Hi all,
I'm doing some research on using GPG from PHP to encrypt sensitive
data that will be stored server-side. I came across an old but good
article:
http://devzone.zend.com/article/1265-Encryption-and-Decryption-using-PHP-and-GnuPG
Decryption example from article:
$gpg = '/usr/bin/gpg';                   // path to the gpg binary
$passphrase = 'My secret pass phrase.';  // passphrase for the private key
$encrypted_file = 'foo.gpg';             // ciphertext input
$unencrypted_file = 'foo.txt';           // plaintext output
// Pipe the passphrase into gpg on fd 0 and decrypt the file
echo shell_exec("echo $passphrase | $gpg --passphrase-fd 0 -o $unencrypted_file -d $encrypted_file");
They did mention one pitfall related to using shell_exec:
http://devzone.zend.com/article/1265-Encryption-and-Decryption-using-PHP-and-GnuPG#Heading7
Quoted from the article:
A second pitfall is in the use of PHP's shell_exec() statement.
Since you are executing a shell command the passphrase is available
for all to see due to having to echo it.
How is it available for all to see? Are all shell commands called
from PHP logged somewhere public? This didn't seem right to me, but
maybe I'm missing something. Anyone know what they mean by "available
for all to see"? Thanks!
-- Dell
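The exposure the article alludes to is the process table: the whole shell command, including the echoed passphrase, is visible in `ps` output and /proc/<pid>/cmdline to any local user while it runs, and it may also land in shell history or error logs. The following is an added example (not from the Zend article or from Dell's post) showing the same gpg decryption with the passphrase written to gpg's stdin through a pipe, so it never appears on a command line; the file paths and the function name are assumptions for illustration.

```php
<?php
// Added example: decrypt a gpg file without putting the passphrase in argv.
// The passphrase goes to gpg's fd 0 over a pipe opened by proc_open(), and
// file names are quoted with escapeshellarg() so they cannot inject shell syntax.
function gpgDecryptFile(string $passphrase, string $encryptedFile,
                        string $outputFile, string $gpg = '/usr/bin/gpg'): bool
{
    // --pinentry-mode loopback is required by GnuPG 2.1+ for --passphrase-fd to
    // be honoured; drop it on gpg 1.x, which does not know the option.
    $cmd = escapeshellcmd($gpg)
         . ' --batch --yes --pinentry-mode loopback --passphrase-fd 0'
         . ' -o ' . escapeshellarg($outputFile)
         . ' -d ' . escapeshellarg($encryptedFile);

    $descriptors = [
        0 => ['pipe', 'r'],  // stdin: the passphrase is written here, not echoed in the shell
        1 => ['pipe', 'w'],  // stdout
        2 => ['pipe', 'w'],  // stderr
    ];
    $proc = proc_open($cmd, $descriptors, $pipes);
    if (!is_resource($proc)) {
        return false;
    }

    fwrite($pipes[0], $passphrase . "\n");
    fclose($pipes[0]);                       // EOF tells gpg the passphrase is complete
    $stderr = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    $status = proc_close($proc);

    if ($status !== 0) {
        // Log gpg's diagnostics only; the passphrase itself is never logged.
        error_log('gpg decryption failed: ' . trim($stderr));
        return false;
    }
    return true;
}

// Assumed paths for illustration, mirroring the article's example.
$ok = gpgDecryptFile('My secret pass phrase.', 'foo.gpg', 'foo.txt');
echo $ok ? "decrypted foo.gpg to foo.txt\n" : "decryption failed\n";
```

While this runs, `ps -ef` shows only the gpg options and file names, not the passphrase; keeping the passphrase out of the PHP source (for example in a file readable only by the web server user) is a separate concern the article's example also does not address.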
_______________________________________________
New York PHP Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk
NYPHPCon 2006 Presentations Online
http://www.nyphpcon.com
Show Your Participation in New York PHP
http://www.nyphp.org/show_participation.php