I'm trying to figure out a way to program a function that will de-obfuscate a plain text url.
Something like this:
<input type="hidden" value="kjgajkwe##jktGAkjgWjkajskd" name="obsfucatedString" />
Then in the processing of that form I want to De-Obsfucate it:
$url = deObfuscate($_POST['obsfucatedString']);
so $url would become something like:
$url = 'http://domain.com/filename.zip';
Is something like that even possible?
I'm trying to hide the url from plain programmer sight.
I guess I would need to write something that would obsfucate the string as well
so
$obsfucatedStringURL = obsfucate('http://domain.com/filename.zip');
Encrypt the URL with a password stored on the server (a good algorithm to use is AES), then decrypt it when you need to obtain the value. A problem with this is that the encrypted string will not be composed of printable characters. To get around this, use base64_encode() to convert the binary encoded string to printable characters that can be added as a value in the <input> field, then use base64_decode() to get back the original value on the server.
There are many ways of encoding and reversing a plain text string. An simple way to obfuscate your string is by using the str_rot13 function once to encode and once again to decode (note: this will not give you any cryptographic security). I'd suggest encrypting using AES using a secret stored on the server to encrypt and decrypt. The following thread's answer defines functions for encrypting/decrypting that you can use.
PHP AES encrypt / decrypt
Another approach that might be worth considering vs. obfuscation is to store the URL server side as part of the user's session or persisted in a database. Then instead of sending an obfuscated string down, use a key that performs a lookup to retrieve the URL.
Related
I have an api logging system which records logins but I do not want to store passwords in the logs.
This is an example of a request string to the log:
NOTE: the string will not be exactly the same and will contain parameters in different order, so I am thinking maybe someREGEX can handle this?
api.my.geatapim/live/?action=login_user&username=joe#bloggs.com&password=PassWord&session_length=10080
What I need to do, is:
Detect if the parameter "password=" is in the string
If its in the string replace the password part with OBFUSCATED so result will be:
api.my.geatapim/live/?action=login_user&username=joe#bloggs.com&password=OBFUSCATED&session_length=10080
I have tried this but does not work: $request_string = preg_replace("/password=\d+/", "password=OBFUSCATED", $request_string);
The Expression
\d+ is for digits ([0-9]). You'll want to include more character sets for the password, considering the one you provided is using [A-Za-z].
$request_string = preg_replace("/password=\w+/", "password=OBFUSCATED", $request_string);
Though, considering a typical password will have a bigger character set than [a-zA-Z0-9_], taking into account special characters (but since it's in a URL, it'll possibly be urlencoded()'d. For example, P&ssW0rd! will become P%26ssW0rd!.)
$request_string = preg_replace("/password=[^&]+/", "password=OBFUSCATED", $request_string);
"I do not want to store passwords in the logs."
This logic won't modify what is put into your Apache/Nginx/Whatever access_log (unless you write these logs to /dev/null or another void place). You can also not write the passwords in the logs if you change it from a HTTP GET to a HTTP POST (or HTTP PUT) and have the credentials in the body, or, use HTTP Authentication headers.
Although your question is quite easy to solve, it has nothing to do with your actual problem. you simply should never transfer password data via $_GET - it's one of the big no no-s of handling credentials. — Franz Gleichmann
Try this code, it works
<?php
$request_string = "api.my.geatapim/live/?action=login_user&username=joe#bloggs.com&password=PassWord&session_length=10080";
echo $request_string = preg_replace("/password=\w+/", "password=OBFUSCATED", $request_string);
?>
Output : api.my.geatapim/live/?action=login_user&username=joe#bloggs.com&password=OBFUSCATED&session_length=10080
I am working on a simple SOAP request from a server in PHP, using the standard SOAP library calls. I do not have the required username and password for authorization; however, I do have the base64-encoded authorization string (from a database) that encoding the username and password would provide. I don't seem to be able to find an example that uses the already-encoded authorization string. Is there a) a technique I can use that allows and transmits the pre-encoded string, and/or b) a function that allows me to parse out the username and password from the encoded string so I can pass those as params?
TIA for any help you can offer!
I figured out the answer:
The base-64 encoded string is simply the login and password encoded. I just decoded the string using base64_decode and split the string on the semicolon (:) symbol. Here's what the code looks like -
$loginAry = split(":", base64_decode(my_encoded_string_here));
$login = $loginAry[0];
$pwd = $loginAry[1];
and used the decoded values to log into the application. Simple as that.
Here is my question, i am trying to hide address value in URL
URL is something like this
example.com/linkdl/preview/index.php?address='http://mysiteexample.com'
I am trying to hide, ?address='http://mysiteexample.com' part, but i am not sure, what is best way
i have an idea to use base64_encode($adresa), but i am not sure will i have problems with (encoding/decoding special) characters in URL
$click = 'OtvoriProzor("'.$file_path.'&pk='.$sesija->pk.'&adresa='.base64_encode($adresa).
'&IDIstorijaElement='.$element->GetId().'", "Prevod", 700, 500);';
This is very insecure, can add some function for encryption, to encrypt and decrypt parametar, or will md5 help me here. Also should i use function url_decode url_decode instead?
Since md5 is a hash algorithm, you won't be able to get back what you encoded.
You can use base64 and urlencode to avoid problems with some characters:
<?php
$url = urlencode(base64_encode($adresa));
?>
And you will decode it with:
<?php
$addr = base64_decode(urldecode($_GET['adresa']));
?>
I have a URL dynamically displayed with a PHP script. This URL comes to be the name of a CSS class. I need to use this class name into a jQuery script after an Ajax call response (All the HTML into this specific class has to be hidden).
The URL contains / and . and : — To make it easier in my jQuery script, I would like to convert the URL into an Integer with a PHP function (like hash("md5",)) ... and in my JavaScript, convert the URL again into an integer that will be obviously the same.
I read that How to calculate md5 hash of a file using javascript
but it doesn't look like the best solution. Does anyone have a more intelligent solution?
Regards
You are probably looking for encoding and not hashing, as you want to read the URL back. I'd try using base64 - on the server side: http://php.net/manual/en/function.base64-decode.php and http://php.net/manual/en/function.base64-encode.php
And on client (JavaScript) side: http://www.webtoolkit.info/javascript-base64.html, How can you encode a string to Base64 in JavaScript?
For example, I would like to:
require('encrypted.php')
"encrypted.php" contains php code that was encrypted with base64, and I have the key to decrypt it. Is there a way to first decrypt the file and then just load the decrypted code into PHP?
The first way that jumps to mind is:
eval("?".">".base64_decode(file_get_contents("encrypted.php"))."<"."?php");
However that's probably not a good idea (evil eval).
Why have you encrypted a PHP file anyway? Nobody can see the source code unless you mess around with things.
You would need to load the file's contents with file_get_contents() or similar, then call base64_decode() on it and eval() it as PHP. Only do this if you are certain of the contents of the file and you trust its source.
// Only do this is the file is trusted!!!
$phpcode = base64_decode(file_get_contents("trusted_encoded_file.php"));
eval($phpcode);
Note: See #Kolink's implementation if the encoded file contains <?php ?> open/close tags.
you don't need any key to decode base64 data , use base64_decode().
It is not professional solution, but take look at this : http://www.zend.com/en/products/guard/