base64_decode - PHP code example

The php Function Base64_Decode

php is one of the web base scripting languages and it has many functions to handle its back end code. Among all php functions the function base64_decode is one of the finest methods to decrypt the datas in the application.

The php function base64_decode() is an inbuilt function which is used to decode the data that is encoded using MIME base64. The function accepts a single parameter called $data which is the encoded string. It also has an optional parameter named $strict which if set to true then the function will return false if the input contains characters from outside the base64 alphabet. Invalid characters are silently discarded. The function returns the decoded data on success or FALSE on failure, and the returned data may be binary.

This is very similar to the function rotencode() which takes specific letters from the original string and unscrambles them. Both rotencode and base64_decode can be found in many malware exploits to inject malicious code into a website or encrypt and hide a hacker's payload. It is therefore important to understand how these functions work so that you can avoid them in your code. The main issue is that these functions convert arrays directly into a string without prior serialization, which can result in obfuscated datas that are difficult to read. The problem is also that these obfuscated strings can be POSTed to your server and executed by hackers. This is a common practice in the form of the eval base64 decode hack.

base64_decode example

$authorizationHeader = null;
            if (isset($this->parameters['HTTP_AUTHORIZATION'])) {
                $authorizationHeader = $this->parameters['HTTP_AUTHORIZATION'];
            } elseif (isset($this->parameters['REDIRECT_HTTP_AUTHORIZATION'])) {
                $authorizationHeader = $this->parameters['REDIRECT_HTTP_AUTHORIZATION'];
            }

            if (null !== $authorizationHeader) {
                if (0 === stripos($authorizationHeader, 'basic ')) {
                    // Decode AUTHORIZATION header into PHP_AUTH_USER and PHP_AUTH_PW when authorization header is basic                     $exploded = explode(':', base64_decode(substr($authorizationHeader, 6)), 2);
                    if (2 == \count($exploded)) {
                        [$headers['PHP_AUTH_USER'], $headers['PHP_AUTH_PW']] = $exploded;
                    }
                } elseif (empty($this->parameters['PHP_AUTH_DIGEST']) && (0 === stripos($authorizationHeader, 'digest '))) {
                    // In some circumstances PHP_AUTH_DIGEST needs to be set                     $headers['PHP_AUTH_DIGEST'] = $authorizationHeader;
                    $this->parameters['PHP_AUTH_DIGEST'] = $authorizationHeader;
                } elseif (0 === stripos($authorizationHeader, 'bearer ')) {
                    /* * XXX: Since there is no PHP_AUTH_BEARER in PHP predefined variables, * I'll just set $headers['AUTHORIZATION'] here. * https://php.net/reserved.variables.server */

/** * @return array */
    public static function castOpensslX509($h, array $a, Stub $stub, bool $isNested)
    {
        $stub->cut = -1;
        $info = openssl_x509_parse($h, false);

        $pin = openssl_pkey_get_public($h);
        $pin = openssl_pkey_get_details($pin)['key'];
        $pin = \array_slice(explode("\n", $pin), 1, -2);
        $pin = base64_decode(implode('', $pin));
        $pin = base64_encode(hash('sha256', $pin, true));

        $a += [
            'subject' => new EnumStub(array_intersect_key($info['subject'], ['organizationName' => true, 'commonName' => true])),
            'issuer' => new EnumStub(array_intersect_key($info['issuer'], ['organizationName' => true, 'commonName' => true])),
            'expiry' => new ConstStub(date(\DateTimeInterface::ISO8601, $info['validTo_time_t']), $info['validTo_time_t']),
            'fingerprint' => new EnumStub([
                'md5' => new ConstStub(wordwrap(strtoupper(openssl_x509_fingerprint($h, 'md5')), 2, ':', true)),
                'sha1' => new ConstStub(wordwrap(strtoupper(openssl_x509_fingerprint($h, 'sha1')), 2, ':', true)),
                'sha256' => new ConstStub(wordwrap(strtoupper(openssl_x509_fingerprint($h, 'sha256')), 2, ':', true)),
                'pin-sha256' => new ConstStub($pin),
            ]),

    public function auth()
    {
        // Ensure AUTH has not already been initiated.         parent::auth();

        $this->_send('AUTH CRAM-MD5');
        $challenge = $this->_expect(334);
        $challenge = base64_decode($challenge);
        $digest = $this->_hmacMd5($this->_password, $challenge);
        $this->_send(base64_encode($this->_username . ' ' . $digest));
        $this->_expect(235);
        $this->_auth = true;
    }

    /** * Prepare CRAM-MD5 response to server's ticket * * @param string $key Challenge key (usually password) * @param string $data Challenge data * @param string $block Length of blocks * @return string */

$this->info['debug'] .= sprintf("* Connected to %s (%s) port %d\n", $request->getUri()->getHost(), $host, $this->info['primary_port']);

        if ((isset($this->info['peer_certificate_chain']) || $this->pinSha256) && null !== $tlsInfo = $stream->getTlsInfo()) {
            foreach ($tlsInfo->getPeerCertificates() as $cert) {
                $this->info['peer_certificate_chain'][] = openssl_x509_read($cert->toPem());
            }

            if ($this->pinSha256) {
                $pin = openssl_pkey_get_public($this->info['peer_certificate_chain'][0]);
                $pin = openssl_pkey_get_details($pin)['key'];
                $pin = \array_slice(explode("\n", $pin), 1, -2);
                $pin = base64_decode(implode('', $pin));
                $pin = base64_encode(hash('sha256', $pin, true));

                if (!\in_array($pin, $this->pinSha256, true)) {
                    throw new TransportException(sprintf('SSL public key does not match pinned public key for "%s".', $this->info['url']));
                }
            }
        }
        ($this->onProgress)();

        $uri = $request->getUri();
        $requestUri = $uri->getPath() ?: '/';

        }

        if (
            empty( $value['is_widget_customizer_js_value'] ) ||
            empty( $value['instance_hash_key'] ) ||
            empty( $value['encoded_serialized_instance'] )
        ) {
            return;
        }

        $decoded = base64_decode( $value['encoded_serialized_instance'], true );
        if ( false === $decoded ) {
            return;
        }

        if ( ! hash_equals( $this->get_instance_hash_key( $decoded ), $value['instance_hash_key'] ) ) {
            return;
        }

        $instance = unserialize( $decoded );
        if ( false === $instance ) {
            return;
        }

                        $excludes = [$arg->getAttribute('exclude')];
                    }

                    $arguments[$key] = new TaggedIteratorArgument($arg->getAttribute('tag'), $arg->getAttribute('index-by') ?: null, $arg->getAttribute('default-index-method') ?: null, $forLocator, $arg->getAttribute('default-priority-method') ?: null, $excludes, !$arg->hasAttribute('exclude-self') || XmlUtils::phpize($arg->getAttribute('exclude-self')));

                    if ($forLocator) {
                        $arguments[$key] = new ServiceLocatorArgument($arguments[$key]);
                    }
                    break;
                case 'binary':
                    if (false === $value = base64_decode($arg->nodeValue)) {
                        throw new InvalidArgumentException(sprintf('Tag "<%s>" with type="binary" is not a valid base64 encoded string.', $name));
                    }
                    $arguments[$key] = $value;
                    break;
                case 'abstract':
                    $arguments[$key] = new AbstractArgument($arg->nodeValue);
                    break;
                case 'string':
                    $arguments[$key] = $trim ? trim($arg->nodeValue) : $arg->nodeValue;
                    break;
                case 'constant':

private const ENTROPY = 1000;

    /** * A non alpha-numeric byte string. */
    private static string $bytes;

    private UriSafeTokenGenerator $generator;

    public static function setUpBeforeClass(): void
    {
        self::$bytes = base64_decode('aMf+Tct/RLn2WQ==');
    }

    protected function setUp(): void
    {
        $this->generator = new UriSafeTokenGenerator(self::ENTROPY);
    }

    public function testGenerateToken()
    {
        $token = $this->generator->generateToken();

    /** * Decodes column data * * @param string $data * * @return false|string */
    protected function decodeData($data)
    {
        return base64_decode(rtrim($data), true);
    }

    /** * Prepare data to insert/update */
    protected function prepareData(string $data): string
    {
        return '\x' . bin2hex($data);
    }

    /** * Cleans up expired sessions. * * @param int $max_lifetime Sessions that have not updated * for the last max_lifetime seconds will be removed. * * @return false|int Returns the number of deleted sessions on success, or false on failure. */

        if ('const' === $prefix) {
            if (!\defined($env)) {
                throw new RuntimeException(sprintf('Env var "%s" maps to undefined constant "%s".', $name, $env));
            }

            return \constant($env);
        }

        if ('base64' === $prefix) {
            return base64_decode(strtr($env, '-_', '+/'));
        }

        if ('json' === $prefix) {
            $env = json_decode($env, true);

            if (\JSON_ERROR_NONE !== json_last_error()) {
                throw new RuntimeException(sprintf('Invalid JSON in env var "%s": ', $name).json_last_error_msg());
            }

            if (null !== $env && !\is_array($env)) {
                throw new RuntimeException(sprintf('Invalid JSON env var "%s": array or null expected, "%s" given.', $name, get_debug_type($env)));
            }

$i = 1;
        $len = \count($str);

        while ($i < $len) {
            $c = strtolower($str[$i]);
            if ((\ICONV_MIME_DECODE_CONTINUE_ON_ERROR & $mode)
              && 'utf-8' !== $c
              && !isset(self::$alias[$c])
              && !self::loadMap('from.', $c, $d)) {
                $d = false;
            } elseif ('B' === strtoupper($str[$i + 1])) {
                $d = base64_decode($str[$i + 2]);
            } else {
                $d = rawurldecode(strtr(str_replace('%', '%25', $str[$i + 2]), '=_', '% '));
            }

            if (false !== $d) {
                if ('' !== $d) {
                    if ('' === $d = self::iconv($c, $charset, $d)) {
                        $str[$i + 3] = substr($str[$i + 3], 1);
                    } else {
                        $result .= $d;
                    }
                }

/** * decode base64 and urlencode * * @param string $string template_resource to decode * @return string decoded template_resource */
    protected function decode($string)
    {
        // decode if specified         if (($pos = strpos($string, ':')) !== false) {
            if (!strncmp($string, 'base64', 6)) {
                return base64_decode(substr($string, 7));
            } elseif (!strncmp($string, 'urlencode', 9)) {
                return urldecode(substr($string, 10));
            }
        }

        return $string;
    }

    /** * modify resource_name according to resource handlers specifications * * @param Smarty $smarty Smarty instance * @param string $resource_name resource_name to make unique * @return string unique resource name */

$cookieConfig = json_decode($cookieResponseHeader, true);

        if ($cookieConfig['cookieNoteMode'] === CookieRemoveSubscriber::COOKIE_MODE_ALL) {
            return $response;
        }

        $cookieGroupResponseHeader = $responseHeaders->get(CookieRemoveHandler::COOKIE_GROUP_COLLECTION_KEY);
        if (!\is_string($cookieGroupResponseHeader)) {
            return $response;
        }

        $cookieGroupCollection = unserialize(base64_decode($cookieGroupResponseHeader),
            [
                'allowed_classes' => [
                    CookieGroupCollection::class,
                    CookieCollection::class,
                    CookieGroupStruct::class,
                    CookieStruct::class,
                ],
            ]
        );

        $cookieRemoveHandler = new CookieRemoveHandler($cookieGroupCollection);

    public function isValid($message, $signature)
    {
        $pubkeyid = $this->getKeyResource();

        $signature = base64_decode($signature);

        // State whether signature is okay or not         $ok = openssl_verify($message, $signature, $pubkeyid);

        if ($ok === 1) {
            return true;
        }
        if ($ok === 0) {
            return false;
        }
        while ($errors[] = openssl_error_string()) {
        }

public function getAuthKeyword(): string
    {
        return 'CRAM-MD5';
    }

    /** * @see https://www.ietf.org/rfc/rfc4954.txt */
    public function authenticate(EsmtpTransport $client): void
    {
        $challenge = $client->executeCommand("AUTH CRAM-MD5\r\n", [334]);
        $challenge = base64_decode(substr($challenge, 4));
        $message = base64_encode($client->getUsername().' '.$this->getResponse($client->getPassword(), $challenge));
        $client->executeCommand(sprintf("%s\r\n", $message), [235]);
    }

    /** * Generates a CRAM-MD5 response from a server challenge. */
    private function getResponse(#[\SensitiveParameter] string $secret, string $challenge): string     {
        if (\strlen($secret) > 64) {
            $secret = pack('H32', md5($secret));
        }

                    $type |= SIMPLEPIE_CONSTRUCT_HTML;
                }
                else
                {
                    $type |= SIMPLEPIE_CONSTRUCT_TEXT;
                }
            }

            if ($type & SIMPLEPIE_CONSTRUCT_BASE64)
            {
                $data = base64_decode($data);
            }

            if ($type & (SIMPLEPIE_CONSTRUCT_HTML | SIMPLEPIE_CONSTRUCT_XHTML))
            {

                if (!class_exists('DOMDocument'))
                {
                    throw new SimplePie_Exception('DOMDocument not found, unable to use sanitizer');
                }
                $document = new DOMDocument();
                $document->encoding = 'UTF-8';