Re: PHP Crypt functions - security audit
On Mon, Sep 16, 2013 at 01:44:16PM +0100, Alain Williams wrote:
> > Note that most of these things don't refer to PHP directly. i.e.
> > encryption between user and PHP is usually done by the web server.
> > Encryption between PHP and databases by database libraries. If
> > applications built on top of PHP don't do proper end-to-end encryption
> > it is also no issue of the platform in itself.
>
> I am aware of that. Unless we are careful all the components in an application
> stack (of which PHP is just one part) will just sit on their hands and tell
> people to look elsewhere. I am trying to kick start something that other
> components will pick up and do their bit.

One other point is that the functions in the various libraries (at the C
programming level) have got to be called with all manner of arguments, some of
which are not visible at the PHP level. Are these the correct ones?

The difference between something that works and something that is really secure
can, sometimes, be subtle/non-obvious.

--
Alain Williams
Linux/GNU Consultant - Mail systems, Web sites, Networking, Programmer, IT Lecturer.
+44 (0) 787 668 0256 http://www.phcomp.co.uk/
Parliament Hill Computers Ltd. Registration Information: http://www.phcomp.co.uk/contact.php
#include <std_disclaimer.h>