Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.
Moderator: General Moderators
leonardobii
Forum Newbie
Posts: 17 Joined: Fri Sep 02, 2005 8:47 pm
Post
by leonardobii » Fri Sep 02, 2005 8:54 pm
I am very new to this and have been desperately trying to find a way to obfuscate links (what would appear in the address bar). The following works for static pages, but not when working with databases. Would there be a creative way to modify this, or am I approaching it incorrectly?
Code:
class linkObfuscator
{
    var $seed = 0;
    var $referralSeed = 0;

    function linkObfuscator($referralSeed = false)
    {
        // new seed, to obfuscate new pages
        srand();
        $this->seed = rand();
        // old seed, to check access: take the one passed in when it is numeric,
        // otherwise fall back to the one stored in the session
        if ($referralSeed !== false && is_numeric($referralSeed)) {
            $this->referralSeed = $referralSeed;
        } else if (isset($_SESSION['referralSeed']) && is_numeric($_SESSION['referralSeed'])) {
            $this->referralSeed = $_SESSION['referralSeed'];
        }
        // remember the new seed so links built now can be checked on the next request
        $_SESSION['referralSeed'] = $this->seed;
    }

    function _obfuscate($aLink, $aSeed)
    {
        // strpos() takes (haystack, needle): append with '&' when the link already has a query string
        $sep = (strpos($aLink, '?') === false) ? '?' : '&';
        return $aLink . $sep . 'go=' . md5($aSeed . $aLink);
    }

    function obfuscate($aLink)
    {
        return $this->_obfuscate($aLink, $this->seed);
    }

    function check($anObfuscatedLink)
    {
        // strip the go= token, then rebuild it with the previous request's seed and compare
        $theLink = preg_replace('/(&|\?)go=\w+/', '', $anObfuscatedLink);
        return $this->_obfuscate($theLink, $this->referralSeed) === $anObfuscatedLink;
    }
}
feyd | Please use [code] tags where appropriate when posting code. Read: Posting Code in the Forums (http://forums.devnetwork.net/viewtopic.php?t=21171)
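As an added example (not code from this thread), the same "go=" signed-link scheme as linkObfuscator above, but with a fixed server-side secret and an HMAC in place of rand() plus md5(seed . link), so a visitor cannot forge or alter the codsubgrupo value. SIGNING_KEY, $pdo and $row are assumed names; the block assumes PHP 5.6 or later for hash_equals().

```php
<?php
// Added example, not the poster's code. SIGNING_KEY is an assumed constant:
// load it from configuration, never from the request or the session.
const SIGNING_KEY = 'replace-with-a-long-random-secret'; // placeholder value

function signLink($link)
{
    // strpos(haystack, needle): with the arguments reversed, every link gets a
    // second '?' and the target page receives "1?go=..." as the parameter value.
    $sep = (strpos($link, '?') === false) ? '?' : '&';
    return $link . $sep . 'go=' . hash_hmac('sha256', $link, SIGNING_KEY);
}

function checkLink($signedLink)
{
    // Split off a trailing go= token instead of regex-deleting it mid-string;
    // anything that is not "<link>[?&]go=<64 hex chars>" is rejected outright.
    if (!preg_match('/^(.*)[?&]go=([0-9a-f]{64})$/', $signedLink, $m)) {
        return false;
    }
    $expected = hash_hmac('sha256', $m[1], SIGNING_KEY);
    // Constant-time comparison; == on hex digests would also treat "0e..." strings as equal.
    return hash_equals($expected, $m[2]);
}

// Usage with constructed values. Links are built with an absolute path so that
// $_SERVER['REQUEST_URI'] on the target page is exactly the string that was signed.
// Unlike the session-seed version, a signed link stays valid until the key changes.
$row  = array('codsubgrupoclasificados' => '7'); // constructed sample row
$link = signLink('/clasif.php?codsubgrupo=' . urlencode($row['codsubgrupoclasificados']));
echo '<a href="' . htmlspecialchars($link) . '">link</a>';

// On clasif.php: verify before touching the database, then bind the value instead
// of interpolating it into the SQL (quoting '%s' only hides the syntax error).
if (!checkLink($_SERVER['REQUEST_URI'])) {
    http_response_code(403);
    exit;
}
$stmt = $pdo->prepare('SELECT * FROM tipoclasificado WHERE codsubgrupo = ?');
$stmt->execute(array($_GET['codsubgrupo']));
```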
feyd
Neighborhood Spidermoddy
Posts: 31559 Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA
Post
by feyd » Fri Sep 02, 2005 8:58 pm
I don't see why this would have an issue working with something from a database...
leonardobii
Forum Newbie
Posts: 17 Joined: Fri Sep 02, 2005 8:47 pm
Post
by leonardobii » Fri Sep 02, 2005 9:01 pm
It seems that the obfuscated link returns obfuscated back to the database and is unrecognizable, causing errors.
feyd
Neighborhood Spidermoddy
Posts: 31559 Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA
Post
by feyd » Fri Sep 02, 2005 9:05 pm
how are you using it? Did you remember to quote the output, because it's returning a string?
leonardobii
Forum Newbie
Posts: 17 Joined: Fri Sep 02, 2005 8:47 pm
Post
by leonardobii » Fri Sep 02, 2005 9:10 pm
Hmm, I don't think so. Could you give me a proper example?
leonardobii
Forum Newbie
Posts: 17 Joined: Fri Sep 02, 2005 8:47 pm
Post
by leonardobii » Fri Sep 02, 2005 9:11 pm
this is where we are applying the script:
<?php echo $obf->obfuscate("clasif.php","?codsubgrupo=".$row_jr_subgrupo['codsubgrupoclasificados']); ?>
feyd
Neighborhood Spidermoddy
Posts: 31559 Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA
Post
by feyd » Fri Sep 02, 2005 9:13 pm
obfuscate() expects one argument, you're passing two. The second argument (your query component) will not be output.
leonardobii
Forum Newbie
Posts: 17 Joined: Fri Sep 02, 2005 8:47 pm
Post
by leonardobii » Fri Sep 02, 2005 9:24 pm
I am still having trouble, could you please give me an example or the way you would fix it?
feyd
Neighborhood Spidermoddy
Posts: 31559 Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA
Post
by feyd » Fri Sep 02, 2005 9:27 pm
Code:
echo $obf->obfuscate('clasif.php?codsubgrupo=' . $row_jr_subgrupo['codsubgrupoclasificados']);
The only real change was removing the comma separation.
leonardobii
Forum Newbie
Posts: 17 Joined: Fri Sep 02, 2005 8:47 pm
Post
by leonardobii » Fri Sep 02, 2005 9:32 pm
I am still receiving the same error:
You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near '?go=eaabccf037dfe25f1c635857d1635357' at line 1
feyd
Neighborhood Spidermoddy
Posts: 31559 Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA
Post
by feyd » Fri Sep 02, 2005 9:36 pm
post the code you are using for the query stuffs
leonardobii
Forum Newbie
Posts: 17 Joined: Fri Sep 02, 2005 8:47 pm
Post
by leonardobii » Fri Sep 02, 2005 9:37 pm
<a href="<?php echo $obf->obfuscate("clasif.php?codsubgrupo=".$row_jr_subgrupo['codsubgrupoclasificados']); ?>" target="framecontenido"><?php echo $row_jr_subgrupo['descripcionSG']; ?> </a>
feyd
Neighborhood Spidermoddy
Posts: 31559 Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA
Post
by feyd » Fri Sep 02, 2005 9:40 pm
that wouldn't generate an SQL error. What's the code that interacts with MySQL?
leonardobii
Forum Newbie
Posts: 17 Joined: Fri Sep 02, 2005 8:47 pm
Post
by leonardobii » Fri Sep 02, 2005 9:43 pm
if (isset($_GET['codsubgrupo'])) {
    // the value arrives in the query string, so read it from the same array the isset() test uses
    $codsubgrupo_jr_item = (get_magic_quotes_gpc()) ? $_GET['codsubgrupo'] : addslashes($_GET['codsubgrupo']);
}
mysql_select_db($database_adm, $adm);
$query_jr_item = sprintf("SELECT * FROM tipoclasificado WHERE tipoclasificado.codsubgrupo=%s", $codsubgrupo_jr_item);
$jr_item = mysql_query($query_jr_item, $adm) or die(mysql_error());
$row_jr_item = mysql_fe
feyd
Neighborhood Spidermoddy
Posts: 31559 Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA
Post
by feyd » Fri Sep 02, 2005 10:03 pm
SELECT * FROM tipoclasificado WHERE tipoclasificado.codsubgrupo=%s
to
SELECT * FROM tipoclasificado WHERE tipoclasificado.codsubgrupo='%s'
and please.. start using the [code] tags like I asked. (Read the first link in my signature to learn how and what they do)