On Oct 12, 2011, at 4:24 PM, Ken Robinson wrote:
> Quoting Benjamin Coddington <bcodding@xxxxxxx>:
>
>> Are there any assurances that function local variables are protected from code calling the function?
>>
>> For example, I would like to provide some cryptographic functions such as
>>
>> function org_secure_string($string) {
>> $org_key = "a very random key";
>> return hash($string, $key);
>> }
>>
>> function org_reveal_string($hash) {
>> $org_key = "a very random key";
>> return unhash($hash, $key);
>> }
>>
>> I'd like to protect $org_key from any code following or using these functions. I've not yet found a way that it can be revealed, but I wonder if anyone here can give me a definitive answer whether or not it is possible.
>
> It's called the scope of the variable. See http://us3.php.net/manual/en/language.variables.scope.php
>
> Variables defined in a function are only available to the function where they are defined.
Yes, but scope does not necessarily protect a value. Within a function globals are out of scope, but their values can still be accessed through $GLOBALS.
Many languages have little-documented reflection features. I am concerned about a determined person being capable of discovering the value of a variable within a function that has already been defined. Is there a way to this? Is there a way to examine the input buffer, or anything that has been read into the interpreter so far? Certainly those values exist within the memory of the process, which can be accessed through other methods.
I'd be very happy if anyone is able to say it is not possible to do this, and explain why.
Ben
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
