On Wed, Oct 12, 2011 at 4:51 PM, Benjamin Coddington <bcodding@xxxxxxx>wrote:
> On Oct 12, 2011, at 4:24 PM, Ken Robinson wrote:
>
> > Quoting Benjamin Coddington <bcodding@xxxxxxx>:
> >
> >> Are there any assurances that function local variables are protected
> from code calling the function?
> >>
> >> For example, I would like to provide some cryptographic functions such
> as
> >>
> >> function org_secure_string($string) {
> >> $org_key = "a very random key";
> >> return hash($string, $key);
> >> }
> >>
> >> function org_reveal_string($hash) {
> >> $org_key = "a very random key";
> >> return unhash($hash, $key);
> >> }
> >>
> >> I'd like to protect $org_key from any code following or using these
> functions. I've not yet found a way that it can be revealed, but I wonder
> if anyone here can give me a definitive answer whether or not it is
> possible.
> >
> > It's called the scope of the variable. See
> http://us3.php.net/manual/en/language.variables.scope.php
> >
> > Variables defined in a function are only available to the function where
> they are defined.
>
> Yes, but scope does not necessarily protect a value. Within a function
> globals are out of scope, but their values can still be accessed through
> $GLOBALS.
>
Maybe you should read that [1] again and thoroughly analyze the given
example. Any variable and its value within the function is only accessible
within _that_ function, unless you make a reference to a global variable.
Thus, the value is protected within the local scope inside that function,
which you're free to do as you wish within that same function. As Ken
mentioned, you should revisit that section Ken provided in the official
manual. BTW, your examples will generate errors as $key is not defined nor
did you reference it to a global variable within the functions.
If you still have any doubts, run the following code with all errors and
warnings enabled in the php.ini:
function org_secure_string($string) {
$key = "a very random key";
return hash($string, $key);
}
echo '<pre>';
var_dump($GLOBALS);
The use of var_dump is one of the best ways to confirm that what actually
happens is the _exactly_the_same_ as what you think should happen within
your code/application.
Many languages have little-documented reflection features. I am concerned
> about a determined person being capable of discovering the value of a
> variable within a function that has already been defined. Is there a way to
> this? Is there a way to examine the input buffer, or anything that has been
> read into the interpreter so far? Certainly those values exist within the
> memory of the process, which can be accessed through other methods.
>
> I'd be very happy if anyone is able to say it is not possible to do this,
> and explain why.
>
> Ben
>
>
Regards,
Tommy
[1] php.net/reserved.variables.globals
