How does it work?
A key is generated on the first page that also encrypts the string (or code if you want). The same key is used on the second page to decrypt it. Consider the functions below for more information. On the bottom you’ll find a test script to see the effect of the functions.

Generating a random string value in PHP (e.g a Captcha code):

function CreateRandomStringPHP() {
  $code = substr(str_shuffle('abcdefghijkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789'),0,5);
  return $code;
}

If you are using another language, consider using a function like this:

function CreateRandomString() {
  $Characters = array(
  'a','b','c','d','e','f','g','h','i','j','k','m','n','p','q','r','s','t','u','v','w','x','y','z',
  'A','B','C','D','E','F','G','H','J','K','L','M','N','P','Q','R','S','T','U','V','W','X','Y','Z',
  '2','3','4','5','6','7','8','9');

  $Code = '';
  for( $loop_b = 1; $loop_b <= 5; $loop_b++ ) {
    $Code .= $Characters[mt_rand(0,count($Characters)-1)];
  }

  return $Code;
}

Both of the above functions will generate a 5-length value. This will provide one value out of 550731776 possible combinations which should be enough for most needs.

The lock (or encrypt) function:

/*
  str LockCode(str $code, str $key)

  A codelock function (or encryption if you want).
  I wrote because I wanted a nice solution for keeping codes
  such as Captcha codes safe and secure for transferring between
  sites.

  It takes a $code of random length and locking $key as parameters.
  You'll need to use the same key to unlock it.

  The value this function returns, is simply a set of location
  coordinates in the key where the characters of the $code is found.
  This is again merged together with the lengths of every coordinate,
  since every coordinate can be 1 or 2 in length as long as the $key
  is under 100 characters in length (0-99).

  In the end, it should provide a safely locked $code, based on that
  you keep the $key hidden. Do NOT show it in your HTML. The key
  used in this example, with 56 alphanumeric characters where I have
  stripped out the following chars: 1, I, l, o, O and 0 (they are
  unpractical) has 7,9164324866862966607842406018063e+97
  combinations. This should be enough to keep the $code safe...
*/
function LockCode($code,$key) {
  $key_chars = str_split($key);
  $code_chars = str_split($code);
  $LockedKeyCoords = '';
  $LockedCoordLengths = '';

  foreach($code_chars as $c_char) {
    for($loop_a=0; $loop_a<count($key_chars); $loop_a++) {
      if($c_char==$key_chars[$loop_a]) {
        $LockedKeyCoords .= (string)$loop_a;
        $LockedCoordLengths .= (string)strlen($loop_a);
      }
    }
  }

  return $LockedKeyCoords . $LockedCoordLengths;
}

The unlock (or decrypt) function:

/*
  str UnlockCode(str $coords, str $key, int $keylength)

  The unlock function introduces a new parameter: $Keylength.
  This defines how many characters your $code was before you locked it.
*/
function UnlockCode($coords,$key,$keylength) {
  $key_chars = str_split($key);
  $keylengths = str_split(substr($coords,-$keylength));
  $UnlockedCode = '';

  foreach($keylengths as $length) {
    $UnlockedCode .= $key_chars[(int)substr($coords,0,(int)$length)];
    $coords = substr($coords,(int)$length);
  }

  return $UnlockedCode;
}

PHP code to test with:

/*
  The $Key MUST contain the characters you use to create the
  code with. Using the same string as you did to make the $Code
  with is a good choice. Generate a key on a standalone page,
  then use the same key on the page that locks the string, and
  on the page that unlocks the string.

  If you want a new random key every time you use the locking
  functions, you'll have to use a database system to store and
  retrieve them. And use sessions for identifying the keys. This
  would make a separate article, so I won't explain how to do it
  here.
*/
$Key = str_shuffle('abcdefghijkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789');

// Test it out.
$Code = CreateRandomStringPHP();
$LockedCode = LockCode($Code,$Key);
echo 'Key used: '. $Key .'<br><br>';
echo 'New code: '. $Code .'<br>';
echo 'Locked code: '. $LockedCode .'<br>';
echo 'Unlocked code: '. UnlockCode($LockedCode,$Key,5) .'<br><br>';
echo 'Reload this page to generate new results.';

The above testing code would produce something like this:

Key used: F7AYMQTscfHEPvSBXw5C3eWhj6kUxbn2ayrtGzNiqDV4m9ugJLKZpR8d

New code: c42yV
Locked code: 84331334212222
Unlocked code: c42yV

You can try it out yourself here (opens in a new window).

In my last article, I used the following code to create a random numeric value:

// 1000-9999 gives 5832 possibilies, strong enough for most captcha uses.
$VerificationCode = rand(1000, 9999);

You can use the following code instead to create a random alphanumeric value instead:

// This function will return a 5-length alphanumeric value.
// It will produce one out of 550731776 possible values.
function createCaptchaCode() {
  $stringChoices = array(
  'a','b','c','d','e','f','g','h','i','j','k','m','n','p','q','r','s','t','u','v','w','x','y','z',
  'A','B','C','D','E','F','G','H','J','K','L','M','N','P','Q','R','S','T','U','V','W','X','Y','Z',
  '2','3','4','5','6','7','8','9');

  $code = '';
  for( $loop_b = 1; $loop_b <= 5; $loop_b++ ) {
    $code .= $stringChoices[mt_rand(0,count($stringChoices)-1)];
  }
  return $code;
}

I suppose the above function could be written in PHP as simple as this:

function createCaptchaCode2() {
	$code = substr(str_shuffle('abcdefghijkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789'),0,5);
	return $code;
}

You might have noticed that the following characters are missing: 1, I, l, o, O and 0. This is to prevent unnecessary user frustration (they are very similar).

This covers how to generate a random alphanumeric value, what about encryption when you’re sending it between web pages? This subject is bigger than I thought it would be, so I’m going to make a new article on it.

You’ll find it here when it’s ready.

The idea is to send the actual answer to the other side, but with a simple encryption.

// First page variables.

// Create the random numeric code that a user/visitor will have to confirm it.
// 1000-9999 gives 5832 possibilies, strong enough for most captcha uses.
$VerificationCode = rand(1000, 9999);

// This is not a live example, so we’ll give $UserInput a manual value.
// In your own script, you would capture what the user had typed in.
$UserInput = ‘1234′;

// Create a key that only the other side will know.
// Send this key together with the answer the user provided.
$MySeed = 12345;
$VerificationKey = ($VerificationCode + ($MySeed*(int)date(‘d’)));

/*
The key is now made based on your custom value ($MySeed) that only YOU will know. To hack the key, the hacker would have to know it. AND would have to know what you do with it. In this example we keep it dynamic from day to day by multiplying it with the current day extracted from the current date. It’s easy to figure out something else that would be much harder to guess.

Now you send both $UserInput and $VerificationKey to the next page.
*/

// Second page variables and handling.

// This naturally has to match the value in page one.
$MySeed = 12345;

// Decrypt the key
$ReceivedKey = ((int)$VerificationKey – ($MySeed*(int)date(‘d’)));

// Now you can compare the user input with $ReceivedKey
$VerificationStatus = ((int)$UserInput==$ReceivedKey?true:false);

echo ($VerificationStatus?’Accepted’:'Not accepted’);

Representing the random code to the user
When you have created a random number and/or code you can represent it to your visitor like this: . Images are widely used to ask Captcha questions since they are binary with different random colors and shapes that’s hard to scan for a bot that’s scanning the Internet to collect or spam information.

Can I use your image script to show my random codes?
The image script I’ve used above takes a GET variable and prints it on a chosen image. It’s of no good use to anyone else other than an example, as it would be simple to just read the code right out of your source code for a spam-bot. So please make your own

Download your own copy WITH deciphering!
To make it easy for you, you can download the image script here and adapt it to your own needs. (This image script is adjusted to receive a key and view it dechiphered, adjust after your own needs. Bots will NOT be able to scan the code from THIS script, unless they know your way of encrypting the key).

What is a recursive function?
A recursive function is basically just a function that calls itself from within, making several instances of itself until you force it to stop. It’s good for when you don’t have a definitive concept depth to deal with, like searching for files through subdirectories, but don’t know how many directories and files there may be.

Here’s a recursive function I’ve made to search for images. It takes a search word and the folder to search in as first and second parameters.

// Recursive search function, a bit scary... I hope it won't make the universe implode on itself
function searchEngine($keyword, $folder) {
	global $SearchedImagesFoundCount, $SearchedImages;

	if($handle = opendir($folder)) {
		while(($file = readdir($handle)) !== false) {
			if((stristr($file,'.jpg') !== false || stristr($file,'.gif') !== false || stristr($file,'.png') !== false) && stristr($file,$keyword) !== false) {
				$SearchedImagesFoundCount += 1;
				array_push($SearchedImages,$folder.'/'.$file);
			} elseif(is_dir($folder.'/'.$file) && $file != '.' && $file != '..') {
				// Ran into a folder, we have to dig deeper now
				searchEngine($keyword,$folder.'/'.$file);
			}
		}
		closedir($handle);
	}
}

This is a stripped down version that might be easier to understand. This would simply search for a file (first parameter) in the given directory (second parameter).

function searchEngine($keyword, $folder) {
	if($handle = opendir($folder)) {
		while(($file = readdir($handle)) !== false) {
			if(stristr($file,$keyword) !== false) {
				// Action when a filename matching $keyword is found.
			} elseif(is_dir($folder.'/'.$file) && $file != '.' && $file != '..') {
				// Ran into a folder, we have to dig deeper now
				searchEngine($keyword,$folder.'/'.$file);
			}
		}
		closedir($handle);
	}
}

You can find it here.

Code used to detect ip and proxy (PHP):

if ($_SERVER["HTTP_X_FORWARDED_FOR"]) {
  if ($_SERVER["HTTP_CLIENT_IP"]) {
    $proxy = $_SERVER["HTTP_CLIENT_IP"];
  } else {
    $proxy = $_SERVER["REMOTE_ADDR"];
  }
  $ip = $_SERVER["HTTP_X_FORWARDED_FOR"];
} else {
  if ($_SERVER["HTTP_CLIENT_IP"]) {
    $ip = $_SERVER["HTTP_CLIENT_IP"];
  } else {
    $ip = $_SERVER["REMOTE_ADDR"];
  }
}

Starting, and continuing a session
On every PHP page you want to take use of sessions, start the script by calling session_start().

Registering session data
This is done by using the global $_SESSION array. Like this: $_SESSION['MyAge'] = ‘26′;

Closing and terminating all session data

$_SESSION = array();
if (isset($_COOKIE[session_name()])) {
  setcookie(session_name(), '', time()-42000, '/');
}
session_destroy();

Additional info
All session data is stored server-side, with only a cookie on the client-side telling the server what session-id it should work with. If the client browser has high security and you are afraid that cookies might not be available, then you can add the constant SID to every hyperlink necessary in order to pass the session-id around. This constant will not have any value unless the cookie creation fails.

A simple SID usage example

<a href="index.php?<?=SID?>">A link during a session that needs to have the session-id on the next page.</a>

If SID has a value, it would contain both the needed GET variable, and the session-id value. E.g. PHPSESSID=somevalue.

Get more information about php sessions over at php.net

Several of the files I’ve ran into have the same form of base64 encoding technique. This technique consists of 2 encoded parts. One part that holds the main code, and another part that decodes the first part and swaps around a few characters to make it valid.

The common contents of an encoded base64 file from a publisher could look like this (usually in 1 unbroken string but I split it up here to make it more readable):

$_F=__FILE__;
$_X='encoded_part1';
$_D=strrev('edoced_46esab');
eval($_D('encoded_part2'));
?>


Where the encoded part2 usually contain something like this:

$_X=base64_decode($_X);
$_X=strtr($_X,'something','something');
$_R=ereg_replace('__FILE__',"'".$_F."'",$_X);
eval($_R);


Solution
So all you need to do to view the real contents of any base64 encoded file that uses this method is just replacing the “eval” in encoded part2 with e.g. “echo” to view the final decoded code instead of running it.

To get to the contents of encoded part1, you just replace “eval” with “echo” there as well, which is never encoded to begin with.

Additional notes
Remember to view the source instead of just trusting screen output if viewing through a browser when analyzing output results.

As an additional comment, this way of hiding the source code is a quick and dirty and not secure way at all of doing it, and I was surprised to encounter it. If someone wants your code, they are most likely very fit to do this process to get it. Even if you have several hundred files, a script could be made to decode all of them in 1 batch.

A reason for wanting to decode some of these files, is often to see if the script is malicious or honest in its purpose.

The class is simple to load and use right away. You can find the class and it’s documentation on it’s website here: http://html2fpdf.sourceforge.net/

It is based upon (F)PDF which you can find here: http://www.fpdf.org/

You can download a usable version directly from here

The purpose of this class is to make the creation of PDF documents from HTML formatting easier, and it does the job fairly well. It seems to understand many of the most important HTML elements, as well as some CSS.

An example of simple usage:

<?php
// ---------------------------------
// HTML 2 (F)PDF

// Homepage for this class:
// http://html2fpdf.sourceforge.net/

// Homepage for the class which it is based on:
// http://www.fpdf.org/
// ---------------------------------
require_once('html2fpdf.php');
ob_start();
?>

<html>
<body>
<h1>My PDF test</h1>
<div align="center">Hello, World!</div>
</body>
</html>

<?php
$html = ob_get_contents();
ob_end_clean();
$pdf = new HTML2FPDF();
$pdf->SetTopMargin(1);
$pdf->AddPage();
$pdf->WriteHTML($html);
$pdf->Output('test.pdf','D');
?>

View example

-

First define a filename, and headers.

$filename = "test.xls";
header("Content-Disposition: attachment; filename=\"$filename\"");
header("Content-Type: application/vnd.ms-excel");

Now just send the clear text data you want the excel file to contain, use “\n” and “\t” for row and column navigation.

For example:

echo "column1 \t column2\n";
echo "row1 value1" . "\t" . "row1 value2\n";
echo "row2 value1" . "\t" . "row2 value2";
exit(); //remember to stop output unless you do it its own file.

Click the excel icon below to see how the export of this data would look like.

SimpleXML provides a simple and practical way of reading and handling XML content. SimpleXML requires PHP5.

First you define your XML document source

$xml = new SimpleXMLElement(file_get_contents('http://example.com/rss/'));

Then you choose what structure to get from the XML, in this example I want to loop through all the <item> tags under the first <channel>. Then I want to view the <title> of each item, as well as a download count from the ‘download’ namespace. The XML could look something like this:

<?xml version=”1.0″ encoding=”UTF-8″ ?>
<rss xmlns:download=”http://example.com/rss/downloadModule#” version=”2.0″>

<channel>
<item>
<title>The Title</title>
<download:count>12345</download:count>
</item>
<item>
<title>The Title 2</title>
<download:count>1234</download:count>
</item>
</channel>

SimpleXML works through arrays. Here I’m telling it to loop through the first <channel> by writing ‘channel[0]‘, and then the item collection within that channel. This small example illustrates how to handle both normal tags and namespaces.

foreach( $xml->channel[0]->item as $item ) {
// The download namespace
$download = $item->children('http://example.com/rss/downloadModule#');

// View item title
echo $item->title;

// The download count
echo $downloads->count;
}

I haven’t had any need for it yet, but to get the attributes within a tag you should only have to do something like this:

$attributes = $item->attributes();

// View attributes through names:
echo $attributes->attribute1;
echo $attributes->attribute2;