The client-side scripting language JavaScript provides a solution. You can use JavaScript to create a MD5 message digest of the password and transmit only the digest, rather than the real password. This means that the user’s password never travels over the network. On the server side, you can use a PHP script to compare the user-supplied MD5 of a password with the user’s real password’s MD5 digest. If both digests match, you have a user that knows his or her password and therefore should be given access. Now let’s look at this process using an example. Listing 22-1 shows a Web form with two JavaScripts. The first script simply loads an external JavaScript MD5 library called md5.js. You can also download it from the Internet via http://www.publicator.no/includes/script/md5.js. Listing 22-1: md5_login.html <html> <head> <script language=”JavaScript” src=”md5.js”></script> <script language=”JavaScript”> function processForm() { document.loginForm.password.value = MD5(document.loginForm.password.value); document.loginForm.submit(); } </script> </head> <body> <center> <form name=”loginForm” method=”post” action=”md5_login.php”> <table border=0 cellpadding=3 cellspacing=0> <tr> <td> Name </td> <td> <input type=”text” name=”username” size=”10”> </td> </tr> <tr> <td> Password </td> <td> <input type=”password” name=”password” size=”15” ></td> </tr> Chapter 22: Securing PHP Applications 741 29 549669 ch22.qxd 4/4/03 9:28 AM Page 741 <tr> <td colspan=2> <input onclick=”processForm(); return true;” type=”button” value=”Login”> </td> </tr> </table> </form> </center> </body> </html> The second JavaScript has a single function called processForm(). This func- tion is called when the login form’s Login button is clicked. This function creates an MD5 digest of the user-supplied password and replaces the password value with the MD5 digest, and then submits the data to the md5_login.php PHP script, shown in Listing 22-2. Listing 22-2: md5_login.php <?php error_reporting(E_ALL); define(‘PASSWORD’, ‘2manysecrets’); $user = (! empty($_REQUEST[‘username’])) ? $_REQUEST[‘username’] : null; $givenMD5Hash = (! empty($_REQUEST[‘password’])) ? $_REQUEST[‘password’] : null; // If user given MD5 of password does not match // with the md5(PASSWORD) then redirect // user to login page again if (strcmp($givenMD5Hash , md5(PASSWORD))) { header(“Location: md5_login.html”); } // User knows password so login successful echo “Welcome to PHP.”; ?> 742 Part VI: Tuning and Securing PHP Applications 29 549669 ch22.qxd 4/4/03 9:28 AM Page 742 This PHP script creates an MD5 digest of the real password stored as a constant called PASSWORD and compares it against the user-supplied MD5 digest of the pass- word. If they do not match, the user is redirected to the md5_login.html page. Otherwise, a welcome message is shown. Note that the password is hard-coded in the example code for demonstration only. In real application, the password will be stored in a database. As the real password never travels the network, this method of login is more secure, as guessing the original password for an MD5 digest is very difficult. Using Web server–based authorization If you must limit the network or IP address from which users can access your appli- cation, you can create an .htaccess conf configuration as follows: Order deny,allow Deny all Allow from 192.168. You can also put this in your httpd.conf file by putting the preceding configura- tion in a directory container, as shown here: <Directory “/path/to/your_app”> Order deny,allow Deny all Allow from 192.168. </Directory> If you want to use the Location container, you can use a relative path: <Location “/your_app”> Order deny,allow Deny all Allow from 192.168. </Location> In any of the preceding three cases, all access to the /your_app directory under the Web document root is restricted to hosts with IP addresses that belong to 192.168.x.x networks. In other words, an IP address such as 192.168.0.1 or 192.168.254.1 can access the application. You can allow specific IP addresses as well, as shown in the following example: <Location “/your_app”> Order deny,allow Deny all Allow from 192.168.1.100 130.86.1.2 </Location> Chapter 22: Securing PHP Applications 743 29 549669 ch22.qxd 4/4/03 9:28 AM Page 743 In the preceding example, access is restricted to only the two named IP addresses. If you want to exclude a particular IP or network, simply use Deny from, as shown here: <Location “/your_app”> Order allow,deny Deny from 130.86. Allow all </Location> Your Web application always has access to the user’s IP address as $_SERVER[‘REMOTE_ADDR’]. However, note that a block of users can have the same IP address if their requests are sent via a caching proxy server. Restricting write access to directories When your PHP applications need to write to a certain directory, be very careful about the directory permissions. Your PHP applications typically run as the Web server, so you must allow it to write to the directory in which you want to allow your application to create new files or update existing ones. Never make your direc- tories world readable. In other words, never run commands such as chmod -R 777 on a directory that is accessible via the Web or your applications. Securely Uploading Files PHP makes uploading files easy, but with ease comes danger. Let’s look at a simple scenario. Listing 22-3 shows a simple file upload form that calls bad_upload.html script to upload a file. The uploaded file is processed by a script called bad_uploader.php. Listing 22-3: bad_upload.html <html> <head><title>Upload Form Using Bad Uploader Script</title> <body> <form method=”POST” enctype=”multipart/form-data” action=”bad_uploader.php”> File: <input type=”file” name=”picfile”> <input type=submit value=”Upload Picture”> </form> </body> </html> 744 Part VI: Tuning and Securing PHP Applications 29 549669 ch22.qxd 4/4/03 9:28 AM Page 744 The bad_uploader.php, shown in Listing 22-4, copies the Web browser–uploaded file to a directory called images. Before copying the uploaded temporary file (which is created automatically by PHP) to the images directory, it checks whether the file size is less than five thousands bytes, and whether the file is a GIF image or not. When both of these conditions are met, the file is copied to the images directory. Otherwise, it displays a message stating that the upload was unsuccessful. Listing 22-4: bad_uploader.php <?php // This script will not work // if register_globals is OFF // This is here to make a point only define(‘MAX_FILE_SIZE’, 5000); define(‘FILE_TYPE’, ‘image/gif’); echo “File name : $picfile_name <br>”; echo “File size : $picfile_size <br>”; echo “File type : $picfile_type <br>”; if ( ($picfile_size < MAX_FILE_SIZE) && ($picfile_type == FILE_TYPE)) { copy($picfile, “images/$picfile_name”); } else { echo “Your file $picfile_name was not uploaded. <br>”; } ?> The Web form in Listing 22-4 has a file field called picfile. When processed by PHP, it creates $picfile_name as the file name, $picfile_size as the size of the file, and $picfile_type as the file’s MIME type. The script uses these variables to perform its job. For many programmers, there is nothing wrong with the way the preceding script works. However, consider the Web form, hacked_bad_upload_ form.html, shown in Listing 22-5. Listing 22-5: hacked_bad_upload_form.html <html> <head><title>Hacker’s Upload Form Attacking Bad Uploader Script</title> <body> Continued Chapter 22: Securing PHP Applications 745 29 549669 ch22.qxd 4/4/03 9:28 AM Page 745 . the MD5 digest, and then submits the data to the md5_login .php PHP script, shown in Listing 22-2. Listing 22-2: md5_login .php < ?php error_reporting(E_ALL); define(‘PASSWORD’, ‘2manysecrets’); $user. password so login successful echo “Welcome to PHP. ”; ?> 742 Part VI: Tuning and Securing PHP Applications 29 549669 ch22.qxd 4/4/03 9:28 AM Page 742 This PHP script creates an MD5 digest of the. Restricting write access to directories When your PHP applications need to write to a certain directory, be very careful about the directory permissions. Your PHP applications typically run as the Web server,