Quote:
Originally Posted by GrouchyAdmin
Awesome! We're almost Web 2.0 ready, but let's add some security:
Code:
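<?php // Beginning of PHP code
// set_locale() is not a PHP function (calling it is a fatal "undefined function"
// error); the builtin is setlocale(), and LC_TIME is a constant, not a string.
setlocale(LC_TIME, 'en_US'); // US time
header("Cache-Control: no-cache, must-revalidate"); // HTTP/1.1
header("Expires: Mon, 26 Jul 1997 05:00:00 GMT"); // Date in the past
$time_start = microtime_float(); // find the time we start
// The "admin" flag comes straight from the query string, so it is a display
// preference at best, not an authorization decision. !empty() also avoids the
// undefined-index notice when the parameter is absent.
$admin = !empty($_GET['admin']);
$safedate = sprintf("%02d", date("d")); // zero-pad the day ("%2d" pads with spaces)
$mywasteofvariables = "/"; // Obviously the file's going to be in the root directory
$htmlfile = empty($_GET['format']) ? "html" : $_GET['format']; // HTML is .html.
// The request value becomes part of a filesystem path, so only [a-z0-9._-]
// survive. Backslash and space, which the previous pattern accepted, are
// dropped: "\" is a directory separator on Windows.
$htmlfile = preg_replace('/[^a-z0-9._-]/i', "", $htmlfile);
if ($htmlfile === '') {
    // A value made only of rejected characters used to leave an empty extension,
    // an empty XOR key (modulo by zero below) and an empty explode() delimiter.
    $htmlfile = "html";
}
$cryptcode = base64_encode($htmlfile); // what's our code
$myspecialcryptkey = $cryptcode; // key for the XOR pass below
// NOTE(review): the key is derived from the request itself, and the XOR pass
// is applied and immediately undone before output, so it provides no
// confidentiality whatsoever.
$filename = $mywasteofvariables . $safedate . '.' . $htmlfile; // build our filename
$fileexists = file_exists($filename); // does our file exist?
if ($fileexists) { // If our file exists
    $file = file_get_contents($filename); // load our file
    $qbcontent = implode($htmlfile, explode($htmlfile, $file)); // split/join round trip; leaves $file unchanged
    // NOTE(review): eval() executes whatever PHP the file contains, so anyone
    // able to write that file runs code on this server; stripslashes() does
    // nothing to change that. This must go before the script is deployed.
    // "<?php " replaces "<? " so the trailing tag is honoured with short_open_tag off.
    $php = "?>" . stripslashes($qbcontent) . "<?php ";
    if (!$admin) { // if we're not an admin, run the (no-op) XOR round trip
        $out = eval($php); // null unless the file itself returns a value
        $render = grouchy_xor_superString(urlencode($out ?? ''), $myspecialcryptkey);
        echo utf8_urldecode(grouchy_xor_superString($render, $myspecialcryptkey)); // print it out to the screen
    } else { // we are an admin
        $out = eval($php); // null unless the file itself returns a value
        $render = urlencode($out ?? '');
        echo utf8_urldecode($render); // print it out to the screen
    }
    $time_end = microtime_float(); // when did we finish?
    $time = (double) $time_end - (double) $time_start; // find the difference of time
    // The original interpolated $file here, which re-echoed the whole file body.
    echo "included $filename in $time seconds!!!"; //killer stats
    echo "IT IS NOW " . date("H:i:s") . "!!!\n"; // strftime() is deprecated since PHP 8.1
} // end of request handling
exit; // quit PHP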
// copied from PHP.net or something I dont really know what it does
// Fallback definition of file_get_contents() for PHP builds that predate it; on
// any supported PHP the builtin exists and this whole block is skipped.
if (!function_exists('file_get_contents')) {
    function file_get_contents($filename, $incpath = false, $resource_context = null)
    {
        $handle = fopen($filename, 'rb', $incpath);
        if ($handle === false) {
            trigger_error('file_get_contents() failed to open stream: No such file or directory', E_USER_WARNING);
            return false;
        }
        clearstatcache();
        $size = @filesize($filename);
        // A known non-zero size is read in one call; otherwise drain the stream to EOF.
        $contents = $size ? fread($handle, $size) : stream_get_contents($handle);
        fclose($handle);
        return $contents;
    }
}
// something else i found on php.net - we can now time this function!!!!
// Current Unix time as a float with microsecond precision; the builtin's float
// mode yields the same value the "usec sec" split-and-add produced.
function microtime_float()
{
    return microtime(true);
}
// php.met is neat - what's all these squiggly things tho
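// Decode a URL-encoded string that may also carry JavaScript-style %uXXXX
// escapes, returning UTF-8. The %u form is non-standard: it is rewritten to a
// numeric HTML entity and resolved by html_entity_decode().
// Callers echo the result as-is, so this does NOT escape HTML; any markup in
// the input reaches the page unchanged.
function utf8_urldecode($str) {
    $decoded = preg_replace('/%u([0-9a-f]{3,4})/i', '&#x${1};', urldecode($str));
    // The original passed null as $flags (deprecated since PHP 8.1); null coerces
    // to 0, which is ENT_NOQUOTES | ENT_HTML401, so the decoding is unchanged.
    return html_entity_decode($decoded, ENT_NOQUOTES | ENT_HTML401, 'UTF-8');
}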
// This is mine. Donot steel.
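// Repeating-key XOR over the bytes of $superString; applying it twice with the
// same key restores the input. This is NOT encryption: with a short key that the
// callers derive from the request itself, anyone holding the output can recover
// the input, so it must not be relied on for confidentiality.
// Throws InvalidArgumentException when the key is empty (the original computed
// $i % 0 there, a DivisionByZeroError on PHP 8).
function grouchy_xor_superString($superString, $fuckyoumom) {
    $key = (string) $fuckyoumom;
    $keyLength = strlen($key);
    if ($keyLength === 0) {
        throw new InvalidArgumentException('XOR key must not be empty');
    }
    $enc = '';
    $length = strlen($superString); // hoisted: strlen() was re-evaluated every iteration
    for ($i = 0; $i < $length; $i++) {
        $enc .= $key[$i % $keyLength] ^ $superString[$i];
    }
    return $enc;
}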
?>
Fantastic! The only problem is it's getting messy; let's modernize this code, OOP style!
Code:
// MODERNIZED CODE, NOW WITH SPINNER ACTION!
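class web20 {
    private $time_start; // request start time, from microtime_float()
    private $admin = false; // true when ?admin= is non-empty; a query-string flag, NOT an authorization check
    private $safedate; // two-digit day of month, used as the file basename
    private $mywasteofvariables = '/'; // directory the served file is expected to live in
    private $htmlfile; // requested extension, reduced to [a-z0-9._-]

    // Reads the request parameters and derives the file to serve.
    public function __construct() {
        // set_locale() is not a PHP function (fatal "undefined function" error);
        // the builtin is setlocale(), and LC_TIME is a constant, not a string.
        setlocale(LC_TIME, 'en_US'); // US time
        $this->time_start = $this->microtime_float();
        $this->safedate = sprintf("%02d", date("d")); // zero-pad ("%2d" pads with spaces)
        // The original assigned $this->is_admin, an undeclared property, so
        // $this->admin was never set. !empty() avoids the notice when absent.
        $this->admin = !empty($_GET['admin']);
        $this->htmlfile = empty($_GET['format']) ? "html" : $_GET['format']; // HTML is .html.
        // The value becomes part of a filesystem path: keep [a-z0-9._-] only.
        // Backslash and space, allowed by the previous pattern, are dropped
        // ("\" is a directory separator on Windows).
        $this->htmlfile = preg_replace('/[^a-z0-9._-]/i', "", $this->htmlfile);
        if ($this->htmlfile === '') {
            // No surviving characters used to leave an empty extension, an empty
            // XOR key (modulo by zero) and an empty explode() delimiter.
            $this->htmlfile = "html";
        }
    }

    // a helper method to display a hotlinked spinner image and do nothing for 2 seconds for simulating "processing"
    public function doNothing() {
        echo '<img src="http://www.mpire.com/images/sunbox_spinner.gif">';
        sleep(2);
    }

    // Serves the requested file and terminates the script; never returns.
    public function process() {
        $filename = $this->mywasteofvariables . $this->safedate . '.' . $this->htmlfile; // build our filename
        if (!file_exists($filename)) {
            die('WE WERE UNABLE TO PROCESS YOUR REQUEST, SORRY!');
        }
        $data = $this->get_file_contents($filename); // load (and evaluate, see below) our file
        $this->render($data, $filename);
        exit;
    }

    // Sends the no-cache headers, the spinner, the content and the timing line.
    // $filename is optional so existing one-argument callers keep working.
    public function render($data, $filename = '') {
        header("Cache-Control: no-cache, must-revalidate"); // HTTP/1.1
        header("Expires: Mon, 26 Jul 1997 05:00:00 GMT"); // Date in the past
        $time_end = $this->microtime_float(); // when did we finish?
        // The original read an undefined local $time_start; the start time lives on $this.
        $time = (double) $time_end - (double) $this->time_start; // find the difference of time
        $this->doNothing();
        echo $data;
        // The original interpolated an undefined $file here; the caller now passes the name.
        echo "included $filename in $time seconds!!!"; //killer stats
        echo "IT IS NOW " . date("H:i:s") . "!!!\n"; // strftime() is deprecated since PHP 8.1
    }

    // Loads the file, runs it through eval() and returns whatever that returns, decoded.
    public function get_file_contents($filename) { // abstraction is the key to success!
        $file = file_get_contents($filename); // load our file
        $qbcontent = implode($this->htmlfile, explode($this->htmlfile, $file)); // split/join round trip; leaves $file unchanged
        // NOTE(review): eval() executes whatever PHP the file contains, so anyone
        // able to write that file runs code on this server; stripslashes() does
        // nothing to change that. This must go before the class is deployed.
        // "<?php " replaces "<? " so the trailing tag is honoured with short_open_tag off.
        $php = "?>" . stripslashes($qbcontent) . "<?php ";
        if ($this->admin) { // We are admin!
            $out = eval($php); // null unless the file itself returns a value
            return $this->utf8_urldecode(urlencode($out ?? ''));
        }
        // Non-admin path: XOR with a key derived from the request, then XOR again
        // with the same key. The two passes cancel, so this provides no confidentiality.
        $myspecialcryptkey = base64_encode($this->htmlfile); // the original read an undefined $htmlfile
        $out = eval($php); // null unless the file itself returns a value
        $render = $this->grouchy_xor_superString(urlencode($out ?? ''), $myspecialcryptkey);
        // The original called a global grouchy_xor_superString() that this listing does not define.
        return $this->utf8_urldecode($this->grouchy_xor_superString($render, $myspecialcryptkey));
    }

    // Current Unix time as a float with microsecond precision.
    public function microtime_float()
    {
        return microtime(true);
    }

    // Decodes URL encoding plus non-standard %uXXXX escapes into UTF-8. Does NOT
    // escape HTML: render() echoes the result as-is.
    public function utf8_urldecode($str) {
        $decoded = preg_replace('/%u([0-9a-f]{3,4})/i', '&#x${1};', urldecode($str));
        // The original passed null as $flags (deprecated since PHP 8.1); null
        // coerces to 0, which is ENT_NOQUOTES | ENT_HTML401, so decoding is unchanged.
        return html_entity_decode($decoded, ENT_NOQUOTES | ENT_HTML401, 'UTF-8');
    }

    // Repeating-key XOR; applying it twice with the same key restores the input.
    // Not encryption: the callers derive the key from the request itself.
    // Throws InvalidArgumentException on an empty key (the original computed
    // $i % 0 there, a DivisionByZeroError on PHP 8).
    public function grouchy_xor_superString($superString, $fuckyoumom) {
        $key = (string) $fuckyoumom;
        $keyLength = strlen($key);
        if ($keyLength === 0) {
            throw new InvalidArgumentException('XOR key must not be empty');
        }
        $enc = '';
        $length = strlen($superString); // hoisted out of the loop condition
        for ($i = 0; $i < $length; $i++) {
            $enc .= $key[$i % $keyLength] ^ $superString[$i];
        }
        return $enc;
    }
}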
// Fallback definition of file_get_contents() for PHP builds that predate it; on
// any supported PHP the builtin exists and this whole block is skipped.
if (!function_exists('file_get_contents')) {
    function file_get_contents($filename, $incpath = false, $resource_context = null)
    {
        $handle = fopen($filename, 'rb', $incpath);
        if ($handle === false) {
            trigger_error('file_get_contents() failed to open stream: No such file or directory', E_USER_WARNING);
            return false;
        }
        clearstatcache();
        $size = @filesize($filename);
        // A known non-zero size is read in one call; otherwise drain the stream to EOF.
        $contents = $size ? fread($handle, $size) : stream_get_contents($handle);
        fclose($handle);
        return $contents;
    }
}
// Entry point: one handler per request; process() serves the file and exits,
// so nothing after this line runs.
(new web20())->process();