Examples of encryption for database access

William Prothero waprothero at gmail.com
Mon Jun 25 17:17:25 EDT 2018


Mark:
I’ve been exploring, Googling, and my Web Host Manager to figure out where to set the environmental variables for the security keys. It might be nice if I could set different values for different subdomains on my server, but my Web Host Manager program states that it will put a copy of the keys in the .htaccess file. Is the .htaccess file for a domain a secure place to put the keys?

I’ve put in a support ticket to my web host manager, but I’m not confident they know anything about security, so any bit of wisdom from you would be great.

Best,
Bill

> On Jun 25, 2018, at 10:16 AM, William Prothero via use-livecode <use-livecode at lists.runrev.com> wrote:
> 
>> On Jun 25, 2018, at 9:54 AM, Mark Wieder via use-livecode <use-livecode at lists.runrev.com> wrote:
>> 
>> Bill-
>> 
>> Nicely done. For security though, I wouldn't store the encryption keys in either the LC stack or (especially) the php script.
>> 
>> In the php script you can set the environment variable on the server and then access it as
>> 
>> $encryption_key = .$_ENV["ENCRYPTION_KEY"]
>> 
>> Same thing, obviously, for the initialization vector.
>> 
>> On the LC end of things, it depends on whether you're distributing the stack as a standalone application or whether you have control over the environment the stack is running in. If you're in control of the environment then you can do something similar: set environment variables and then pick them up in the LC script. If you're distributing the stack to others, then I'd probably obfuscate the keys as much as possible: put them into an array with numeric keys, encrypt the array, store it in a custom property of some non-related object... if you need to distribute a stack without password protection I don't think there's any way to be completely secure, but there are ways to at least pretend to hide the keys.
>> 
>> 
>> [semi-related isue]
>> 
>> be careful with lines like
>> $post = file_get_contents('php://input');
>> 
>> Your test code should be fine, but if you're interacting with a database you'll want to scrub the input before acting on it.
>> 
>> -- 
>> Mark Wieder
>> ahsoftware at gmail.com
>> 





More information about the use-livecode mailing list