I want to encode my codes with ionCube. But I do not know exactly how to prevent users from cracking it without encoding.
So I need some tips.
My project is a MVC.
Everything starts in index.php and it calls core.php and running goes.
How should I include files. How can I ensure that when a file is called it is the original one?
I know there is some PHP functions that print out function names, etc. I need to prevent this.
Users include index.php file from another file and try to get variables like using var_dump($_GLOBALS);
You can use the get_included_files function to see if there are other files included. But the best way is of course to trust your customers and regulate what they can and cannot do with your code through contracts.
Related
I would like to write a script to edit a css file or maybe even a slideshow for instance where a form will update the variables in my php document. I've been doing some reading and some say editing a php file directly is bad news due to security issues and to use xml.
I am not connecting to databases or anything like that. So my question is is this correct to write script to directly write/update a php file to changes its variables?
Thank you.
if you can correctly sanitize your input then it is a usable aproach. The worst that can happen is code injection. So do check for variable length and content very strictly. It is like eval(); only worse, as everyone else will run it to. If there are only variables to change you might consider using an .ini file for configuration. And Use the data in that from your PHP script
In general you should not run PHP scripts as a user with permissions to write to its own executable code; it means any file write vulnerability immediately escalates to a code execution vulnerability.
Writing dynamic data into a PHP file is risky. You would need to know how to serialise/escape any value to a PHP literal exactly; any error could result in code execution. Watertight code generation is in general a tricky thing.
There is almost certainly a better way to approach whatever it is you are doing. Putting data in a static store such as a config file or database, and reading the data at run-time, would seem to be the place to start.
I'm currently developing a Web platform app in HTML and PHP stuff. I have to develop a registration/login system, and I'm asking myself a question.
I wrote a login form, and I would like to know if is it better to store it in a php function (with a simple echo("all my login form")) or to store it in a .html file. Obviously, the call or the concerned include() will be written in a if($_session()) statement.
I'm just asking about the correct and logical architecture aspect I should follow.
Because you're designing something serious i recommend you to use include instead of functions. Why?
the html is separated from php stuff
cleaner, highlighted html files in web editors
you avoid once and for all those double quotes/escapes and such
you give designers a way to change your file at will; a designer will not touch PHPs.
easier to update files; think templates
an include() can still go onto a function if you insist :)
IMHO, and regardless of language, an include should never have side effects other than importing variables and functions into the current scope.
Hence if you do use an include, it should contain a function that when called produces output. The mere act of calling include should not generate any output.
Include would "include" new code every time it is called. The normal way is to define a function in a php file and require it, before you use it anywhere with require_once, so you would only load the functiondefinition once and could use it everywhere.
You should put in a .html file, it's always better to separate your applications logic and presentation code.
Also, consider using a template engine.
It is better to include in most cases but it depends on how big the file is that u have called
well calling functions again and again each time you wont even like .
well in one of cases u can call a function if its short and not called on other pages
but if u want to implement a logic everywhere like check login ,logout then include is the way to go .
It is better to use include() for your registration system by which you can get a function just by calling it and you don't have to create it at any other pages .just include it and all work is done.this method reduce the redundancy problem and make you code short & simple.
I use include() but tend to name the files blah.template.php instead of .html.
Then, within the template, I can use simple looping, variable substitution, and simple if-else statements.
If the project is larger, I use a minimal templating class that wraps the call to include(). This class, among other things, wraps the call with ob_start() and ob_get_clean() (I think those are the calls) and allows getting the template's output as a string.
Also, for repetitive bits of HTML code, I think it's legit to use "picture functions" that return the HTML code. Picture functions allow you to parameterize the code and add some logic.
I am making a custom CMS in PHP and I want to know what the best way would be to create a config file for it. I want it where I can change the variables from within the admin panel I am going to add. I have not messed with the filesystem functions before or any other file functions so I am not sure what would be the best approach.
Thanks!
An .ini file can be structured quite well and you'll be able to update just sections of. Compared to a straight PHP configuration it can be edited with an easier syntax.
To parse the .ini file into a PHP array, use the function parse_ini_file()
If you want a human-readable config file format then look into parse_ini_file(). You'll need to be able to write to the file too, see: create ini file, write values in PHP.
There's a PEAR Package Config_Lite that seems like it should work too.
If readability doesn't matter then save it to a database.
If you want the variables to be changeable via an admin web interface, store those variables in the database like any other CRUD data.
The best idea I think is to use MySQL to store the data.
However, if you cannot do that for some reasons, then I would suggest to make it an XML file and then you can get variables from SimpleXML, and such, you can view all and put their values to a form. Then, the destination PHP could easily make a string like "<val1>".$_POST["value1"]."</val1><val2>".$_POST["value2"]."</val2>". Finally, it would save the file through simple file system functions, which you can learn with googling "php file write".
Or another idea is the parse_ini_file() which is already mentioned.
If you don't understand something, ask. Or Google!
i have been given a php application as an internship project to clean up. The developer before has declared stuff like dbhost,dbuser so many times. On each script page. I was wondering what sort of design php developers use to get around this. i.e making a property file ? etc..
Generally most applications have a common include file, usually named something like "bootstrap", that defines global options and values and sets up some initialisation code. Then each page that is requested includes this file first.
In your case you'd put your database configuration in this bootstrap (perhaps traditionally in /includes/bootstrap.php), then for each page where it is required require "./includes/bootstrap.php";.
As an example, phpBB includes its 'kernel bootstrapper' on each page.
In order to avoid errors you should use require_once:
require_once "./includes/bootstrap.php";
This way even if multiple scripts try to include that specific file it is only included once.
Do not make a property file, or, if you insist, be certain that it cannot be downloaded through HTTP. The advantage of a PHP file is that, even if hackers guess the file name, it won't reveal much.
Put all DB credentials into a separate .PHP file, e.g. db_settings.php and then insert everywhere
<?
...
include "db_settings.php";
... ?>
You may even insert database connection code into the same file.
Hey all. i was wondering what is the best practice to include a footer
in all of my pages. i mean i have about 1000 of them. should i use the
php "include" function: include 'static_footer.html' or is it a bad practice ?
If you have 1000 .php file pages, you may want to look into using an Model-View-Controller solution (like storing the page information in a database and using Code Igniter or something similar to display the information), or a Content Management System of some description.
But, as far as I know, your best bet would be to use the include() function.
include 'footer.php';
There is always the option of using the auto_append_file directive in php.ini to automatically include a file rather than modifying every single page
I believe it is perfectly fine to use an include function. This way, you'll be mimicking a sort of template engine, and it is a good way to avoid using the same code over and over again.
I would say that is definitely a good idea, as it helps adhere to the DRY principle.
Depending on your scenario, it might be worth looking at some php_value setting in a .htaccess file (if you're in a web environment). You can auto_prepend a file to the output, which would save you adding an include statement to every file. This might not suit your needs, but for simple applications, it can.