This is not about how to encrypt and decrypt. I want to know if it is possible to run a function after retrieving and decrypting it from a text file.
For example I will create a function that defines a database password and then encrypt it as if it was just a text string and write it to a text file.
Then I have the function that defines the db password as an encrypted unreadable mess.
When I need the password, I would get the file contents and decrypt it but at this point I need to be able to run it as a function so it will define the DB_PASSWORD constant but it is just text in a string now.
It's the same as if I just did this:
$var = "function define_password(){
if(!defined('DB_PASSWORD')){define('DB_PASSWORD', 'password');}
}";
It's pretty obvious all I can do with this is echo it out because it's just text in a variable.
So, is there any way to make PHP see that as a function instead of a string variable?
Thanks
Even if it's redundant, it's educational so I'm posting the result of using the eval() method Xenon pointed out. Here's the encrypted and hidden file called .nothing in a directory outside www with read only access to www-data owned by root:
I made it with the encrypt function in the code below which came from someone here on stackoverflow.
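<?php
// NOTE: the mcrypt extension was deprecated in PHP 7.1 and removed from core in PHP 7.2.
// Despite its name, SALT is used as the encryption key here.
define('SALT', 'whateveryouwant');

function encrypt($text)
{
    // ECB mode does not use an IV, so the value from mcrypt_create_iv() is ignored.
    return trim(base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, SALT, $text, MCRYPT_MODE_ECB, mcrypt_create_iv(mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB), MCRYPT_RAND))));
}

function decrypt($text)
{
    // trim() strips the NUL padding mcrypt adds to fill the last block.
    return trim(mcrypt_decrypt(MCRYPT_RIJNDAEL_256, SALT, base64_decode($text), MCRYPT_MODE_ECB, mcrypt_create_iv(mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB), MCRYPT_RAND)));
}

// Read the encrypted file, decrypt it to PHP source and execute that source.
$dec_db = decrypt(file_get_contents('.nothing'));
eval($dec_db);  // declares defineit()
defineit();     // defines the credential constants
echo ET_APP_USERNAME;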
The encrypted part is a function that defines usernames and passwords for 3 different databases but echoing out the first username shows me it works perfectly. And of course as was pointed out, if someone has access to the server they will see the SALT constant and the encrypt/decrypt functions and know from the file_get_contents method where it is so I guess this was just educational for me.
var_dump(DB_PASSWORD) into your code where it connects to the database. You're trying to defend an area that's already too late to be defended - deceze 2012-04-04 01:46
I'll just suppose that the benefit you hope to get here is that an attacker won't be able to read the database password, if your site was ever hacked. Based on that assumption, I'll say:
I think what you may be looking for is eval(), which takes a string and executes it as PHP code.
Be very careful with using this, and heed the warning:
The eval() language construct is very dangerous because it allows execution of arbitrary PHP code. Its use thus is discouraged. If you have carefully verified that there is no other option than to use this construct, pay special attention not to pass any user provided data into it without properly validating it beforehand.
So, for example, you could do this:
$var = "function define_password(){
if(!defined('DB_PASSWORD')){define('DB_PASSWORD', 'password');}
}";
eval($var);
eval() should execute the code, which would be like writing a function normally. You still have to call the function to use it - Xenon 2012-04-04 01:45
If you hadn't given the explanation of what you were trying to achieve with this, I wouldn't have said anything. However, since you're saying that what you're trying to achieve with all of this is to read a password stored in a file (inside a function for some reason), I would highly suggest you review your method of attack.
I'll direct you to the benefits of parse_ini_file()
http://www.php.net/manual/en/function.parse-ini-file.php
If possible, don't store a function to simply define a variable - there are far better ways to do it, and using an ini file is a very good/better alternative. You can even have it define() the password too if you want to make it even easier to access the information.
define() call to define the password into a constant - Eli Sand 2012-04-05 23:22
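The ini-file approach from the answer above, as an added example that is not part of the original thread: credentials are loaded as data with parse_ini_file() and no eval() is involved. The load_db_config() helper, the [database] section, the key names, the sample values and the POSIX permission check are assumptions made for illustration.

```php
<?php
// Added example (not from the thread). Assumes PHP 7+ on a POSIX system.
// load_db_config(), the [database] section and its keys are hypothetical names.

function load_db_config(string $path, array $required): array
{
    clearstatcache(true, $path);
    $perms = fileperms($path);
    if ($perms === false) {
        throw new RuntimeException("cannot stat $path");
    }
    // Fail closed if users outside the owner and group can read or write the file.
    if (($perms & 0006) !== 0) {
        throw new RuntimeException("$path is accessible to other users");
    }
    // INI_SCANNER_RAW takes values literally: a password of "on" stays "on"
    // instead of becoming "1", and ${...} is not expanded.
    $ini = parse_ini_file($path, true, INI_SCANNER_RAW);
    if ($ini === false || !isset($ini['database']) || !is_array($ini['database'])) {
        throw new RuntimeException("no [database] section in $path");
    }
    $db = $ini['database'];
    foreach ($required as $key) {
        if (!isset($db[$key]) || $db[$key] === '') {
            throw new RuntimeException("missing key: $key");
        }
    }
    // Return only the expected keys; anything else in the file is ignored.
    return array_intersect_key($db, array_flip($required));
}

// Constructed sample file; in deployment it would live outside the web root.
$path = tempnam(sys_get_temp_dir(), 'dbcfg');
file_put_contents($path, "[database]\nhost = localhost\nuser = app_user\npassword = constructed-sample-pw\n");
chmod($path, 0640);

$cfg = load_db_config($path, ['host', 'user', 'password']);
if (!defined('DB_PASSWORD')) {
    define('DB_PASSWORD', $cfg['password']);
}
echo DB_PASSWORD === 'constructed-sample-pw' ? "loaded\n" : "mismatch\n";
unlink($path);
```

Because the file is parsed as key/value data, a tampered file can at worst supply wrong values; it cannot run code in the application the way a tampered eval() payload can.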
Try create_function(). Then call it. If it fails, it returns NULL or FALSE or smth.