
Let's consider this code:

if (md5_file(__FILE__) != 'MD5 CODE')
{
    echo 'fail!';
}

Of course it will always fail, whatever I write into the if conditional. Or is there a solution?

  • What is the question? Your md5 output will never equal the literal string "MD5_CODE" Commented Apr 5, 2015 at 18:45
  • yea but what MD5 code should I write so that it always passes? How to calculate? Commented Apr 5, 2015 at 18:46
  • Even if the code would work, a malicious person could edit both the code and the MD5, thus rendering the technique ineffective. Commented Apr 5, 2015 at 18:46
  • Well you would need to precompute and store the checksum hashes somewhere. A database, key/value cache store, etc. Commented Apr 5, 2015 at 18:47
  • Still doesn't make sense. The only way to generate the hash is the way you are doing it on the left of the comparison Commented Apr 5, 2015 at 18:47

2 Answers


You will never be able to execute that code correctly, because whenever you update the MD5_CODE, the hash of the file will change.

The only way you can check a file is from another file, but not from itself. Unless you put the hash in an external file:

$hash = file_get_contents('myhash.txt');

if (md5_file(__FILE__) != $hash) {
    print "WARNING: Code modified!";
}

4 Comments

If you put the hash text file somewhere, but not in the web server path, then you can make it quite secure.
@hexereisoftware: It will never be secure, someone who wants to modify the code can just remove the if statement.
Right, but what you are trying to catch here is not somebody who rewrote your complete code, but rather simple brute force attack scripts that just append the malicious code at the end of your files without checking the content of the file.
Also you could externalize the check function in some included file and give it a non-transparent name like pdir(__FILE__) which returns true or false. This way one would have to check the complete code to know what this function does.

There are ways to 'self-validate' with a hash function. One of the tricks would be to store the expected md5 hash in the first line of the php script, and then validate the file after that line.

<?php
$md5Expected="md5string"; $sizeExpected=<bytes>;
<Code to validate.  Includes last line.>
?>

The function to check this might look a bit like:

function validateMeContents( $md5Expected, $sizeExpected ) {
        // __FILE__ is the script this function lives in; basename($_SERVER['PHP_SELF'])
        // resolved relative to the working directory and came from request data
        $checkFilename = __FILE__;
        // the first 2 lines (the "<?php" line and the line holding the hash) are not checked;
        // array_slice copies the remaining lines, array_splice would need a variable
        // because it takes its array argument by reference
        $fileContents = array_slice( file( $checkFilename ), 2 );
        $md5Contents = md5( implode( '', $fileContents ) );
        $mySize = filesize( $checkFilename );

        // hash_equals avoids PHP's loose "0e..." == "0e..." string comparison
        return( hash_equals( $md5Expected, $md5Contents ) and ( $sizeExpected === $mySize ) );
}

Note that you probably want to check the size of the file, which would take into account the first 2 lines of code.

Valid points have been raised that the validation is probably best done by an external 3rd party, such as the OS. Look into md5sum -c or sha1sum -c.

Also, you probably have bigger issues if you are worried about files on the server getting modified in an uncontrolled manner. If this is because there is a freedom to modify the files on the server, that policy may want to be re-evaluated.
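The following is an added example, not code from either answer, that puts the "hash everything after the header line" idea into a complete script and also answers the "how do I calculate the value to write" question from the comments: the value on line 2 is excluded from the digest, so it can be computed once and pasted in without changing what is hashed. The `HEADER_LINES` constant, the `--print-expected` switch, the choice of SHA-256 over MD5 and the placeholder on line 2 are this example's own conventions, not anything the answers specify.

```php
<?php
$expectedSha256 = 'PASTE_OUTPUT_OF_--print-expected_HERE'; // line 2 is excluded from the hash
// Added example (not from the answers above). Lines 1-2 are the header; every
// line from 3 to the end of the file is hashed, so the value stored on line 2
// never has to describe itself. HEADER_LINES and --print-expected are this
// example's own conventions.

const HEADER_LINES = 2;

// Hex digest of everything after the header. SHA-256 is used here instead of
// MD5 because MD5 is collision-broken; the skip-the-header idea is the same.
function bodyHash(string $path): string
{
    $lines = file($path); // one array element per line, newline characters kept
    if ($lines === false) {
        throw new RuntimeException("cannot read $path");
    }
    // array_slice copies lines 3..end; array_splice would need a variable
    // argument because it takes its array by reference
    $body = implode('', array_slice($lines, HEADER_LINES));
    return hash('sha256', $body);
}

// Constant-time comparison of the stored and recomputed digests.
function selfCheck(string $path, string $expected): bool
{
    return hash_equals($expected, bodyHash($path));
}

// Step 1 (once, and again after every legitimate edit below the header):
//   php self_check.php --print-expected
// then paste the printed digest into line 2.
if (PHP_SAPI === 'cli' && in_array('--print-expected', $argv, true)) {
    echo bodyHash(__FILE__), PHP_EOL;
    exit(0);
}

// Step 2 (every run): any change to lines 3..end, including lines appended at
// the end of the file, changes the digest and fails the check.
if (!selfCheck(__FILE__, $expectedSha256)) {
    error_log('self-check failed for ' . __FILE__);
    echo 'WARNING: code modified!', PHP_EOL;
    exit(1);
}

echo 'self-check passed', PHP_EOL;
```

Two design points. Keeping the stored digest on a fixed header line, rather than also storing a file size, sidesteps the chicken-and-egg problem that the size of the file depends on how many digits the size value itself has. And, as the comments above already point out, this only catches edits made without knowledge of the check (for example a script that blindly appends to every file); anyone who can rewrite the whole file can also rewrite line 2, which is why an external check such as `sha256sum -c` run from outside the web root, or the OS-level verification the answer mentions, remains the stronger control.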
