-1

I have some sensitive data, like user data and stuff, stored in arrays at times, and the problem is that with a very high probability unset behaves just like deleting works on most file systems: it just removes it from the index and, well, "out of sight, out of mind". But I clearly want to annihilate the array's contents, so they cannot be read anymore even if there might be a second Heartbleed or similar stuff... So I want to completely overwrite the array's data so it cannot be retrieved from the RAM anymore after I have finished my work with it.

Any ideas?

Peter
My1
  • I suggest that if this is such a critical security issue, that you use a different language, one specifically designed with this functionality in mind..... most computer languages don't wipe memory when variables cease to be defined, but simply free that memory for use elsewhere..... it's very transient, but there is a slight risk of bleed that even banks tolerate, but if you're working for the NSA then you probably have to be concerned about even this level of security – Mark Baker Dec 03 '15 at 10:46
  • Of course, if your system is compromised to the level where a potential hacker can gain direct access to the system memory, you probably have more serious security worries – Mark Baker Dec 03 '15 at 10:47
  • @Sougata the duplicate thing is wrong. The other one was for freeing the memory, while this one is for actually wiping the array data away from the RAM – My1 Dec 03 '15 at 10:52
  • "most computer languages don't wipe memory when variables cease to be defined" -> that's exactly why I ask this. For single strings it's easy http://stackoverflow.com/questions/10088553/wiping-out-value-of-a-variable-from-physical-memory-in-php but arrays can contain anything: numbers, strings, bools etc... – My1 Dec 03 '15 at 10:55
  • I think these are all explained there. If not, others will vote to reopen it. :) – Sougata Bose Dec 03 '15 at 10:57
  • With simple strings, it isn't always so easy.... most simple strings are "deleted" by simply setting the length to zero, leaving the previous contents still in memory..... but if you really are that paranoid about memory leaks to reveal sensitive data, then PHP is definitely not the language that you should be using, nor indeed any of the commonly used development languages – Mark Baker Dec 03 '15 at 11:00
  • I put an extra link in there, where there is a relatively easy function. For a string you go over the length of the string and set each char, for example to 'x' (and then I unset it), but I probably don't even know about all types that exist and what would be the best way to overwrite them. – My1 Dec 03 '15 at 11:02
  • You would also have issues with calling functions using pass by value where the function modifies the original argument in some way, triggering a "copy" within the scope of that function, especially if that modified copy is to be the return value, because there is no way you can forcibly eliminate that copy from memory after the return..... you're dependent on garbage collection to deallocate the memory used, which again is a simple deallocation, not a wipe – Mark Baker Dec 03 '15 at 11:05
  • If you absolutely have to do this in PHP, then you almost certainly need to create a custom garbage collector that will actually overwrite memory before deallocating it, and ensure that it is triggered whenever there is a change to a variable that might reduce its length, unset it, set it to null, etc – Mark Baker Dec 03 '15 at 11:06
  • Well, there's not a lot of secret stuff passed between functions (and even if the caller and the functions itself both wipe their copies), usually each function gets it by itself and at least for strings I have the wipe function based on answer from the link before the question if what is the best for arrays since in an array I don't have a preset type. – My1 Dec 03 '15 at 11:18

1 Answer

0

To wipe an array completely, you can either unset or overwrite it.

$array = array(1, 2, 3);

// To unset it - a var_dump will return NULL afterwards
unset($array);

// To overwrite - a var_dump will return array(0) { empty } afterwards
$array = array();
Peter
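
The overwrite-before-release approach the asker describes in the comments, extended from single strings to mixed, nested arrays, as an added example that is not part of the original question or answer. It assumes PHP 7.2+ for `sodium_memzero()` (with a per-character fallback), the names `wipe_string()` and `wipe_array()` are hypothetical, and it is best effort only: copies the engine made elsewhere, as described in the comments on pass-by-value, are not reached.

```php
<?php
// Added example; wipe_string() and wipe_array() are hypothetical helper names.

function wipe_string(&$s): void
{
    if (function_exists('sodium_memzero')) {
        // Zeroes the buffer (when $s is its only owner) and sets $s to null.
        sodium_memzero($s);
        return;
    }
    // Fallback: the per-character overwrite mentioned in the comments.
    // PHP copies a shared or literal string before writing to it, so this
    // only reaches the original buffer when $s is its sole owner.
    for ($i = 0, $n = strlen($s); $i < $n; $i++) {
        $s[$i] = "\0";
    }
    $s = null;
}

function wipe_array(array &$data): void
{
    foreach ($data as &$value) {
        if (is_array($value)) {
            wipe_array($value);          // nested arrays: recurse first
        } elseif (is_string($value)) {
            wipe_string($value);
        } else {
            // int, float and bool are replaced by assignment. Objects and
            // resources are only released here; their contents are not wiped.
            $value = null;
        }
    }
    unset($value);                       // break the foreach reference
    $data = [];                          // keys are released, not overwritten
}

// Constructed sample data; the strings are built at run time, not literals.
$user = [
    'id'      => 42,
    'token'   => bin2hex(random_bytes(16)),
    'profile' => ['email' => strtolower('ALICE@EXAMPLE.TEST'), 'admin' => true],
];

wipe_array($user);
var_dump($user);
```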