Re: [PHP] munge / obfuscate ?
On Mar 28, 2008, at 7:15 PM, "Jack Sasportas" <[EMAIL PROTECTED]> wrote:

> > -Original Message-
> > From: Robert Cummings [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, March 27, 2008 10:02 PM
> > To: Joey
> > Cc: PHP
> > Subject: RE: [PHP] munge / obfuscate ?
> >
> > Hi Joey,
> >
> > Please keep responses on the list so others can also benefit from the
> > learning process.
> >
> > Comments below...
> >
> > On Thu, 2008-03-27 at 21:46 -0400, Joey wrote:
> > > > -Original Message-
> > > > From: Robert Cummings [mailto:[EMAIL PROTECTED]
> > > > Sent: Thursday, March 27, 2008 9:28 PM
> > > > To: Joey
> > > > Cc: PHP
> > > > Subject: Re: [PHP] munge / obfuscate ?
> > > >
> > > > On Thu, 2008-03-27 at 21:10 -0400, Joey wrote:
> > > > > Hi All,
> > > > >
> > > > > I have written an app to allow a person to go online and see a
> > > > > picture we take of them. When we link to the picture I don't want
> > > > > it to be obvious that the URL is
> > > > >
> > > > > Domain.Com/Pix/123.jpg because the next person we take a picture of
> > > > > may be 123.jpg, so I am trying to munge/obfuscate the URL to make it
> > > > > less obvious.
> >
> > That should have been:
> >
> >     if( $key == sha1( $id.':'.$sekret ) )
> >
> > > > {
> > > >     header( 'Content-Type: image/jpg' );
> > > >     readfile( "/images/not/in/web/path/$id.jpg" );
> > > >     exit();
> > > > }
> > > >
> > > > //
> > > > // Failure... tell them to bugger off :)
> > > > //
> > > > header( 'Content-Type: image/jpg' );
> > > > readfile( '/images/wherever/you/please/buggerOff.jpg' );
> > > > exit();
> > > >
> > > > ?>
> > >
> > > Sorry to be such a newbie...
> > >
> > > I basically would call this function let's say like:
> > > munge( $url );
> > >
> > > and in the end be returned the munged url, however, I don't understand
> > > the values you have like the readfile with that url -vs- failure?
> >
> > I didn't munge... I provided code for a script that sends the requested
> > image if it was requested with the appropriate key (presumably set
> > wherever the image was linked). If the key doesn't validate then another
> > image is presented. It can say "bugger off", it can say "not found", it
> > can say whatever you please. By placing the images outside the web root
> > and using a script like this you are virtually guaranteed the visitor
> > can't just request images by making a lucky guess.
> >
> > Let's say the above script was called: getUserImage.php
> >
> > Then you might have the following in your HTML:
> >
> > <img src="getUserImage.php?id=123&key=4fad1fea72565105d84cb187d1a3ed3bfb9aba3b" />
>
> I understand what is happening here, however I really want something
> simple like:
>
> $link = "http://www.whataver.com/whateverpath/";
> $image = "123456";
> $new_image = munge($image);
> $new_link = $link . $new_image;
>
> or maybe
> $new_link = munge($link . $image);
>
> Which would encode the whole link.
>
> Either way this is what would go into the email message we send out.
>
> Thanks!

You could use base64_encode/decode.

Or...

    function bitshift_encode($i) { return $i << 3; }
    function bitshift_decode($i) { return $i >> 3; }

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] munge / obfuscate ?
On 29 Mar 2008, at 02:15, Jack Sasportas wrote:

> I understand what is happening here, however I really want something
> simple like:
>
> $link = "http://www.whataver.com/whateverpath/";
> $image = "123456";
> $new_image = munge($image);
> $new_link = $link . $new_image;
>
> or maybe
> $new_link = munge($link . $image);
>
> Which would encode the whole link.
>
> Either way this is what would go into the email message we send out.

Encode in what way? What are you actually trying to stop people doing?

If all you're wanting to do is make sure people can't write a script that simply requests n.jpg over and over again with an incrementing n then all you need to do is obfuscate the filename when you store it on your server. You then store that filename in the database alongside the data it relates to.

    $filename = sha1(time()).'.jpg';

Obviously that's just an example. You can generate the filename in any way you choose as long as you check for duplicates before using it.

If that's not the reason please explain exactly what you're trying to achieve rather than how you want to achieve it.

-Stut

--
http://stut.net/
RE: [PHP] munge / obfuscate ?
> -Original Message-
> From: Robert Cummings [mailto:[EMAIL PROTECTED]
> Sent: Thursday, March 27, 2008 10:02 PM
> To: Joey
> Cc: PHP
> Subject: RE: [PHP] munge / obfuscate ?
>
> Hi Joey,
>
> Please keep responses on the list so others can also benefit from the
> learning process.
>
> Comments below...
>
> On Thu, 2008-03-27 at 21:46 -0400, Joey wrote:
> > > -Original Message-
> > > From: Robert Cummings [mailto:[EMAIL PROTECTED]
> > > Sent: Thursday, March 27, 2008 9:28 PM
> > > To: Joey
> > > Cc: PHP
> > > Subject: Re: [PHP] munge / obfuscate ?
> > >
> > > On Thu, 2008-03-27 at 21:10 -0400, Joey wrote:
> > > > Hi All,
> > > >
> > > > I have written an app to allow a person to go online and see a
> > > > picture we take of them. When we link to the picture I don't want
> > > > it to be obvious that the URL is
> > > >
> > > > Domain.Com/Pix/123.jpg because the next person we take a picture of
> > > > may be 123.jpg, so I am trying to munge/obfuscate the URL to make it
> > > > less obvious.
> > >
> > > <?php
> > >
> > > $sekret = 'the brown cow stomped on the wittle bug';
> > >
> > > $id = isset( $_GET['id'] ) ? (int)$_GET['id'] : 0;
> > > $key = isset( $_GET['key'] ) ? (string)$_GET['key'] : '';
> > >
> > > if( $key == sha1( $key.':'.$sekret ) )
>
> That should have been:
>
>     if( $key == sha1( $id.':'.$sekret ) )
>
> > > {
> > >     header( 'Content-Type: image/jpg' );
> > >     readfile( "/images/not/in/web/path/$id.jpg" );
> > >     exit();
> > > }
> > >
> > > //
> > > // Failure... tell them to bugger off :)
> > > //
> > > header( 'Content-Type: image/jpg' );
> > > readfile( '/images/wherever/you/please/buggerOff.jpg' );
> > > exit();
> > >
> > > ?>
> >
> > Sorry to be such a newbie...
> >
> > I basically would call this function let's say like:
> > munge( $url );
> >
> > and in the end be returned the munged url, however, I don't understand
> > the values you have like the readfile with that url -vs- failure?
>
> I didn't munge... I provided code for a script that sends the requested
> image if it was requested with the appropriate key (presumably set
> wherever the image was linked). If the key doesn't validate then another
> image is presented. It can say "bugger off", it can say "not found", it
> can say whatever you please. By placing the images outside the web root
> and using a script like this you are virtually guaranteed the visitor
> can't just request images by making a lucky guess.
>
> Let's say the above script was called: getUserImage.php
>
> Then you might have the following in your HTML:
>
> <img src="getUserImage.php?id=123&key=4fad1fea72565105d84cb187d1a3ed3bfb9aba3b" />

I understand what is happening here, however I really want something simple like:

$link = "http://www.whataver.com/whateverpath/";
$image = "123456";
$new_image = munge($image);
$new_link = $link . $new_image;

or maybe
$new_link = munge($link . $image);

Which would encode the whole link.

Either way this is what would go into the email message we send out.

Thanks!
Re: [PHP] munge / obfuscate ?
At 9:27 PM -0400 3/27/08, Robert Cummings wrote:

> $sekret = 'the brown cow stomped on the wittle bug';

:-)

Cheers,

tedd

--
---
http://sperling.com http://ancientstones.com http://earthstones.com
RE: [PHP] munge / obfuscate ?
On Fri, 2008-03-28 at 10:37 -0400, Bastien Koert wrote:

> [snip]
> > Save yourself the database trip and just stick the id AND the hash in
> > the URL and validate upon request.
> >
> > Cheers,
> > Rob.
> [/snip]
>
> The only reason I suggest a database look up is that in my application
> there are further security checks to see if the user is allowed to view
> the image.
>
> Both solutions are totally valid.

Certainly, but without your added qualifier about checking permissions then querying the database would just be wasted cycles. Although, one would presume that if the link was presented with the key then the user is allowed to view it ;)

If you're worried about other users viewing it too then just encode the user ID into the hash key. You can still validate on retrieval at the other end without hitting the database. You can even time limit access to the image via the url by adding a timestamp parameter and encoding that into the key also.

Cheers,
Rob.

--
http://www.interjinn.com
Application and Templating Framework for PHP
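The scheme described in the message above (user ID and a timestamp encoded into the key, validated without a database lookup), as an added example that is not part of the thread. It uses hash_hmac() with SHA-256 and hash_equals() in place of the thread's sha1() and ==; the secret, the parameter names, the function names and the example.com URL are assumptions.

```php
<?php
// Added example, not code from the thread. IMAGE_SECRET, the parameter names
// (id, uid, exp, key) and all function names are assumptions for illustration.
const IMAGE_SECRET = 'replace-with-a-long-random-value'; // constructed value

// Key over every value the link is bound to: image id, user id, expiry time.
function image_key(int $id, int $uid, int $exp): string
{
    // Fixed field order plus a separator keeps (12, 3) distinct from (1, 23).
    return hash_hmac('sha256', "$id:$uid:$exp", IMAGE_SECRET);
}

// Build the link that goes into the e-mail.
function signed_image_url(string $base, int $id, int $uid, int $ttl, ?int $now = null): string
{
    $exp = ($now ?? time()) + $ttl;
    return $base . '?' . http_build_query([
        'id' => $id, 'uid' => $uid, 'exp' => $exp,
        'key' => image_key($id, $uid, $exp),
    ]);
}

// Validate a request without touching the database. Returns the image id,
// or null if the key is wrong, the link has expired, or it belongs to
// another user.
function verify_image_request(array $get, int $sessionUid, ?int $now = null): ?int
{
    foreach (['id', 'uid', 'exp', 'key'] as $name) {
        // Rejects missing parameters and array-valued ones such as key[]=x.
        if (!isset($get[$name]) || !is_string($get[$name])) {
            return null;
        }
    }
    $id  = (int)$get['id'];
    $uid = (int)$get['uid'];
    $exp = (int)$get['exp'];

    // hash_equals() compares in constant time and does no type juggling,
    // unlike == applied to two hex strings.
    if (!hash_equals(image_key($id, $uid, $exp), $get['key'])) {
        return null;
    }
    if ($exp < ($now ?? time()) || $uid !== $sessionUid) {
        return null;
    }
    return $id; // caller then does readfile() on the file stored for $id
}

// Constructed sample run with a fixed clock.
$now = 1206700000;
$url = signed_image_url('http://example.com/getUserImage.php', 123, 42, 3600, $now);
parse_str((string)parse_url($url, PHP_URL_QUERY), $get);

var_dump(verify_image_request($get, 42, $now));         // untouched link
var_dump(verify_image_request($get, 43, $now));         // different logged-in user
var_dump(verify_image_request($get, 42, $now + 7200));  // after expiry
$get['id'] = '124';
var_dump(verify_image_request($get, 42, $now));         // id changed by hand
```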
Re: [PHP] munge / obfuscate ?
On Thu, Mar 27, 2008 at 9:27 PM, Robert Cummings <[EMAIL PROTECTED]> wrote:

> <?php
>
> $sekret = 'the brown cow stomped on the wittle bug';
>
> $id = isset( $_GET['id'] ) ? (int)$_GET['id'] : 0;
> $key = isset( $_GET['key'] ) ? (string)$_GET['key'] : '';
>
> if( $key == sha1( $id.':'.$sekret ) )
> {
>     header( 'Content-Type: image/jpg' );
>     readfile( "/images/not/in/web/path/$id.jpg" );
>     exit();
> }
>
> //
> // Failure... tell them to bugger off :)
> //
> header( 'Content-Type: image/jpg' );
> readfile( '/images/wherever/you/please/buggerOff.jpg' );
> exit();
>
> ?>

I'd add on to this a bit like so:

--
Forensic Services, Senior Unix Engineer
1+ (570-) 362-0283
Re: [PHP] munge / obfuscate ?
On Thu, 2008-03-27 at 22:48 -0700, robert wrote:

> I like this and never would have thought to do this.
>
> What kind of performance hit does this have, if there were 100 images,
> for example?

Well... it would be like requesting 101 PHP pages :/ It would be heavy. It's not something I'd generally use to load 100 images. The original poster wanted it for what I presumed was a single image. If I were to use it for 100 images I would use a different (but similar) technique that would incur the heavy lifting on first request and afterwards would be as fast as a direct request to the webserver.

Cheers,
Rob.

> On Mar 27, 2008, at 7:02 PM, Robert Cummings wrote:
> > Hi Joey,
> >
> > Please keep responses on the list so others can also benefit from the
> > learning process.
> >
> > Comments below...
> >
> > On Thu, 2008-03-27 at 21:46 -0400, Joey wrote:
> >>> -Original Message-
> >>> From: Robert Cummings [mailto:[EMAIL PROTECTED]
> >>> Sent: Thursday, March 27, 2008 9:28 PM
> >>> To: Joey
> >>> Cc: PHP
> >>> Subject: Re: [PHP] munge / obfuscate ?
> >>>
> >>> On Thu, 2008-03-27 at 21:10 -0400, Joey wrote:
> >>>> Hi All,
> >>>>
> >>>> I have written an app to allow a person to go online and see a
> >>>> picture we take of them. When we link to the picture I don't want
> >>>> it to be obvious that the URL is
> >>>>
> >>>> Domain.Com/Pix/123.jpg because the next person we take a picture
> >>>> of may be 123.jpg, so I am trying to munge/obfuscate the URL to
> >>>> make it less obvious.
> >>>
> >>> <?php
> >>>
> >>> $sekret = 'the brown cow stomped on the wittle bug';
> >>>
> >>> $id = isset( $_GET['id'] ) ? (int)$_GET['id'] : 0;
> >>> $key = isset( $_GET['key'] ) ? (string)$_GET['key'] : '';
> >>>
> >>> if( $key == sha1( $key.':'.$sekret ) )
> >
> > That should have been:
> >
> >     if( $key == sha1( $id.':'.$sekret ) )
> >
> >>> {
> >>>     header( 'Content-Type: image/jpg' );
> >>>     readfile( "/images/not/in/web/path/$id.jpg" );
> >>>     exit();
> >>> }
> >>>
> >>> //
> >>> // Failure... tell them to bugger off :)
> >>> //
> >>> header( 'Content-Type: image/jpg' );
> >>> readfile( '/images/wherever/you/please/buggerOff.jpg' );
> >>> exit();
> >>>
> >>> ?>
> >>
> >> Sorry to be such a newbie...
> >>
> >> I basically would call this function let's say like:
> >> munge( $url );
> >>
> >> and in the end be returned the munged url, however, I don't
> >> understand the values you have like the readfile with that url
> >> -vs- failure?
> >
> > I didn't munge... I provided code for a script that sends the
> > requested image if it was requested with the appropriate key
> > (presumably set wherever the image was linked). If the key doesn't
> > validate then another image is presented. It can say "bugger off",
> > it can say "not found", it can say whatever you please. By placing
> > the images outside the web root and using a script like this you are
> > virtually guaranteed the visitor can't just request images by making
> > a lucky guess.
> >
> > Let's say the above script was called: getUserImage.php
> >
> > Then you might have the following in your HTML:
> >
> > <img src="getUserImage.php?id=123&key=4fad1fea72565105d84cb187d1a3ed3bfb9aba3b" />
> >
> > Cheers,
> > Rob.
> > --
> > http://www.interjinn.com
> > Application and Templating Framework for PHP

--
http://www.interjinn.com
Application and Templating Framework for PHP
Re: [PHP] munge / obfuscate ?
I like this and never would have thought to do this.

What kind of performance hit does this have, if there were 100 images, for example?

On Mar 27, 2008, at 7:02 PM, Robert Cummings wrote:

> Hi Joey,
>
> Please keep responses on the list so others can also benefit from the
> learning process.
>
> Comments below...
>
> On Thu, 2008-03-27 at 21:46 -0400, Joey wrote:
>>> -Original Message-
>>> From: Robert Cummings [mailto:[EMAIL PROTECTED]
>>> Sent: Thursday, March 27, 2008 9:28 PM
>>> To: Joey
>>> Cc: PHP
>>> Subject: Re: [PHP] munge / obfuscate ?
>>>
>>> On Thu, 2008-03-27 at 21:10 -0400, Joey wrote:
>>>> Hi All,
>>>>
>>>> I have written an app to allow a person to go online and see a
>>>> picture we take of them. When we link to the picture I don't want
>>>> it to be obvious that the URL is
>>>>
>>>> Domain.Com/Pix/123.jpg because the next person we take a picture
>>>> of may be 123.jpg, so I am trying to munge/obfuscate the URL to
>>>> make it less obvious.
>
> That should have been:
>
>     if( $key == sha1( $id.':'.$sekret ) )
>
>>> {
>>>     header( 'Content-Type: image/jpg' );
>>>     readfile( "/images/not/in/web/path/$id.jpg" );
>>>     exit();
>>> }
>>>
>>> //
>>> // Failure... tell them to bugger off :)
>>> //
>>> header( 'Content-Type: image/jpg' );
>>> readfile( '/images/wherever/you/please/buggerOff.jpg' );
>>> exit();
>>>
>>> ?>
>>
>> Sorry to be such a newbie...
>>
>> I basically would call this function let's say like:
>> munge( $url );
>>
>> and in the end be returned the munged url, however, I don't
>> understand the values you have like the readfile with that url
>> -vs- failure?
>
> I didn't munge... I provided code for a script that sends the
> requested image if it was requested with the appropriate key
> (presumably set wherever the image was linked). If the key doesn't
> validate then another image is presented. It can say "bugger off",
> it can say "not found", it can say whatever you please. By placing
> the images outside the web root and using a script like this you are
> virtually guaranteed the visitor can't just request images by making
> a lucky guess.
>
> Let's say the above script was called: getUserImage.php
>
> Then you might have the following in your HTML:
>
> <img src="getUserImage.php?id=123&key=4fad1fea72565105d84cb187d1a3ed3bfb9aba3b" />
>
> Cheers,
> Rob.
> --
> http://www.interjinn.com
> Application and Templating Framework for PHP
Re: [PHP] munge / obfuscate ?
On Thu, 2008-03-27 at 22:36 -0400, Bastien Koert wrote:

> On Thu, Mar 27, 2008 at 9:10 PM, Joey <[EMAIL PROTECTED]> wrote:
>
> > Hi All,
> >
> > I have written an app to allow a person to go online and see a picture we
> > take of them. When we link to the picture I don't want it to be obvious
> > that the URL is
> >
> > Domain.Com/Pix/123.jpg because the next person we take a picture of may be
> > 123.jpg, so I am trying to munge/obfuscate the URL to make it less
> > obvious.
> >
> > Of course coders can figure it out, but we just want to keep out the
> > normal people.
> >
> > Does someone have an obfuscate function which still allows the URL to
> > work, but doesn't allow the person to figure it out?
> >
> > Thanks!
>
> The solution here is to store the images in a folder above the web root and
> then use a php page to read in the requested image ( a hash value should be
> sufficient (eg src='show_image.php?i=a1d3200086d3ec14dae1e40c50f6374f'>Click for image
>
> The show_image page can query the database for the true image name, read it
> in from the folder and pass it to the page

Save yourself the database trip and just stick the id AND the hash in the URL and validate upon request.

Cheers,
Rob.

--
http://www.interjinn.com
Application and Templating Framework for PHP
Re: [PHP] munge / obfuscate ?
On Thu, Mar 27, 2008 at 9:10 PM, Joey <[EMAIL PROTECTED]> wrote:

> Hi All,
>
> I have written an app to allow a person to go online and see a picture we
> take of them. When we link to the picture I don't want it to be obvious
> that the URL is
>
> Domain.Com/Pix/123.jpg because the next person we take a picture of may be
> 123.jpg, so I am trying to munge/obfuscate the URL to make it less
> obvious.
>
> Of course coders can figure it out, but we just want to keep out the
> normal people.
>
> Does someone have an obfuscate function which still allows the URL to
> work, but doesn't allow the person to figure it out?
>
> Thanks!

The solution here is to store the images in a folder above the web root and then use a php page to read in the requested image ( a hash value should be sufficient (eg Click for image

The show_image page can query the database for the true image name, read it in from the folder and pass it to the page

hth

--
Bastien

Cat, the other other white meat
RE: [PHP] munge / obfuscate ?
Hi Joey,

Please keep responses on the list so others can also benefit from the learning process.

Comments below...

On Thu, 2008-03-27 at 21:46 -0400, Joey wrote:

> > -Original Message-
> > From: Robert Cummings [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, March 27, 2008 9:28 PM
> > To: Joey
> > Cc: PHP
> > Subject: Re: [PHP] munge / obfuscate ?
> >
> > On Thu, 2008-03-27 at 21:10 -0400, Joey wrote:
> > > Hi All,
> > >
> > > I have written an app to allow a person to go online and see a picture
> > > we take of them. When we link to the picture I don't want it to be
> > > obvious that the URL is
> > >
> > > Domain.Com/Pix/123.jpg because the next person we take a picture of may
> > > be 123.jpg, so I am trying to munge/obfuscate the URL to make it less
> > > obvious.
> >
> > <?php
> >
> > $sekret = 'the brown cow stomped on the wittle bug';
> >
> > $id = isset( $_GET['id'] ) ? (int)$_GET['id'] : 0;
> > $key = isset( $_GET['key'] ) ? (string)$_GET['key'] : '';
> >
> > if( $key == sha1( $key.':'.$sekret ) )

That should have been:

    if( $key == sha1( $id.':'.$sekret ) )

> > {
> >     header( 'Content-Type: image/jpg' );
> >     readfile( "/images/not/in/web/path/$id.jpg" );
> >     exit();
> > }
> >
> > //
> > // Failure... tell them to bugger off :)
> > //
> > header( 'Content-Type: image/jpg' );
> > readfile( '/images/wherever/you/please/buggerOff.jpg' );
> > exit();
> >
> > ?>
>
> Sorry to be such a newbie...
>
> I basically would call this function let's say like:
> munge( $url );
>
> and in the end be returned the munged url, however, I don't understand the
> values you have like the readfile with that url -vs- failure?

I didn't munge... I provided code for a script that sends the requested image if it was requested with the appropriate key (presumably set wherever the image was linked). If the key doesn't validate then another image is presented. It can say "bugger off", it can say "not found", it can say whatever you please. By placing the images outside the web root and using a script like this you are virtually guaranteed the visitor can't just request images by making a lucky guess.

Let's say the above script was called: getUserImage.php

Then you might have the following in your HTML:

Cheers,
Rob.

--
http://www.interjinn.com
Application and Templating Framework for PHP
Re: [PHP] munge / obfuscate ?
On Thu, 2008-03-27 at 21:10 -0400, Joey wrote:

> Hi All,
>
> I have written an app to allow a person to go online and see a picture we
> take of them. When we link to the picture I don't want it to be obvious
> that the URL is
>
> Domain.Com/Pix/123.jpg because the next person we take a picture of may be
> 123.jpg, so I am trying to munge/obfuscate the URL to make it less obvious.

Cheers,
Rob.

--
http://www.interjinn.com
Application and Templating Framework for PHP