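/**
 * Build the login cookie value from the current user record.
 *
 * SECURITY: despite the name, nothing is encrypted here. The value is only
 * base64-encoded, so the username and password are recoverable by anyone who
 * can read the cookie (browser storage, any non-TLS hop, proxy or server logs).
 * Treat this as an obfuscated plaintext credential:
 *   - serve the site over HTTPS only and set the cookie with the Secure and
 *     HttpOnly attributes where it is written (that code is outside this block);
 *   - prefer authenticated encryption when the host offers it, e.g.
 *     openssl_encrypt() with an AEAD mode or sodium_crypto_secretbox(), or
 *     keep a random session token in the cookie and the credentials server-side.
 *
 * @return string Base64 of "username:password:type".
 */
function _user_encrypt_cookie() {
    $plain_text = $GLOBALS['user']['username'] . ':' . $GLOBALS['user']['password'] . ':' . $GLOBALS['user']['type'];

    /*
     * Original mcrypt path, disabled because the host has no mcrypt module.
     * Do not simply restore it on a current PHP: ext/mcrypt was deprecated in
     * PHP 7.1 and removed from core in 7.2, and this mode has no integrity check.
     *
     * $td = mcrypt_module_open('blowfish', '', 'cfb', '');
     * $iv = mcrypt_create_iv(mcrypt_enc_get_iv_size($td), MCRYPT_RAND);
     * mcrypt_generic_init($td, _user_encryption_key(), $iv);
     * $crypt_text = mcrypt_generic($td, $plain_text);
     * mcrypt_generic_deinit($td);
     * return base64_encode($iv.$crypt_text);
     */

    return base64_encode($plain_text);
}

/**
 * Parse a login cookie value back into $GLOBALS['user'].
 *
 * The payload is "username:password:type". It is split on the FIRST and LAST
 * colon, so a password that itself contains ':' survives the round trip
 * (a plain explode(':') truncated such passwords and shifted the type field).
 *
 * A value that is not a string, or does not contain both separators, sets all
 * three fields to null instead of filling them from a partial parse.
 *
 * NOTE(review): the cookie carries no MAC or signature, so every field decoded
 * here is client-controlled. Callers should re-validate the credentials and
 * must not base any privilege decision on 'type' alone.
 *
 * @param mixed $crypt_text Raw cookie value (untrusted).
 * @return void
 */
function _user_decrypt_cookie($crypt_text) {
    $username = null;
    $password = null;
    $type = null;

    // A cookie can arrive as an array (name[]=...); only decode real strings.
    if (is_string($crypt_text)) {
        $plain_text = (string) base64_decode($crypt_text);

        /*
         * Original mcrypt path, disabled together with the encrypt side.
         *
         * $td = mcrypt_module_open('blowfish', '', 'cfb', '');
         * $ivsize = mcrypt_enc_get_iv_size($td);
         * $iv = substr($crypt_text, 0, $ivsize);
         * $crypt_text = substr($crypt_text, $ivsize);
         * mcrypt_generic_init($td, _user_encryption_key(), $iv);
         * $plain_text = mdecrypt_generic($td, $crypt_text);
         * mcrypt_generic_deinit($td);
         * list($GLOBALS['user']['username'], $GLOBALS['user']['password'], $GLOBALS['user']['type']) = explode(':', $plain_text);
         */

        $first = strpos($plain_text, ':');
        $last = strrpos($plain_text, ':');

        // Two distinct separators are required for a three-field payload.
        if ($first !== false && $last !== $first) {
            // (string) casts keep empty fields as '' on PHP versions where
            // substr() returns false at end-of-string.
            $username = (string) substr($plain_text, 0, $first);
            $password = (string) substr($plain_text, $first + 1, $last - $first - 1);
            $type = (string) substr($plain_text, $last + 1);
        }
    }

    $GLOBALS['user']['username'] = $username;
    $GLOBALS['user']['password'] = $password;
    $GLOBALS['user']['type'] = $type;
}

// Author's note from the post: "That's it, very easy. But the risk is that
// your Twitter user name and password are saved as cookies in plain text."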
Wednesday, September 23, 2009
Deploy dabr on byethost
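You may know that dabr requires the PHP mcrypt module to run, but byethost does not support it, so I modified /dabr/common/user.php to bypass it. Note that the bypass replaces the encryption with plain base64 encoding, so the cookie contents are only obfuscated, not protected: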
thank you for this tip