Menu
The general question is: Is it possible to remove value of the String variable from physical memory after that variable being unset in PHP?
The problem arised from certain requirements of security standards (there should be no way to dump data from memory to disk while processing certain vital data). According to "Is memory encrypted?" topic there is no good way to encrypt data in-memory.
So, when unsetting String variable in PHP you cannot say for sure that data in memory was overwritten. Same story about setting new value to variable.
Thus I'm interested if it is possible to wipe out variable value from memory without changing core code of unset method?
316
First of all, I'm not sure that wiping out the string will meet the security requirement you described, as one could still theoretically dump memory before the string is wiped anyway. But that's impossible to meet anyway, as you can't process data without having it in memory.
Anyway, if you want to ensure the string is wiped, I think the only way to do so in PHP is to loop through the string and modify each character: remember, the contents of memory do not go away until overwritten, even if you have no references to the variable and PHP GC has run.
I believe this will work:
for( $i=0; $i < strlen($str); $i++ )
$str[$i] = 'x';
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
