On Oct 13, 2011, at 5:05 AM, Stuart Dallas wrote:
> On 12 Oct 2011, at 21:06, Benjamin Coddington wrote:
>
>> Are there any assurances that function local variables are protected from
>> code calling the function?
>>
>> For example, I would like to provide some cryptographic functions such as
>>
>> function org_secure_string($string) {
>>     $org_key = "a very random key";
>>     return hash($string, $org_key);
>> }
>>
>> function org_reveal_string($hash) {
>>     $org_key = "a very random key";
>>     return unhash($hash, $org_key);
>> }
>>
>> I'd like to protect $org_key from any code following or using these
>> functions. I've not yet found a way that it can be revealed, but I wonder
>> if anyone here can give me a definitive answer whether or not it is possible.
>
> Maybe I'm missing something, but whatever protection might exist within a
> running PHP process, they'll simply be able to open your PHP file and see it
> there. Even if you're using something like Zend Guard, the string literal
> will not be difficult to extract.

We'll get around this by defining the functions in PHP's auto_prepend_file,
where we'll also restrict access to the file with open_basedir.

Ben
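
A check that tests the plan above from the application's side, as an added example that is not part of the original thread: it reports whether code in the same PHP process can read the file that defines a function, and which string literals the body exposes if it can. The function body, the use of `hash_hmac`, the key value and the helper name `audit_function_source` are assumptions made for illustration.

```php
<?php
// Constructed stand-in for the function in the question; the key is a sample value
// and hash_hmac() replaces the placeholder hash() call (assumption).
function org_secure_string($string) {
    $org_key = "a very random key";
    return hash_hmac('sha256', $string, $org_key);
}

/**
 * Hypothetical helper: can code in this process read the source of $function,
 * and which string literals does the function body contain?
 */
function audit_function_source(string $function): array {
    $ref  = new ReflectionFunction($function);
    $file = $ref->getFileName();   // false for internal (built-in) functions
    // If open_basedir is in force and the file lies outside it, is_readable() fails here.
    if ($file === false || !@is_readable($file)) {
        return ['file' => $file, 'readable' => false, 'literals' => []];
    }
    // Cut the function's own lines out of the defining file.
    $start = $ref->getStartLine();
    $body  = implode('', array_slice(file($file), $start - 1, $ref->getEndLine() - $start + 1));
    // Tokenize the body and keep quoted string literals only.
    $literals = [];
    foreach (token_get_all("<?php\n" . $body) as $tok) {
        if (is_array($tok) && $tok[0] === T_CONSTANT_ENCAPSED_STRING) {
            $literals[] = $tok[1];
        }
    }
    return ['file' => $file, 'readable' => true, 'literals' => $literals];
}

$report = audit_function_source('org_secure_string');
printf("%s readable=%s\n", $report['file'], var_export($report['readable'], true));
foreach ($report['literals'] as $lit) {
    echo "  literal in body: $lit\n";
}
```

Run it from code that sits where the untrusted code would sit: `readable=false` means the file restriction holds for that path, while any listed literal means function scope alone is not keeping the key private.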