On Oct 13, 2011, at 5:05 AM, Stuart Dallas wrote:

> On 12 Oct 2011, at 21:06, Benjamin Coddington wrote:
>
>> Are there any assurances that function local variables are protected from
>> code calling the function?
>>
>> For example, I would like to provide some cryptographic functions such as
>>
>> function org_secure_string($string) {
>>   $org_key = "a very random key";
>>   return hash($string, $org_key);
>> }
>>
>> function org_reveal_string($hash) {
>>   $org_key = "a very random key";
>>   return unhash($hash, $org_key);
>> }
>>
>> I'd like to protect $org_key from any code following or using these
>> functions. I've not yet found a way that it can be revealed, but I wonder
>> if anyone here can give me a definitive answer whether or not it is possible.
>
> Maybe I'm missing something, but whatever protection might exist within a
> running PHP process, they'll simply be able to open your PHP file and see it
> there. Even if you're using something like Zend Guard, the string literal
> will not be difficult to extract.

We'll get around this by defining the functions in PHP's auto_prepend_file where we'll also restrict access to the file with open_basedir.

Ben

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
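
Added example, not part of the original messages: a PHP script that checks both points raised in this thread, namely that a function-local key stays out of the caller's symbol table while the defining source file stays readable until open_basedir excludes it. It swaps the thread's placeholder hash()/unhash() for hash_hmac(), and the `org_jail` directory name and the runtime ini_set() call are assumptions made so the script runs stand-alone.

```php
<?php
// Illustration only: the function name and key are the thread's placeholders.
function org_secure_string(string $string): string {
    $org_key = "a very random key";               // local to this call only
    return hash_hmac('sha256', $string, $org_key); // hash_hmac() stands in for hash()
}

// Returns true if the key literal can be recovered from the function's source file.
function key_visible_in_source(string $function, string $needle): bool {
    $ref   = new ReflectionFunction($function);
    $lines = @file($ref->getFileName());           // false when open_basedir blocks it
    if ($lines === false) {
        return false;
    }
    $start = $ref->getStartLine() - 1;
    $body  = array_slice($lines, $start, $ref->getEndLine() - $start);
    return strpos(implode('', $body), $needle) !== false;
}

// 1. Runtime scope: after the call, the local is not in the global symbol table.
org_secure_string("hello");
echo "key in caller scope: ",
     array_key_exists('org_key', get_defined_vars()) ? "yes" : "no", "\n";

// 2. Source on disk: any caller that can read the file can read the literal.
echo "key readable before open_basedir: ",
     key_visible_in_source('org_secure_string', 'a very random key') ? "yes" : "no", "\n";

// 3. Tighten open_basedir to a directory that does not contain this file
//    (assumed jail directory; created here so the script is self-contained).
$jail = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'org_jail';
if (!is_dir($jail)) {
    mkdir($jail, 0700);
}
if (ini_set('open_basedir', $jail) === false) {
    exit("could not tighten open_basedir\n");
}

echo "key readable after open_basedir: ",
     key_visible_in_source('org_secure_string', 'a very random key') ? "yes" : "no", "\n";

// The already-compiled function keeps working for callers inside the jail.
echo "function still callable: ",
     strlen(org_secure_string("hello")) === 64 ? "yes" : "no", "\n";
```

Run it from a directory outside the system temp directory so the script's own path falls outside the jail.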