548 Part III Advanced Features and Techniques: you wish to encrypt
December 29, 2006 on 7:17 pm | In php | No Comments

...you wish to encrypt or decrypt in the key and data arguments, respectively. To encrypt, pass MCRYPT_ENCRYPT in the direction argument; to decrypt, pass MCRYPT_DECRYPT. Finally, for cipher modes that support initialization vectors, pass your own IV in the iv argument.

Your key must be of the correct size for your cipher. To find out what this size is, use:

mcrypt_get_key_size(cipher)

Again, cipher is the cipher you have chosen. To generate a random IV or key, use:

mcrypt_create_iv(size, source)

Here, size is the size of the desired object and source is one of MCRYPT_RAND, MCRYPT_DEV_RANDOM, or MCRYPT_DEV_URANDOM, specifying the random number generator to use: rand(), /dev/random, or /dev/urandom, respectively. If you use rand(), be sure to call srand() to seed the random number generator first. (See Chapter 10 for more information on random numbers.) The proper sizes for IVs and keys are obtained by calling mcrypt_get_block_size(cipher) and mcrypt_get_key_size(cipher), respectively.

Note that all data handled by mcrypt is in the form of PHP strings of binary data. If you wish to display the data in some human-readable format or store it as a text string, you must apply some translation to it. PHP provides the functions base64_encode() and base64_decode() for just this purpose. Check the PHP manual for more information on these functions.

Encrypting cookies

Cookies your site sends to a visitor's browser contain information about that visitor. When the browser sends the cookie back, your site uses the information it contains to generate a new page. Don't trust the network: sound familiar? A cookie could be modified or forged by a malicious user, perhaps fooling your site somehow. This extremely simple program will serve as an example:
You have been here times
Here, a count of our visitor's visits to this site is kept in the cookie visits. A visitor could modify his or her cookie, however, to make the visit count 10,000. Our program would have no idea that this visitor has not been to the page 10,000 times and would blindly display "You have been here 10000 times".

Cross-Reference: See Chapter 24 for more information on cookies.
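As an added example (not the book's own code), here is the counter above with its cookie encrypted through the mcrypt calls this section describes (mcrypt_cbc, mcrypt_get_key_size, mcrypt_get_block_size, mcrypt_create_iv, base64_encode) and, as an addition beyond the book's scheme, authenticated with an HMAC so that a modified or forged cookie is rejected rather than decrypted into garbage. It assumes $encKey (exactly cookie_key_size() bytes long) and $macKey are loaded from server-side configuration and never leave the server.

```php
<?php
// Added example, not the book's code. Runs on PHP 5.6 to 7.1: mcrypt_cbc() is
// deprecated from 5.5 and the whole mcrypt extension was removed in PHP 7.2.
// With libmcrypt 2.4+ the size lookups take the mode as a second argument.
// $encKey and $macKey are assumed to come from server-side configuration.

define('CK_CIPHER', MCRYPT_BLOWFISH);
define('CK_MODE',   MCRYPT_MODE_CBC);
define('CK_MACLEN', 32);                       // raw SHA-256 HMAC length

function cookie_key_size() {                   // required length of $encKey
    return mcrypt_get_key_size(CK_CIPHER, CK_MODE);
}

function seal_visits($visits, $encKey, $macKey) {
    $ivSize = mcrypt_get_block_size(CK_CIPHER, CK_MODE);
    $iv     = mcrypt_create_iv($ivSize, MCRYPT_DEV_URANDOM);   // fresh IV each time
    $ct     = mcrypt_cbc(CK_CIPHER, $encKey, (string)(int)$visits, MCRYPT_ENCRYPT, $iv);
    $blob   = $iv . $ct;                       // the IV travels with the ciphertext
    $mac    = hash_hmac('sha256', $blob, $macKey, true);
    return base64_encode($mac . $blob);        // binary data to cookie-safe text
}

function open_visits($cookie, $encKey, $macKey) {
    $ivSize = mcrypt_get_block_size(CK_CIPHER, CK_MODE);
    $raw    = base64_decode($cookie, true);
    if ($raw === false || strlen($raw) <= CK_MACLEN + $ivSize) return null;
    $mac  = substr($raw, 0, CK_MACLEN);
    $blob = substr($raw, CK_MACLEN);
    // Check the MAC first, in constant time; any tampering stops here.
    if (!hash_equals(hash_hmac('sha256', $blob, $macKey, true), $mac)) return null;
    $iv    = substr($blob, 0, $ivSize);
    $plain = mcrypt_cbc(CK_CIPHER, $encKey, substr($blob, $ivSize), MCRYPT_DECRYPT, $iv);
    $plain = rtrim($plain, "\0");              // mcrypt_cbc() zero-pads to the block size
    return ctype_digit($plain) ? (int)$plain : null;
}

// The book's counter, now trusting the cookie only after it checks out.
$visits = isset($_COOKIE['visits']) ? open_visits($_COOKIE['visits'], $encKey, $macKey) : null;
if ($visits === null) $visits = 0;             // missing, forged or corrupted: start over
$visits++;
setcookie('visits', seal_visits($visits, $encKey, $macKey));
print("You have been here $visits times");
```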
547 Chapter 29 Security: The Unix version of PHP provides a
December 27, 2006 on 1:17 pm | In php | 1 Comment

The Unix version of PHP provides a set of functions that implement single-key encryption, using a publicly available library called mcrypt. To use these functions, you must download and install mcrypt (there is a link to the library's source available in the PHP manual) and recompile PHP with the --enable-mcrypt configuration option. When compiling this version of mcrypt, you must specify the configuration option --disable-posix-threads during the mcrypt configuration. Missing this step causes Apache to crash.

mcrypt offers a choice between a number of ciphers, different single-key algorithms. Each has its relative pros and cons in terms of speed and strength. In general, DES and Blowfish are fairly well-known algorithms with a good balance of speed and strength, but if you need extreme speed or great strength, you should research the algorithms available in your implementation (listed in mcrypt.h) and choose the one most suited to your needs.

mcrypt also allows you to choose among four cipher modes. These are summarized in Table 29-1.

Table 29-1: Cipher Modes Provided by mcrypt

Mode | Description | Initialization vector (IV)
ECB (electronic code book) | Just translate the block of data given. Suitable for small blocks of data that aren't very predictable, such as other keys. Do not use for text: The high frequency of letters and punctuation may be used to break the encryption. | no
CBC (cipher block chaining) | This stronger mode is far better suited for use with textual data. | optional
CFB (cipher feedback) | Like ECB, CFB is well suited for short blocks of data. | yes
OFB (output feedback) | OFB is very similar to CFB but designed to be better behaved when it encounters errors in its input. | yes

The last two modes require an initialization vector (abbreviated IV), which functions as a starting state for the encryption algorithm.
The differences between these modes are relevant to interactive use, where individual keystrokes are encrypted one at a time. In that case, it is crucial that the algorithm not encrypt the letter a the same way each time. The PHP interface to mcrypt only allows us to encrypt strings, however, so any of the modes except ECB are perfectly acceptable.

Depending on the cipher mode you want to use, call mcrypt_ecb(), mcrypt_cbc(), mcrypt_cfb(), or mcrypt_ofb() like this:

mcrypt_cbc(cipher, key, data, direction, [iv])

where cipher is MCRYPT_DES, MCRYPT_BLOWFISH, or whichever cipher you have chosen. (See the PHP documentation for an updated list of supported ciphers.) Pass your key and the data
546 Part III Advanced Features and Techniques: We shall call Alice's
December 25, 2006 on 8:04 am | In php | No Comments

We shall call Alice's keys P_alice and S_alice, respectively and, likewise, Bob's keys P_bob and S_bob. They publish their public keys in the newspaper but hide their secret keys under their mattresses.

Alice has a sensitive message M for Bob. With her keys, Alice received a set of instructions for translating a message with a key. We write the translation like this: P_bob(M). She translates her message with Bob's public key and hands the result to a shady-looking character on a pony.

Our friends' keys were not chosen arbitrarily. They have the special property that if they translate a message with one key, then translate the result with the other, they get the original message back. That is, S_alice(P_alice(M)) = P_alice(S_alice(M)) = M. There's no other way to resurrect the original message. In this case, Bob translates the message he receives, which he knows to be P_bob(M), with his secret key. S_bob(P_bob(M)) = M, so he can read Alice's original message.

Bob knows that nobody else could have read that message, because nobody else has his secret key. But he does not know that it came from Alice: Anyone who reads the newspaper may have sent that message, signing the name Alice at the bottom.

Now Alice wants to send another message to Bob, and this time she wants no doubt that it was from her. First, she translates the message with her secret key and writes the result after her message as a signature: M + S_alice(M). She sends this off to Bob, who reads Alice's message, which instructs him to translate the signature with her public key: P_alice(S_alice(M)) = M, and he sees her message again.

Because nobody else has Alice's secret key, she is the only one who could have created this signature, so this message must have come from her. But note that this time Alice sent her message M to Bob directly. Any rogue could have waylaid the Pony Express and read it.
If she had so desired, she could have first signed the message, then encrypted the message and the signature using the first method, resulting in a signed, encrypted message.

There is a hitch in this scheme. Without meeting Alice, Bob can't be sure that the public key he found in the newspaper is really Alice's key. What if someone else had his or her key printed under her name? This could become a real problem if Bob communicates with lots of people; he simply doesn't have the time to check keys with each of them face-to-face.

Assume that there is at least one person everyone trusts; call him Tom. Tom picks a set of keys and offers to sign documents with his secret key, if the owner of the document shows proof of his or her identity. Alice has her public key signed by Tom, and then publishes the signed key, called a certificate, in the newspaper. Bob checks the signature on the key he sees in the newspaper, using Tom's public key. He knows that Tom signed that message, and Tom must have checked Alice's identification, so the key in the newspaper must really belong to Alice.

Single-key encryption

In single-key encryption, the same key can encrypt and decrypt a message. In general, it runs much more quickly than other forms of encryption, but it is more difficult to use for communication because the key must somehow be transmitted from one end to the other without any eavesdroppers picking it up. This is precisely where public-key encryption can lend a hand.

Returning briefly to our characterization, imagine Alice and Bob want to have a private conversation using single-key encryption. Alice asks Bob for his certificate, which contains his public key. She then picks a new single key and encrypts that key with Bob's public key, sending the result to Bob. Using his secret key, he decrypts the message to reveal Alice's single key and then uses it to begin a single-key encryption conversation.
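As an added worked example (not the book's code), the whole story above with real RSA keys from PHP's OpenSSL extension: Tom certifies Alice's public key, Bob checks the certificate, and Alice sends a signed message to Bob under a fresh single key that is itself encrypted with P_bob, exactly the hybrid handoff of the last paragraph. The 2048-bit RSA size, AES-256-CBC as the single-key cipher and OAEP padding are assumptions of this example, not anything the book specifies.

```php
<?php
// Added example, not the book's code. P(M) and S(M) from the text map onto
// openssl_public_encrypt/openssl_private_decrypt (secrecy) and
// openssl_sign/openssl_verify (signature). Key size and cipher are assumptions.

function make_keys() {                   // S: secret key resource, P: public key PEM
    $s = openssl_pkey_new(array('private_key_bits' => 2048,
                                'private_key_type' => OPENSSL_KEYTYPE_RSA));
    return array('S' => $s, 'P' => openssl_pkey_get_details($s)['key']);
}

// Tom certifies P_alice: the certificate is the key plus Tom's signature over it.
function certify($pubKeyPem, $tom) {
    openssl_sign($pubKeyPem, $sig, $tom['S'], OPENSSL_ALGO_SHA256);
    return array('key' => $pubKeyPem, 'sig' => $sig);
}

// Bob checks the certificate with Tom's public key before trusting the key inside.
function key_from_certificate($cert, $tomPub) {
    $ok = openssl_verify($cert['key'], $cert['sig'], $tomPub, OPENSSL_ALGO_SHA256);
    return $ok === 1 ? $cert['key'] : null;
}

// Alice: sign M with S_alice, pick a fresh single key K, encrypt M + signature
// under K, and send K itself encrypted with P_bob (the hybrid scheme in the text).
function send($M, $alice, $bobPub) {
    openssl_sign($M, $sig, $alice['S'], OPENSSL_ALGO_SHA256);
    $K  = openssl_random_pseudo_bytes(32);
    $iv = openssl_random_pseudo_bytes(16);
    $body = openssl_encrypt(json_encode(array('M' => $M, 'sig' => base64_encode($sig))),
                            'aes-256-cbc', $K, OPENSSL_RAW_DATA, $iv);
    openssl_public_encrypt($K, $sealedK, $bobPub, OPENSSL_PKCS1_OAEP_PADDING);
    return array('K' => $sealedK, 'iv' => $iv, 'body' => $body);
}

// Bob: recover K with S_bob, decrypt the body, then verify the signature with P_alice.
function receive($msg, $bob, $alicePub) {
    if (!openssl_private_decrypt($msg['K'], $K, $bob['S'], OPENSSL_PKCS1_OAEP_PADDING)) return null;
    $plain = openssl_decrypt($msg['body'], 'aes-256-cbc', $K, OPENSSL_RAW_DATA, $msg['iv']);
    $env = json_decode($plain, true);
    if (!$env) return null;
    $good = openssl_verify($env['M'], base64_decode($env['sig']), $alicePub, OPENSSL_ALGO_SHA256);
    return $good === 1 ? $env['M'] : null;   // null: tampered, forged, or not from Alice
}

$alice = make_keys(); $bob = make_keys(); $tom = make_keys();
$alicePub = key_from_certificate(certify($alice['P'], $tom), $tom['P']);
$msg = send('Meet at the telegraph office at noon.', $alice, $bob['P']);
print(receive($msg, $bob, $alicePub));   // Alice's message, or nothing if any check fails
```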
545 Chapter 29 Security: chmod($uploadfile, 0644); print('File upload was successful'); }
December 22, 2006 on 1:11 pm | In php | No Comments

    chmod($uploadfile, 0644);
    print('File upload was successful');
  } else {
    print('File upload failed');
  }
} else {
  print('Only images are allowed, upload failed');
}

What's different about this version, and why is it better? We've started by working a little string and regex magic on our filename. The value of $_FILES['upfile']['name'] contains the literal name of the file as it was on the user's system; but for reasons which should already be apparent, this cannot be trusted. The second line removes any trailing and leading whitespace characters. The third line ensures that we have a filename with a manageable length by taking only the last twenty characters. We take these characters from the end because we need to capture the file extension; but this is an important step because excessively long filenames can create a host of potential problems. The fourth line pulls out any spaces in the filename, as different platforms handle long filenames in different ways, potentially posing additional problems. The last thing we do before writing out the file is to make sure it's an image. You may wish to allow other types and can adjust the regular expression accordingly. Finally, we change permissions on the written-out file to a minimal set, reducing the risk from viruses or unwanted executables.

There are safer and less safe ways to handle file uploads; but uploading is historically one of the most insecure things that PHP allows you to do. Many good Web developers and sysadmins think that anyone who's willing to let unknown users upload unknown binaries to their filesystem is asking for trouble. So before implementation, you need to ask if this is really what you need or want to do, and if you're prepared for all the possible consequences. Once you've made that decision, follow the hints in this section to make things as safe as possible.
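As an added example (not the book's code), the same upload handler with the book's checks kept and tightened: ereg() is gone since PHP 7, so preg_match() is used; the extension test is anchored at the end of the name (the book's unanchored ereg('.jpg', ...) also matches a name such as "x.jpgphp"); the file's content is checked with finfo rather than its name alone; and the file is stored under a server-generated name so the browser-supplied name never reaches the filesystem. It assumes $uploaddir is outside the document root or served without PHP execution.

```php
<?php
// Added example, not the book's code. Same checks as the book's version
// (trimmed, bounded, whitespace-free, image-only, minimal permissions), made
// stricter: anchored extension match, content sniffing with finfo, and a
// server-chosen filename. $uploaddir is assumed to be served without PHP.

function store_upload(array $file, $uploaddir) {
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) return 'File upload failed';
    if (!is_uploaded_file($file['tmp_name'])) return 'File upload failed';

    $original = trim($file['name']);
    $original = substr($original, -20);                // bounded length, as in the book
    $original = preg_replace('/\s+/', '', $original);  // no whitespace at all
    if (!preg_match('/\.(jpe?g|gif)$/i', $original, $m)) {
        return 'Only images are allowed, upload failed';
    }
    $ext = strtolower($m[1]);

    // Content check: the name says image; make sure the bytes agree.
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    $mime  = finfo_file($finfo, $file['tmp_name']);
    finfo_close($finfo);
    $allowed = array('jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'gif' => 'image/gif');
    if ($allowed[$ext] !== $mime) return 'Only images are allowed, upload failed';

    // Server-chosen name: no user input reaches the path at all.
    $stored = bin2hex(openssl_random_pseudo_bytes(8)) . '.' . $ext;
    $uploadfile = rtrim($uploaddir, '/') . '/' . $stored;
    if (!move_uploaded_file($file['tmp_name'], $uploadfile)) return 'File upload failed';
    chmod($uploadfile, 0644);                          // readable, never executable
    return 'File upload was successful';
}

print(store_upload($_FILES['upfile'], 'uploads/'));
```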
Encryption

Encryption is the process of transforming some message, referred to as plaintext, into unrecognizable ciphertext. Without certain information (a key of some sort), it is extremely hard to reconstruct the plaintext from the ciphertext. Someone equipped with the proper key, however, can easily decrypt the ciphertext, revealing the original plaintext, at least if the chosen encryption function is not one-way.

We have already seen one use of encryption in this chapter: Passwords are stored in encrypted form. Password encryption, however, is usually one-way. There is no key to decrypt an encrypted password. Such a key is not needed, and the encryption can be made stronger if it doesn't need to be reversible. Encryption has many other uses in online business, both for storing data on the server and transmitting it across the network.

Public-key encryption

Meet Alice and Bob, professional cryptographic examples. They were chosen by the mathematical community, not for their acting talent, but because their names begin with A and B. Alice and Bob want to communicate securely, but their only method of communication is via Pony Express, not particularly secure. Each of them selects a public key and a secret key.
544 Part III Advanced Features and Techniques: PHP defaults to a
December 20, 2006 on 6:03 am | In php | 2 Comments

PHP defaults to a size of 2MB for this parameter, which is probably larger than you will need under ordinary circumstances. You can set this value as large as you like, but you will have to strike a balance with the value of max_execution_time, which will require a duration large enough to accommodate your largest possible upload from your least well equipped user. For example, a modem user may take six minutes or more to upload a 1MB file.

If any of these values seem out of line with the needs of the rest of your PHP installation, they probably are. Greatly increasing the value of max_execution_time to allow for larger uploads, for example, can make debugging infinite loops and other scripting mishaps difficult. It can also pose a security risk based on scripts that are placed elsewhere on your site. This would be an appropriate place to set these values on a per directory basis using php flags and .htaccess files as discussed in Chapter 30.

The next setting controls the size of HTTP form submissions, which includes file uploads.

post_max_size = 8M

Again, the PHP default here is pretty high, but it needs to be big enough to hold the value of upload_max_filesize plus a few bytes for any form data that may accompany the upload.

Once you've got these values all set, you're ready to write a script that handles the uploaded file. At its most basic, this script would look something like the following:

$uploaddir = 'uploads/';
$uploadfile = $uploaddir . $_FILES['upfile']['name'];
if (move_uploaded_file($_FILES['upfile']['tmp_name'], $uploadfile)) {
  print('File upload was successful');
} else {
  print('File upload failed');
}

This script creates a couple of simple variables to create an easily readable path and filename. The global $_FILES is a multidimensional array in order to handle concurrent file uploads from the same form.
In the first level, we identify the file by the name assigned to that field in the form. In the second level, we use the predefined variable name to assign our file a name. Next we capture the actual file data, which is referenced by the value of tmp_name, the location where the bits are stored until you do something with them. Finally, we move it to its permanent resting place.

You probably didn't expect it to be that simple, and you won't be disappointed. Sure, if you cover all your bases ahead of time, this script will get the job done, but it's pretty insecure as we have placed the vaguest and most general restrictions on what users can send us. The following script offers some checks and modifications added for security and robustness:

$uploaddir = 'uploads/';
$filename = trim($_FILES['upfile']['name']);
$filename = substr($filename, -20);
$filename = ereg_replace(' ', '', $filename);
if ((ereg('.jpg', $filename)) || (ereg('.gif', $filename))) {
  $uploadfile = $uploaddir . $filename;
  if (move_uploaded_file($_FILES['upfile']['tmp_name'], $uploadfile)) {
upload_tmp_dir = This is typically left unassigned, which
December 19, 2006 on 9:45 pm | In php | No Comments

upload_tmp_dir =

This is typically left unassigned, which results in a default appropriate for your system. This is not where the final uploaded file will reside. This is generally the best choice, so unless you have a really compelling reason to set this to something else, leave it alone.

The next setting is where we enforce a maximum file size.

upload_max_filesize = 2M