
Understanding some lines in PHP code


hisoka


There are some lines I would like to understand in this PHP code:

<?php

$john = "jim.php";
if (isset($HTTP_GET_VARS["action"])){
if ($HTTP_GET_VARS["action"]=="register"){
if(isset($HTTP_GET_VARS["nick"]) and isset($HTTP_GET_VARS["id"])){
$file = fopen($john, "a");
$that_file = file_get_contents($john);
if (strpos($that_file, "::".$HTTP_GET_VARS["nick"])){

}
$nick = urldecode(substr($HTTP_GET_VARS["nick"], 0, 20));
$id = urldecode(substr($HTTP_GET_VARS["id"], 0, 20));
fputs($file, "::".$sessionuser['user']."::".$nick."::".$id."\n");
fclose($file);

}
if ($HTTP_GET_VARS["action"]=="login"){
if(isset($HTTP_GET_VARS["nick"]) and isset($HTTP_GET_VARS["id"])){
$file = fopen($target, "r");
$i = 0;

while (!feof ($file)){
$line[$i] = fgets ($hfile, 1024);
$cntrl = strstr($line[$i], "::".$sessionuser['user']."::".$HTTP_GET_VARS["nick"]."::".$HTTP_GET_VARS["id"]);
if ($cntrl){
$len = strlen("::".$sessionuser['user']."::".$HTTP_GET_VARS["nick"]."::".$HTTP_GET_VARS["id"]);
if (substr(($line[$i]), strlen($line[$i])-8, strlen($line[$i])-1-$len)=="::member"){
header('Location:bbb.php');
}else{
header('Location:ccc.php');
}
}
$i += 1;
}
?>

 

Now I will tell you which lines I could not understand:

1) if (strpos($con_file, "::".$HTTP_GET_VARS["nick"]))

In the context of the line above, I cannot understand what the "::" does, or what strpos does. I read about it in the PHP manual and know what it does, but I cannot figure out what it does in the line above.

2) $nick = urldecode(substr($HTTP_GET_VARS["nick"], 0, 20));
$id = urldecode(substr($HTTP_GET_VARS["id"], 0, 20));
fputs($hfile, "::".$sessionuser['user']."::".$nick."::".$id."\n");

urldecode decodes a URL-encoded string, but what is its role in the lines above? Why is it used? And why is substr used, and what does urldecode do when combined with substr? Again, what does "::" do in the line above, and what does the colon "." after "::" do?

3) $i = 0;

while (!feof ($hfile)){
$line[$i] = fgets ($hfile, 1024);
$cntrl = strstr($line[$i], "::".$sessionuser['user']."::".$HTTP_GET_VARS["nick"]."::".$HTTP_GET_VARS["id"]);
if ($cntrl){
$len = strlen("::".$sessionuser['user']."::".$HTTP_GET_VARS["nick"]."::".$HTTP_GET_VARS["id"]);
if (substr(($line[$i]), strlen($line[$i])-8, strlen($line[$i])-1-$len)=="::admin"){
header('Location:bbb.php');
}else{
header('Location:ccc.php');
}
}
$i += 1;

What is $i = 0; and why is it used?

What does this do:

while (!feof ($hfile)){
$line[$i] = fgets ($hfile, 1024);
$cntrl = strstr($line[$i], "::".$sessionuser['user']."::".$HTTP_GET_VARS["nick"]."::".$HTTP_GET_VARS["id"]);

What is the role of strlen here:

strlen("::".$sessionuser['user']."::".$HTTP_GET_VARS["nick"]."::".$HTTP_GET_VARS["id"]); and what does the whole line mean, with the "::"?

Finally, the most complicated one: what is the meaning of this line:

if (substr(($line[$i]), strlen($line[$i])-8, strlen($line[$i])-1-$len)=="::member")

I could not understand it at all.

Justsomeguy, a lot of questions. Could you please reply to them one by one and in a simple way, so that I can understand? Or you can give me some simplified articles that help me understand the code above, besides your own explanation. I looked for all of them in the PHP manual but I could not understand.

Best regards

 

Link to comment
Share on other sites

That code is really old and outdated, $HTTP_GET_VARS was replaced with $_GET years ago.

 

1) That line looks for a particular string in the contents of the file. The string starts with "::" and is followed by whatever is in the "nick" GET variable. The problem is that if it happens to be the first thing in the file, the code will think it doesn't exist, since strpos() returns both zero and false values.

 

2) It's using the first 20 characters of the GET variable called "nick". Because $HTTP_GET_VARS takes data from the URL, some of the characters will be encoded in the form "%XX" where XX represents the hexadecimal ASCII code for the character. $_GET doesn't have this problem, so if you used $_GET you wouldn't need urldecode().

This line has nothing to do with the "::" from before. It looks to me like "::" is used as a separator in whichever file data is being loaded from. This is really old code and doesn't look very good.

 

3) $i is just a number which is used to keep count of how many lines have been read from the file. That code is wrong, the $i += 1 should actually be before the closing brace "}".

 

while (!feof ($hfile)){ continues the loop as long as the end of a file has not been reached.

$line[$i] = fgets ($hfile, 1024); will load a line from the file, but only the first 1024 characters of that line.

$cntrl = strstr($line[$i], "::".$sessionuser['user']."::".$HTTP_GET_VARS["nick"]."::".$HTTP_GET_VARS["id"]); This line of code gets the part of the data from $line[$i] that matches the format given by the GET variables and everything that follows it.

strlen() is used to count how long the string is that was just retrieved.

if (substr(($line[$i]), strlen($line[$i])-8, strlen($line[$i])-1-$len)=="::member") This line, which is way too convoluted for its own good, just checks that the last 8 characters of the line spell out "::member".

 

I don't think there's a way I can simplify this for you, since you already need to be familiar with file reading and string manipulation to understand it. This code is really badly written and could probably be done with half the lines of code in a cleaner and simpler way. What the code does is read a file which has data about users; the data is stored in a format similar to this:

user1::field1::field2::field3::field4
user2::field1::field2::field3::field4

It reads line by line until it finds a line that matches the current data that is being searched for in the HTTP_GET_VARS variable. When it finds the line, it checks whether "::admin" exists and redirects you based on it. It also checks whether "::member" exists and redirects to somewhere else.

 

I can't repeat enough that this is terrible code, though, and I don't think it's a good idea to store user information in a plain text file.

  • Like 1
Link to comment
Share on other sites

Thank you from the bottom of my heart. Your explanation is wonderful. I would like to ask some further questions :)

 

1) In this line: $file = fopen($john, "a"); the "a" is used for writing only. Does this mean that when the page is opened I can write something in it, like writing my id or nick or password or username?

 

2) $that_file = file_get_contents($john);

 

file_get_contents "Reads entire file into a string" (PHP manual, and w3schools manual too). Sorry, but I did not understand what it means by "Reads entire file into a string".

3) $nick = urldecode(substr($HTTP_GET_VARS["nick"], 0, 20)); In the URL GET form, or when we send data in the URL through a GET form, why are characters encoded in hexadecimal?

"It's using the first 20 characters of the GET variable called "nick"". No user will give a nick of 20 characters or more, so why is the length set to 20 characters? And if it uses the first 20 characters of the GET variable, what does it do with the rest? Discard it?

4) Generally, what is the need to use this: $line[$i] = fgets ($hfile, 1024)? What do you mean by "LOAD" (will load a line from the file, but only the first 1024 characters of that line)? Why should 1024 characters of a line be loaded?

 

 

And finally, could you tell me more about this:

 

strlen($line[$i])-1-$len ?

Link to comment
Share on other sites

1) The "a" flag means that when calling fwrite() on the file handler the content will be added at the end of the file.

 

2) file_get_contents() returns a string containing all the data from the file. I don't know how else to explain it.

 

3) It's a web standard. Read more about it here: https://en.wikipedia.org/wiki/Percent-encoding

 

I don't know why they chose to only use 20 characters. The rest of the characters are not used, those 20 characters are the only ones used.

 

4) By load I mean it reads the file and takes those characters and puts them into a variable. I don't know why they decided to limit the line length to 1024 characters, you should ask the person who gave you the code. In the file they're reading, each line has the data for one user, that's why they read it line by line.

 

strlen($line[$i]) gives the length of the shown line. 1 is subtracted from that because the pointer can only go as far as one character before the length. $len is the size of the data they wanted to extract.

 

If the full line was 100 characters and the string they're reading from was 20 characters long, the resulting value of that expression would be 100 - 1 - 20, which is 79, and the substr() function would be equivalent to substr($line[$i], 92, 79), which actually doesn't make sense; their code seems to be wrong and probably only works because the length they're providing exceeds the length of the string they're reading from.

Link to comment
Share on other sites
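To make the two replies above concrete (the "::"-separated record format and the strpos() pitfall from the first reply, and the substr()/strlen() arithmetic from this one), here is a small stand-alone PHP script, added as an illustration; it is not the thread's code nor the challenge's. The sample records are constructed in memory instead of being read from key.txt, the function names are my own, and it assumes PHP 7.1 or newer (nullable return type).

```php
<?php
// Added illustration, not the thread's challenge code.
// Constructed stand-in for key.txt: the "::user::nick::id" lines the register
// branch writes. fgets() keeps the trailing "\n", so the samples keep it too.
$sessionUser = 'd0c5258e830e2e23c190d04428cb0fac';   // value quoted in the thread
$records = [
    "::{$sessionUser}::john::12\n",
    "::{$sessionUser}::admin::45\n",
];

// The strpos() pitfall from the first reply, as the challenge writes it:
// a needle found at offset 0 yields 0, and 0 is falsy, so the hit is missed.
function nickExistsBuggy(string $haystack, string $nick): bool
{
    return (bool) strpos($haystack, '::' . $nick);
}

// Corrected form: strpos() returns false only when there is no match,
// so compare against false with === instead of relying on truthiness.
function nickExistsFixed(string $haystack, string $nick): bool
{
    return strpos($haystack, '::' . $nick) !== false;
}

// The convoluted check from the login branch, with the three numbers it
// juggles exposed: $len (length of the searched-for string), the start offset
// (8 bytes before the end) and the count (line length minus 1 minus $len).
function convolutedCheck(string $line, string $needle): array
{
    $len   = strlen($needle);
    $start = strlen($line) - 8;
    $count = strlen($line) - 1 - $len;
    $piece = substr($line, $start, $count);
    return [
        'len'     => $len,
        'start'   => $start,
        'count'   => $count,
        'piece'   => $piece,
        'isAdmin' => $piece === '::admin',
    ];
}

// The readable equivalent the replies recommend: split on the separator and
// compare whole fields, rejecting any line that does not fit the format.
function parseRecord(string $line): ?array
{
    $fields = explode('::', rtrim($line, "\n"));
    // The leading "::" produces an empty first field: ['', user, nick, id, ...]
    if (count($fields) < 4 || $fields[0] !== '') {
        return null;   // malformed line: do not guess, treat it as no match
    }
    return ['user' => $fields[1], 'nick' => $fields[2], 'id' => $fields[3]];
}

// Needle at offset 0: the buggy form says "not found", the fixed form "found".
$firstLine = "::john::12\n";          // constructed line in the simplified format
var_dump(nickExistsBuggy($firstLine, 'john'));   // bool(false)  <- wrong
var_dump(nickExistsFixed($firstLine, 'john'));   // bool(true)

// Walk the records the way the login branch does, but on the sample lines.
foreach ($records as $line) {
    $rec = parseRecord($line);
    if ($rec === null) {
        continue;
    }
    $needle = "::{$rec['user']}::{$rec['nick']}::{$rec['id']}";
    if (strstr($line, $needle) !== false) {    // the login branch's strstr()
        // For a record the register branch wrote, the needle covers the whole
        // line except "\n", so $count is 0 and $piece is "": the comparison
        // with "::admin" can never be true for such a line.
        print_r(convolutedCheck($line, $needle));
    }
}
```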

1) It reads line by line until it finds a line that matches the current data that is being searched for in the HTTP_GET_VARS variable. When it finds the line, it checks whether "::admin" exists and redirects you based on it. It also checks whether "::member" exists and redirects to somewhere else.

 

The variable being given to GET is admin, not ::admin, so normally it checks whether admin exists or not and redirects based on it? So why did you write that it checks whether "::admin" exists, and not whether admin exists?
2) "This line, which is way too convoluted for its own good, just checks that the last 8 characters of the line spell out "::member""

 

Actually the line was

 

"if (substr(($line[$i]), strlen($line[$i])-8, strlen($line[$i])-1-$len)=="::admin")"

 

So how could the last 8 characters of the line spell ::admin if "::admin" is only 7 characters?

 

3) If we take into consideration the line above, and that the data, on the server side in the context of our code, are written and stored in such a format:

 

USER:field1:field2 and that the last 8 characters should spell out ::admin, then what is the order in which they are stored? Is it like this:

 

USER:NICK:ID or like this USER:ID:NICK? When we count the last characters, is the separator included? Maybe the last characters should spell admin and not ::admin?

 

4) What does it mean that the last characters should spell ::admin? Does it mean that the nickname submitted in the login form should be ::admin, or should be admin?

 

5) How can we exploit that vulnerability? If we know that the server checks if admin exists and then redirects us based on it, then we know that admin is a username, so how can we log in as an admin? I would like to know that for educational purposes, of course.

Link to comment
Share on other sites

so why you wrote it checks whether "::admin" exists and not admin exists

Because that's what it's checking for:

 

if (substr(($line[$i]), strlen($line[$i])-8, strlen($line[$i])-1-$len)=="::admin"){

 

So how could the last 8 characters of the line spell ::admin if "::admin" is only 7 characters ??

I think you can probably answer most of your questions yourself if you write some code to print out what it's doing. e.g.:

 

echo 'line[$i]: ' . $line[$i] . '<br>';
echo 'strlen($line[$i]): ' . strlen($line[$i]) . '<br>';
echo '$len: ' . $len . '<br>';
echo "substr('$line[$i]', " . strlen($line[$i])-8 . ", " . strlen($line[$i])-1-$len . ") is " . substr(($line[$i]), strlen($line[$i])-8, strlen($line[$i])-1-$len) . '<br>';

Run that and watch what it prints.

 

so what is the order in which they are stored

This is where it writes the line:

 

fputs($file, "::".$sessionuser['user']."::".$nick."::".$id."\n");

what does it mean that last characters should spell ::admin ? does it mean that the nickname submitted in the login form should be ::admin or should be admin??

That's a question for whoever wrote the code. They can use that value to mean whatever they want it to mean. Maybe it's the type of user account.

 

In all, that code is really old, poorly designed for whatever it's trying to do, and shouldn't be used. It sounds like some sort of user registration system which really should be using a database and not passing things around through the URL.

Link to comment
Share on other sites

I never studied the PHP programming language or any other programming language at school or university, and I have no one in real life to help me. I can understand some lines with some research. However, I can't understand some other lines. The internet is a powerful weapon, but you cannot solve all your problems only with the internet. That is why I put the code here, so that I could get some explanations about some lines that I could not understand by myself. So Justsomeguy, you have absolutely no need to tell me things like:

 

"I think you can probably answer most of your questions yourself if you write some code to print out what it's doing."

 

"That's a question for whoever wrote the code. They can use that value to mean whatever they want it to mean. Maybe it's the type of user account."

 

Neither is the code written by me, nor could I ask the one who wrote it what he/she means by that line and that line, for the simple reason that it is a challenge. He/she is challenging me and others to understand the code above, and I have to figure out myself what he/she means. The code is poorly designed and bad. This is intentional, so as to make it hard for the challenger to solve it easily and quickly. So could you please help me or not?

 

The explanation of Foxy Mod is wonderful and I could almost understand the code, except for these last lines:

if ($HTTP_GET_VARS["action"]=="login"){
if(isset($HTTP_GET_VARS["nick"]) and isset($HTTP_GET_VARS["id"])){
$hfile = fopen($target, "r");
$i = 0;
while (!feof ($hfile)){
$line[$i] = fgets ($hfile, 1024);
$cntrl = strstr($line[$i], "::".$sessionuser['user']."::".$HTTP_GET_VARS["nick"]."::".$HTTP_GET_VARS["id"]);
if ($cntrl){
$len = strlen("::".$sessionuser['user']."::".$HTTP_GET_VARS["nick"]."::".$HTTP_GET_VARS["id"]);
if (substr(($line[$i]), strlen($line[$i])-8, strlen($line[$i])-1-$len)=="::admin"){
header('Location:bbb.php');
}else{
header('Location:ccc.php');
}
}
$i += 1;
}

I could not understand this:

if (substr(($line[$i]), strlen($line[$i])-8, strlen($line[$i])-1-$len)=="::admin")

Could you please tell me what it means?

Edited by hisoka
Link to comment
Share on other sites

That line gets a portion of the text inside $line[$i], and compares it with "::admin". If you look up substr in the manual, you can see how it's used. If you look up strlen you can see what it returns also. If you have modified the code like I showed then you would see specifically what that line is doing, but it sounds like you don't want to do that.

 

I don't understand the point of this. Are you supposed to figure out what some PHP code does without understanding PHP code? What's the point? How about learning PHP first, then trying to figure out the code? That's what this forum is here for, to help people who are learning how to program. If you are trying to solve a "challenge" that involves understanding what some PHP code is doing, then why wasn't your first step learning about PHP? It sounds like studying PHP is exactly the way to solve this challenge, unless for some reason the point is to figure out what that code does without actually learning about PHP. But, if you're not learning about PHP, then why are you trying to figure out what PHP code does? I don't get it.

 

How about you provide a link to this challenge on the other website so we can see exactly what they're trying to do?

Link to comment
Share on other sites

"but it sounds like you don't want to do that"

 

I want to. It is only that I do not have Apache and PHP installed on my PC. But, as long as you accept to be my teacher in PHP, then I will install them right now, modify the code as you told me, then run it and see what it does.

 

You are right. I need, first, to learn PHP.

Edited by hisoka
Link to comment
Share on other sites

I downloaded Apache and PHP and they run correctly. Then I took the code above and made a little change to it. I changed the $target and where the data are submitted, so it becomes like this:

 


<?php

$target = "key.txt";
if (isset($HTTP_GET_VARS["action"])){
if ($HTTP_GET_VARS["action"]=="register"){
if(isset($HTTP_GET_VARS["nick"]) and isset($HTTP_GET_VARS["id"])){
$hfile = fopen($target, "a");
$con_file = file_get_contents($target);
if (strpos($con_file, "::".$HTTP_GET_VARS["nick"])){
$script='<script type="text/javascript">';
$script.="alert(\"Sorry that nick already exist!\");";
$script.='window.location.href="hack3.php";';
$script.='</script>';
$html='<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"><html><head><title>Error!</title></head><body bgcolor="#D0D0D0">'.$script.'</body></html>';
echo $html;
}
$nick = urldecode(substr($HTTP_GET_VARS["nick"], 0, 20));
$id = urldecode(substr($HTTP_GET_VARS["id"], 0, 20));
fputs($hfile, "::".$sessionuser['user']."::".$nick."::".$id."\n");
fclose($hfile);
$script='<script type="text/javascript">';
$script.="alert(\"You are registered now!\");";
$script.='window.location.href="hack3.php";';
$script.='</script>';
$html='<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"><html><head><title>Error!</title></head><body bgcolor="#D0D0D0">'.$script.'</body></html>';
echo $html;
}else{
$script='<script type="text/javascript">';
$script.="alert(\"You have to fill out the whole form!\");";
$script.='window.location.href="hack3.php";';
$script.='</script>';
$html='<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"><html><head><title>Error!</title></head><body bgcolor="#D0D0D0">'.$script.'</body></html>';
echo $html;
}
}
if ($HTTP_GET_VARS["action"]=="login"){
if(isset($HTTP_GET_VARS["nick"]) and isset($HTTP_GET_VARS["id"])){
$hfile = fopen($target, "r");
$i = 0;

while (!feof ($hfile)){
$line[$i] = fgets ($hfile, 1024);
$cntrl = strstr($line[$i], "::".$sessionuser['user']."::".$HTTP_GET_VARS["nick"]."::".$HTTP_GET_VARS["id"]);
if ($cntrl){
$len = strlen("::".$sessionuser['user']."::".$HTTP_GET_VARS["nick"]."::".$HTTP_GET_VARS["id"]);
if (substr(($line[$i]), strlen($line[$i])-8, strlen($line[$i])-1-$len)=="::admin"){
header('Location:bbb.php');
}else{
header('Location:ccc.php');
}
}
$i += 1;
}
$script='<script type="text/javascript">';
$script.="alert(\"Sorry but your nick or your ID are wrong!\");";
$script.='window.location.href="hack3.php";';
$script.='</script>';
$html='<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"><html><head><title>Error!</title></head><body bgcolor="#D0D0D0">'.$script.'</body></html>';
echo $html;
}
else{
echo "Sorry but your input was incorrect. You can't log in without nick or pin!";
}
}
}else{



?>
<form action="hack3.php" method="get">
<table width="60%" align="center" cellpadding="0" cellspacing="1">


<tr>
<td align="center" class="text">
<br /><input type="text" value="nick" name="nick" maxlength="20" size="20" class="challenge_edit">
<br /><input type="text" value="ID" name="id" maxlength="20" size="20" class="challenge_edit">
<br /><input type="radio" name="action" value="register">register
<br /><input type="radio" name="action" value="login">login
<br /><br />
<input type=submit class="challenge_submit" value="Execute">
<br /><br />
</td>
</tr>
</table>
</form>
<?php
//some stuff
?>
<?php
}
?>

 

When I run it on my PC (localhost/hack3.php), I get an input form under which there are the register and login options with an Execute button. When I put in the nick and ID and choose the register option, nothing happens and I get a URL like this:

 

http://localhost/hack3.php?nick=nick&id=ID&action=register

 

The code is wrong and must be corrected. This is why I cannot run the code you gave me, Justsomeguy; I mean this:

 

echo 'line[$i]: ' . $line[$i] . '<br>';
echo 'strlen($line[$i]): ' . strlen($line[$i]) . '<br>';
echo '$len: ' . $len . '<br>';
echo "substr('$line[$i]', " . strlen($line[$i])-8 . ", " . strlen($line[$i])-1-$len . ") is " . substr(($line[$i]), strlen($line[$i])-8, strlen($line[$i])-1-$len) . '<br>';

 

 

Before I correct the whole code, because that little piece of code above, which you told me to modify and run, is a part of the big code and cannot be isolated and run alone. The problem is I cannot correct the code above because I do not know what the errors are. I know only that it does not function properly:

 

For example, it does not alert "you are now registered" or "you have to fill the form"... and the data I submitted are not written to the file key.txt, and so on... So what should I do now?
Link to comment
Share on other sites

The first thing you should do is go through and replace every instance of $HTTP_GET_VARS with $_GET. They hold the same information but $HTTP_GET_VARS has been deprecated and replaced since PHP 4.1 (released in 2001). So, for example, $HTTP_GET_VARS["action"] would be $_GET["action"]. Go through and make those replacements first.

 

Also, add this to the top of your PHP code on every page to make sure that all error messages will be displayed, it might point to other issues:

 

ini_set('display_errors', 1);
error_reporting(E_ALL);

The code I told you to add should go before the line you're wondering about. So you have this if statement:

 

if (substr(($line[$i]), strlen($line[$i])-8, strlen($line[$i])-1-$len)=="::admin"){

Put the code above it:

 

echo 'line[$i]: ' . $line[$i] . '<br>';
echo 'strlen($line[$i]): ' . strlen($line[$i]) . '<br>';
echo '$len: ' . $len . '<br>';
echo "substr('$line[$i]', " . strlen($line[$i])-8 . ", " . strlen($line[$i])-1-$len . ") is " . substr(($line[$i]), strlen($line[$i])-8, strlen($line[$i])-1-$len) . '<br>';

if (substr(($line[$i]), strlen($line[$i])-8, strlen($line[$i])-1-$len)=="::admin"){

Note that all of those echo statements will break the header redirect and show an error message, but that's ok. The point is to just have it print that stuff out so you can see what it's doing; once you understand, you can remove it again.
Link to comment
Share on other sites

Thank you Justsomeguy. I did what you told me to do and I repaired all the errors in the code:

<?php

ini_set('display_errors', 1);
error_reporting(E_ALL);
$target = "key.txt";
if (isset($_GET["action"])){
if ($_GET["action"]=="register"){
if(isset($_GET["nick"]) and isset($_GET["id"])){
$hfile = fopen($target, "a");
$con_file = file_get_contents($target);
if (strpos($con_file, "::".$_GET["nick"])){
$script='<script type="text/javascript">';
$script.="alert(\"Sorry that nick already exist!\");";
$script.='window.location.href="index.php";';
$script.='</script>';
$html='<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"><html><head><title>Error!</title></head><body bgcolor="#D0D0D0">'.$script.'</body></html>';
echo $html;
}
$nick = urldecode(substr($_GET["nick"], 0, 20));
$id = urldecode(substr($_GET["id"], 0, 20));
fputs($hfile, $nick."::".$id."\n");
fclose($hfile);
$script='<script type="text/javascript">';
$script.="alert(\"You are registered now!\");";
$script.='window.location.href="index.php";';
$script.='</script>';
$html='<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"><html><head><title>Error!</title></head><body bgcolor="#D0D0D0">'.$script.'</body></html>';
echo $html;
}else{
$script='<script type="text/javascript">';
$script.="alert(\"You have to fill out the whole form!\");";
$script.='window.location.href="index.php";';
$script.='</script>';
$html='<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"><html><head><title>Error!</title></head><body bgcolor="#D0D0D0">'.$script.'</body></html>';
echo $html;
}
}
if ($_GET["action"]=="login"){
if(isset($_GET["nick"]) and isset($_GET["id"])){
$hfile = fopen($target, "r");
$i = 0;
$len;
$line;


while (!feof ($hfile)){
$line[$i] = fgets ($hfile, 1024);
$cntrl = strstr($line[$i], $_GET["nick"]."::".$_GET["id"]);
if ($cntrl){
$len = strlen($_GET["nick"]."::".$_GET["id"]) ;
echo substr(($line[$i]), strlen($line[$i])-8, strlen($line[$i])-1-$len);
}

$i += 1;
}

}
else{
echo "Sorry but your input was incorrect. You can't log in without nick or pin!";
}
}
}



?>
<form action="index.php" method="get">
<table width="60%" align="center" cellpadding="0" cellspacing="1">



<tr>
<td align="center" class="text">
<br /><input type="text" value="nick" name="nick" maxlength="20" size="20" class="challenge_edit">
<br /><input type="text" value="ID" name="id" maxlength="20" size="20" class="challenge_edit">
<br /><input type="radio" name="action" value="register">register
<br /><input type="radio" name="action" value="login">login
<br /><br />
<input type=submit class="challenge_submit" value="Execute">
<br /><br />
</td>
</tr>
</table>
</form>

I understood exactly what these lines did by using echo, but not as you told me, Justsomeguy, but in a simpler way, like this:

 

echo $line[$i] = fgets ($hfile, 1024);

echo $cntrl = strstr($line[$i], $_GET["nick"]."::".$_GET["id"]);

echo $len = strlen($_GET["nick"]."::".$_GET["id"]);

 

echo substr(($line[$i]), strlen($line[$i])-8, strlen($line[$i])-1-$len) ;

 

and got this:

 

$line[$i] = fgets ($hfile, 1024); reads the file. This is the output I got: user::78 user2::79 john::12 admin::45 admin1::46. Each nickname and id are concatenated together with the double semicolon.

$cntrl = strstr($line[$i], $_GET["nick"]."::".$_GET["id"]); I got admin1::46, which goes to the last nickname::id in the file.

$len = strlen($_GET["nick"]."::".$_GET["id"]); I got 10 (the length of the last nickname and id in the file).

 

But for echo substr(($line[$i]), strlen($line[$i])-8, strlen($line[$i])-1-$len);

 

1) I did not get any output, although there was absolutely no error. Please tell me, Justsomeguy, why I did not get any output in that one, meanwhile I got output in the other ones.

 

2) I would like to know, in for example $len = strlen($_GET["nick"]."::".$_GET["id"]);, what is the role of the point (I mean the point immediately before the "::" and after)?

Link to comment
Share on other sites

If you want to know what that line is doing then add the line I suggested:

 

echo "substr('$line[$i]', " . strlen($line[$i])-8 . ", " . strlen($line[$i])-1-$len . ") is " . substr(($line[$i]), strlen($line[$i])-8, strlen($line[$i])-1-$len) . '<br>';

That will print exactly what it's doing and what the result is.

 

I would like to know in for example $len = strlen($_GET["nick"]."::".$_GET["id"]) ; what is the role of the point ( I mean the point immediately before the "::" and after

It's the string concatenation operator, it joins strings.

 

http://php.net/manual/en/language.operators.string.php

Link to comment
Share on other sites

I tried two versions:

 

One like this:

 

while (!feof ($hfile)){
$line[$i] = fgets ($hfile, 1024);
$cntrl = strstr($line[$i], $_GET["nick"]."::".$_GET["id"]);
if ($cntrl){
$len = strlen($_GET["nick"]."::".$_GET["id"]) ;


}
echo substr(($line[$i]), strlen($line[$i])-8, strlen($line[$i])-1-$len);
$i += 1;
}

 

I put the echo after the parenthesis and got this result:

in1::46, so I think it gives the last 7 characters, from right to left, in the last registered nickname::id pair.

 

Yours:

 

while (!feof ($hfile)){
$line[$i] = fgets ($hfile, 1024);
$cntrl = strstr($line[$i], $_GET["nick"]."::".$_GET["id"]);
if ($cntrl){
$len = strlen($_GET["nick"]."::".$_GET["id"]) ;
echo "substr('$line[$i]', " . strlen($line[$i])-8 . ", " . strlen($line[$i])-1-$len . ") is " . substr(($line[$i]), strlen($line[$i])-8, strlen($line[$i])-1-$len) . '<br>';

}

$i += 1;
}

 

gave me this result:

 

"-19) is". What does the minus with the number and the ")" mean, and what is the problem with it? Why did it not output the result, but instead a random weird string of characters? What is the problem with it?

 

Also, could you please answer the previous question:

 

"1) I did not get any output although there was absolutely no error. Please tell me Justsomeguy why I did not get any output in that one meanwhile I got output in the other ones." I mean:

 

 

echo $line[$i] = fgets ($hfile, 1024);

echo $cntrl = strstr($line[$i], $_GET["nick"]."::".$_GET["id"]);

echo $len = strlen($_GET["nick"]."::".$_GET["id"]);

 

echo substr(($line[$i]), strlen($line[$i])-8, strlen($line[$i])-1-$len) ;

 

What is the problem with the fourth echo? Why did it not output anything, meanwhile the other three did output the result with echo?
Edited by hisoka
Link to comment
Share on other sites

Let's try that line again, with some parentheses so PHP knows what the point is:

 

echo "substr('{$line[$i]}', " . (strlen($line[$i])-8) . ", " . (strlen($line[$i])-1-$len) . ") is " . (substr(($line[$i]), strlen($line[$i])-8, strlen($line[$i])-1-$len)) . '<br>';

Make sure you put that line either right before or after the other substr line.
Link to comment
Share on other sites

Now I added a session user in the code:

 

<?php

ini_set('display_errors', 1);
error_reporting(E_ALL);
$target = "key.txt";
if (isset($_GET["action"])){
if ($_GET["action"]=="register"){
if(isset($_GET["nick"]) and isset($_GET["id"])){
$hfile = fopen($target, "a");
$con_file = file_get_contents($target);
if (strpos($con_file, "::".$_GET["nick"])){
$script='<script type="text/javascript">';
$script.="alert(\"Sorry that nick already exist!\");";
$script.='window.location.href="index.php";';
$script.='</script>';
$html='<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"><html><head><title>Error!</title></head><body bgcolor="#D0D0D0">'.$script.'</body></html>';
echo $html;
}
$sessionuser['user'] = "d0c5258e830e2e23c190d04428cb0fac";
$nick = urldecode(substr($_GET["nick"], 0, 20));
$id = urldecode(substr($_GET["id"], 0, 20));
fputs($hfile, "::".$sessionuser['user']."::".$nick."::".$id."\n");
fclose($hfile);
$script='<script type="text/javascript">';
$script.="alert(\"You are registered now!\");";
$script.='window.location.href="index.php";';
$script.='</script>';
$html='<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"><html><head><title>Error!</title></head><body bgcolor="#D0D0D0">'.$script.'</body></html>';
echo $html;
}else{
$script='<script type="text/javascript">';
$script.="alert(\"You have to fill out the whole form!\");";
$script.='window.location.href="index.php";';
$script.='</script>';
$html='<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"><html><head><title>Error!</title></head><body bgcolor="#D0D0D0">'.$script.'</body></html>';
echo $html;
}
}
if ($_GET["action"]=="login"){
if(isset($_GET["nick"]) and isset($_GET["id"])){
$hfile = fopen($target, "r");
$i = 0;
$len;
$line;


while (!feof ($hfile)){
$line[$i] = fgets ($hfile, 1024);
$cntrl = strstr($line[$i], "::".$sessionuser['user']."::" $_GET["nick"]."::".$_GET["id"]);
if ($cntrl){
$len = strlen("::".$sessionuser['user']."::".$_GET["nick"]."::".$_GET["id"]) ;
if (substr(($line[$i]), strlen($line[$i])-8, strlen($line[$i])-1-$len)=="::admin"){
echo "good job";
}else{
header('Location:ccc.php');
}
}

$i += 1;
}

}
else{
echo "Sorry but your input was incorrect. You can't log in without nick or pin!";
}
}
}



?>
<form action="index.php" method="get">
<table width="60%" align="center" cellpadding="0" cellspacing="1">



<tr>
<td align="center" class="text">
<br /><input type="text" value="nick" name="nick" maxlength="20" size="20" class="challenge_edit">
<br /><input type="text" value="ID" name="id" maxlength="20" size="20" class="challenge_edit">
<br /><input type="radio" name="action" value="register">register
<br /><input type="radio" name="action" value="login">login
<br /><br />
<input type=submit class="challenge_submit" value="Execute">
<br /><br />
</td>
</tr>
</table>
</form>

After adding the session user and running the code, an error is provoked:

PHP Parse error: parse error, unexpected T_VARIABLE in C:\\Program Files\\Apache Software Foundation\\Apache2.2\\htdocs\\index.php on line 51

This is line 51 in the code above: $cntrl = strstr($line[$i], "::".$sessionuser['user']."::" $_GET["nick"]."::".$_GET["id"]);

I do not know what the problem is in that line???!!!


Now, after adding the dot before $_GET['nick'], another error is shown:

Undefined variable: sessionuser in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\index.php on line 51

Again, this is line 51:

$cntrl = strstr($line[$i], "::".$sessionuser['user']."::". $_GET["nick"]."::".$_GET["id"]);

I see that the sessionuser is defined here:

$sessionuser['user'] = "d0c5258e830e2e23c190d04428cb0fac";

What is the problem?!


Now I corrected it and the error disappeared. So the code is now like this:

<?php

ini_set('display_errors', 1);
error_reporting(E_ALL);
$target = "key.txt";
$sessionuser['user'] = "d0c5258e830e2e23c190d04428cb0fac";
if (isset($_GET["action"])){
if ($_GET["action"]=="register"){
if(isset($_GET["nick"]) and isset($_GET["id"])){
$hfile = fopen($target, "a");
$con_file = file_get_contents($target);
if (strpos($con_file, "::".$_GET["nick"])){
$script='<script type="text/javascript">';
$script.="alert(\"Sorry that nick already exist!\");";
$script.='window.location.href="index.php";';
$script.='</script>';
$html='<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"><html><head><title>Error!</title></head><body bgcolor="#D0D0D0">'.$script.'</body></html>';
echo $html;
}

$nick = urldecode(substr($_GET["nick"], 0, 20));
$id = urldecode(substr($_GET["id"], 0, 20));
fputs($hfile, "::".$sessionuser['user']."::".$nick."::".$id."\n");
fclose($hfile);
$script='<script type="text/javascript">';
$script.="alert(\"You are registered now!\");";
$script.='window.location.href="index.php";';
$script.='</script>';
$html='<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"><html><head><title>Error!</title></head><body bgcolor="#D0D0D0">'.$script.'</body></html>';
echo $html;
}else{
$script='<script type="text/javascript">';
$script.="alert(\"You have to fill out the whole form!\");";
$script.='window.location.href="index.php";';
$script.='</script>';
$html='<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"><html><head><title>Error!</title></head><body bgcolor="#D0D0D0">'.$script.'</body></html>';
echo $html;
}
}
if ($_GET["action"]=="login"){
if(isset($_GET["nick"]) and isset($_GET["id"])){
$hfile = fopen($target, "r");
$i = 0;
$len;
$line;


while (!feof ($hfile)){
$line[$i] = fgets ($hfile, 1024);
$cntrl = strstr($line[$i], "::".$sessionuser['user']."::" .$_GET["nick"]."::".$_GET["id"]);
if ($cntrl){
$len = strlen("::".$sessionuser['user']."::".$_GET["nick"]."::".$_GET["id"]) ;
echo "substr('{$line[$i]}', " . (strlen($line[$i])-8) . ", " . (strlen($line[$i])-1-$len) . ") is " . (substr(($line[$i]), strlen($line[$i])-8, strlen($line[$i])-1-$len)) . '<br>';

}

$i += 1;
}

}
else{
echo "Sorry but your input was incorrect. You can't log in without nick or pin!";
}
}
}



?>
<form action="index.php" method="get">
<table width="60%" align="center" cellpadding="0" cellspacing="1">



<tr>
<td align="center" class="text">
<br /><input type="text" value="nick" name="nick" maxlength="20" size="20" class="challenge_edit">
<br /><input type="text" value="ID" name="id" maxlength="20" size="20" class="challenge_edit">
<br /><input type="radio" name="action" value="register">register
<br /><input type="radio" name="action" value="login">login
<br /><br />
<input type=submit class="challenge_submit" value="Execute">
<br /><br />
</td>
</tr>
</table>
</form>


This is now the most important:

Once I register, the information about me is stored in the key.txt file in this form:

::sessionuser::nickname::id

So I registered with the nickname hordi and admin as the id, and I got this:

::d0c5258e830e2e23c190d04428cb0fac::hordi::admin stored in my key.txt file. So now, analyzing this part of the code:


while (!feof ($hfile)){
$line[$i] = fgets ($hfile, 1024);
$cntrl = strstr($line[$i], "::".$sessionuser['user']."::" .$_GET["nick"]."::".$_GET["id"]);
if ($cntrl){
$len = strlen("::".$sessionuser['user']."::".$_GET["nick"]."::".$_GET["id"]) ;
substr(($line[$i]), strlen($line[$i])-8, strlen($line[$i])-1-$len)

}

$i += 1;
}

}

this is what we get:

$line[$i] = fgets ($hfile, 1024); reads the file and, when it reaches the end of it, it takes the length of the last ::sessionid::nickname::id, which is ::d0c5258e830e2e23c190d04428cb0fac::hordi::admin

Now this line, substr(($line[$i]), strlen($line[$i])-8, strlen($line[$i])-1-$len), which is the most important, normally does this:

substr(::d0c5258e830e2e23c190d04428cb0fac::hordi::admin , strlen(::d0c5258e830e2e23c190d04428cb0fac::hordi::admin)-8 , strlen(::d0c5258e830e2e23c190d04428cb0fac::hordi::admin)-1-$len)

It becomes substr(::d0c5258e830e2e23c190d04428cb0fac::hordi::admin , 48-8 , 48-1-48) because the strlen of ::d0c5258e830e2e23c190d04428cb0fac::hordi::admin is 48 and the $len of ::d0c5258e830e2e23c190d04428cb0fac::hordi::admin is 48.

So we have substr(::d0c5258e830e2e23c190d04428cb0fac::hordi::admin , 40 , -1), which gives i::admi

However, your line, Justsomeguy, echo "substr('{$line[$i]}', " . (strlen($line[$i])-8) . ", " . (strlen($line[$i])-1-$len) . ") is " . (substr(($line[$i]), strlen($line[$i])-8, strlen($line[$i])-1-$len)) . '<br>'; gave me this result:

substr(::d0c5258e830e2e23c190d04428cb0fac::hordi::admin , 41, 0), which gives nothing, or an empty string. Why does it give an empty string? Because the length is zero, and all the results I tried with your line give me an empty string.

http://php.net/manual/en/function.substr.php

If length is given and is 0, FALSE or NULL, an empty string will be returned

So I am confused now. If I am wrong, could you please tell me what is wrong in my analysis of the little code above? What am I missing?


$line[$i] = fgets ($hfile, 1024); reads the file and when it reaches the end of it , it takes the length of the last ::sessionid::nickname::id which is ::d0c5258e830e2e23c190d04428cb0fac::hordi::admin

It reads each line in the file, one at a time, and runs the rest of the code inside the loop on every line. It's looking for a particular line. It doesn't only look at the last one.

I believe that fgets returns the trailing line break along with the line, so the length would be 49. You can verify that with var_dump:

var_dump($line[$i]);


So I did as you told me, Justsomeguy, and used var_dump, which was very, very instructive and useful for me, and found these results for the data stored in my key.txt file. First, this is the data stored in my key.txt file:

::d0c5258e830e2e23c190d04428cb0fac::rrrrrrrrrrr::ttt
::d0c5258e830e2e23c190d04428cb0fac::nick78::78
::d0c5258e830e2e23c190d04428cb0fac::jordi::admin
::d0c5258e830e2e23c190d04428cb0fac::nickkl::tz
::d0c5258e830e2e23c190d04428cb0fac::gordi::admin

and this is what I got for var_dump(strlen($line[$i]));

int(53) int(47) int(49) int(47) int(49), exactly as you told me: fgets returns the trailing line break along with the line.

Meanwhile,

$len = strlen("::".$sessionuser['user']."::".$_GET["nick"]."::".$_GET["id"]) ;

var_dump($len); returns

int(52) int(46) int(48) int(46) int(48)

So in

substr(($line[$i]), strlen($line[$i])-8, strlen($line[$i])-1-$len) the length is always zero, and for this:

$go= substr(($line[$i]), strlen($line[$i])-8, strlen($line[$i])-1-$len);
var_dump($go);

I get string(0) "", an empty string, because the length is zero.

What follows is that this condition: if (substr(($line[$i]), strlen($line[$i])-8, strlen($line[$i])-1-$len)=="::admin") is always

false

I say it should be reversed like this, so that we do not get an empty string:

if (substr(($line[$i]), strlen($line[$i])-1-$len , strlen($line[$i])-8) =="::admin")

What do you think, Justsomeguy? If I am wrong, please correct me.

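The two posts above (Justsomeguy's point that fgets() keeps the trailing line break, and hisoka's var_dump() figures) can be checked without a browser or a key.txt file. The script below is an added example, not code from the thread: it replays the body of the login loop from the posted index.php against an in-memory copy of the five key.txt records hisoka pasted, with the "\n" that fputs() wrote and fgets() returns, and prints every number that feeds the substr() call. The function name inspectLogin and the in-memory $records array are this example's own; the session hash is the one used in the thread. It assumes PHP 7.1 or later (nullable return type, list destructuring in foreach).

```php
<?php
// Added example (not part of the original thread): replays the login check
// from the posted index.php against in-memory records instead of key.txt,
// so every intermediate value of the substr() expression can be inspected.
// The session hash and the records are the ones pasted from key.txt; the
// trailing "\n" is what fputs() wrote and what fgets() hands back.
declare(strict_types=1);

$sessionuser = ['user' => 'd0c5258e830e2e23c190d04428cb0fac'];

// Constructed sample of key.txt: each entry is exactly what register writes.
$records = [
    "::d0c5258e830e2e23c190d04428cb0fac::rrrrrrrrrrr::ttt\n",
    "::d0c5258e830e2e23c190d04428cb0fac::nick78::78\n",
    "::d0c5258e830e2e23c190d04428cb0fac::jordi::admin\n",
    "::d0c5258e830e2e23c190d04428cb0fac::nickkl::tz\n",
    "::d0c5258e830e2e23c190d04428cb0fac::gordi::admin\n",
];

/**
 * Reproduces one iteration of the while loop: returns null when strstr()
 * does not match, otherwise the numbers that feed substr() and its result.
 */
function inspectLogin(string $line, string $user, string $nick, string $id): ?array
{
    $needle = "::" . $user . "::" . $nick . "::" . $id;
    if (strstr($line, $needle) === false) {   // unanchored substring search
        return null;
    }
    $len    = strlen($needle);
    $start  = strlen($line) - 8;              // 8 = strlen("::admin\n")
    $length = strlen($line) - 1 - $len;       // 0 whenever needle == line minus "\n"
    $piece  = substr($line, $start, $length); // length 0 yields ""
    return [
        'line_len' => strlen($line),
        'len'      => $len,
        'start'    => $start,
        'length'   => $length,
        'piece'    => $piece,
        'is_admin' => $piece === "::admin",
    ];
}

$attempts = [
    ['jordi', 'admin'],   // exact nick and id of a stored record
    ['gordi', 'admin'],
    ['jordi', 'adm'],     // strstr() also matches a prefix of the stored id
];

foreach ($attempts as [$nick, $id]) {
    foreach ($records as $line) {
        $r = inspectLogin($line, $sessionuser['user'], $nick, $id);
        if ($r === null) {
            continue;
        }
        printf(
            "%s/%s -> line_len=%d len=%d substr(line, %d, %d) = %s admin=%s\n",
            $nick, $id, $r['line_len'], $r['len'], $r['start'], $r['length'],
            var_export($r['piece'], true), var_export($r['is_admin'], true)
        );
    }
}
```

Run it with php on the command line. For every record whose nick and id are supplied exactly, line_len is len plus one (the line break), so the computed length is 0 and substr() returns the empty string that hisoka saw with var_dump(). The third attempt shows why strstr() alone is not a credential check: a needle that is only a prefix of the stored line still matches, and the arithmetic then produces a short, non-zero slice that is still not "::admin". Two further points about the posted register branch are visible in the code itself: the duplicate-nick branch only echoes an alert and does not return or exit, so the record is appended anyway, and strpos() is tested for truthiness, so a match at offset 0 would be treated as "not found".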

<?php

ini_set('display_errors', 1);
error_reporting(E_ALL);
$target = "key.txt";
$sessionuser['user'] = "d0c5258e830e2e23c190d04428cb0fac";
if (isset($_GET["action"])){
if ($_GET["action"]=="register"){
if(isset($_GET["nick"]) and isset($_GET["id"])){
$hfile = fopen($target, "a");
$con_file = file_get_contents($target);
if (strpos($con_file, "::".$_GET["nick"])){
$script='<script type="text/javascript">';
$script.="alert(\"Sorry that nick already exist!\");";
$script.='window.location.href="index.php";';
$script.='</script>';
$html='<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"><html><head><title>Error!</title></head><body bgcolor="#D0D0D0">'.$script.'</body></html>';
echo $html;
}

$nick = urldecode(substr($_GET["nick"], 0, 20));
$id = urldecode(substr($_GET["id"], 0, 20));
fputs($hfile, "::".$sessionuser['user']."::".$nick."::".$id."\n");
fclose($hfile);
$script='<script type="text/javascript">';
$script.="alert(\"You are registered now!\");";
$script.='window.location.href="index.php";';
$script.='</script>';
$html='<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"><html><head><title>Error!</title></head><body bgcolor="#D0D0D0">'.$script.'</body></html>';
echo $html;
}else{
$script='<script type="text/javascript">';
$script.="alert(\"You have to fill out the whole form!\");";
$script.='window.location.href="index.php";';
$script.='</script>';
$html='<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"><html><head><title>Error!</title></head><body bgcolor="#D0D0D0">'.$script.'</body></html>';
echo $html;
}
}
if ($_GET["action"]=="login"){
if(isset($_GET["nick"]) and isset($_GET["id"])){
$hfile = fopen($target, "r");
$i = 0;

$len;
$line;



while (!feof ($hfile)){
$line[$i] = fgets($hfile, 1024);

$cntrl = strstr($line[$i], "::".$sessionuser['user']."::" .$_GET["nick"]."::".$_GET["id"]);

if ($cntrl){
$len = strlen("::".$sessionuser['user']."::".$_GET["nick"]."::".$_GET["id"]) ;

if (substr(($line[$i]), strlen($line[$i])-8, strlen($line[$i])-1-$len)=="::admin"){
echo "good job";
}else{
header('Location:ccc.php');
}

}

$i += 1;
}

}
else{
echo "Sorry but your input was incorrect. You can't log in without nick or pin!";
}
}
}



?>
<form action="index.php" method="get">
<table width="60%" align="center" cellpadding="0" cellspacing="1">



<tr>
<td align="center" class="text">
<br /><input type="text" value="nick" name="nick" maxlength="20" size="20" class="challenge_edit">
<br /><input type="text" value="ID" name="id" maxlength="20" size="20" class="challenge_edit">
<br /><input type="radio" name="action" value="register">register
<br /><input type="radio" name="action" value="login">login
<br /><br />
<input type=submit class="challenge_submit" value="Execute">
<br /><br />
</td>
</tr>
</table>
</form>

