storing ethereal key? restricted environment variable?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

zeveck
Forum Newbie
Posts: 15
Joined: Mon Oct 17, 2005 7:23 pm
Location: Mountain View, CA

Post by zeveck

Is there any way to create an environment variable that only apache can see?
Or, even better, that only a particular PHP script can see?

How does Gentoo store environment variables? Are they just resident in memory?

What I really need is some way to make a password visible to a PHP script I am writing, but to do so such that it vanishes whenever the machine is reset. Ideally it would never get written to disk and would only be accessible from a particular script, say, deriveEncryptionKey.php.

Thoughts on how to do this?

-----------

I don't think a PHP global variable will work. The problem here is that I want something that is resident in memory only, that I can manually enter when the computer starts. For a series of PHP scripts running through Apache I don't see any way for me to manually specify the value of a PHP variable - reading it from a text file or such is an invalid solution because then it has to be resident in the text file.

Were it a command-line app I could just pass it as a command-line argument and then the PHP program could store it as a global variable, but there doesn't seem to be any such notion when running through Apache. Or is there some way to do the equivalent?

I know all solutions are technically insecure, but in any case involving a cryptographic key it has to be present somewhere. I am trying to figure out the best way of making it available to my PHP scripts. Any alternate suggestions will be appreciated.