Re: Local variable protection

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Oct 13, 2011, at 5:05 AM, Stuart Dallas wrote:

> On 12 Oct 2011, at 21:06, Benjamin Coddington wrote:
> 
>> Are there any assurances that function local variables are protected from code calling the function?
>> 
>> For example, I would like to provide some cryptographic functions such as
>> 
>> function org_secure_string($string) {
>> 	$org_key = "a very random key";
>> 	return hash($string, $key);
>> }
>> 
>> function org_reveal_string($hash) {
>> 	$org_key = "a very random key";
>> 	return unhash($hash, $key);
>> }
>> 
>> I'd like to protect $org_key from any code following or using these functions.  I've not yet found a way that it can be revealed, but I wonder if anyone here can give me a definitive answer whether or not it is possible.
> 
> Maybe I'm missing something, but whatever protection might exist within a running PHP process, they'll simply be able to open your PHP file and see it there. Even if you're using something like Zend Guard, the string literal will not be difficult to extract.

We'll get around this by defining the functions in php's auto_prepend_file where we'll also restrict access to the file with open_basedir.

Ben 
-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php




[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux