#native_company# #native_desc#
#native_cta#

Some security & HTTP tips.

By Alexander Yanuar Koentjara
on May 10, 2001

Hi PHP friends,

Here comes some quick tips :

1. To prevent IE from caching WWW-Authentication

Use a dynamic Realm to prevent IE from caching your WWW-Authentication.
Simple example :


<?php

function do_auth()
{
  GLOBAL $PHP_AUTH_USER, $PHP_AUTH_PW;

  header("WWW-Authenticate: Basic realm="Secure Area (".
          substr(md5(md5(date("siHdMY",time()))),0,15).
          ")"");

  header("HTTP/1.0 401 Unauthorized");
  print("<HTML>Authorization is required</HTML>n");
  exit;
}

if(!isset($PHP_AUTH_USER)) 
  {
  do_auth();
  }
else
  {
  // Check if 
  //    username : Alexander
  //    password : Helloworld

  if  (
      md5($PHP_AUTH_USER) !=
          "b7a71d8799cf6dd75b711a7f52de6675"
      ||
      md5($PHP_AUTH_PW) !=
          "a165968b0a8084a041aed89bf40d581f"
      )
      // if username or password is wrong ...
      do_auth();
  }

print "Ok ! Welcome user !!";
?>

2. To prevent your sites accessed not by https protocol

Simple example (tested on Apache + PHP4) :


<?php

if (!$HTTP_SERVER_VARS["HTTPS"])
   {
   print 
        "
        <HTML>
        This site must be accessed with HTTPS (SSL)         
        </HTML>
        <SCRIPT LANGUAGE='javascript'>
        setTimeout('redirect()',3000);
        function redirect()
        {
        location.href='https://www.somewhere.com';
        }
        </SCRIPT> 
        ";
   exit;
   }

print "Thank you for using HTTPS to connect to our site !";
?>

3. Upload a file manually using PHP

Simple example


<?php
// function to read server name
function servername($txt)
{
  if (substr(strtoupper($txt),0,4)=="WWW.")
     $txt="HTTP://".$txt;
  if (substr(strtoupper($txt),0,7)!="HTTP://") 
      return 0;
  eregi("^(http://([^/ ]+))",$txt,$arr);
  return $arr[2];
}

// init ...
srand((double)microtime()*1000000);
$file = "anyfile.exe";
$remote_page = "http://127.0.0.1/upload.php";
$boundary = "---------------------------".substr(md5(rand(0,32000)),0,10);

// read the file
$fp = @fopen($file,"r");
if (!$fp) die ("Cannot read $file !!");
$content_file = fread($fp,filesize($file));
fclose($fp);

// define HTTP POST DATA
$data = "--$boundaryn".
        "Content-Disposition: form-data; name="file"; filename="$file"n".
        "Content-Type: application/octet-streamnn$content_file".
        "--$boundary--rnrn";

$msg = "POST $remote_page HTTP/1.0n".
       "Content-Type: multipart/form-data; boundary=$boundaryn".
       "Content-Length: ".strlen($data)."rnrn";

// Open socket connection ...
$f = fsockopen(servername($remote_page),80);

if ($f)
   {
   // Send the data
   fputs($f,$msg.$data);

   // retrieve the response
   $result="";
   while (!feof($f)) $result.=fread($f,1024);
   fclose($f);

   // write the response (if needed)
   print $result;
   }
else
   die ("Cannot connect !!!");
?>

4. To POST <FORM> data manually using PHP.

Simple example :


<?php
// function to read server name
function servername($txt)
{
  if (substr(strtoupper($txt),0,4)=="WWW.")
     $txt="HTTP://".$txt;
  if (substr(strtoupper($txt),0,7)!="HTTP://") 
      return 0;
  eregi("^(http://([^/ ]+))",$txt,$arr);
  return $arr[2];
}

// a file contain post data
$file = "post_data.txt";
$remote_url = "http://www.domain.com/script.php";

// read post data
$data = file($file);

// built up POST data
$request = "?";
for ($i=0;$i<count($data);$i++)
    {
    $arr = explode("=",$data[$i]);
    if (count($arr)!=2) continue;
    $request .= urlencode(trim($arr[0])) . 
                "=" . 
                urlencode(trim($arr[1])) . "&";
    }

// Build the header 
$header = "POST $remote_url HTTP/1.0rn"; 
$header .= "Content-type: application/x-www-form-urlencodedrn"; 
$header .= "Content-length: " . strlen($request) . "rnrn";

// Open the connection 
$fp = fsockopen(servername($remote_url), 80); 

if ($fp) 
  { 
   // Send HTTP request  
   fputs($fp, $header . $request); 

   // Get the response 
   $response="";
   while (!feof($fp)) 
   $response .= fgets($fp, 128); 

   fclose($fp);
  
   print $response;
   } 
else
   die ("Cannot connect !!!");

?>

Content of post_data.txt : 
name = Panda
gender = male
age = 10
location = China
Food = bamboo

5. To PING and display it in HTML.

Simple example :


<?php
// IP to ping
$IP = "127.0.0.1";

// exec the ping
exec("ping 127.0.0.1",$arr);
$arr = join("
n",$arr); // display the ping result print "<HTML><BODY>$arr</HTML></BODY>"; ?>

Warm regards,

LexZEUS