Examples of encryption for database access
William Prothero
waprothero at gmail.com
Mon Jun 25 17:17:25 EDT 2018
Mark:
I’ve been exploring, Googling, and my Web Host Manager to figure out where to set the environmental variables for the security keys. It might be nice if I could set different values for different subdomains on my server, but my Web Host Manager program states that it will put a copy of the keys in the .htaccess file. Is the .htaccess file for a domain a secure place to put the keys?
I’ve put in a support ticket to my web host manager, but I’m not confident they know anything about security, so any bit of wisdom from you would be great.
Best,
Bill
> On Jun 25, 2018, at 10:16 AM, William Prothero via use-livecode <use-livecode at lists.runrev.com> wrote:
>
>> On Jun 25, 2018, at 9:54 AM, Mark Wieder via use-livecode <use-livecode at lists.runrev.com> wrote:
>>
>> Bill-
>>
>> Nicely done. For security though, I wouldn't store the encryption keys in either the LC stack or (especially) the php script.
>>
>> In the php script you can set the environment variable on the server and then access it as
>>
>> $encryption_key = .$_ENV["ENCRYPTION_KEY"]
>>
>> Same thing, obviously, for the initialization vector.
>>
>> On the LC end of things, it depends on whether you're distributing the stack as a standalone application or whether you have control over the environment the stack is running in. If you're in control of the environment then you can do something similar: set environment variables and then pick them up in the LC script. If you're distributing the stack to others, then I'd probably obfuscate the keys as much as possible: put them into an array with numeric keys, encrypt the array, store it in a custom property of some non-related object... if you need to distribute a stack without password protection I don't think there's any way to be completely secure, but there are ways to at least pretend to hide the keys.
>>
>>
>> [semi-related isue]
>>
>> be careful with lines like
>> $post = file_get_contents('php://input');
>>
>> Your test code should be fine, but if you're interacting with a database you'll want to scrub the input before acting on it.
>>
>> --
>> Mark Wieder
>> ahsoftware at gmail.com
>>
More information about the use-livecode
mailing list