On Oct 12, 2011, at 4:24 PM, Ken Robinson wrote:
> Quoting Benjamin Coddington <bcodd...@uvm.edu>:
>
>> Are there any assurances that function local variables are protected from
>> code calling the function?
>>
>> For example, I would like to provide some cryptographic functions such as
>>
>> function org_secure_string($string) {
>> $org_key = "a very random key";
>> return hash($string, $key);
>> }
>>
>> function org_reveal_string($hash) {
>> $org_key = "a very random key";
>> return unhash($hash, $key);
>> }
>>
>> I'd like to protect $org_key from any code following or using these
>> functions. I've not yet found a way that it can be revealed, but I wonder
>> if anyone here can give me a definitive answer whether or not it is possible.
>
> It's called the scope of the variable. See
> http://us3.php.net/manual/en/language.variables.scope.php
>
> Variables defined in a function are only available to the function where they
> are defined.
Yes, but scope does not necessarily protect a value. Within a function globals
are out of scope, but their values can still be accessed through $GLOBALS.
Many languages have little-documented reflection features. I am concerned
about a determined person being capable of discovering the value of a variable
within a function that has already been defined. Is there a way to this? Is
there a way to examine the input buffer, or anything that has been read into
the interpreter so far? Certainly those values exist within the memory of the
process, which can be accessed through other methods.
I'd be very happy if anyone is able to say it is not possible to do this, and
explain why.
Ben
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
