Mark:
I’ve been exploring, Googling, and my Web Host Manager to figure out where to
set the environmental variables for the security keys. It might be nice if I
could set different values for different subdomains on my server, but my Web
Host Manager program states that it will put a copy of the keys in the
.htaccess file. Is the .htaccess file for a domain a secure place to put the
keys?
I’ve put in a support ticket to my web host manager, but I’m not confident they
know anything about security, so any bit of wisdom from you would be great.
Best,
Bill
> On Jun 25, 2018, at 10:16 AM, William Prothero via use-livecode
> <use-livecode@lists.runrev.com> wrote:
>
>> On Jun 25, 2018, at 9:54 AM, Mark Wieder via use-livecode
>> <use-livecode@lists.runrev.com> wrote:
>>
>> Bill-
>>
>> Nicely done. For security though, I wouldn't store the encryption keys in
>> either the LC stack or (especially) the php script.
>>
>> In the php script you can set the environment variable on the server and
>> then access it as
>>
>> $encryption_key = .$_ENV["ENCRYPTION_KEY"]
>>
>> Same thing, obviously, for the initialization vector.
>>
>> On the LC end of things, it depends on whether you're distributing the stack
>> as a standalone application or whether you have control over the environment
>> the stack is running in. If you're in control of the environment then you
>> can do something similar: set environment variables and then pick them up in
>> the LC script. If you're distributing the stack to others, then I'd probably
>> obfuscate the keys as much as possible: put them into an array with numeric
>> keys, encrypt the array, store it in a custom property of some non-related
>> object... if you need to distribute a stack without password protection I
>> don't think there's any way to be completely secure, but there are ways to
>> at least pretend to hide the keys.
>>
>>
>> [semi-related isue]
>>
>> be careful with lines like
>> $post = file_get_contents('php://input');
>>
>> Your test code should be fine, but if you're interacting with a database
>> you'll want to scrub the input before acting on it.
>>
>> --
>> Mark Wieder
>> ahsoftw...@gmail.com
>>
_______________________________________________
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription
preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode
