Examples of encryption for database access

William Prothero waprothero at gmail.com
Mon Jun 25 13:16:13 EDT 2018 

Mark:
Thanks so much! This is just the advice I needed. I was wondering about the security of the keys.

I’m setting up a general db library stack. One of the apps will be distributed for free to teachers and students. The other apps are mobile and will be used either by me alone, or distributed to others, possibly through the app store. 

So, it’s good to get the techniques for securing the db in a variety of environments.

Best,
Bill

> On Jun 25, 2018, at 9:54 AM, Mark Wieder via use-livecode <use-livecode at lists.runrev.com> wrote:
> 
> Bill-
> 
> Nicely done. For security though, I wouldn't store the encryption keys in either the LC stack or (especially) the php script.
> 
> In the php script you can set the environment variable on the server and then access it as
> 
> $encryption_key = .$_ENV["ENCRYPTION_KEY"]
> 
> Same thing, obviously, for the initialization vector.
> 
> On the LC end of things, it depends on whether you're distributing the stack as a standalone application or whether you have control over the environment the stack is running in. If you're in control of the environment then you can do something similar: set environment variables and then pick them up in the LC script. If you're distributing the stack to others, then I'd probably obfuscate the keys as much as possible: put them into an array with numeric keys, encrypt the array, store it in a custom property of some non-related object... if you need to distribute a stack without password protection I don't think there's any way to be completely secure, but there are ways to at least pretend to hide the keys.
> 
> 
> [semi-related isue]
> 
> be careful with lines like
> $post = file_get_contents('php://input');
> 
> Your test code should be fine, but if you're interacting with a database you'll want to scrub the input before acting on it.
> 
> -- 
> Mark Wieder
> ahsoftware at gmail.com
> 
> _______________________________________________
> use-livecode mailing list
> use-livecode at lists.runrev.com
> Please visit this url to subscribe, unsubscribe and manage your subscription preferences:
> http://lists.runrev.com/mailman/listinfo/use-livecode

More information about the use-livecode mailing list