On Oct 13, 2011, at 5:05 AM, Stuart Dallas wrote: > On 12 Oct 2011, at 21:06, Benjamin Coddington wrote: > >> Are there any assurances that function local variables are protected from code calling the function? >> >> For example, I would like to provide some cryptographic functions such as >> >> function org_secure_string($string) { >> $org_key = "a very random key"; >> return hash($string, $key); >> } >> >> function org_reveal_string($hash) { >> $org_key = "a very random key"; >> return unhash($hash, $key); >> } >> >> I'd like to protect $org_key from any code following or using these functions. I've not yet found a way that it can be revealed, but I wonder if anyone here can give me a definitive answer whether or not it is possible. > > Maybe I'm missing something, but whatever protection might exist within a running PHP process, they'll simply be able to open your PHP file and see it there. Even if you're using something like Zend Guard, the string literal will not be difficult to extract. We'll get around this by defining the functions in php's auto_prepend_file where we'll also restrict access to the file with open_basedir. Ben -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php