[SOLVED] md5 problems please help cheers.


redarrow


Thank you in advance for helping.

I have made this example for a website for the CMS part in a list format.

I have added md5 for security on the links as you can see below.

Now that I have added the md5, the script won't show the echoed information.

This is the full example code, please see it on your server as an example.

Remember everything works without the md5.

<html>
<head>
<title>Testing List</title>
</head>
<body>
<dl>
<?php

$admin_title=array("Admin controls");
$admin_sub_title=array("Add Admin","Delete Admin","Admin Passwords","Admin Requests");

$user_title=array("User controls");
$user_sub_title=array("Add Users","Delete Users","Edit Users","Users Requests","Users Passwords");

$info_table=array(
"Add_Admin"=>"We add a admin on this page!",
"Delete_Admin"=>"We delete a admin on this page!",
"Admin_Passwords"=>"We can see all the admin passwords on this page!",
"Admin_Requests"=>"We can see who wants to be a admin on ths page",
"Add_Users"=>"We add user's on this page!",
"Delete_Users"=>"We delete users on this page!",
"Edit_Users"=>"we edit users on this page!",
"Users_Requests"=>"Users request to be a user on this page!",
"Users_Passwords"=>"We can see the user's passwords on this page");

echo"<table border='0'><tr><td align='left'>";

for($t=0; $t<count($admin_title); $t++){
echo"<table width='120px' border='0'><tr><td align='left'>
<dt><a href='".$_SERVER['PHP_SELF']."?cmd=".md5('admin')."'><b>{$admin_title[$t]}</b></a></dt>\n
</td></tr></table>";
}

if($_GET['cmd']==md5('admin')){
for($st=0; $st<count($admin_sub_title); $st++){
	echo"<table width='180px' border='0'><tr><td align='left'>
<dd><a href='".$_SERVER['PHP_SELF']."?cmd=".urlencode(str_replace(' ','_',md5($admin_sub_title[$st])))."'>{$admin_sub_title[$st]}</a></dd>\n
</td></tr></table>";
}
}

for($ut=0; $ut<count($user_title); $ut++){
echo"<table width='120px' border='0'><tr><td align='left'>
<dt><a href='".$_SERVER['PHP_SELF']."?cmd=".md5('user')."'><b>{$user_title[$ut]}</b></a></dt>\n
</td></tr></table>";
}

if($_GET['cmd']==md5('user')){
for($ust=0; $ust<count($user_sub_title); $ust++){
	echo"<table width='180px' border='0'><tr><td align='left'>
<dd><a href='".$_SERVER['PHP_SELF']."?cmd=".urlencode(str_replace(' ','_',md5($user_sub_title[$ust])))."'>{$user_sub_title[$ust]}</a></dd>\n
</td></tr></table>";
}
}

echo"</td><td valign='top' align='center' width='1200px'>";

$merged=array_merge($admin_sub_title,$user_sub_title);

$new_array=str_replace(' ','_',$merged);

foreach ($new_array as $a){

if($_GET['cmd']==md5($a)){

	echo " <b> ".str_replace('_',' ',$a)." </b>  <br/><br/> $info_table[$a]";


}
}
echo"</td></tr></table>";

?>
</dl> 

</body>
</html>

 

 

Link to comment
Share on other sites

 

Here is a working example, but the sub list is not md5 on the links, and I need them.

Please help.

Something very simple.


<html>
<head>
<title>Testing List</title>
</head>
<body>
<dl>
<?php

$admin_title=array("Admin controls");
$admin_sub_title=array("Add Admin","Delete Admin","Admin Passwords","Admin Requests");

$user_title=array("User controls");
$user_sub_title=array("Add Users","Delete Users","Edit Users","Users Requests","Users Passwords");

$info_table=array(
"Add_Admin"=>"We add a admin on this page!",
"Delete_Admin"=>"We delete a admin on this page!",
"Admin_Passwords"=>"We can see all the admin passwords on this page!",
"Admin_Requests"=>"We can see who wants to be a admin on ths page",
"Add_Users"=>"We add user's on this page!",
"Delete_Users"=>"We delete users on this page!",
"Edit_Users"=>"we edit users on this page!",
"Users_Requests"=>"Users request to be a user on this page!",
"Users_Passwords"=>"We can see the user's passwords on this page");

echo"<table border='0'><tr><td align='left'>";

for($t=0; $t<count($admin_title); $t++){
echo"<table width='120px' border='0'><tr><td align='left'>
<dt><a href='".$_SERVER['PHP_SELF']."?cmd=".md5('admin')."'><b>{$admin_title[$t]}</b></a></dt>\n
</td></tr></table>";
}

if($_GET['cmd']==md5('admin')){
for($st=0; $st<count($admin_sub_title); $st++){
	echo"<table width='180px' border='0'><tr><td align='left'>
<dd><a href='".$_SERVER['PHP_SELF']."?cmd=".urlencode(str_replace(' ','_',$admin_sub_title[$st]))."'>{$admin_sub_title[$st]}</a></dd>\n
</td></tr></table>";
}
}

for($ut=0; $ut<count($user_title); $ut++){
echo"<table width='120px' border='0'><tr><td align='left'>
<dt><a href='".$_SERVER['PHP_SELF']."?cmd=".md5('user')."'><b>{$user_title[$ut]}</b></a></dt>\n
</td></tr></table>";
}

if($_GET['cmd']==md5('user')){
for($ust=0; $ust<count($user_sub_title); $ust++){
	echo"<table width='180px' border='0'><tr><td align='left'>
<dd><a href='".$_SERVER['PHP_SELF']."?cmd=".urlencode(str_replace(' ','_',$user_sub_title[$ust]))."'>{$user_sub_title[$ust]}</a></dd>\n
</td></tr></table>";
}
}

echo"</td><td valign='top' align='center' width='1200px'>";

$merged=array_merge($admin_sub_title,$user_sub_title);

$new_array=str_replace(' ','_',$merged);

foreach ($new_array as $a){

if($_GET['cmd']==($a)){

	echo " <b> ".str_replace('_',' ',$a)." </b>  <br/><br/> $info_table[$a]";


}
}
echo"</td></tr></table>";

?>
</dl> 

</body>
</html>

Link to comment
Share on other sites

Here is the full code mate, but there is no md5 or hash on the links as I cannot work it out at all.

All the code does is show a title link then sub links with more links.

Look here: http://simpleforum.ath.cx/testing_list.php


<html>
<head>
<title>Testing List</title>
</head>
<body>
<dl>
<?php

$admin_title=array("Admin controls");
$admin_sub_title=array("Add Admin","Delete Admin","Admin Passwords","Admin Requests");

$user_title=array("User controls");
$user_sub_title=array("Add Users","Delete Users","Edit Users","Users Requests","Users Passwords");

$info_table=array(
"Add_Admin"=>"We add a admin on this page!",
"Delete_Admin"=>"We delete a admin on this page!",
"Admin_Passwords"=>"We can see all the admin passwords on this page!",
"Admin_Requests"=>"We can see who wants to be a admin on ths page",
"Add_Users"=>"We add user's on this page!",
"Delete_Users"=>"We delete users on this page!",
"Edit_Users"=>"we edit users on this page!",
"Users_Requests"=>"Users request to be a user on this page!",
"Users_Passwords"=>"We can see the user's passwords on this page");

echo"<table border='0'><tr><td align='left'>";

for($t=0; $t<count($admin_title); $t++){
   echo"<table width='120px' border='0'><tr><td align='left'>
<dt><a href='".$_SERVER['PHP_SELF']."?cmd=admin'><b>{$admin_title[$t]}</b></a></dt>\n
</td></tr></table>";
}

if($_GET['cmd']=='admin'){
   for($st=0; $st<count($admin_sub_title); $st++){
      echo"<table width='180px' border='0'><tr><td align='left'>
   <dd><a href='".$_SERVER['PHP_SELF']."?cmd=".urlencode(str_replace(' ','_',$admin_sub_title[$st]))."'>{$admin_sub_title[$st]}</a></dd>\n
   </td></tr></table>";
   }
}

for($ut=0; $ut<count($user_title); $ut++){
   echo"<table width='120px' border='0'><tr><td align='left'>
   <dt><a href='".$_SERVER['PHP_SELF']."?cmd=user'><b>{$user_title[$ut]}</b></a></dt>\n
   </td></tr></table>";
}

if($_GET['cmd']=='user'){
   for($ust=0; $ust<count($user_sub_title); $ust++){
      echo"<table width='180px' border='0'><tr><td align='left'>
   <dd><a href='".$_SERVER['PHP_SELF']."?cmd=".urlencode(str_replace(' ','_',$user_sub_title[$ust]))."'>{$user_sub_title[$ust]}</a></dd>\n
   </td></tr></table>";
        }
}



echo"</td><td valign='top' align='center' width='1200px'>";

$merged=array_merge($admin_sub_title,$user_sub_title);

$new_array=str_replace(' ','_',$merged);

foreach ($new_array as $a){

if($_GET['cmd']==$a){

echo " <b> ".str_replace('_',' ',$a)." </b>  <br/><br/> ".$info_table[$a]." ";


   }
}

echo"</td></tr></table>";

?>
</dl>

</body>
</html>

Link to comment
Share on other sites

The four sub links worked fine for me when the md5 was in place.

The reason no further links are working after the Admin links is you've not scripted anything to handle the new links.

You're much, much better off encoding a series of login functions using md5 and cookies. There are numerous tutorials available. Encrypting the url with md5 is too daunting and unnecessary.

Link to comment
Share on other sites

I'm not sure what it is that you're trying to accomplish by calling md5() all over the place. You are accomplishing absolutely nothing at the expense of a huge number of hash calls.

All that you could possibly hope to accomplish is to obscure the fact that you are passing a url param with the same name as the menu item? It's not like I can't take the md5 hash and just use that if I want to try and exploit your controller code. It doesn't matter if I don't know what it hashes to -- the hash is in the link and you're accepting it. This approach provides no security whatsoever.

Link to comment
Share on other sites

Good point, actually.

It somehow didn't dawn on me that the encryption was a direct hash of the corresponding array element used to print the link's name.

It's possible to do using the switch function and a bunch of cases for every instance, but you ARE better off scripting a login. They've become considerably easy to create. Just find a tutorial on cookie-based login systems for PHP and you're on your way.

Link to comment
Share on other sites

It will be set up via the database, but I wanted an example so I can see it work as it is.

I understand there will be logging in, but hashing the url while the user is logged in is good as well.

Just extra security.

No it's not. There is no security, and a lot of processing power required. I say again --- you have not secured anything just because you generate a hash and pass that because there is no secret involved, since the url param has the hash value IN THE URL!

Where people make the argument for that technique is when they are trying to prevent people from randomly guessing id numbers, say for example in a system where you might have something like:

showprofile.php?userid=4

And this lets a user see their profile. So naturally someone thinks --- let me try showprofile.php?userid=5 and they get the profile page of someone else.

Regardless of whether or not they hash the userid in some way, that's still not security, if the requirement is that nobody should be able to see and edit a profile page other than their own. The solution to that problem is not to use url params at all and use session vars instead, and have the script pull the appropriate information from the database for the logged in user. Since that resides serverside, there's no need to even have url params.

Link to comment
Share on other sites

So me trying to encode the url is a waste of time anyway,

so in essence a good secure login system is best and forget the url encoding rubbish.

Just use the code without the url encoded.

Yes.  Concentrate on getting your login system going, which is non-trivial.  If a user should not be able to access a url unless logged in, then this needs to be handled in your authentication logic, which is typically done with an include at the top of the script, or in a class you create for the purpose.

Link to comment
Share on other sites
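
The point made in the replies above, as an added example that is not code from the thread: a hash of the menu name in the URL is accepted from anyone who has the link, while a check against the session decides by who is logged in. The command table, role names, function names and session keys (`user_id`, `role`) are assumptions, and the arrays stand in for `$_SESSION` and `$_GET`.

```php
<?php
declare(strict_types=1);
// Hypothetical command table: menu command => role required to run it.
const COMMANDS = [
    'Add_Admin'    => 'admin',
    'Delete_Admin' => 'admin',
    'Edit_Users'   => 'user',
];

// The thread's approach: accept cmd when it equals md5(name). The hash is
// printed in the link, so it names the page; it says nothing about the caller.
function hashedCmdAllows(string $cmd): ?string
{
    foreach (array_keys(COMMANDS) as $name) {
        if (hash_equals(md5($name), $cmd)) {
            return $name;
        }
    }
    return null;
}

// Server-side check: who is asking comes from the session, never the URL.
// Assumption for this example: an admin may also run user commands.
function sessionAllows(array $session, string $cmd): ?string
{
    $required = COMMANDS[$cmd] ?? null;   // allow-list lookup
    if ($required === null || empty($session['user_id'])) {
        return null;                      // unknown command or not logged in
    }
    $role = $session['role'] ?? '';
    return ($role === 'admin' || $role === $required) ? $cmd : null;
}

// Profile lookup: the id is taken from the session; $query is ignored on
// purpose, so showprofile.php?userid=5 cannot select another user's profile.
function profileIdFor(array $session, array $query): ?int
{
    return isset($session['user_id']) ? (int) $session['user_id'] : null;
}

// Constructed sessions standing in for $_SESSION after login.
$anonymous = [];
$user      = ['user_id' => 4, 'role' => 'user'];
$token     = md5('Delete_Admin'); // the value any visitor can copy from a link

var_dump(hashedCmdAllows($token));                     // hashed link, no login
var_dump(sessionAllows($anonymous, 'Delete_Admin'));   // not logged in
var_dump(sessionAllows($user, 'Delete_Admin'));        // logged in, wrong role
var_dump(profileIdFor($user, ['userid' => '5']));      // session id wins
```

In a real script the session check would sit in the include at the top of each protected page, as the last reply suggests.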
