Re: Temporary storage of data

<?php

/** Page 1 of the form (uniqid.php).  Try to protect this page with your
server, mmmkay?  Authentication is left as an exercise for the reader... */
$genkey = 'http://receiving_server.com/genkey.php?fname=';
define('TMP', './');

$key = <<<KEY
admin's public key.  In an optimal situation you would have
GPG on both servers and this would be admin's public key.
In our less-than-perfect world the next best option: you
do private / public keypair encryption with your own PHP
functions.  Unfortunately I am no encryption expert!  So
instead this key will be generated by the receiving
server.  In fact, this whole block of text is about to get
nuked.  :)
KEY;

$data = <<<DATA
I am the data that you are trying to encrypt.  See if you can
guess what I am!

Testing 1.2..3...

<?php phpinfo(); ?>
<img src="http://evil:haxor/leet_hax0r/your_server_is_my_beeyatch.php.jpg" />
DATA;

$fp = null;
while(!$fp) {
  // uniqid() expects a string prefix; passing NULL is deprecated since PHP 8.1.
  $fname = TMP . uniqid('', TRUE);
  $fp = fopen($fname, 'x');
}

/** flock() doesn't work on all systems, write back to the list if this
    is the case for you.  But really, since we're creating a new file
    with a random name, this should be no problem. */
if(flock($fp, LOCK_EX)) {
  /** requires allow_url_fopen = 1 in php.ini or httpd.conf
  This page should generate the key for the file named $fname
  see function genkey() below. */
  $genkey .= urlencode($fname);
  //$key = file_get_contents($genkey);
  $key = genkey();
  $enc = encode($data, $key);
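  // fwrite() returns false on failure; 0 only means nothing was written.
  if (fwrite($fp, $enc) === false) {
    trigger_error("Could not write to temporary file $fname", E_USER_WARNING);
    /** Handle this error however you think you should... depends on what
        exactly is in the data / what you are trying to accomplish. */
  }
  // Release the lock once the write has been attempted.
  flock($fp, LOCK_UN);
} else {
  /** No lock was acquired... what do you want to do about it? */
}
// Close the handle in either case.
fclose($fp);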

/** for illustration purposes... */

echo $data . "\n\n\n";
echo $enc;


/** $data is a string of any length.  The $key here is actually weak,
but it should be good enough to keep people on the server from being
able to easily tell what you've got.  */
function encode($data, $key) {
  $enc = '';

  /** This is why this function stinks... because if someone intercepts
  the key when it is passed to the encoding server, then it isn't too
  tough for them to decode your data. */
  $printable_chars = unserialize($key);

  for ($i = 0; $i < strlen($data); $i++) {
    $char = substr($data, $i, 1);
    if (array_key_exists($char, $printable_chars)) {
      $enc .= $printable_chars[$char];
    } else {
      /** Handle this in the way you deem appropriate */
      trigger_error("unknown character: $char", E_USER_WARNING);
    }
  }

  return $enc;
}

/** You probably don't want this on the encoding server... but for the
sake of completeness I have put this function here.  */
function genkey($more_entropy = TRUE) {

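  // Must be an array: on PHP 7.1+ an empty string is no longer silently
  // converted to an array when indexed, so the table would not be built.
  $key = array();

  /** Modify this array if you need other characters */
  $printable_chars = array();
  for ($i = 0; $i <= 127; $i++) {
    $printable_chars[$i] = chr($i);
  }

  /** Now we create the encoding table. */
  foreach($printable_chars as $char) {
    // Empty-string prefix instead of NULL (deprecated since PHP 8.1).
    $key[$char] = uniqid('', $more_entropy);
  }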

  return serialize($key);
}


?>

Attachment: signature.asc
Description: OpenPGP digital signature
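
The public-key approach the post calls optimal, as an added example that is not part of the original message: it swaps GPG for libsodium sealed boxes from PHP's sodium extension (PHP 7.2+). The helper names store_sealed() and open_sealed() are hypothetical, and the keypair is generated in-script only so the example runs; on a real setup only the public key would be on the sending server.

```php
<?php
// Added example, not the poster's code. Assumes the sodium extension (PHP >= 7.2).
// store_sealed() and open_sealed() are hypothetical helper names.

/** Encrypt $data to the admin's public key and write it to a new file in $dir. */
function store_sealed(string $data, string $adminPublicKey, string $dir): string {
  // Anonymous public-key encryption: the sending server holds no decryption key.
  $sealed = sodium_crypto_box_seal($data, $adminPublicKey);

  $oldMask = umask(0077);            // new file is readable by its owner only
  do {
    // Name comes from the CSPRNG rather than the clock-based uniqid().
    $fname = rtrim($dir, '/') . '/' . bin2hex(random_bytes(16)) . '.sealed';
    // 'x' fails if the path already exists, so nothing is ever overwritten.
    $fp = @fopen($fname, 'x');
  } while ($fp === false && file_exists($fname));   // retry only on a name collision
  umask($oldMask);

  if ($fp === false) {
    throw new RuntimeException("Could not create a temporary file in $dir");
  }
  $written = fwrite($fp, $sealed);
  fclose($fp);
  if ($written !== strlen($sealed)) {
    unlink($fname);                  // do not leave a truncated ciphertext behind
    throw new RuntimeException("Short write to $fname");
  }
  return $fname;
}

/** Runs on the receiving side, the only place the secret key exists. */
function open_sealed(string $fname, string $adminKeypair): string {
  $plain = sodium_crypto_box_seal_open(file_get_contents($fname), $adminKeypair);
  if ($plain === false) {
    throw new RuntimeException("Decryption failed: wrong key or modified file");
  }
  return $plain;
}

// Constructed demo values: keypair and message exist only for this run.
$keypair = sodium_crypto_box_keypair();
$public  = sodium_crypto_box_publickey($keypair);
$message = "Testing 1.2..3...";

$file = store_sealed($message, $public, sys_get_temp_dir());
var_dump(open_sealed($file, $keypair) === $message);
unlink($file);
```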

