536  Part III  Advanced Features and Techniques

This is not a good solution: the second conditional in this code segment checks for pathname separators in the given filename. The program explicitly describes a set of unacceptable inputs and treats anything else as acceptable, so it depends on the programmer imagining and checking for every possible undesired input. In this case the programmer has missed something by making the implicit assumption that no sensitive files are stored in the same directory as the script.

What if a file that should be private escapes your server anyway? There is a chance that some misconfiguration (perhaps by someone else) or an unnoticed security hole will render some or all of your server's files publicly accessible.

PHP allows you to explicitly specify the set of directories in which files can be opened with the configuration value open_basedir. See Chapter 30 for more information on the PHP configuration file. This setting is useful for preventing access to entire directories and is a good way to limit the damage.

Many sensitive files, however, must be opened by PHP programs as visitors use the site. A common example is a password file. Access to such a file cannot be blocked with open_basedir, but the sensitive information it contains can be stored in a form that is useless to anyone who steals it.

A password-protected site must verify the password given by a visitor who wants access. One way to do this would be to store the password in encrypted form and decrypt it when we need to compare it with the user-supplied password. The problem is that if we can decrypt the password, others may be able to decrypt it too: anyone who obtains the key recovers every password at once. Also, we would have to make sure that no one could see the password after we decrypted it for comparison. Instead, we can use a one-way function: one that is easy to compute but that cannot be reversed to recover the password. Strictly speaking this is hashing rather than encryption, although crypt() and much older documentation use the latter term.
Rather than decrypt a stored password and compare the decrypted versions, we hash the given password with the same salt and compare the results. Unix uses this strategy with its own password file, /etc/passwd (on modern systems the hashes themselves live in /etc/shadow, readable only by root), and PHP allows programmers to use the same function for their own password files. The function crypt(password, salt) hashes the given password. The salt adds randomness: it should be chosen at random when the password is first recorded, so that two users with the same password get different stored values and an attacker cannot precompute a table of hashes. The function returns the concatenation of the salt and the hashed password, which is why the stored value itself tells crypt() which salt to use when verifying a later attempt. The following function will create a new password hash for a visitor:

    function new_pw($given) {
        return crypt($given);
    }

Relying on PHP to choose the salt, as this function does, is no longer safe: on old versions the default is the traditional DES scheme (a two-character salt, and only the first eight characters of the password are used), PHP 5.6 raises a notice when the salt is omitted, and PHP 8 makes the salt parameter mandatory. Generate the salt yourself with a modern scheme such as SHA-512 ("$6$"), or use password_hash() and password_verify(), available since PHP 5.5.
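The following script is an added example, not code from the book. It puts the two points of this section together: an allow-list check that confines a requested file to one directory (instead of the deny-list of pathname separators criticised above), and password verification that hashes the submitted password and compares it to the stored hash, never decrypting anything. The directory name public_files, the user alice and the passwords are assumptions made up for the example; a real password file would live on disk, outside the document root and readable only by the web server user.

```php
<?php
// Added example (not the book's code). Assumes a hypothetical directory
// ./public_files holding the only files this script may serve.

declare(strict_types=1);

const PUBLIC_DIR = __DIR__ . '/public_files';   // hypothetical

/**
 * Allow-list check: resolve the requested name and accept it only if the
 * resolved path lies inside PUBLIC_DIR. "../" sequences, absolute paths,
 * symlinks pointing elsewhere, the script's own source or a password file
 * stored next to it are all rejected, without enumerating each bad pattern.
 * Returns the real path of the file, or null if it must not be served.
 */
function safe_public_path(string $requested): ?string
{
    $base = realpath(PUBLIC_DIR);
    if ($base === false) {
        return null;                       // directory missing: serve nothing
    }
    $candidate = realpath($base . '/' . $requested);
    if ($candidate === false) {
        return null;                       // no such file
    }
    // Compare against "$base/" so that "/public_files_secret/x" does not
    // pass as a prefix match of "/public_files".
    if (strncmp($candidate, $base . '/', strlen($base) + 1) !== 0) {
        return null;                       // resolved outside the allowed tree
    }
    return is_file($candidate) ? $candidate : null;
}

/**
 * Record a new password: a random 16-character salt in crypt()'s SHA-512
 * format ("$6$salt$"), so the stored value records both the scheme and the
 * salt. The password itself is never stored.
 */
function new_pw(string $given): string
{
    // 12 random bytes -> 16 base64 characters, no padding. crypt's salt
    // alphabet is [./0-9A-Za-z]; base64 uses '/' but '+' must be mapped.
    $salt = substr(strtr(base64_encode(random_bytes(12)), '+', '.'), 0, 16);
    return crypt($given, '$6$' . $salt . '$');
}

/**
 * Verify: hash the submitted password with the salt embedded in the stored
 * value and compare. hash_equals() runs in constant time, so the comparison
 * does not leak how many leading characters of the hash matched. crypt()
 * returns a short "*0"/"*1" string on failure, hence the length check.
 */
function check_pw(string $given, string $stored): bool
{
    $computed = crypt($given, $stored);    // stored hash doubles as salt spec
    return strlen($computed) > 13 && hash_equals($stored, $computed);
}

// Constructed sample "password file": user => stored hash. Built at run time
// here so the example is self-contained.
$passwd = [
    'alice' => new_pw('correct horse battery staple'),
];

// Demonstration: a correct and an incorrect login, then two requests that
// the allow-list check refuses.
var_dump(check_pw('correct horse battery staple', $passwd['alice']));
var_dump(check_pw('wrong password', $passwd['alice']));
var_dump(safe_public_path('../passwd.txt'));
var_dump(safe_public_path('/etc/passwd'));
```

The first var_dump is true and the second false; the two path requests both yield null, the first because realpath() resolves the "../" outside public_files, the second because the leading slash is simply appended to the base directory and no such file exists there. On PHP 5.5 or later, password_hash() and password_verify() perform the salt generation and constant-time comparison for you and are the preferred interface; crypt() is used above because it is the function this chapter discusses.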