Dell Sala wrote:
Hi all,
I'm doing some research on using GPG from PHP to encrypt sensitive
data that will be stored server-side. I came across an old but good
article:
...
Quoted from the article:
A second pitfall is in the use of PHP's shell_exec() statement. Since
you are executing a shell command the passphrase is available for all
to see due to having to echo it.
How is it available for all to see? Are all shell commands called from
PHP logged somewhere public? This didn't seem right to me, but maybe
I'm missing something. Anyone know what they mean by "available for
all to see"? Thanks!
It's probably safe enough to encrypt the data with a passphrase-less
public key. Whenever I need to store credit card data, I encrypt it with
GPG before storing it in the database. The private key file is not to be
stored on the same machine and should definitely not be accessible by
the web server!
~Rolan
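To make the approach in Rolan's reply concrete, here is an added example (not code from the thread or from the article Dell quotes) that encrypts data from PHP to a passphrase-less GPG public key. The plaintext is handed to gpg over a pipe and no secret appears in the command line, which is what the article's warning is about: anything placed on a shell command line (for example a passphrase echoed into gpg) is visible to every local user in `ps` output and may land in shell history. Assumptions: PHP 7.4 or later (so `proc_open` accepts an argv array and bypasses the shell), `gpg` on PATH, a keyring directory `$gnupgHome` that the web server user can read and that holds only the recipient's public key, and `$recipient` set to that key's fingerprint or user ID. The fingerprint and directory below are placeholders.

```php
<?php
// Added example: public-key encryption with GPG from PHP, nothing secret on
// the command line. Only the public key lives on this host; the private key
// (and its passphrase, if any) stays on a separate machine, as Rolan advises.

function gpg_encrypt_for_recipient(string $plaintext, string $recipient, string $gnupgHome): string
{
    // An argv array is executed directly (no /bin/sh), so there is no shell
    // quoting or injection surface and nothing has to be "echoed" through a pipeline.
    $cmd = [
        'gpg',
        '--homedir', $gnupgHome,
        '--batch', '--no-tty', '--yes',
        '--trust-model', 'always',   // trust is established by controlling which keys are in $gnupgHome
        '--armor',
        '--recipient', $recipient,
        '--encrypt',
    ];
    $spec = [
        0 => ['pipe', 'r'],  // stdin: plaintext goes in here, not as an argument
        1 => ['pipe', 'w'],  // stdout: ASCII-armored ciphertext
        2 => ['pipe', 'w'],  // stderr: gpg diagnostics
    ];
    $proc = proc_open($cmd, $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start gpg');
    }

    // For very large payloads interleave writes and reads with stream_select()
    // (or stream from a temporary file) to avoid filling the pipe buffers.
    fwrite($pipes[0], $plaintext);
    fclose($pipes[0]);

    $ciphertext = stream_get_contents($pipes[1]);
    $diagnostics = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);

    $status = proc_close($proc);
    if ($status !== 0) {
        // Never include $plaintext in the error path; the diagnostics are enough.
        throw new RuntimeException("gpg exited with status $status: $diagnostics");
    }
    return $ciphertext;
}

// Usage with constructed values. Store $armored in the database; decryption
// happens elsewhere with the private key, which is never copied to the web host.
$armored = gpg_encrypt_for_recipient(
    'constructed sample record, not real card data',
    'PLACEHOLDER-RECIPIENT-FINGERPRINT',   // assumed: fingerprint of the imported public key
    '/var/lib/app-gnupg'                   // assumed: keyring directory holding only the public key
);
echo $armored;
```

Two design points worth noting: the plaintext never touches the process argument list or a shell, so it is not exposed through `ps`, `/proc/<pid>/cmdline`, or shell history the way an echoed passphrase would be; and because encryption needs only the public key, the web host has nothing an attacker could use to decrypt the stored records, which is the property Rolan's setup relies on.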
_______________________________________________
New York PHP Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk