Ioncube and config-file

Poper
Joined: 15 Dec 2005
Posts: 2

Posted: Thu Dec 15, 2005 12:20 pm    Post subject: Ioncube and config-file

Hello,

We use ioncube for our application. Now we use a config.php file in a config-path. We want to prevent the use of an extraneous php-file.

How can we do this? How do you implement a config file in your program with ioncube?

Thanks for your help.

cu Axel


PS: Sorry for my bad English.

liaison
ionCube Support
Joined: 16 Dec 2004
Posts: 2788

Posted: Thu Dec 15, 2005 12:42 pm

Hi

I'm not sure what you mean by use of extraneous file. Perhaps you can give an example?

The options on the command line that may be relevant to you are:

--encode
--copy
--ignore
--keep

These allow you to specify file and directory partial paths or patterns to encode, copy (without encoding), ignore entirely, or unignore. See section 3.4 of the User Guide for more details.

In the GUI, simply right click on files or folders in the source file tree and the same features are available on a popup menu. The icons in the tree will change to show the current state for any files and folders as a result of making any change.
_________________
Community Admin

Poper
Joined: 15 Dec 2005
Posts: 2

Posted: Thu Dec 15, 2005 4:09 pm

Hi nick,

OK, here is an example:
I have the following structure for my app.

/config/config.php
/functions/functions.php
index.php
search.php

I encode it with ioncube, but the config.php is excluded so that parameters can be changed.

What can I do so that nobody replaces the function.php?

cu Axel

liaison
ionCube Support
Joined: 16 Dec 2004
Posts: 2788

Posted: Thu Dec 15, 2005 4:30 pm

Sorry but I'm still not sure that I understand. You say that config.php is left unencoded, but that you don't want people to change functions.php? Is that correct? How are the two related? What is the problem?

There are features in the Encoder so that you can prevent replacement of an encoded file with another file, so you could encode index.php so that it can only include encoded files that have certain properties (key/value pair metadata set by the Encoder). This does mean that index.php would then not be able to include config.php, as config.php would not have the properties defined. So you could have an encoded file wrapper (config-enc.php) that could include config.php, and have the encoded files include config-enc.php. However, a fundamental issue here is that if a PHP file is used as a config file, arbitrary code can be added to the config.php file, and this could be bad.

The better solution is not to use PHP files for config files at all, and instead to use a plain text file that is parsed by your scripts. You then encode your scripts so that all of the files will only work with each other, and you have safety from it not being possible to include any unencoded PHP file.
_________________
Community Admin

Corlath
Joined: 10 Jan 2006
Posts: 1

Posted: Tue Jan 10, 2006 8:15 pm    Post subject: how to work with config files ?

Hello nick,

First, a Happy New Year to you and the rest here in the forum.

I must come back to this topic, because for me it's still not clear.

We have the same level, I want to prevent replacement of encoded php files and for that I must encode all php files.
Now I have a php config file which includes settings which must my script user later so he must be able to change that file and that means I can't encode it and so I lose my option to prevent replacement.

I'm not sure I understand your suggestion with the "wrapper", because this will still include a not included php file?

Now you write we should use a plain text config and maybe my understanding of security and safety is wrong, but how can I be sure that no one else than the script buyer can read it?
It includes important information like database access and so I must be really sure that it is really safe from third-party access!
One way could be saving it in a folder before the web root folder, but besides that I think it's also not really safe, it is bad because not every webmaster can use such folders, and I think the limitation to ioncube loader is hard enough.

So please explain your suggestion again, I think a lot of other users must have the same problem.

Best Regards
Frank
Sorry again for my bad English

liaison
ionCube Support
Joined: 16 Dec 2004
Posts: 2788

Posted: Fri Jan 13, 2006 12:46 am

Hi

You are correct that if the config file is plain text then it could be read. There are several things you might do though.

* You could name the config file as a .php file, putting the config settings inside comments, and processing the file as a text file. As the file ends in .php, if someone accessed it directly it would be executed and not displayed, and as it had comments, it would do nothing. This is more of a trick, and really only satisfactory if the file is written by your application and never edited by a person. It would work though.

* You could protect the config directory with a .htaccess if the web server was Apache.

* If the config settings are always written by your application and not user edited, you could also store the file in an encrypted form.

Or, you could keep your config file as a .php file, which is the easiest thing to do as that is what you are doing, and encode your project so that the file including the config file is allowed to include a plain text file, but that the rest aren't. If any part of your PHP application is allowed to include unencoded PHP files then you have a weakness, but realistically, it need not be a problem.
_________________
Community Admin
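
The "store the file in an encrypted form" option from the post above, sketched as an added example that is not code from the thread or from ionCube. It assumes PHP 7.3+ with the sodium extension; `seal_config()`, `open_config()`, the temp file and the sample settings are hypothetical.

```php
<?php
declare(strict_types=1);

// seal_config() and open_config() are hypothetical helper names for this example.
function seal_config(array $settings, string $key): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = json_encode($settings, JSON_THROW_ON_ERROR);
    // secretbox is authenticated encryption, so any later edit is detected on open.
    return base64_encode($nonce . sodium_crypto_secretbox($plain, $nonce, $key));
}

function open_config(string $blob, string $key): array
{
    $raw = base64_decode($blob, true);
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $min) {
        throw new RuntimeException('config blob is malformed');
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($box, $nonce, $key);
    if ($plain === false) {
        throw new RuntimeException('config failed authentication (edited, or wrong key)');
    }
    return json_decode($plain, true, 8, JSON_THROW_ON_ERROR);
}

// Constructed demo. Assumption: in a real deployment the key is a constant inside
// one of the encoded scripts; it is generated here only so the example runs alone.
$key  = sodium_crypto_secretbox_keygen();
$path = tempnam(sys_get_temp_dir(), 'cfg');
file_put_contents($path, seal_config(['dbhost' => 'localhost', 'dbname' => 'mydbname'], $key), LOCK_EX);

$cfg = open_config(file_get_contents($path), $key);
echo 'dbhost = ', $cfg['dbhost'], PHP_EOL;

// Simulate a hand edit of the stored file: flip one bit in the ciphertext.
$raw = base64_decode(file_get_contents($path), true);
$raw[strlen($raw) - 1] = chr(ord($raw[strlen($raw) - 1]) ^ 1);
try {
    open_config(base64_encode($raw), $key);
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
unlink($path);
```

The stored file is unreadable to anyone who fetches it, but only for as long as the key stays secret, so the script holding the key is the one that has to be encoded.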

tajny
Joined: 15 Sep 2005
Posts: 4
Location: Poland

Posted: Mon Jan 16, 2006 11:47 pm

Yes, for example, this is how I did it.

For config, read it somewhere at the top of your app.

Code:

// Parse the guarded INI file as data; it is never include()d.
if (file_exists('/include/config.ini.php')) {
    $ini_array = parse_ini_file('/include/config.ini.php');
}

And this is how config.ini.php looks:

Code:

--config.ini.php--
; <?php die( 'Access denied.' ); ?>
; don't remove line above
[config]
dbhost=localhost
dbname=mydbname
dbuser=tajny
dbpass=tajnypass




And print_r($ini_array):

Code:

[dbhost] => localhost
[dbname] => mydbname
[dbuser] => tajny
[dbpass] => tajnypass


But when you want to execute config.ini.php, it shows access denied.

greetz.
_________________
// A rat who gnaws at a cat's tail invites destruction. //
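
A stricter loader for the guarded INI file shown in the post above, which also covers the earlier advice in this thread to parse the config as text rather than include it. This is an added example, not code from the thread or from ionCube; `load_guarded_ini()`, the key allow-list, the temp file and the sample values are assumptions.

```php
<?php
declare(strict_types=1);

const GUARD = "; <?php die( 'Access denied.' ); ?>";   // guard line as posted above
const ALLOWED_KEYS = ['dbhost', 'dbname', 'dbuser', 'dbpass'];

// load_guarded_ini() is a hypothetical helper name used only in this example.
function load_guarded_ini(string $path): array
{
    $text = @file_get_contents($path);   // read as data; the file is never include()d
    if ($text === false) {
        throw new RuntimeException("cannot read $path");
    }
    // If the guard is not line 1, a direct web request could print the settings.
    if (rtrim(explode("\n", $text, 2)[0], "\r") !== GUARD) {
        throw new RuntimeException('guard line missing or altered; refusing to load');
    }
    // RAW mode keeps values as literal strings instead of interpreting them.
    $ini = @parse_ini_string($text, true, INI_SCANNER_RAW);
    $cfg = is_array($ini) ? ($ini['config'] ?? null) : null;
    if (!is_array($cfg)) {
        throw new RuntimeException('syntax error or missing [config] section');
    }
    $bad = array_merge(
        array_diff(array_keys($cfg), ALLOWED_KEYS),   // keys nobody asked for
        array_diff(ALLOWED_KEYS, array_keys($cfg))    // required keys that are absent
    );
    if ($bad !== [] || array_filter($cfg, 'is_string') !== $cfg) {
        throw new RuntimeException('unexpected, missing or non-scalar keys: ' . implode(', ', $bad));
    }
    return $cfg;
}

// Constructed sample files; the values are placeholders.
$path = tempnam(sys_get_temp_dir(), 'ini');
file_put_contents($path, GUARD . "\n[config]\ndbhost=localhost\ndbname=mydbname\n"
    . "dbuser=exampleuser\ndbpass=examplepass\n");
print_r(load_guarded_ini($path));

file_put_contents($path, "[config]\ndbhost=localhost\n");   // guard line deleted
try {
    load_guarded_ini($path);
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
unlink($path);
```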