On Oct 13, 2011, at 5:05 AM, Stuart Dallas wrote:

> On 12 Oct 2011, at 21:06, Benjamin Coddington wrote:
> 
>> Are there any assurances that function local variables are protected from 
>> code calling the function?
>> 
>> For example, I would like to provide some cryptographic functions such as
>> 
>> function org_secure_string($string) {
>>      $org_key = "a very random key";
>>      return hash($string, $org_key);
>> }
>> 
>> function org_reveal_string($hash) {
>>      $org_key = "a very random key";
>>      return unhash($hash, $org_key);
>> }
>> 
>> I'd like to protect $org_key from any code following or using these 
>> functions.  I've not yet found a way that it can be revealed, but I wonder 
>> if anyone here can give me a definitive answer whether or not it is possible.
> 
> Maybe I'm missing something, but whatever protection might exist within a 
> running PHP process, they'll simply be able to open your PHP file and see it 
> there. Even if you're using something like Zend Guard, the string literal 
> will not be difficult to extract.

We'll get around this by defining the functions in PHP's auto_prepend_file,
where we'll also restrict access to the file with open_basedir.

Ben 