Examples of encryption for database access

Mark Wieder ahsoftware at sonic.net
Mon Jun 25 12:54:18 EDT 2018


Bill-

Nicely done. For security though, I wouldn't store the encryption keys 
in either the LC stack or (especially) the php script.

In the php script you can set the environment variable on the server and 
then access it as

$encryption_key = .$_ENV["ENCRYPTION_KEY"]

Same thing, obviously, for the initialization vector.

On the LC end of things, it depends on whether you're distributing the 
stack as a standalone application or whether you have control over the 
environment the stack is running in. If you're in control of the 
environment then you can do something similar: set environment variables 
and then pick them up in the LC script. If you're distributing the stack 
to others, then I'd probably obfuscate the keys as much as possible: put 
them into an array with numeric keys, encrypt the array, store it in a 
custom property of some non-related object... if you need to distribute 
a stack without password protection I don't think there's any way to be 
completely secure, but there are ways to at least pretend to hide the keys.


[semi-related isue]

be careful with lines like
$post = file_get_contents('php://input');

Your test code should be fine, but if you're interacting with a database 
you'll want to scrub the input before acting on it.

-- 
  Mark Wieder
  ahsoftware at gmail.com




More information about the Use-livecode mailing list