Hacking the Source
I found a reference for compiling PHP 5.2 on Windows, but where can I find a tutorial for hacking the source? I need to make some custom modifications to source for a Windows IIS installation.
I did try Google with "PHP hacking the source", "hacking PHP source", "customising php source", etc. and all I get are instructions on compiling, but no source editing. Should I assume I need C tutorials?
Thanks
- Chris Corbyn
- Breakbeat Nuttzer
- Posts: 13098
- Joined: Wed Mar 24, 2004 7:57 am
- Location: Melbourne, Australia
- RobertGonzalez
- Site Administrator
- Posts: 14293
- Joined: Tue Sep 09, 2003 6:04 pm
- Location: Fremont, CA, USA
Thanks for the replies guys...
I want to create a custom method for the PHP interpreter to first decrypt a PHP script using a private key that is stored in the binary itself, and *then* execute the script.
The "big idea"...
1. A console application that runs on a Windows workstation that encrypts the contents of PHP files; not just the PHP script but the entire file's contents. (Not saved as a binary, but the entire text contents encrypted and re-saved as encrypted text). This I have already accomplished.
2. Edit the PHP source and add a method for decrypting the PHP file before executing its contents. Still a "todo".
I could go about this in several different ways, but this seems to be the easiest to cope with post development, so actual development will be the real challenge.
The point in this all: To access my company's enterprise database from a public web server without the credentials stored in plain text. The added bonus in pursuing the posted goals is that an encrypted PHP file will be completely useless without the custom PHP interpreter, and if somehow the server was hacked and a non-native PHP file was uploaded to the server for execution (seen this happen with a PHP based socket server at another company) the process would fail.
I got the idea from a SourceForge "PHP encoder" project, although I couldn't tell you the exact project name as it was quite a while ago that I ran across it.
- RobertGonzalez
- Site Administrator
- Posts: 14293
- Joined: Tue Sep 09, 2003 6:04 pm
- Location: Fremont, CA, USA
So that the PHP is not in plain text in the event that the server is compromised from outside.
The web server is really of no concern to be honest -- I mean, we can have a new server up and running in less than 15min from backup.
What is critical is the connection information to my company's enterprise database -- it cannot be stored in plain text on the server. This was dictated by our senior analyst and I am just following the rules.
BUT...what I am suggesting could be over the top. I am looking at ZendGuard now.
EDIT: I need to clarify some things I think... When I said "public server" I meant "can be accessed from the internet", but this server is in-house, as well as the DB.
- RobertGonzalez
- Site Administrator
- Posts: 14293
- Joined: Tue Sep 09, 2003 6:04 pm
- Location: Fremont, CA, USA
Can you set your database server to allow connections only from within your network? Also, the account that connects to your enterprise database server should have a very restrictive set of permissions on it so in the event the source is ever compromised, the only thing they will be able to do is execute a few stored procedures from a script executed within the network.
Thanks for the tips.
The DB is locked down pretty tight, but I have suggested a dedicated DB with a dedicated user restricted to that DB with very limited permissions -- read (SELECT) only actually. The DB will be populated by another internal server so this is all I really need.
I just submitted a proposal for the use of Zend products. I can say that my company, unlike most companies I have ever worked for, will get you what you need even if it costs $$$. But coming from a mixed MS/open source background I try to find inexpensive alternatives, but for enterprise situations it's best to use enterprise solutions like the ones that Zend offers. I mean heck, why not? They are "the" PHP company.
If they get me what I want then I will have no excuse for getting things done!
I'll let you guys know how it went, and thanks for all the replies.
EDIT: Now to go pick up the new drum kit on lunch!
- RobertGonzalez
- Site Administrator
- Posts: 14293
- Joined: Tue Sep 09, 2003 6:04 pm
- Location: Fremont, CA, USA
Cool. Just so you know, our online account management tool that we have at work (for our customers and admins) is set up in the way that I described in my earlier post. We hit two different database servers (one is dedicated, one is on a shared web server - both are different database server applications) using a user whose only permission is execute privileges on the stored procedures we give it permission to. We don't allow direct access to the tables or anything else. We allow it access to the procedures we make for the app. This helps make the application a lot more secure inherently. That is not to say that you should not seek out ways to give your clients what they want, but it is something to look at as an additional layer of security.
Agreed -- stored procedures are good and most likely what we will end up using when it's all said and done. For dev I always keep everything in the code on an internal server locked down to my workstation's IP, and right before I move to production I create stored procedures based on the SQL in my code.
In this scenario though the senior analyst will be the one writing the procedures per spec.
Question: Do your stored procedures use variable input? Just curious if they were totally static or accept input, and how you go about sanitizing the input before preparing a statement if indeed it allows variables. (New thread?)
- RobertGonzalez
- Site Administrator
- Posts: 14293
- Joined: Tue Sep 09, 2003 6:04 pm
- Location: Fremont, CA, USA
Yes, stored procs take input and provide output params. What database server are you using? And why would you code all your database interaction directly in the code then convert them to procedures before going into production? That totally mixes your development to production coding and makes management a little more difficult. Why not start at the beginning and reduce conversion times later?
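The pattern the thread converges on (a restricted account that can only execute a few stored procedures, with the procedures taking input and output parameters) and the question of how to "sanitize" that input, shown as an added example. This is not code from anyone in the thread. It assumes MySQL/MariaDB through PDO, a hypothetical procedure `get_customer_balance(IN p_customer_id INT, OUT p_balance DECIMAL(12,2))`, and a hypothetical restricted account `webapp_ro` that holds nothing but EXECUTE on that procedure; the credentials come from environment variables, which is a placeholder for whatever secret storage is decided on.

```php
<?php
// Added example, not from the thread. Assumes MySQL/MariaDB, a hypothetical
// procedure get_customer_balance(IN p_customer_id INT, OUT p_balance DECIMAL(12,2))
// and a hypothetical account webapp_ro granted only EXECUTE on it, e.g. (run
// once by the DBA, not by the application):
//   GRANT EXECUTE ON PROCEDURE appdb.get_customer_balance TO 'webapp_ro'@'192.0.2.%';
// With no table privileges, a compromised script can do no more than call
// the procedures it was given.

declare(strict_types=1);

/** Open a connection as the restricted application account. */
function connect(): PDO
{
    $dsn = sprintf(
        'mysql:host=%s;dbname=%s;charset=utf8mb4',
        getenv('DB_HOST') ?: '127.0.0.1',   // assumed environment variables
        getenv('DB_NAME') ?: 'appdb'
    );
    return new PDO($dsn, getenv('DB_USER') ?: 'webapp_ro', getenv('DB_PASS') ?: '', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        // Server-side prepares: the bound value is sent separately from the
        // SQL text and is never spliced into the statement, so no escaping
        // or "sanitizing" of the value is needed to prevent injection.
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
}

/**
 * Call the procedure with a bound input parameter and read back the OUT
 * parameter. Validation here is about the value's meaning (a positive
 * integer id), not about making it safe for SQL; binding does that.
 */
function customerBalance(PDO $pdo, $customerId): float
{
    $id = filter_var($customerId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('customer id must be a positive integer');
    }

    // PDO's MySQL driver cannot bind OUT parameters of a procedure directly;
    // the usual workaround is a session variable that is read back afterwards.
    $stmt = $pdo->prepare('CALL get_customer_balance(:id, @balance)');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $stmt->closeCursor(); // release the CALL result set before the next query

    $balance = $pdo->query('SELECT @balance')->fetchColumn();
    if ($balance === null) {
        throw new RuntimeException('no such customer');
    }
    return (float) $balance;
}

// Usage (request values arrive as strings; binding still treats them as data):
// $pdo = connect();
// echo customerBalance($pdo, $_GET['id'] ?? '');
```

The two halves reinforce each other: the GRANT limits what the account can do at all, and the bound parameter means the only thing the caller controls is the value of an integer argument, never the shape of the statement. Development and production can then share the same procedure calls from the start, which also addresses the last point raised above about converting inline SQL to procedures late in the cycle.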