Is there a way to encrypt or enclose my code on my Linux server after deployment? I know Zend does some kind of encryption, right? Is that what people use? Is this even possible? How do I go about keeping my code secure online?
php
security
deployment
Answers
2
I applaud your efforts. You must, friendly community member, consider decoupling your operations.
1) Have one function/routine/class/method for filtering input (filter_input_array(), strip_tags(), str_ireplace(), trim(), etc ...). You may want to create functions that use loops to do filtering. Tricks such as double encoding, one-time-strip-spoofing, and more can defeat single usage of things like strip_tags().
Here is a strip_tags() wrapper method from my Sanitizer class.
Notice how it compares the old value to the new value to see if they are equal. If they are not equal, it keeps on using strip_tags(). Although, there is quite of bit of preliminary INPUT_POST / $_POST checking done before this method is executed. Another version of this using trim() is actually executed before this one.
private function removeHtml(&$value)
{
if (is_scalar($value)) {
do {
$old = $value;
$value = strip_tags($value);
if ($value === $old) {
break;
}
} while(1);
} else if (is_array($value) && !empty($value)) {
foreach ($value as $field => &$string) {
do {
$old = $string;
$string = strip_tags($string);
if ($string === $old) {
break;
}
} while (1);
}
} else {
throw new Exception('The data being HTML sanitized is neither scalar nor in an array.');
}
return;
}
2) Have another one for validating input (filter_var_array(), preg_match(), mb_strlen, etc...)
Then, when your data needs to switch contexts ...
A) For databases, use prepared statements (PDO, preferably).
B) For returning / transmitting user input to the browser, escape the output with htmlentities() or htmlspecialchars accordingly.
In terms of magic quotes, the best thing to do is just disable that in the php.ini.
Now, with those various constructs having their own areas of responsibility, all you have to do is manage the flow of logic and data inside of your handler file. This includes providing error messages to the user (when necessary) and handling errors/exceptions.
There is no need to use htmlentities() or htmlspecialchars immediately if the data is going from the HTML form directly into the database. The point of escaping data is to prevent it from being interpreted as executable instructions inside a new context. There is no danger htmlentities() or htmlspecialchars can resolve when passing data to a SQL query engine (that is why you filter and validate the input, and use (PDO) prepared statements).
However, after the data is retrieved from database tables and is directly destined for the browser, ok, now use htmlentities() or htmlspecialchars. Create a function that uses a for or foreach loop to handle that scenario.
Here is a snippet from my Escaper class
public function superHtmlSpecialChars($html)
{
return htmlspecialchars($html, ENT_QUOTES | ENT_HTML5, 'UTF-8', false);
}
public function superHtmlEntities(&$html)
{
$html = htmlentities($html, ENT_QUOTES | ENT_HTML5, 'UTF-8', false);
}
public function htmlSpecialCharsArray(array &$html)
{
foreach ($html as &$value) {
$value = $this->superHtmlSpecialChars($value);
}
unset($value);
}
public function htmlEntitiesArray(array &$html)
{
foreach ($html as &$value) {
$this->superHtmlEntities($value);
}
unset($value);
}
You'll have to tailor your code to your own personal tastes and situation.
Note, if you plan on processing the data before sending it to the browser, do the processing first, then escape with your handy-dandy htmlentities() or htmlspecialchars looping function.
You can do it!
Wednesday, October 12, 2022
3
First if you're targeting "only" the Windows market there's a very easy to prevent the ".class to .java" decompilation: use a tool like Excelsior Jet that will transform the .jar in an .exe.
This is foolproof: it is impossible to get the .java file back if you use Excelsior Jet (so long for all the people saying "it's impossible to prevent decompilation of a .class file"). Sure, an attacker could launch SoftIce and try to trace your .exe but that will prove a bit trickier than using JAD to decompile the .class to a .java and it certainly won't allow to find the .java file back.
Now maybe you're targetting OS X and Linux too or you don't have $$$ to shell off for Excelsior Jet.
I'm writing a commercial software written in Java. That software only makes sense if there's an Internet connection. Hence we "protect" our software, amongst other, by having part of the computation happening on the server side: we have several .class that won't work unless they're generated from the server side and we send them down the wire (and what is sent on the wire is always different: we're generating unique, one-off .class files on the server side).
This requires an Internet connection but if the user doesn't like how our software works then he's free to buy one our competitor's inferior product ;)
Decompiling will not do much good: you actively need to crack the software (ie reproduce what is happening on the server side) or you won't be able to use it.
We use our own "string obfuscation" before we use Proguard. We also do source code instrumentation (we could have done bytecode instrumenation as well) where we remove lots of things from the code (like the "assert" that we comment out) and introduce some random "code flow obfuscation" [the software can take different paths yet obtain the same result, this is something that really makes the software hard to trace]).
Then we use Proguard (which is free) to flatten all our OO hierarchy and to obfuscate the already-code-flow-and-string-obfuscated code.
So our flow is:
- string obfuscation
- random code flow obfuscation
- Proguard
- final .jar that depends on .class that are (differently) dynamically generated on the server side.
In addition to that we release very regular (and automated) update which always make sure to modify a bit our client/server protection scheme (so that with each release an hypotethical attacker has to start mostly from scratch).
Of course it's easier to throw the towel in and to think: "there's nothing I can do to make an attacker's life harder because JAD can find back the .java file anyway" (which is more than very debatable and blatantly wrong in the case where you use a .class to .exe converter to protect your .class from decompiling).
Monday, September 5, 2022
1
If you are talking about someone else's server, then the short answer is no. If third parties could read your PHP source code, that would be quite a security hole, since PHP files tend to contain database passwords, hash keys, proprietary algorithms and other goodies that you don't want falling in the wrong hands.
If you are talking about your own server (ie. that you yourself have access to), then there are simple scripts that you can put on the server, that allow you to specify a path to any file on the server and have it returned as plaintext. However, you NEVER EVER want to place such a script on a production server, for the reasons mentioned above.
Monday, November 21, 2022
46
It's probably Gmail - it's designed to do that after all and does scan for viruses. I suspect using a less common compression method might work (.xz may work for a single file - zip files are checked from my very unscientific tests of Gmail), or just simply burning it onto a DVD or other media and snailmailing it might work better.
Considering you're doing incident response, would it be too much to ask for access to the site directly to download the files? That would be the simplest, and you can then observe the compromise in its native environment.
Wednesday, October 26, 2022
Only authorized users can answer the search term. Please sign in first, or register a free account.
Not the answer you're looking for? Browse other questions tagged :
php
security
deployment
You are right, you can use Zend Encoder, Ion Cube or something like Source Guardian to encrypt your source code.
Its not really needed unless you are giving away your code and dont want people to steal it though.
What is it about your server that you think its insecure?