Re: [PHP] Saving of buffers, from a security standpoint

Posted by Richard Lynch on 05/12/05 00:52

On Wed, May 11, 2005 10:02 am, Colin Ross said:
> I am working on a bit of code for credit-card processing, so please keep
> in mind, security of the data is essential.
> On part of it I wish to use a buffer, but I wonder if that data is saved
> anywhere on the running system (as a temp file, etc), or is it just held
> in the system's memory?

What kind of a buffer?

Actually, scratch that question.

There is no guarantee, in PHP, that the data in your running script will
not be stored in swap (temp file) on disk as the script runs.

It would be nice, perhaps, if there were a way to allocate memory only in
RAM that could not be swapped.

There are, in some OSes, low-level calls to do this, but I don't think PHP
wrappers exist (yet) for them.

At any rate, my point is that if the Bad Guys can read your swap files,
you're probably already in so much trouble that the credit card numbers
aren't your #1 concern. It is that bad.

> My concern is that if an error occurs in the processing, I don't want that
> buffer to remain (with possible valid Credit Card data) on the system...

You want to catch/handle as many possible errors as you can, and work
through them intelligently.

No matter what you do, it's possible that you'll end up with a core dump
(or similar) with your RAM including CC#s in it. You'll want to make this
as unlikely as you can, but you'll also want to think about what you'll do
if it *DOES* happen. Should you turn off core dumps on a production
server? Probably, if you can. Does that guarantee that somebody (maybe
you a year from now) trying to detect some other issue won't turn it back
on, yes, even on a production server? Probably not. So, prepare for it,
and do the right thing, whatever you think that is.

Back to your buffers: It really all depends on how you build the buffer,
and where they are allocated/stored/free'd. PHP has no data type of
"buffer" so we don't really understand the question until you clarify that
a bit.

--
Like Music?
http://l-i-e.com/artists.htm
