Re: [PHP] munge / obfuscate ?

2008-03-28 Thread Daniel Brown
On Thu, Mar 27, 2008 at 9:27 PM, Robert Cummings [EMAIL PROTECTED] wrote:
> <?php
>
> $sekret = 'the brown cow stomped on the wittle bug';
>
> $id  = isset( $_GET['id'] ) ? (int)$_GET['id'] : 0;
> $key = isset( $_GET['key'] ) ? (string)$_GET['key'] : '';
>
> if( $key == sha1( $id.':'.$sekret ) )
> {
>     header( 'Content-Type: image/jpg' );
>     readfile( "/images/not/in/web/path/$id.jpg" );
>     exit();
> }
>
> //
> // Failure... tell them to bugger off :)
> //
> header( 'Content-Type: image/jpg' );
> readfile( '/images/wherever/you/please/buggerOff.jpg' );
> exit();
>
> ?>

I'd add on to this a bit like so:
<?php
// Rob's code up to here.
$path = "/images/not/in/web/path/";
if($key == sha1($id.':'.$sekret)) {
    // Only serve the file if it exists, is a regular file and is readable.
    if(file_exists($path.$id) && is_file($path.$id) &&
        is_readable($path.$id)) {
        header('Content-Type: image/jpg');
        readfile($path.$id);
        exit(0);
    } else {
        // Valid key, but no such image on disk.
        header('Content-Type: image/jpg');
        readfile($path.'image-does-not-exist.jpg');
        exit(1);
    }
} else {
    // Key did not validate for this id.
    header('Content-Type: image/jpg');
    readfile($path.'incorrect-id.jpg');
    exit(1);
}
?>

-- 
/Daniel P. Brown
Forensic Services, Senior Unix Engineer
1+ (570-) 362-0283

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



RE: [PHP] munge / obfuscate ?

2008-03-28 Thread Robert Cummings

On Fri, 2008-03-28 at 10:37 -0400, Bastien Koert wrote:
> [snip] Save yourself the database trip and just stick the id AND the hash in
> the URL and validate upon request.
>
> Cheers,
> Rob.
> [/snip]
>
> The only reason I suggest a database look up is that in my application
> there are further security checks to see if the user is allowed to view
> the image.
>
> Both solutions are totally valid.

Certainly, but without your added qualifier about checking permissions
then querying the database would just be wasted cycles. Although, one
would presume that if the link was presented with the key then the user
is allowed to view it ;) If you're worried about other users viewing it
too then just encode the user ID into the hash key. You can still
validate on retrieval at the other end without hitting the database. You
can even time limit access to the image via the url by adding a
timestamp parameter and encoding that into the key also.

Cheers,
Rob.
-- 
http://www.interjinn.com
Application and Templating Framework for PHP
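
Rob's suggestion above (encode the user ID and a timestamp into the key and validate without a database hit), sketched as an added example that is not code from the thread. It swaps the bare sha1($id.':'.$sekret) for HMAC-SHA256 and compares with hash_equals(); the function names, the uid/exp parameter names and the URL_SECRET placeholder are assumptions.

```php
<?php
// Added example, not from the thread. All names below are hypothetical.

// Placeholder secret: use a long random value stored outside the web root.
const URL_SECRET = 'replace-with-a-long-random-secret';

// Build the link to getUserImage.php. The key is a MAC over id, user id
// and expiry, so changing any of the three invalidates the link.
function sign_image_url(int $id, int $userId, int $ttl, ?int $now = null): string
{
    $expires = ($now ?? time()) + $ttl;
    $key     = hash_hmac('sha256', $id . ':' . $userId . ':' . $expires, URL_SECRET);

    return 'getUserImage.php?' . http_build_query([
        'id' => $id, 'uid' => $userId, 'exp' => $expires, 'key' => $key,
    ]);
}

// Validate a request without touching the database.
// $sessionUserId must come from the server-side session, never from the URL.
function verify_image_request(array $get, int $sessionUserId, ?int $now = null): bool
{
    foreach (['id', 'uid', 'exp', 'key'] as $name) {
        if (!isset($get[$name]) || !is_string($get[$name])) {
            return false; // missing or array-valued parameter
        }
    }
    $id  = (int)$get['id'];
    $uid = (int)$get['uid'];
    $exp = (int)$get['exp'];

    $expected = hash_hmac('sha256', $id . ':' . $uid . ':' . $exp, URL_SECRET);

    // hash_equals() is constant-time and does no type juggling,
    // unlike == applied to two hex strings.
    if (!hash_equals($expected, $get['key'])) {
        return false; // tampered id, uid or exp, or a guessed key
    }
    if ($uid !== $sessionUserId) {
        return false; // link was issued to a different user
    }
    if (($now ?? time()) > $exp) {
        return false; // link has expired
    }
    return true;
}

// Constructed demo: image 123 for user 42, valid for one hour from a fixed clock.
$t0  = 1206662400; // constructed timestamp
$url = sign_image_url(123, 42, 3600, $t0);
parse_str(parse_url($url, PHP_URL_QUERY), $q);

var_dump(verify_image_request($q, 42, $t0 + 60));   // owner, within the hour
var_dump(verify_image_request($q, 43, $t0 + 60));   // a different logged-in user
var_dump(verify_image_request($q, 42, $t0 + 7200)); // after expiry
$q['id'] = '124';
var_dump(verify_image_request($q, 42, $t0 + 60));   // id edited in the URL
```

In getUserImage.php the boolean decides between readfile() of the real image and the fallback image, exactly as in the scripts earlier in the thread.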





Re: [PHP] munge / obfuscate ?

2008-03-28 Thread tedd

At 9:27 PM -0400 3/27/08, Robert Cummings wrote:


> $sekret = 'the brown cow stomped on the wittle bug';


:-)

Cheers,

tedd

--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com




RE: [PHP] munge / obfuscate ?

2008-03-28 Thread Jack Sasportas

I understand what is happening here, however I really want something
simple like:

$link = "http://www.whataver.com/whateverpath/";
$image = 123456;

$new_image = munge($image);

$new_link = $link . $new_image;

or maybe

$new_link = munge($link . $image);


Which would encode the whole link.

Either way this is what would go into the email message we send out.

Thanks!








Re: [PHP] munge / obfuscate ?

2008-03-28 Thread Stut

On 29 Mar 2008, at 02:15, Jack Sasportas wrote:

> I understand what is happening here, however I really want something
> simple like:
>
> $link = "http://www.whataver.com/whateverpath/";
> $image = 123456;
>
> $new_image = munge($image);
>
> $new_link = $link . $new_image;
>
> or maybe
>
> $new_link = munge($link . $image);
>
> Which would encode the whole link.
>
> Either way this is what would go into the email message we send out.


Encode in what way? What are you actually trying to stop people doing?

If all you're wanting to do is make sure people can't write a script  
that simply requests n.jpg over and over again with an incrementing n  
then all you need to do is obfuscate the filename when you store it on  
your server. You then store that filename in the database alongside  
the data it relates to.


$filename = sha1(time()).'.jpg';

Obviously that's just an example. You can generate the filename in any  
way you choose as long as you check for duplicates before using it.


If that's not the reason please explain exactly what you're trying to  
achieve rather than how you want to achieve it.


-Stut

--
http://stut.net/




Re: [PHP] munge / obfuscate ?

2008-03-28 Thread Casey
On Mar 28, 2008, at 7:15 PM, Jack Sasportas [EMAIL PROTECTED] wrote:



> I understand what is happening here, however I really want something
> simple like:
>
> $link = "http://www.whataver.com/whateverpath/";
> $image = 123456;
>
> $new_image = munge($image);
>
> $new_link = $link . $new_image;
>
> or maybe
>
> $new_link = munge($link . $image);
>
> Which would encode the whole link.
>
> Either way this is what would go into the email message we send out.
>
> Thanks!



You could use base64_encode/decode.

Or...
function bitshift_encode($i) {
    return $i << 3;
}

function bitshift_decode($i) {
    return $i >> 3;
}




[PHP] munge / obfuscate ?

2008-03-27 Thread Joey
Hi All,

 

I have written an app to allow a person to go online and see a picture we
take of them.  When we link to the picture I don't want it to be obvious
that the URL is 

Domain.Com/Pix/123.jpg because the next person we take a picture of may be
123.jpg, so I am trying to munge/obfuscate the URL to make it less obvious.

 

Of course coders can figure it out, but we just want to keep out the normal
people.

 

Does someone have an obfuscate function which still allows the URL to work,
but doesn't allow the person to figure it out?

 

Thanks!

 

 






Re: [PHP] munge / obfuscate ?

2008-03-27 Thread Robert Cummings

On Thu, 2008-03-27 at 21:10 -0400, Joey wrote:
> Hi All,
>
> I have written an app to allow a person to go online and see a picture we
> take of them.  When we link to the picture I don't want it to be obvious
> that the URL is
>
> Domain.Com/Pix/123.jpg because the next person we take a picture of may be
> 123.jpg, so I am trying to munge/obfuscate the URL to make it less obvious.

<?php

$sekret = 'the brown cow stomped on the wittle bug';

$id  = isset( $_GET['id'] ) ? (int)$_GET['id'] : 0;
$key = isset( $_GET['key'] ) ? (string)$_GET['key'] : '';

if( $key == sha1( $key.':'.$sekret ) )
{
    header( 'Content-Type: image/jpg' );
    readfile( "/images/not/in/web/path/$id.jpg" );
    exit();
}

//
// Failure... tell them to bugger off :)
//
header( 'Content-Type: image/jpg' );
readfile( '/images/wherever/you/please/buggerOff.jpg' );
exit();

?>

Cheers,
Rob.
-- 
http://www.interjinn.com
Application and Templating Framework for PHP





RE: [PHP] munge / obfuscate ?

2008-03-27 Thread Robert Cummings
Hi Joey,

Please keep responses on the list so others can also benefit from the
learning process.

Comments below...

On Thu, 2008-03-27 at 21:46 -0400, Joey wrote:
> > -Original Message-
> > From: Robert Cummings [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, March 27, 2008 9:28 PM
> > To: Joey
> > Cc: PHP
> > Subject: Re: [PHP] munge / obfuscate ?
> >
> > On Thu, 2008-03-27 at 21:10 -0400, Joey wrote:
> > > Hi All,
> > >
> > > I have written an app to allow a person to go online and see a picture we
> > > take of them.  When we link to the picture I don't want it to be obvious
> > > that the URL is
> > >
> > > Domain.Com/Pix/123.jpg because the next person we take a picture of may be
> > > 123.jpg, so I am trying to munge/obfuscate the URL to make it less obvious.
> >
> > <?php
> >
> > $sekret = 'the brown cow stomped on the wittle bug';
> >
> > $id  = isset( $_GET['id'] ) ? (int)$_GET['id'] : 0;
> > $key = isset( $_GET['key'] ) ? (string)$_GET['key'] : '';
> >
> > if( $key == sha1( $key.':'.$sekret ) )

That should have been:

if( $key == sha1( $id.':'.$sekret ) )

> > {
> >     header( 'Content-Type: image/jpg' );
> >     readfile( "/images/not/in/web/path/$id.jpg" );
> >     exit();
> > }
> >
> > //
> > // Failure... tell them to bugger off :)
> > //
> > header( 'Content-Type: image/jpg' );
> > readfile( '/images/wherever/you/please/buggerOff.jpg' );
> > exit();
> >
> > ?>
>
> Sorry to be such a newbie...
>
> I basically would call this function let's say like:
> munge( $url );
>
> and in the end be returned the munged url, however, I don't understand the
> values you have like the readfile with that url -vs- failure?

I didn't munge... I provided code for a script that sends the requested
image if it was requested with the appropriate key (presumably set
wherever the image was linked). If the key doesn't validate then another
image is presented. It can say bugger off, it can say not found, it
can say whatever you please. By placing the images outside the web root
and using a script like this you are virtually guaranteed the visitor
can't just request images by making a lucky guess.

Let's say the above script was called: getUserImage.php

Then you might have the following in your HTML:

<img src="getUserImage.php?id=123&amp;key=4fad1fea72565105d84cb187d1a3ed3bfb9aba3b" />

Cheers,
Rob.
-- 
http://www.interjinn.com
Application and Templating Framework for PHP





Re: [PHP] munge / obfuscate ?

2008-03-27 Thread Bastien Koert
On Thu, Mar 27, 2008 at 9:10 PM, Joey [EMAIL PROTECTED] wrote:

> Hi All,
>
> I have written an app to allow a person to go online and see a picture we
> take of them.  When we link to the picture I don't want it to be obvious
> that the URL is
>
> Domain.Com/Pix/123.jpg because the next person we take a picture of may be
> 123.jpg, so I am trying to munge/obfuscate the URL to make it less
> obvious.
>
> Of course coders can figure it out, but we just want to keep out the
> normal people.
>
> Does someone have an obfuscate function which still allows the URL to
> work, but doesn't allow the person to figure it out?
>
> Thanks!

The solution here is to store the images in a folder above the web root and
then use a php page to read in the requested image ( a hash value should be
sufficient (eg <img
src='show_image.php?i=a1d3200086d3ec14dae1e40c50f6374f'>Click for image</a>

The show_image page can query the database for the true image name, read it
in from the folder and pass it to the page

hth

-- 

Bastien

Cat, the other other white meat


Re: [PHP] munge / obfuscate ?

2008-03-27 Thread Robert Cummings

On Thu, 2008-03-27 at 22:36 -0400, Bastien Koert wrote:
> On Thu, Mar 27, 2008 at 9:10 PM, Joey [EMAIL PROTECTED] wrote:
>
> > Hi All,
> >
> > I have written an app to allow a person to go online and see a picture we
> > take of them.  When we link to the picture I don't want it to be obvious
> > that the URL is
> >
> > Domain.Com/Pix/123.jpg because the next person we take a picture of may be
> > 123.jpg, so I am trying to munge/obfuscate the URL to make it less
> > obvious.
> >
> > Of course coders can figure it out, but we just want to keep out the
> > normal people.
> >
> > Does someone have an obfuscate function which still allows the URL to
> > work, but doesn't allow the person to figure it out?
> >
> > Thanks!
>
> The solution here is to store the images in a folder above the web root and
> then use a php page to read in the requested image ( a hash value should be
> sufficient (eg <img
> src='show_image.php?i=a1d3200086d3ec14dae1e40c50f6374f'>Click for image</a>
>
> The show_image page can query the database for the true image name, read it
> in from the folder and pass it to the page

Save yourself the database trip and just stick the id AND the hash in
the URL and validate upon request.

Cheers,
Rob.
-- 
http://www.interjinn.com
Application and Templating Framework for PHP





Re: [PHP] munge / obfuscate ?

2008-03-27 Thread robert

I like this and never would have thought to do this.

What kind of performance hit does this have, if there were 100 images,
for example?








Re: [PHP] munge / obfuscate ?

2008-03-27 Thread Robert Cummings
On Thu, 2008-03-27 at 22:48 -0700, robert wrote:
> I like this and never would have thought to do this.
>
> What kind of performance hit does this have, if there were 100 images,
> for example?

Well... it would be like requesting 101 PHP pages :/ It would be heavy.
It's not something I'd generally use to load 100 images. The original
poster wanted it for what I presumed was a single image. If I were to
use it for 100 images I would use a different (but similar) technique
that would incur the heavy lifting on first request and afterwards
would be as fast as a direct request to the webserver.

Cheers,
Rob.



-- 
http://www.interjinn.com
Application and Templating Framework for PHP

