARR4SiSxMKBmvKATEgfNaTdkSIojaKqDz5'.
'IzQSmFATUmWjDkExuBE0KSD8Gpl9Noyz6W0VU9IIBBP70yLhBDdQ7E0FzdUh'.
'N4sDt7R71MzG3G2J81bQBq7g5g96cqW9Zb+8I9Zx83ISXbfpXyjCCDHHNUaJ'.
'guqXd2BwDW7pKtXcF+87ICo2iQT3qEIQ59qJ2WSAZOc0BHkT7VqqGephQqx+'.
'qc1623pPI4J/FBLvOCzQQc8ilVAlua1DBikPotDetDRormTk9Jz+1He1FoAi'.
'30tGIb/FZaRXifVAYjil2yhvKHAOcDzVAicje3bNarFXlJArV7C9Wt6yyLbD'.
'beUdDE5PsalsqVvLHIMGeaz5hKbsjUOo/RUxuFfzzVIggT8mmFYWc+8itUwe'.
'0QCYIPcGsujYkE89jWSiwK380gp+aEUh2rGm3KjqWDBRB4imsbuFN1GAzgzH'.
'zWWisv8A0sfn/fFT7AbkEwQCRBmkJWHV5rwwczmkDt7/AFAbYZiOwrqGxb1B'.
'W+7i3eWAV/Vjmi9IDSly41uC3ABM4qK+mxp3AqcA+9UQJjpJmjFzGwzAyM1U'.
'wPqm3clIg8ituvv6gecDFBI2zQwRxSAPzXrab3C+TSHfBkqtxnuKFEAHFZfZ'.
'iem2oAwBOKzGk7bWMOjk/wCk/wCKXjcxW3G1Seo5NIThAbJYkyrBSPkf/KNr'.
'PUI7fdJpCsXLaAqjBCB+mmWthsNctyGRgGg9vNZ2ShcQXCSJ3H7iOa81i3ca'.
'UaFjgfbjmqIu2AwIUCP/ADSL2nuqGZQWRRJI7VraTTOa0H9qE2SOa0MPNST0'.
'3TwLykmADSHURmu37aWxCwMd6s9E7txhT2JzWY0y3tJYsWbEiO5qHWsnVsVh'.
'7mlEaUFkdCCVOcdiKbZS7dJZV6eQGyW+KgW79cSUPecU/wCnvsveqIIVgDnt'.
'QhXLatddYARbuY8TS9BdNy69tgCCWdR481JruC+1FiMye/5plqzfaTkeAMVL'.
'CHXFRqXVbartMSBE1PNKbM4mtGB5qRNNsD+YJqDp/T3Fq4xAUuRgt2qh3OVa'.
'5zkxxQ0TduKSFAiBG5TNBfQHSBgQSzHHepEIVs2JYgk/aoPHuaYmrLNb3ZH2'.
'8R+aqG6tWcExIB2yRXtPstWkRxDOTM578VJt0+k52loDTExuP/qjt2VtTfAg'.
'mCrXG796kFrwt3i1na4bCqRge5NFeYukBjtcHaFPJ8VFzXZjh2YxjJpZFIYO'.
'aMTGDSC6ZZ/5q0J09KP5hNpASO0zNUm0bn3LsJ5E1NFtYffChf8AtM0rUJsg'.
'HDHDeSKEjS2r3Nu6BPfis6PVChscA0hWxLaJFcxcuHcR5AxS/wCFdihJMgcj'.
't+akbf8ATtohzdcKeeDUt03NQwLsW+aojtOCpFpoKET8fmp72o/pX7fBHej1'.
'J3uNcMsSaCtBoEmjmMVINahgg+KE62hUQXYOe3TzVTqSubYVAeWMn80NF2yi'.
'7mBPEAxUl4yJA9ppSRpEzWW7fqXEtjG4gUsryy3dQWW2zW0wpmAAMCtO9rpV'.
'rgZQJAHjtiskGoG1kMgAiBU7MQohBnkgRUjbd1ltm2m0TnjJHcTXPeWYk0xU'.
'NaKQPAFYBNSYK0UF2/p4Dactv9Pb5ODThcRV22wXnlu1BR6vcz9TLPtU119q'.
'qQeo0ikdqdpRta5e/wCkhI+TgUh4qqKqtdF3wiExVN656FlNwXeE7D+1BSX7'.
'j7/SJxgmexivWrxtXGK5BEc4qQLbuL28RMznihu2SssIAOY8VAmK8BUm96YA'.
'IpIOK0ChOvZtyioZJCzAHFUekFX7o+eaIU1zYDltznuDgVFeGcCY5pgpXYCi'.
'FxhZNqRsZtxxk+KQ2yAjBzkLmnrF9LW5TL3SOcAYmgkXnS4zsBBZifx2pPya'.
'k2TtPtS97EQWJFIZXu1CaOaaaiXRJlh81J1NGGF9yC2QRg5NPF1P6gXnHMCg'.
'prlxVB2ruY9+AtSXAWPME5OaQHvt4oWEZPekPAYnFX2Rt06uYiyrEgfqbAFC'.
'c6OkV7kQKk8eDQqmc1J51igqQ0HWKZUSxWrUlqsRicHBqstssEqqz8UETWw9'.
'gseR4qJ7am0W7gUolz1/igbO4eKgJAN0e1Ux/wALYXtcutu94gCkJHADECh7'.
'VJ5hFBuM80J5uaGpDT7hRVF//9k='.
'');
    }


}
?> 

3. copy the result above and save it (for instance as encode.class.php)
4. write a script to show the image (show.php):
<?php
require_once "encode.class.php";
$img = new gonximage();
$imgfile = "orchid_jpg";
$img->getimage($imgfile);
?>
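What the embedded image does buy you is a single place to check its integrity. The following is an added example, not the img2php class or its generated output: it embeds an image the same way (base64 in PHP source), sniffs the real MIME type from the bytes instead of trusting a file extension, pins a SHA-256 of the original, and refuses to serve a payload that no longer matches. The 1x1 GIF is constructed test input, and the pinned digest is kept in a variable only for the demo; in a deployment it belongs in configuration outside the web root, since anyone who can edit the class could also edit a digest stored next to it.

```php
<?php
declare(strict_types=1);

// Added example (not img2php): base64-embed an image, pin its SHA-256, and
// verify the digest before serving so a tampered payload is refused.

/**
 * Build step: describe an image as the fragments a generated class would carry,
 * plus the digest to pin somewhere an editor of the class cannot silently change.
 */
function embedImage(string $name, string $bytes): array
{
    $info = @getimagesizefromstring($bytes);      // sniff the real type from the bytes
    if ($info === false) {
        throw new InvalidArgumentException("$name is not a recognised image");
    }
    return [
        'name'   => $name,
        'mime'   => $info['mime'],                // e.g. image/jpeg ("image/jpg" is not a registered type)
        'base64' => base64_encode($bytes),
        'sha256' => hash('sha256', $bytes),
    ];
}

/** Headers only matter under a web SAPI; the CLI demo below just skips them. */
function emitHeader(string $header): void
{
    if (PHP_SAPI !== 'cli') {
        header($header);
    }
}

/**
 * Serve step: decode strictly, compare against the pinned digest in constant time,
 * and only then send headers and bytes. Returns false (and sends nothing) on mismatch.
 */
function serveEmbeddedImage(array $img, string $expectedSha256): bool
{
    $bytes = base64_decode($img['base64'], true);  // strict: reject non-base64 characters
    if ($bytes === false || !hash_equals($expectedSha256, hash('sha256', $bytes))) {
        if (PHP_SAPI !== 'cli') {
            http_response_code(500);
        }
        return false;
    }
    emitHeader('Content-Type: ' . $img['mime']);
    emitHeader('Content-Length: ' . strlen($bytes));
    emitHeader('X-Content-Type-Options: nosniff'); // keep browsers from re-sniffing the body
    echo $bytes;
    return true;
}

// Constructed input: a 1x1 transparent GIF, so the example runs offline.
$gif = base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7', true);

$embedded = embedImage('pixel_gif', $gif);
$pinned   = $embedded['sha256'];                   // demo only: in practice read from config

// Untouched payload: served as-is.
ob_start();
$served = serveEmbeddedImage($embedded, $pinned);
$body   = ob_get_clean();
if (!$served || $body !== $gif) {
    throw new RuntimeException('genuine image was not served');
}

// Payload with one byte changed (as someone editing the class might do): refused.
$tampered = $embedded;
$tampered['base64'] = base64_encode(substr($gif, 0, 10) . 'X' . substr($gif, 11));
if (serveEmbeddedImage($tampered, $pinned) !== false) {
    throw new RuntimeException('tampered image was served');
}

echo "served {$embedded['mime']}, pinned sha256:{$pinned}\n";
```

Run it with php from the command line; it throws if either check fails. The Content-Length is computed from the decoded bytes rather than hard-coded, so it cannot drift from the payload the way a fixed number in a generated file can.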


Obfuscating php codes

Sometimes we may want to obfuscate our PHP scripts so that they are no longer easily human-readable. We can use the phptrasher class, freely downloadable from phpclasses.org, or you can download it here (3 KB including example files).

Be clear about what this does and does not do. It strips comments and line breaks and renames classes, functions and variables to hashed names. String literals, built-in function calls and control flow stay exactly as they were, so any password, API key or SQL in the script is as readable as before, and a reader can restore meaningful names with a little patience. Obfuscation is not a substitute for keeping secrets out of the code or for access control on the server, and it makes your own debugging and code review harder.

Below is an example of how to use it (before and after obfuscation):

test.php (the script to be obfuscated)
<?php
$x = 5;
$y = 10;
$z = $x * $y;
echo ("X * Y = $z");
 ?>

sample.php (the script that obfuscates test.php)
<?php 
// include the phptrasher class
require_once('phptrasher.class.php');
// create a new object 
$phptrasher = new phptrasher();
// initialize the class
$phptrasher->initialize();
// setup the class
$phptrasher->removecomments = true;
$phptrasher->removelinebreaks = true;
$phptrasher->obfuscateclass = true;
$phptrasher->obfuscatefunction = true;
$phptrasher->obfuscatevariable = true;
// get the obfuscated code
$obfuscated = $phptrasher->trash('test.php');
// print the formatted code in a beautiful way
highlight_string($obfuscated);
?>

run sample.php to get the obfuscated code of test.php

test1.php (after obfuscation)
<?php $_ccc819a68916c3ef4fd822abb9366846 = 5; $_9870ddd74d75773009cf509800565c6f = 10; $_b7739f51732251c6470ac18757649a94 = $_ccc819a68916c3ef4fd822abb9366846 * $_9870ddd74d75773009cf509800565c6f; echo ("X * Y = $_b7739f51732251c6470ac18757649a94"); ?>
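To see what renaming actually does to a script, here is an added example that is not the phptrasher class: a minimal obfuscator written on top of PHP's own tokenizer (token_get_all). It renames every variable to a hashed name, consistently across the file, while leaving string literals, function names and control flow untouched, and then runs both versions to show they behave identically. The input is the post's test.php with a constructed "API key" literal added to make the limitation visible; the salt value is an assumed one.

```php
<?php
declare(strict_types=1);

// Added example (not phptrasher): rename variables to hashed names using the
// PHP tokenizer, then show that literals and behaviour are unchanged.

// Names PHP resolves itself; renaming them would break the script.
const KEEP_VARIABLES = [
    '$this', '$GLOBALS', '$_SERVER', '$_GET', '$_POST', '$_FILES',
    '$_COOKIE', '$_SESSION', '$_REQUEST', '$_ENV',
];

/** Return $source with every user variable renamed to $_<md5(salt . name)>. */
function obfuscateVariables(string $source, string $salt): string
{
    $out = '';
    $map = [];                                          // original name => hashed name
    foreach (token_get_all($source) as $token) {
        if (is_array($token) && $token[0] === T_VARIABLE
            && !in_array($token[1], KEEP_VARIABLES, true)) {
            // same original name => same hashed name, so references still line up
            $map[$token[1]] ??= '$_' . md5($salt . $token[1]);
            $out .= $map[$token[1]];
        } else {
            $out .= is_array($token) ? $token[1] : $token;   // everything else passes through
        }
    }
    return $out;
}

/** Execute a PHP source string (including its opening tag) and return what it printed. */
function runPhp(string $source): string
{
    ob_start();
    eval('?>' . $source);
    return ob_get_clean();
}

// Constructed input: the post's test.php plus a literal standing in for a secret.
$original = <<<'PHP'
<?php
$x = 5;
$y = 10;
$apiKey = "sk_live_example";   // a secret the obfuscator will not hide
$z = $x * $y;
echo "X * Y = $z";
PHP;

$obfuscated = obfuscateVariables($original, 'per-build-salt');   // assumed salt

// Both versions print the same thing.
if (runPhp($original) !== 'X * Y = 50' || runPhp($obfuscated) !== 'X * Y = 50') {
    throw new RuntimeException('obfuscation changed behaviour');
}
// The original variable names are gone...
if (preg_match('/\$(x|y|z|apiKey)\b/', $obfuscated) !== 0) {
    throw new RuntimeException('a variable was not renamed');
}
// ...but the string literal, and therefore the secret, is still there verbatim.
if (strpos($obfuscated, 'sk_live_example') === false) {
    throw new RuntimeException('literal unexpectedly altered');
}

echo $obfuscated, "\n";
```

Variables interpolated inside double-quoted strings ("X * Y = $z") are renamed too, because the tokenizer emits them as separate T_VARIABLE tokens; the surrounding text of the string is what stays readable.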


PHPSS

We may want to add a security layer to our web site by having users log in. When we want to quickly develop an authentication system like that, we can use the phpSS (phpSecureSite) class made by Erik Grinaker.


phpSecureSite is an authentication and session-handling system for PHP. It is primarily intended for use in closed web-applications, where a user is required to enter a username and password to enter the site. It is made to be fully integrated with the web-application, which means that you will have to code a frontend (such as login screens etc) for it yourself.

Authentication is done with the widely used username and password scheme, where a user first identifies himself (the username) and then provides a secret known only to the user (the password) to prove that he is who he claims to be.

To understand what a session handling system is, we need to take a look at how the web server sees the world. The HTTP protocol, the language that your computer and the web server use to communicate, is a so-called stateless protocol. What this means is that when the web server gets a request for a page it simply returns that page, no questions asked. It does not know, nor does it care, which user a request comes from. A session handling system determines which user makes a request, so that the page returned to the client can be dynamically built for that user.

The most basic use of phpSecureSite is obviously to protect access to an application or a set of web pages, but you can also do a lot more with it. It comes with a set of modules which provide functionality such as session variables (which let you store a piece of data for a session and retrieve that data in any page), access control lists (for setting which users/groups should be allowed access to a specific page) and much more.

The only downside with phpSecureSite is that it stores all its data in a database. This means that each and every request results in at least one database lookup, which is not good for performance. But to do everything phpSecureSite does there is really no other way. If you just need a lightweight session-handling system, you may be better off with some other package.
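As an added example (not phpSecureSite's code), the following models the three pieces the description above refers to: username/password authentication, a session that ties otherwise stateless HTTP requests to a user, and a per-page access control list. The user table, ACL and session table are in-memory arrays standing in for the database lookup the text says every request performs; the user names, passwords, groups and page paths are constructed, and the session identifier is random rather than derived from anything the client supplies.

```php
<?php
declare(strict_types=1);

// Added example (not phpSecureSite): password login, random session ids that
// turn stateless requests into "user X asked for page Y", and a page ACL.
// Storage is in-memory, standing in for the per-request database lookup.

final class SecureSite
{
    /** @var array<string, array{user: string, expires: int}> session id => session */
    private array $sessions = [];

    /**
     * @param array<string, array{hash: string, groups: string[]}> $users
     * @param array<string, string[]> $acl  page => groups allowed to see it
     */
    public function __construct(
        private array $users,
        private array $acl,
        private int $ttl = 900,
    ) {}

    /** Identify (username) and prove it (password); returns a session id or null. */
    public function login(string $username, string $password): ?string
    {
        $hash = $this->users[$username]['hash'] ?? null;
        if ($hash === null || !password_verify($password, $hash)) {
            return null;                         // same answer for unknown user and wrong password
        }
        $sid = bin2hex(random_bytes(32));       // 256 random bits: not guessable, not user-derived
        $this->sessions[$sid] = ['user' => $username, 'expires' => time() + $this->ttl];
        return $sid;
    }

    public function logout(?string $sid): void
    {
        if ($sid !== null) {
            unset($this->sessions[$sid]);
        }
    }

    /** The per-request lookup: which user, if any, does this session cookie belong to? */
    public function userFor(?string $sid): ?string
    {
        if ($sid === null || !isset($this->sessions[$sid])) {
            return null;
        }
        if ($this->sessions[$sid]['expires'] < time()) {
            unset($this->sessions[$sid]);        // expired sessions are dropped, not renewed
            return null;
        }
        return $this->sessions[$sid]['user'];
    }

    /** Page-level ACL: pages not listed are closed; listed pages need a matching group. */
    public function canAccess(?string $sid, string $page): bool
    {
        $user = $this->userFor($sid);
        if ($user === null) {
            return false;
        }
        $allowed = $this->acl[$page] ?? [];
        return array_intersect($this->users[$user]['groups'], $allowed) !== [];
    }
}

// Constructed data: two users, two groups, two protected pages.
$users = [
    'alice' => ['hash' => password_hash('correct horse', PASSWORD_DEFAULT), 'groups' => ['staff', 'admin']],
    'bob'   => ['hash' => password_hash('battery staple', PASSWORD_DEFAULT), 'groups' => ['staff']],
];
$acl  = ['/reports.php' => ['staff'], '/admin.php' => ['admin']];
$site = new SecureSite($users, $acl);

$check = static function (bool $ok, string $what): void {
    if (!$ok) {
        throw new RuntimeException($what);
    }
};

// A request with no session cookie is just "someone": nothing protected is served.
$check(!$site->canAccess(null, '/reports.php'), 'anonymous request got a protected page');
// Wrong password: no session is created.
$check($site->login('bob', 'wrong') === null, 'bad password accepted');
// Bob logs in; from here on the cookie value is what links requests to him.
$bob = $site->login('bob', 'battery staple');
$check($site->canAccess($bob, '/reports.php'), 'staff page denied to staff');
$check(!$site->canAccess($bob, '/admin.php'), 'admin page served to non-admin');
$check(!$site->canAccess($bob, '/unlisted.php'), 'page missing from ACL was open');
// Alice is in both groups.
$alice = $site->login('alice', 'correct horse');
$check($site->canAccess($alice, '/admin.php'), 'admin page denied to admin');
// Logout invalidates the id server-side; presenting it again identifies nobody.
$site->logout($bob);
$check($site->userFor($bob) === null, 'logged-out session still valid');

echo "all checks passed\n";
```

In a real deployment the session id returned by login() is set as a cookie with the Secure, HttpOnly and SameSite attributes, a fresh id is issued on every login so a pre-set cookie cannot be fixated, and the password hashes come from password_hash at registration time, never from storing the password itself.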