332 Chapter 15 Implementing Secure Transactions with PHP and MySQL If we are providing a Web interface to send GPG encrypted mail, the flow of informa- tion will look something like Figure 15.5. 3 Recipient’s Mail Server 2 Sender’s Browser Recipient’s Mail Client Web Server 1 Figure 15.5 In our encrypted email application, the message is sent via the Internet three times. In this figure, each arrow represents our message being sent from one machine to anoth- er. Each time the message is sent, it travels through the Internet and might pass through a number of intermediary networks and machines. The script we are looking at here exists on the machine labeled Web Server in the diagram. At the Web server, the message will be encrypted using the recipient’s public key. It will then be sent via SMTP to the recipient’s mail server.The recipient will con- nect to his mail server, probably using POP or IMAP, and download the message using a mail reader. Here he will decrypt the message using his private key. The data transfers in Figure 15.5 are labeled 1, 2, and 3. For stages 2 and 3, the infor- mation being transmitted is a GPG encrypted message and is of little value to anybody who does not have the private key. For transfer 1, the message being transmitted is the text that the sender entered in the form. If our information is important enough that we need to encrypt it for the second and third leg of its journey, it is a bit silly to send it unencrypted for the first leg.Therefore, this script belongs on a server that uses SSL. If we connect to our script using a port other than 443, it will provide a warning. This is the default port for SSL. If your server uses a non-default port for SSL, you might need to modify this code. Rather than providing an error message, we could deal with this situation in other ways.We could redirect the user to the same URL via an SSL connection.We could also choose to ignore it because it is not usually important if the form was delivered using a secure connection.What is usually important is the details that the user has typed into the form are sent to us securely.We could simply have given a complete URL as the action of our form. Currently, our open form tag looks like this: <form method="post" action="send_private_mail.php"> We could alter it to send data via SSL even if the user connected without SSL, like this: <form method="post" action="https://webserver/send_private_mail.php"> If we hard code the complete URL like this, we can be assured that visitors’ data will be sent using SSL, but we will need to modify the code every time we use it on another server or even in another directory. 19 525x ch15 1/24/03 3:41 PM Page 332 333 Next Although in this case, and many others, it is not important that the empty form is sent to the user via SSL, it is usually a good idea to do so. Seeing the little padlock sym- bol in the status bar of their browsers reassures people that their information is going to be sent securely.They should not need to look at your HTML source and see what the action attribute of the form is. Further Reading The specification for SSL version 3.0 is available from Netscape: http://home.netscape.com/eng/ssl3/ If you would like to know more about how networks and networking protocols work, a classic introductory text is Andrew S.Tanenbaum’s Computer Networks. Next That wraps up our discussion of e-commerce and security issues. In the next section, we’ll look at some more advanced PHP techniques including interacting with other machines on the Internet, generating images on-the-fly, and using session control. 19 525x ch15 1/24/03 3:41 PM Page 333 19 525x ch15 1/24/03 3:41 PM Page 334 IV Advanced PHP Techniques 16 Interacting with the File System and the Server 17 Using Network and Protocol Functions 18 Managing the Date and Time 19 Generating Images 20 Using Session Control in PHP 21 Other Useful Features 20 525x part4 1/24/03 3:38 PM Page 335 20 525x part4 1/24/03 3:38 PM Page 336 . 332 Chapter 15 Implementing Secure Transactions with PHP and MySQL If we are providing a Web interface to send GPG encrypted mail, the flow of informa- tion will look something like Figure 15.5. 3 Recipient’s Mail Server 2 Sender’s Browser Recipient’s Mail Client Web Server 1 Figure. 334 IV Advanced PHP Techniques 16 Interacting with the File System and the Server 17 Using Network and Protocol Functions 18 Managing the Date and Time 19 Generating Images 20 Using Session Control in PHP 21. more about how networks and networking protocols work, a classic introductory text is Andrew S.Tanenbaum’s Computer Networks. Next That wraps up our discussion of e-commerce and security issues.