NYCPHP Meetup

NYPHP.org

[nycphp-talk] Where to store credentials and/or keys

csnyder chsnyder at gmail.com
Mon Aug 14 17:47:42 EDT 2006


On 8/14/06, Dan Cech <dcech at phpwerx.net> wrote:
> Chris Shiflett wrote:
> > If you own neither, I have an old article on my web site that explains
> > it briefly (near the end):
> >
> > http://shiflett.org/articles/security-corner-mar2004
>
> That is quite a neat trick, and definitely a good one to add to the bag.
>
> Dan
>

Agreed, nice hack. :-)

If you use this method you should probably also disallow calls to
phpinfo() using the disable_functions configuration directive in
php.ini; see http://us3.php.net/manual/en/features.safe-mode.php#ini.disable-functions

As for decryption keys, I assume you mean the private key of a
public/private key pair? The private key should be stored on another
system, if possible, or protected by a strong passphrase that is
stored elsewhere.

-- 
Chris Snyder
http://chxo.com/
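
An added example, not part of the original message or of any project's code: a small Python check that reads php.ini text and reports whether phpinfo is in the effective disable_functions list, as the reply above recommends. The sample php.ini fragments are constructed, and treating a repeated directive as overriding the earlier one is an assumption.

```python
import re

# Constructed sample php.ini fragments (not taken from any real server).
WEAK = "[PHP]\n; disable_functions = phpinfo\ndisable_functions =\n"
HARDENED = "[PHP]\ndisable_functions = exec, phpinfo ,system ; locked down\n"
OVERRIDDEN = HARDENED + "disable_functions = exec\n"


def disabled_functions(ini_text):
    """Return the set of names in the effective disable_functions value."""
    value = ""
    for raw in ini_text.splitlines():
        # Everything after ';' is a comment, so a commented-out
        # directive must not count as an active setting.
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, val = line.split("=", 1)
        if key.strip() == "disable_functions":
            # Assumption: a later occurrence replaces an earlier one.
            value = val.strip().strip("\"'")
    # Names are separated by commas; stray whitespace is tolerated.
    return {name for name in re.split(r"[,\s]+", value) if name}


def phpinfo_blocked(ini_text):
    """True only when 'phpinfo' itself is listed (exact match)."""
    return "phpinfo" in disabled_functions(ini_text)


if __name__ == "__main__":
    samples = (("weak", WEAK), ("hardened", HARDENED), ("overridden", OVERRIDDEN))
    for label, text in samples:
        status = "blocked" if phpinfo_blocked(text) else "CALLABLE"
        print(f"{label}: phpinfo is {status}")
```

The overridden sample shows the failure mode worth checking for: a later, shorter disable_functions line silently drops phpinfo from the list.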


