ionCube Logo
 FAQFAQ   SearchSearch   MemberlistMemberlist   UsergroupsUsergroups   RegisterRegister 
 ProfileProfile   Log in to check your private messagesLog in to check your private messages   Log inLog in 


 
Post new topic   Reply to topic    ionCube Forum Index -> ionCube PHP Encoder

Can I prevent includes from untrusted scripts?

Author Message
Gator
Guest





PostPosted: Fri Jun 03, 2005 4:40 pm    Post subject: Can I prevent includes from untrusted scripts? Reply with quote

I have an encoded application but I am concerned about users including my encoded script from their own PHP script and when mine returns from executing, using PHP class functions to view my classes, their variables, and class functions.

While I haven't really tested this it seems like PHP offers a lot of functions that could be used to gain a lot of insight to how a program is architected, especially if it is object oriented. One partial solution I see is to make sure that the parent script ends with a die() command to prevent further execution of PHP commands when my script is done. But what if someone replaces one of my included and encoded script files with one of theirs and issues the same commands that way? It seems difficult to prevent this kind of hacking.

Is there a way to write your code to make sure your encoded scripts are not being included by untrusted scripts and also to make sure you are not including any untrusted scripts all at runtime? Unfortunately PHP wont let you disable these class functions at runtime, only in the INI.
Back to top
liaison
ionCube Support


Joined: 16 Dec 2004
Posts: 2788

PostPosted: Fri Jun 03, 2005 6:02 pm    Post subject: Reply with quote

Hi

Yes, this is possible. Using the standalone Encoder you can assign properties to files, and restrict files so that they can only be included if the file doing the including has particular properties set. In the upcoming next product release, there are also additional protection features related to this topic.
_________________
Community Admin
Back to top
View user's profile Send private message
Guest






PostPosted: Fri Jun 03, 2005 6:08 pm    Post subject: Reply with quote

I guess I found a partial answer. Use the --include-if-property switch.

if script A includes script B then I can:

- *not* prevent A from being included but I can prevent post execution of code by ending it with a die() command

- prevent B from being included by a rogue script using the above switch

But I can't prevent someone from replacing script B with their own script and dumping information about what A is doing.

I hope that script B cannot include a script C because A has defined the key property? This is true if C makes sure that the immediate parent (B) defined the property and not the grandparent script (A).
Back to top
liaison
ionCube Support


Joined: 16 Dec 2004
Posts: 2788

PostPosted: Fri Jun 03, 2005 6:39 pm    Post subject: Reply with quote

Quote:
I hope that script B cannot include a script C because A has defined the key property? This is true if C makes sure that the immediate parent (B) defined the property and not the grandparent script (A).


The behaviour is as you'd want, which is checking the script that does the including. In the upcoming release, this is extended to introduce mechanisms such as script substition protection.
_________________
Community Admin
Back to top
View user's profile Send private message
Display posts from previous:   
Post new topic   Reply to topic    ionCube Forum Index -> ionCube PHP Encoder All times are GMT + 1 Hour
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum