
virtualizing a config file


johanyohan


I have a PHP script that is encrypted with ionCube. Since I don't want to violate the license, I can't modify anything in the script.

The script makes calls to an XML-based config file.

I want to create a database to store the config data and then feed it to the encrypted script based on the referer URL that made the request.

Basically, I want to "virtualize" the config XML file so I can feed the encrypted script the data I want based on the referer URL.

 

Any ideas?

Link to comment
Share on other sites

Can you specify a PHP file for the config file? If so, just do that and put all your logic into that PHP file to query the database and produce the XML output. You may need to also set the appropriate headers. Aside from that you may have to add XML files to those that will be processed for PHP logic. If you're on a shared host you won't be able to do this.

Link to comment
Share on other sites

The config file is actually XML content, it's just having a .php file extension, so injecting logic just like you said won't be applicable in that place, am I right?

<?xml version="1.0" encoding="UTF-8"?>
<settings>
  <params>....</params>
    .... down to line 700....
</settings>

 

Yes I'm on a shared host. Do you have any other ideas?

Link to comment
Share on other sites

The config file is actually XML content, it's just having a .php file extension, so injecting logic just like you said won't be applicable in that place, am I right?

No, I don't think so. It sounds as if they engineered the application to get the XML data from a PHP file for the specific purpose of allowing the XML data to be dynamic. If you can find the place in the application where the file is used I am guessing you will see it used within something such as file_get_contents() (which would get the result of the parsed PHP code) as opposed to something like include() which would run that PHP code internally.

 

Have you even tried to create the XML file using PHP? As a simple test, just replace a few of the lines in the current hard-coded file with echo statements:

 

<?xml version="1.0" encoding="UTF-8"?>
<?php echo "<settings>\n"; ?>
   <params>....</params>
     .... down to line 700....
</settings>

Link to comment
Share on other sites

That's the problem here because the file (myshop.php) that has been calling/using the config XML format (cfg.php) file is encrypted.

You are right, I have tried modifying that config file and replaced some values with PHP variables and adding some PHP code above it, the site just went down; a possible reason is the config file may have returned an invalid XML format. It's really being read rather than being executed.

 

I should tell my boss about it.

 

Right bud?

Link to comment
Share on other sites

That's what I did: just before this very first line (<?xml version="1.0" encoding="UTF-8"?>), I put <?php echo "test"; ?>. After I saved it, the site just went blank. And if I put the echo line after the XML encoding and before the XML contents itself, the echo "test" just won't work. It's not even printing at all.

I think the file is being read rather than executed. That's why any PHP code just won't work.

What do you think?

Link to comment
Share on other sites
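Why a file that is read as data and a file that is executed react differently to the edits tried in this thread, as an added example (not part of any post and not the application's code; the file contents, `parse_config()` and `parse_executed()` are constructed for illustration). A `<?php ... ?>` span is a syntactically valid XML processing instruction, so a parser that only reads the file skips it silently after the declaration, and rejects the file when the span precedes the declaration or stands in for the root start tag.

```php
<?php
// Added illustration: file contents are constructed, not the application's cfg.php.
// Assumes short_open_tag=Off; with it On, include stops at "<?xml" with a ParseError.

// Parse text the way a consumer of the config would and summarise the outcome.
function parse_config(string $text): string
{
    libxml_use_internal_errors(true);
    libxml_clear_errors();
    $doc = simplexml_load_string($text);
    if ($doc === false) {
        $err = libxml_get_errors()[0] ?? null;
        return 'invalid (' . ($err ? trim($err->message) : 'parse error') . ')';
    }
    return 'valid, root <' . $doc->getName() . '>';
}

// Execute the file as PHP and parse whatever it prints.
function parse_executed(string $path): string
{
    ob_start();
    try {
        include $path;
        return parse_config(ob_get_clean());
    } catch (ParseError $e) {
        ob_end_clean();
        return 'PHP parse error: ' . $e->getMessage();
    }
}

$decl = '<?xml version="1.0" encoding="UTF-8"?>' . "\n";
$rest = "  <params>demo</params>\n</settings>\n";
$echo = '<?php echo "test"; ?>' . "\n";
$cases = [
    'unmodified'               => $decl . "<settings>\n" . $rest,
    'echo before declaration'  => $echo . $decl . "<settings>\n" . $rest,
    'echo after declaration'   => $decl . $echo . "<settings>\n" . $rest,
    'root tag emitted by echo' => $decl . '<?php echo "<settings>\n"; ?>' . "\n" . $rest,
];

foreach ($cases as $label => $source) {
    $path = tempnam(sys_get_temp_dir(), 'cfg');
    file_put_contents($path, $source);
    // Reading a local path returns the bytes on disk; PHP tags are not run.
    printf("%s\n  read:     %s\n", $label, parse_config(file_get_contents($path)));
    printf("  executed: %s\n", parse_executed($path));
    unlink($path);
}
```

Under these assumptions the last two cases give opposite results for "read" and "executed", which is what makes a one-line echo substitution a usable probe for how the consuming script loads the file.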

That's what I did: just before this very first line (<?xml version="1.0" encoding="UTF-8"?>), I put <?php echo "test"; ?>. After I saved it, the site just went blank. And if I put the echo line after the XML encoding and before the XML contents itself, the echo "test" just won't work. It's not even printing at all.

WTF? Why would you even think that would work? It would not be a valid XML file anymore, would it? I gave you a very explicit example on how you could test whether or not you could dynamically generate the XML file and you apparently chose not to follow it. I don't know what more I can do to help you if you can't follow simple instructions. Take one line from an existing, working file and replace it with an echo of the exact same content.

 

For example, replace this line

<settings>

 

With this

<?php echo "<settings>\n"; ?>

 

If the site still works, then you know you can generate the file dynamically - but it must be a validly formatted XML file.

Link to comment
Share on other sites

Oh! Apologies! I misunderstood you at first. Now I did follow your example:

I replaced this first line:

<Associate-O-Matic Version="5.0.2">

with:

<?php echo '<Associate-O-Matic Version="5.0.2">'; ?>

Now the site is blank, bug down.

What do you think about it?

Link to comment
Share on other sites

Two things to try.

 

1. Do the same thing, but add a line break at the end

<?php echo "<Associate-O-Matic Version=\"5.0.2\">\n"; ?>

 

If that doesn't work, then add the appropriate header for an XML file output at the top of the page

<?php header ("Content-Type:text/xml"); ?>

Link to comment
Share on other sites

Still the same. I did what you told me, modified the php-xml file. The site just goes blank (bug down). No chance at all, isn't it?

 

<?php header ("Content-Type:text/xml"); ?>

<?xml version="1.0" encoding="UTF-8"?>

<?php echo "<Associate-O-Matic Version=\"5.0.2\">\n"; ?>

Link to comment
Share on other sites

I see no reason why they would have an XML file with a PHP extension unless the intent was to allow dynamically created config files. If I was working on it, there are a lot of different things I would try.

 

Have you tried contacting the author of the application?

Link to comment
Share on other sites

I guess the purpose of the .php extension is for the admin; the file is constantly updated whenever the user saves the settings through the admin area. I am also confused why they're having a PHP extension with pure XML content.

I am trying to post at their forums.

Anyway, thanks for the advice. I really appreciate it.

Link to comment
Share on other sites
