On the server side, you can use a PHP script to compare the user-supplied MD5 of a password with the user’s real password’s MD5 digest.. This funcfunc-tion creates an MD5 digest of the u
Trang 1The client-side scripting language JavaScript provides a solution You can use JavaScript to create a MD5 message digest of the password and transmit only the digest, rather than the real password This means that the user’s password never travels over the network
On the server side, you can use a PHP script to compare the user-supplied MD5
of a password with the user’s real password’s MD5 digest If both digests match, you have a user that knows his or her password and therefore should be given access
Now let’s look at this process using an example Listing 22-1 shows a Web form with two JavaScripts The first script simply loads an external JavaScript MD5 library called md5.js You can also download it from the Internet via
http://www.publicator.no/includes/script/md5.js.
Listing 22-1: md5_login.html
<html>
<head>
<script language=”JavaScript” src=”md5.js”></script>
<script language=”JavaScript”>
function processForm() { document.loginForm.password.value = MD5(document.loginForm.password.value);
document.loginForm.submit();
}
</script>
</head>
<body>
<center>
<form name=”loginForm” method=”post” action=”md5_login.php”>
<table border=0 cellpadding=3 cellspacing=0>
<tr>
<td> Name </td>
<td> <input type=”text” name=”username” size=”10”> </td>
</tr>
<tr>
<td> Password </td>
<td> <input type=”password” name=”password” size=”15” ></td>
</tr>
Trang 2<td colspan=2>
<input onclick=”processForm(); return true;”
type=”button” value=”Login”>
</td>
</tr>
</table>
</form>
</center>
</body>
</html>
The second JavaScript has a single function called processForm() This func-tion is called when the login form’s Login button is clicked This funcfunc-tion creates an MD5 digest of the user-supplied password and replaces the password value with the MD5 digest, and then submits the data to the md5_login.php PHP script, shown in Listing 22-2
Listing 22-2: md5_login.php
<?php
error_reporting(E_ALL);
define(‘PASSWORD’, ‘2manysecrets’);
$user = (! empty($_REQUEST[‘username’])) ? $_REQUEST[‘username’] : null;
$givenMD5Hash = (! empty($_REQUEST[‘password’])) ? $_REQUEST[‘password’] : null;
// If user given MD5 of password does not match // with the md5(PASSWORD) then redirect
// user to login page again
if (strcmp($givenMD5Hash , md5(PASSWORD))) {
header(“Location: md5_login.html”);
}
// User knows password so login successful echo “Welcome to PHP.”;
Trang 3This PHP script creates an MD5 digest of the real password stored as a constant called PASSWORDand compares it against the user-supplied MD5 digest of the pass-word If they do not match, the user is redirected to the md5_login.html page
Otherwise, a welcome message is shown Note that the password is hard-coded in the example code for demonstration only In real application, the password will be stored in a database
As the real password never travels the network, this method of login is more secure, as guessing the original password for an MD5 digest is very difficult
Using Web server–based authorization
If you must limit the network or IP address from which users can access your appli-cation, you can create an htaccess conf configuration as follows:
Order deny,allow Deny all
Allow from 192.168.
You can also put this in your httpd.conf file by putting the preceding configura-tion in a directory container, as shown here:
<Directory “/path/to/your_app”>
Order deny,allow Deny all
Allow from 192.168.
</Directory>
If you want to use the Locationcontainer, you can use a relative path:
<Location “/your_app”>
Order deny,allow Deny all
Allow from 192.168.
</Location>
In any of the preceding three cases, all access to the /your_app directory under the Web document root is restricted to hosts with IP addresses that belong to 192.168.x.x networks In other words, an IP address such as 192.168.0.1 or 192.168.254.1 can access the application You can allow specific IP addresses as well, as shown in the following example:
<Location “/your_app”>
Order deny,allow Deny all
Allow from 192.168.1.100 130.86.1.2
</Location>
Trang 4In the preceding example, access is restricted to only the two named IP addresses
If you want to exclude a particular IP or network, simply use Deny from, as shown here:
<Location “/your_app”>
Order allow,deny Deny from 130.86.
Allow all
</Location>
Your Web application always has access to the user’s IP address as
$_SERVER[‘REMOTE_ADDR’] However, note that a block of users can have the same
IP address if their requests are sent via a caching proxy server
Restricting write access to directories
When your PHP applications need to write to a certain directory, be very careful about the directory permissions Your PHP applications typically run as the Web server, so you must allow it to write to the directory in which you want to allow your application to create new files or update existing ones Never make your direc-tories world readable In other words, never run commands such as chmod -R 777
on a directory that is accessible via the Web or your applications
Securely Uploading Files
PHP makes uploading files easy, but with ease comes danger Let’s look at a simple scenario Listing 22-3 shows a simple file upload form that calls bad_upload.html script to upload a file The uploaded file is processed by a script called bad_uploader.php
Listing 22-3: bad_upload.html
<html>
<head><title>Upload Form Using Bad Uploader Script</title>
<body>
<form method=”POST” enctype=”multipart/form-data”
action=”bad_uploader.php”>
File: <input type=”file” name=”picfile”>
<input type=submit value=”Upload Picture”>
</form>
</body>
</html>
Trang 5The bad_uploader.php, shown in Listing 22-4, copies the Web browser–uploaded file to a directory called images Before copying the uploaded temporary file (which
is created automatically by PHP) to the images directory, it checks whether the file size is less than five thousands bytes, and whether the file is a GIF image or not
When both of these conditions are met, the file is copied to the images directory
Otherwise, it displays a message stating that the upload was unsuccessful
Listing 22-4: bad_uploader.php
<?php
// This script will not work // if register_globals is OFF // This is here to make a point only
define(‘MAX_FILE_SIZE’, 5000);
define(‘FILE_TYPE’, ‘image/gif’);
echo “File name : $picfile_name <br>”;
echo “File size : $picfile_size <br>”;
echo “File type : $picfile_type <br>”;
if ( ($picfile_size < MAX_FILE_SIZE) &&
($picfile_type == FILE_TYPE)) {
copy($picfile, “images/$picfile_name”);
} else { echo “Your file $picfile_name was not uploaded <br>”;
}
?>
The Web form in Listing 22-4 has a file field called picfile When processed by PHP, it creates $picfile_nameas the file name, $picfile_sizeas the size of the file, and $picfile_typeas the file’s MIME type The script uses these variables to perform its job For many programmers, there is nothing wrong with the way the preceding script works However, consider the Web form, hacked_bad_upload_
form.html, shown in Listing 22-5
Listing 22-5: hacked_bad_upload_form.html
<html>
<head><title>Hacker’s Upload Form Attacking Bad Uploader Script</title>
<body>
Continued