Mark:
Thanks so much! This is just the advice I needed. I was wondering about the 
security of the keys.

I’m setting up a general db library stack. One of the apps will be distributed 
for free to teachers and students. The other apps are mobile and will be used 
either by me alone, or distributed to others, possibly through the app store. 

So, it’s good to get the techniques for securing the db in a variety of 
environments.

Best,
Bill

> On Jun 25, 2018, at 9:54 AM, Mark Wieder via use-livecode 
> <use-livecode@lists.runrev.com> wrote:
> 
> Bill-
> 
> Nicely done. For security though, I wouldn't store the encryption keys in 
> either the LC stack or (especially) the php script.
> 
> In the php script you can set the environment variable on the server and then 
> access it as
> 
> $encryption_key = $_ENV["ENCRYPTION_KEY"];
> 
> Same thing, obviously, for the initialization vector.
> 
> On the LC end of things, it depends on whether you're distributing the stack 
> as a standalone application or whether you have control over the environment 
> the stack is running in. If you're in control of the environment then you can 
> do something similar: set environment variables and then pick them up in the 
> LC script. If you're distributing the stack to others, then I'd probably 
> obfuscate the keys as much as possible: put them into an array with numeric 
> keys, encrypt the array, store it in a custom property of some non-related 
> object... if you need to distribute a stack without password protection I 
> don't think there's any way to be completely secure, but there are ways to at 
> least pretend to hide the keys.
> 
> 
> [semi-related issue]
> 
> be careful with lines like
> $post = file_get_contents('php://input');
> 
> Your test code should be fine, but if you're interacting with a database 
> you'll want to scrub the input before acting on it.
> 
> -- 
> Mark Wieder
> ahsoftw...@gmail.com
> 
> _______________________________________________
> use-livecode mailing list
> use-livecode@lists.runrev.com
> Please visit this url to subscribe, unsubscribe and manage your subscription 
> preferences:
> http://lists.runrev.com/mailman/listinfo/use-livecode
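
Added example, not code from either message in this thread: one way to apply both suggestions above on the PHP side, reading the key and initialization vector from the server environment (failing closed if they are missing) and validating the `php://input` body before a parameterized insert. The names `load_secret`, `handle_post`, `ENCRYPTION_IV`, the `notes` table, the hex encoding and the 32-byte/16-byte lengths are assumptions for illustration.

```php
<?php
// Added example; load_secret, handle_post and the "notes" table are hypothetical names.

// Read a hex-encoded secret from the server environment and fail closed.
// getenv() is used because $_ENV is empty when variables_order lacks "E".
function load_secret(string $name, int $bytes): string {
    $hex = getenv($name);
    if ($hex === false || !ctype_xdigit($hex) || strlen($hex) !== $bytes * 2) {
        throw new RuntimeException("$name is not set or has the wrong length");
    }
    return hex2bin($hex);
}

// Validate the raw request body before it gets near the database.
function handle_post(PDO $db, string $raw): int {
    if (strlen($raw) > 4096) {
        throw new InvalidArgumentException('body too large');
    }
    $data = json_decode($raw, true);
    if (!is_array($data) || !isset($data['student_id'], $data['note'])) {
        throw new InvalidArgumentException('malformed body');
    }
    $id = filter_var($data['student_id'], FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false || !is_string($data['note']) || strlen($data['note']) > 500) {
        throw new InvalidArgumentException('invalid field');
    }
    // Bound parameters keep the submitted values out of the SQL text.
    $stmt = $db->prepare('INSERT INTO notes (student_id, note) VALUES (?, ?)');
    $stmt->execute([$id, $data['note']]);
    return (int) $db->lastInsertId();
}

// Constructed demo values; on a real server these are set in the web server
// or PHP-FPM configuration, never in the script itself.
putenv('ENCRYPTION_KEY=' . str_repeat('ab', 32)); // assumed 32-byte key
putenv('ENCRYPTION_IV=' . str_repeat('cd', 16));  // assumed 16-byte IV
$key = load_secret('ENCRYPTION_KEY', 32);
$iv  = load_secret('ENCRYPTION_IV', 16);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE notes (id INTEGER PRIMARY KEY, student_id INTEGER, note TEXT)');

// In the deployed script $raw would be file_get_contents('php://input').
$raw = '{"student_id": 7, "note": "O\'Brien\'s homework"}'; // constructed sample body
echo handle_post($db, $raw), "\n";
```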

