Using PGP with PHP

Anon

I'm trying to encrypt an e-mail web form using PGP. One of my problems is that my unix virtual server does not allow SSH or Telnet access so I can not remotely add my public key to my webserver's public key. Thus, I am forced to upload my public key via ftp to the selected directory "www.mydomain.com/temp", and call on the key from there. The popular PHP/PGP script below by Julie does not work as I continually receive Error # 5 messages. This is probably due to the fact that it can't find the public key to encrypt with. Any suggestions or workarounds? My hands are tied with my current ISP since ftp is about the only way I can communicate with my server files, and ftp is pretty limited in what it can do.

//build the message string
$msg = "Sender's Full Name:\t$sender_name\n";
$msg .= "Sender's E-Mail:\t$sender_email\n";
$msg .= "Secret Message:\t$secret_msg\n\n";

//set the environment variable for PGPPATH

putenv("PGPPATH=/$DOCUMENT_ROOT/mydomain/temp/");
$p = $PGPPATH;

//generate token for unique filenames
$tmpToken = md5(uniqid(rand()));

//create vars to hold paths and filenames
$plainTxt = "/$DOCUMENT_ROOT/mydomain/temp/" . "$tmpToken" . "data";
$crypted = "/$DOCUMENT_ROOT/mydomain/temp/" . "$tmpToken" . "pgpdata";

//open file and dump in plaintext contents
$fp = fopen($plainTxt, "w+");
fputs($fp, $msg);
fclose($fp);

$pgp_id = "mydomain<info@mydomain.com>";
//invoke PGP to encrypt file contents
system("/usr/local/bin/pgp -e \"$pgp_id\" -o $crypted -a $plainTxt");

//open file and read encrypted contents into var
$fd = fopen($crypted, "r");
$mail_cont = fread($fd, filesize($crypted));
fclose($fd);

// Build mail message and send it to target recipient.
$recipient = "syndicate@ncweb.com";
$subject = "Secret Message";

$mailheaders = "From: info@mydomain.com\n";
$mailheaders .= "Reply-To: $sender_email\n\n";

mail("$recipient", "$subject", $mail_cont, $mailheaders);

// Print confirmation to screen.
echo "<H1 align=center>Thank You, $sender_name</h1>
<p align=center>Your secret message has been sent.</p>";

Anon

I am having a similar problem, and am getting very little help in solving it. Even my host calls php and pgp a black art. If I come across any info I will post it here.
Mike.

Anon

Thanks, Mike. To date the issue remains unresolved with me. If you come across any sort of solution, I would appreciate it. I'm sure were not alone in the web community in dealing with this problem.

Andy

Anon

Andy, have a read at this. I hope there are no typos as this was written in a major hurry.
Let me know how you get on.
Mike.

When I tried to get PGP + PHP working a couple of days ago I searched through lots of tutorials that were way!! above my head. I shall try to explain in detail what I did and how. These details may seem very simple but if I had access to them a few days ago I would have been a happy man.

1) Contacted my host and asked about PGP paths and the paths to my webspace.
PGP as entered: /usr/local/bin/pgp
Webspace as entered: /home/public_html

2) Downloaded a copy of freeware PGP from www.pgpi.org to suit my OS.

3) Installed & setup PGP (ver 7.03) on my home PC and found my keyring file which is called whateveryoucallit.pkr
My host id running PGP 5.0i.

4) set up a directory called .pgp in the root of my webspace:
/home/public_html/.pgp and used CUTEFTP to chmod it to 777

5) Uploaded whateveryoucallit.pkr to the .pgp directory and used CUTEFTP to chmod it to 644.

6) Changed the necessary details of the code below (from Julie Meloni) to make it work on my system, surrounded by either side !remove ** before uploading.

If the steps detailed above seem too simple then it was not meant for you, just others like me!!

With these settings the script seems to work and decrypt ok, but it is a work in progress and I have to research it a whole lot more before I put peoples card details through it. There is possibly a problem where if the server should fail mid encryption the original unencrypted message might be left on the server, eg. if the unlink commands were not executed..

I would like to refine this to the point where no temporary files are created at all. But this is beyond me at the moment.
All suggestions gracefully accepted.

code for sendsecret.php

<?
//build the message string
$msg = "Sender's Full Name:\t$sender_name\n";
$msg .= "Sender's E-Mail:\t$sender_email\n";
$msg .= "Secret Message?\t$secret_msg\n\n";
//set the environment variable for PGPPATH
putenv("PGPPATH=/home/public_html/.pgp");

//generate token for unique filenames
$tmpToken = md5(uniqid(rand()));

//create vars to hold paths and filenames
$plainTxt = "/home/public_html/.pgp" . "$tmpToken" . "data";
$crypted = "/home/public_html/.pgp" . "$tmpToken" . "pgpdata";

//open file and dump in plaintext contents
$fp = fopen($plainTxt, "w+");
fputs($fp, $msg);
fclose($fp);

//invoke PGP to encrypt file contents
// Your Name & Email Address must be exactly
// as your DH/DSS key pair in PGPKeys
system("/usr/local/bin/pgpe -r 'Your Name <your@emailaddress.com>' -o $crypted -a $plainTxt");

//open file and read encrypted contents into var
$fd = fopen($crypted, "r");
$mail_cont = fread($fd, filesize($crypted));
fclose($fd);

//delete files!
unlink($plainTxt);
unlink($crypted);

// Build mail message and send it to target recipient.
$recipient = "your email address";
$subject = "Secret Message";

$mailheaders = "From: My Web Site\n";
$mailheaders .= "Reply-To: $sender_email\n\n";

mail("$recipient", "$subject", $mail_cont, $mailheaders);

// Print confirmation to screen.
echo "
<H1 align=center>Thank You, $sender_name</h1>
<p align=center>Your secret message has been sent.</p>
";

Code for mail.php

<HEAD>
<TITLE>Secret Form</TITLE>
</HEAD>
<BODY>
<h1>Form to Send Secret Stuff</h1>

<p>Your E-Mail Address:<br>
<INPUT type="text" name="sender_email" size=25></p>

<p>The Secret Message:<br>
<TEXTAREA name="secret_msg" cols=35 rows=5></TEXTAREA></p>

</FORM>
</BODY>

Anon

Thanks, I'll try your way, and see how it goes. My php directory is the same as yours.
By chance, is your server Verio? They're one of the few major hosts who don't yet support PGP. Worse, they still use PHP3!!!

Andy

syndicate@ncweb.com

Anon

If you get that code working on your server, have a look at the thread starting at http://www.phpbuilder.com/forum/read.php3?num=2&id=115223&loc=0&thread=115223

Rob Jackson started me on a possibly slightly more secure path using popen and pipes. These methods don't seem to write the unencrypted file to the disk!!

Let me know how you get on.
Mike.

Anon

I was having problems doing PGP from PHP...

The web hosting provider I was working with has a strict policy against shell access, and they weren't willing to do anything other than tell me the path to PGP. So setting up PGP was an ordeal involving lots of PHP passthru commands and FTP sessions.

I downloaded a copy of PGP 2.6.3i/DOS since my primary machine is a Win2000 box and generated a new keyring using that.

I uploaded the resulting keyring to the web server, and eventually realized that PGP 2.6.3i/*nix ignores the PGPPATH environment variable.

I figured out that temporarily changing the HOME environment variable to point to a directory containing a .pgp subdirectory would satisfy PGP.

Hopefully someone else can benefit from this experience...