Graham Anderson wrote:
How does a hacker get access to your scripts located outside the web
I asked a friend to hack my php script within the web folder...
all of my crucial functions were called by:
the 'encrypt' functions are MCRYPT_RIJNDAEL_256
He was able to get access to the '' php script [outside the web folder] and all the stuff inside
Based on my current knowledge, my security breaches are probably big enough to drive a truck through :(
How can I prevent this?
I am VERY new at the whole 'security' thing so any help is appreciated
Just looking briefly at the below script; NEVER trust user input!
Sanitize it, escape it, check to see it's what you expect, and do it again. Doing things like this...
is just asking for trouble.
This is the script within the web folder:
$thisScriptURL = ThisScriptsAbsoluteHTTPLocation($_SERVER ['SCRIPT_NAME']);
// This PHP script is performing three tasks
// 1) Creates a SMIL playlist of Quicktime movies from a database call
// 2) Reads each requested movie file from outside the web folder
//    Movies are downloaded by passing the GET variable, 'path', to the 'freadMovie()' function
//    This function is located in the script, '', located outside the web folder
//    The movie files are fread chunk by chunk in binary format and loaded into the Quicktime Player
// 3) Build the Actual Quicktime Media Link with all the EMBED attributes like KIOSKMODE and QUITWHENDONE
// Flow of the Code:
// If the GET variable, 'cmd', equals 'makesmil'
//     Build the SMIL playlist
// ElseIf the GET variable, 'cmd', equals 'getmovie'
//     Send the requested url [with the encrypted movie file path] to the freadmovie() function
//     which freads the requested movie file data to the Quicktime Player
// Else
//     Build the Quicktime Media Link that generates the Headers and Embed tags
//     where the 'src' attribute points to the SMIL Playlist Movie function in THIS script
// Endif
// any variable there ?
if( isset($_REQUEST['cmd']) OR isset($_REQUEST['path'] ))
// Ok, there is a 'cmd' and/or 'path' variable, what are they ?
// make the SMIL playlist of movie
if( trim(decrypt( $_REQUEST['cmd'])) =="makesmil")
// fread a movie file in the playlist and send to QuickTime
// No commands were given
// So make the Quicktime Media Link with all the EMBED attributes
// The 'src' attribute is going to call the 'makesmil' function to generate the SMIL playlist movie
buildQTMediaLinkForSMILPlaylist( $autoplay="true",
$moviename="Commercial Reel 2005",
// Output the Correct QuickTime Headers and the Embed Tags and send the movie to QuickTime
echo $finalQTMovie;
// Local Functions
function makesmil($thisScriptURL)
buildSMILArray($thisScriptURL,$d='siren',$playlist="Show Reel");
// format the SMIL playlist
buildSMILPlaylist( $timeslider="true",
$width = "352",
$fit= "fill",
$title = "Commercial Reel
$moviename="Commercial Reel
// Sanitize the variables to prevent MySQL injection and trim them
function sanitizeVars()
$path = getGetVarProcessed( 'path', 'cleanser', 'unknown' );
$cmd = getGetVarProcessed( 'cmd', 'cleanser', 'unknown' );
// Output Player or Browser Content-Type Header
function OutputHeaders($userAgent)
global $finalQTMovie;
// Player
header('Content-Type: application/x-quicktimeplayer');
header('Content-Type: video/quicktime');
//output any of the other headers
header ("Content-Length:".strlen($finalQTMovie));
John C. Nichel
PHP General Mailing List (
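One way to apply John's "check to see it's what you expect" advice to the 'getmovie' branch, as an added example that is not code from either poster: decrypting the 'path' parameter does not make its contents trustworthy, so the decrypted value is accepted only as a bare file name and resolved against a fixed movie directory before anything is read. The names resolveMoviePath and sendMovie, the movie root, and the sample directory built in the CLI demo are all assumptions; the call to the poster's decrypt() is assumed to happen before sendMovie is invoked.

```php
<?php
// Added example (not Graham's or John's code): validate the decrypted 'path'
// value against a fixed movie directory instead of passing it to fread() as-is.

function resolveMoviePath(string $requested, string $root): ?string
{
    // Accept only a bare file name with a known extension: no directory
    // separators, no '..', no NUL bytes, nothing the script did not expect.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\.(mov|mp4)\z/', $requested)) {
        return null;
    }
    // Canonicalise both sides so symlinks and odd separators cannot slip through.
    $rootReal = realpath($root);
    $fileReal = realpath($root . DIRECTORY_SEPARATOR . $requested);
    if ($rootReal === false || $fileReal === false || !is_file($fileReal)) {
        return null;
    }
    // The resolved file must sit directly under the movie root, nowhere else.
    return dirname($fileReal) === $rootReal ? $fileReal : null;
}

function sendMovie(string $decryptedPath, string $root): bool
{
    $movie = resolveMoviePath($decryptedPath, $root);
    if ($movie === null) {
        http_response_code(404);   // reject quietly; do not echo the value back
        return false;
    }
    header('Content-Type: video/quicktime');
    header('Content-Length: ' . filesize($movie));
    readfile($movie);              // only the validated, canonical path reaches the filesystem
    return true;
}

// Offline demonstration with a constructed movie directory (CLI only).
if (PHP_SAPI === 'cli') {
    $root = sys_get_temp_dir() . '/movies_' . uniqid();   // assumed location
    mkdir($root);
    file_put_contents("$root/reel2005.mov", 'constructed sample bytes');
    var_dump(resolveMoviePath('reel2005.mov', $root));            // a name the script expects
    var_dump(resolveMoviePath('../outside-webroot.php', $root));  // directory traversal attempt
    var_dump(resolveMoviePath("reel2005.mov\0.txt", $root));      // embedded NUL byte
    var_dump(resolveMoviePath('reel2005.txt', $root));            // unexpected extension
}
```

Going one step further, a database row id looked up against the movie table (as the 'makesmil' branch already queries it) removes the file name from the request entirely.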