vBulletin Mods

The Official vBulletin Modifications Site
https://www.vbulletin.org/forum/showthread.php?t=293453

Passing a variable into header()function.
by invitezone
31 Dec 2012 18:40

This is not a VB question exactly its a php question, but im using it in a weird way on my forum, so im hoping someone will help me out :)

First let me explain what im trying to do.

I want to hide my forum so it looks like there is no forum. The way I want to do this is to make a fake shopping site, with a search box. The search box will be fully functioning, but if the secret passwphrase is entered into the search box, the user will be redirected to the forum and a cookie set so that they don't see the fake shop instead.
The way I am thinking to do this is to use a simple password script to replace the shops search function.


this is the login script I am thinking of using

sas.php

Block Disabled:      (Update License Status)  
Suspended or Unlicensed Members Cannot View Code.


This script also comes with a demo page incase anyone wishes to run this to see it working, which is as follows.

demo.php

Block Disabled:      (Update License Status)  
Suspended or Unlicensed Members Cannot View Code.




Now what I am trying to do is replace what happens when an incorrect password is entered into the script. So within sas.php we have the following code...


Block Disabled:      (Update License Status)  
Suspended or Unlicensed Members Cannot View Code.

I am hoping to modify this to use the header redirect() function
something like...
header("Location: http://FakeShopPage.com/search?=$submitted_pass");

This way if someone who didn't know about the forum tried to used the fake shop search function they would enter a search string into the search/password field, hit submit, and the script would see the password was incorrect and pass the submitted password variable into the search string, which would fool the user into thinking they have just searched for something and be none the wiser.

Another issue is that the password encryption in the script uses md5 hash. Being as old as it is now I would like to use something else. I have read that pbkdf2 is a good thing to use. is it possible to use that in this script?

I can use any other login script that you may be able to suggest, I am open to ideas. I want to have only 1 password for all users for this and be able to pass the submitted_pass variable into the search function. My main issue is Iobviously cant have a username involved, so this is the only script I could find.

I am not a coder, I am just trying to piece together info I have found. I did something very similar to this in the past, but cant remember how I did it, and now can't seem to get it to work. I know I am asking for a lot of help here, so I am greatful to anyone who can help me out.

Thanks everyone, reallyt appreciate it :)

kh99 01 Jan 2013 18:45

I don't have a lot of advice to give you because I'm not familiar with existing scripts that do this kind of thing, I'm only familiar with vbulletin. In any case, it seems like what you posted should work:

Block Disabled:      (Update License Status)  
Suspended or Unlicensed Members Cannot View Code.


if that's the right url for the shop search. Have you tried it?


About the encryption: you could replace the calls to md5() with whatever encryption function you wanted. I think the built in php crypt() function: http://us2.php.net/manual/en/function.crypt.php used to depend on what was configured on your server, but I believe as of php version 5.3, it has all of the options built in, so it seems like if you want to use something more secure, that's an easy choice.

But looking at the script you posted, it seems the encrypted password is only used to set the password in the cookie. (I really don't know why the script even bothers to encrypt the password before checking it since it's got the plain text password available - maybe the author thought it might be modified to get passwords from a database or something). So I think you're really only worrying about the possibility of the cookie being obtained from the computer of someone who knew the password. I don't know how much of a security risk that is. I think the usual worry is someone stealing the encrypted passwords from a database, but in this case you don't have a database, and the password is stored in plain text in the script.

invitezone 01 Jan 2013 19:15

All great advice, I really appreciate it.
You made some good observations there that I missed being a n00b :D

Thanks KH99


All times are GMT. The time now is 10:21.

Powered by vBulletin® Version 3.8.14
Copyright © 2021, MH Sub I, LLC dba vBulletin. All Rights Reserved. vBulletin® is a registered trademark of MH Sub I, LLC
Copyright ©2001 - , vbulletin.org. All rights reserved.