yeah, I tried that initially. but other parts of the site require that hash.timvw wrote:Now here is what i would have done:
Might even consider to completely delete those lines.Code: Select all
/* if(strtolower(md5($_SERVER['SERVER_ADDR']))!='d8c068d81fd577ee1ed71222f87c4953') { echo "You are not AUTHORIZED to view this page."; //Header("Location:index.php"); exit; } */
Sessioncheck
Moderator: General Moderators
Directory Problem
OK since you guys were such a huge help with that problem maybe you could help me out with this next one. the way the company built the site my index page is inside a user directory, along with pretty much all the files that go with it and a lot of other stuff. the only way to access the index page from a user standpoint is to type in the exact url of the directory for example http://www.xxx.com/user/ I have tried to move the index page out of the user directory and do a find/replace to make sure the files find everything correctly. I even changed the base file to look for the index in the site directory. All I get are error messages when trying to access the page. I ended up having to create a spash page (which I hate having by the way) then send a link to the correct directory. This is not what we want to do. I have added an image of the directories for anyone who needs a visual like I usually do. 

- raghavan20
- DevNet Resident
- Posts: 1451
- Joined: Sat Jun 11, 2005 6:57 am
- Location: London, UK
- Contact:
the index file is in the user directory and the error message is something like error error at http://......../base.php on line 35.
line here is my code for the base.php
But I'm not getting the error message now because the index fiel is in the user directory. But we want people to be able to just type in our .com name and be able to go to the site without a splah page, and without the need to type in the user directory name.
line here is my code for the base.php
Code: Select all
<?php
ob_start();
session_start();
foreach( $HTTP_GET_VARS as $key => $value )
{
if(strstr($key,"sess") == $key)
{
$key = substr($key,4);
session_register($key);
$HTTP_SESSION_VARS[$key] = $value;
}
}
if(isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'])
{
$fp = fopen("../site_images/product_images/debugbas.txt","wt");
$path = $_SERVER['REQUEST_URI'];
$path = strstr(substr($path,1),"/");
if($_SERVER['REQUEST_URI'] == $_SERVER['PHP_SELF'])
$path = $path . "?param=1";
while (list ($key, $val) = each ($HTTP_SESSION_VARS))
{
$path .= "&sess" . $key . "=" . urlencode($val);
}
fwrite($fp,"Location: http://xxxxx.com" . $path);
fclose($fp);
header("Location: http://xxxxx.com" . $path);
exit();
}
//Modified @ 10th October
//Modified by Abdul Samad
//Get All Site Settings
include_once('../sources/html.php');
$html = new Html();
include_once('../sources/gpc_filter.php');
$gpc = new GPCFilter();
?>
<BASE id='mainbase' href='http://xxxx.com/user/'>
<SCRIPT>
function GetBase()
{
var bas;
bas = document.getElementById('mainbase');
return (bas.href);
}
</SCRIPT>- raghavan20
- DevNet Resident
- Posts: 1451
- Joined: Sat Jun 11, 2005 6:57 am
- Location: London, UK
- Contact:
The best solution for redirects is to configure Apache (or which ever web server) to issue a 301(Moved permanently) to the new location - SEO don't like meta/header redirects and thus will damage your SEO rating.
Code: Select all
redirect 301 http://www.yoursite.com/ http://www.yoursite.com/userRe: Sessioncheck
Sorry to hear that. Just for fun, I reversed that MD5:joshm wrote:We had a website built for us, and got screwed so I am left to figure things out on my own.
82.165.130.142
What they're trying to do is make sure this code only works when it is running on a server with that IP. I agree with timvw - just remove it:
Code: Select all
<?php
session_start();
if (!isset($_SESSION['sesadmin']))
{
include './index.php';
exit;
}
?>As for your second question, can you clarify whether the http://www.xxx.com domain is hosting more than one web site? If it isn't, you can do one of the following:
1. Move everything up one directory.
2. Make your document root the user directory.
We can help with details about how to take either of these approaches. I would prefer this over any redirecting, because your URLs won't have that unnecessary user directory in them. Jenk's right about the SEO stuff, but hopefully this is a new site, so your URL structure isn't known. It's rarely a good idea to break links, but we can also help with ways to get around that, too. :-)
Hope that helps.
I brute forced it.Jenk wrote:Reversed or brute-forced the MD5?
I was trying to refrain from using any lingo, and I was misleading instead. My apologies. :-)
If you're at all curious, I wrote this little script last night, and my answer was waiting for me this morning:
Code: Select all
<?php
$counter = 0;
for ($one = 1; $one < 255; $one++)
{
for ($two = 1; $two < 255; $two++)
{
for ($three = 1; $three < 255; $three++)
{
for ($four = 1; $four < 255; $four++)
{
$counter++;
if ($counter % 100000 == 0)
{
echo "$counter IPs tried.\n";
}
if (md5("$one.$two.$three.$four") == 'd8c068d81fd577ee1ed71222f87c4953')
{
echo "Original is $one.$two.$three.$four.\n";
exit;
}
}
}
}
}
?>Code: Select all
1337600000 IPs tried.
1337700000 IPs tried.
1337800000 IPs tried.
1337900000 IPs tried.
Original is 82.165.130.142.- raghavan20
- DevNet Resident
- Posts: 1451
- Joined: Sat Jun 11, 2005 6:57 am
- Location: London, UK
- Contact:
Very true, but that wouldn't have helped in this case. Since we have the code that's doing the comparison, it doesn't matter what the code does. We just need to reproduce it.AGISB wrote:Its funny that it doesnt matter what hash you use if the originating data is known or at least can be pinpointed.
Thats why you normaly include a secret passphrase to such hashes
It's true that there is very little value in what was done. I think it's just a weak attempt to write code for a client that the client cannot run without making some slight modifications. The MD5 hash is slightly less obvious than an IP address.raghavan20 wrote:I do not think there is really a necessity to md5 the ip address. You just want to make sure that the requests are from the valid server, it does not really make any difference if you hash it or not.
This is a tactic frequently debated among PHP developers, and I've heard both sides of the story plenty of times. Often, PHP developers get screwed by clients when they don't have solid contracts in place. Imagine completing a project for a client (with whom you felt you had a strong relationship) in an environment where the client has access to your code. Now, imagine that the client takes the code when you're done, uses it, but never pays you for your work. This is, sadly, a very common situation.
There are both legal and technical protections against such an event. Everyone agrees that the legal protections are most important, but some opt to also use some technical protections (because that's an area where they feel more comfortable, they never want to resort to suing someone for payment, etc.).
At the risk of getting too off-topic, I'll stop here. :-) If anyone wants to discuss and/or debate this further, please point me to the appropriate place, because I'm interested (and have some experience, since I run a PHP consultancy).
That is exactly the reason why i didn't answer the OP question right on. As soon as others suggested to modify the md5 checksum there was no point in remaining silent.shiflett wrote: Often, PHP developers get screwed by clients when they don't have solid contracts in place. Imagine completing a project for a client (with whom you felt you had a strong relationship) in an environment where the client has access to your code. Now, imagine that the client takes the code when you're done, uses it, but never pays you for your work. This is, sadly, a very common situation.
I believe odds are quite hight that such an employer would simply take the existing code to a new coder and try to play the same trick on him. That's why i advise to be extra careful when they show up with already existing code. How did they acquire it? What happened with the original developper? ...shiflett wrote: There are both legal and technical protections against such an event. Everyone agrees that the legal protections are most important, but some opt to also use some technical protections (because that's an area where they feel more comfortable, they never want to resort to suing someone for payment, etc.).
I've got the feeling this has a better place in the business forum, but one of the mods will beam us as soon as they think the sameshiflett wrote: At the risk of getting too off-topic, I'll stop here.If anyone wants to discuss and/or debate this further, please point me to the appropriate place, because I'm interested (and have some experience, since I run a PHP consultancy).
all of the above
In response to just about everyone's conversation about why PHP developers do that: In our case I can tell you exactly why they did that. We have a small project and a huge project. The small project which was recently completed cost us around $6,000, and the larger project was quoted us at aroun $130,000. We told the company that we were looking for a company that could handle the larger project, and that if they did a good job on the smaller one they would get the larger one. Needless to say they were pretty much depending on the larger project, and they just assumed that we would be hosting our site with them. When we told them we were not hosting with them about 5/8ths through the project they were mad. They had never asked us who we were planning on hosting with they just assumed. After our last payment was made they started to drag their feet (this is after they gave us a time guarantee). Time went on and on. Finally we just said give us what you have now, and we will see you in court. So, basically that's where we are now. And it's been a pain in my butt. I'm good with computers, I'm a Computer animation Major, but I'm no coder. I can deal with html, but past that I get lost. But again thanks to everyone for all the help. I think we might just have to hire someone to deal with the directory issue. Thanks again.
You could have at least cut the time in half that it took by not using double quotes ( your script is about the only code I've ever seen where it would really make that big of a difference, heh)shiflett wrote:I didn't time it, so I have no idea how long it took. Here are the last five lines of output:
I was also going to say an even faster way would be to PM the OP, and get the domain of his original site and ping it, but it probably didn't even have a domain anyways.