Chapter 29: Security (p. 545)

    chmod($uploadfile, 0644);
    print("File upload was successful");
    }
    else {
    print("File upload failed");
    }
    }
    else {
    print("Only images are allowed, upload failed");
    }

What's different about this version, and why is it better? We've started by working a little string and regex magic on our filename. The value of $_FILES['upfile']['name'] contains the literal name of the file as it was on the user's system; but for reasons which should already be apparent, this cannot be trusted. The second line removes any trailing and leading whitespace characters. The third line ensures that we have a filename with a manageable length by taking only the last twenty characters. We take these characters from the end because we need to capture the file extension; this is an important step because excessively long filenames can create a host of potential problems. The fourth line pulls out any spaces in the filename, as different platforms handle long filenames in different ways, potentially posing additional problems. The last thing we do before writing out the file is to make sure it's an image. You may wish to allow other types and can adjust the regular expression accordingly. Finally, we change permissions on the written-out file to a minimal set, reducing the risk from viruses or unwanted executables.

There are safer and less safe ways to handle file uploads; but uploading is historically one of the most insecure things that PHP allows you to do. Many good Web developers and sysadmins think that anyone who's willing to let unknown users upload unknown binaries to their filesystem is asking for trouble. So before implementation, you need to ask if this is really what you need or want to do, and if you're prepared for all the possible consequences. Once you've made that decision, follow the hints in this section to make things as safe as possible.
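As an added example (not the book's own listing, of which only the tail is reproduced above), here is the upload handler assembled from the steps the text describes; the accepted extension list, the uploads directory and the extra basename() call are this example's assumptions rather than the book's.

```php
<?php
// Added example, not the book's listing: the upload steps described above
// assembled into a complete handler. The extension list, the uploads
// directory and the basename() call are this example's own choices.

// Reduce an untrusted, client-supplied filename to something safe to write.
function sanitize_upload_name(string $name): string
{
    $name = basename($name);              // drop any directory part (added; not one of the book's steps)
    $name = trim($name);                  // strip leading and trailing whitespace
    $name = substr($name, -20);           // keep only the last 20 characters so the extension survives
    return str_replace(' ', '', $name);   // remove embedded spaces
}

// True only if the name ends in an image extension we accept (assumed list).
function is_allowed_image_name(string $name): bool
{
    return preg_match('/\.(gif|jpe?g|png)$/i', $name) === 1;
}

// Store one entry of $_FILES under $uploadDir and return a status message.
function handle_image_upload(array $file, string $uploadDir): string
{
    $name = sanitize_upload_name($file['name'] ?? '');
    if ($name === '' || !is_allowed_image_name($name)) {
        return 'Only images are allowed, upload failed';
    }
    $tmp = $file['tmp_name'] ?? '';
    $uploadfile = rtrim($uploadDir, '/') . '/' . $name;
    // is_uploaded_file() rejects anything that did not arrive via HTTP POST
    if (!is_uploaded_file($tmp) || !move_uploaded_file($tmp, $uploadfile)) {
        return 'File upload failed';
    }
    chmod($uploadfile, 0644);             // owner read/write, everyone else read-only, never executable
    return 'File upload was successful';
}

if (php_sapi_name() === 'cli') {
    // Constructed sample names so the cleanup can be checked without a browser
    $samples = ['  my holiday photo.jpg ', 'sub/dir/photo.gif', str_repeat('a', 40) . '.png', 'notes.php'];
    foreach ($samples as $raw) {
        $clean = sanitize_upload_name($raw);
        printf("%-30s -> %-22s allowed: %s\n", $raw, $clean, is_allowed_image_name($clean) ? 'yes' : 'no');
    }
} else {
    echo handle_image_upload($_FILES['upfile'] ?? [], __DIR__ . '/uploads');
}
```

Run from the command line it only exercises the filename cleanup on the constructed samples; under a web server it handles the form field named upfile.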
Encryption

Encryption is the process of encrypting some message, referred to as plaintext, into unrecognizable ciphertext. Without certain information (a key of some sort), it is extremely hard to reconstruct the plaintext from the ciphertext. Someone equipped with the proper key, however, can easily decrypt the ciphertext, revealing the original plaintext, at least if the chosen encryption function is not one-way.

We have already seen one use of encryption in this chapter: passwords are stored in encrypted form. Password encryption, however, is usually one-way. There is no key to decrypt an encrypted password. Such a key is not needed, and the encryption can be made stronger if it doesn't need to be reversible. Encryption has many other uses in online business, both for storing data on the server and transmitting it across the network.

Public-key encryption

Meet Alice and Bob, professional cryptographic examples. They were chosen by the mathematical community, not for their acting talent, but because their names begin with A and B. Alice and Bob want to communicate securely, but their only method of communication is via Pony Express, which is not particularly secure. Each of them selects a public key and a secret key.
