I am trying to build an application in PHP and I have an encrypt/decrypt method that I am deploying. To enhance the security, I declared these two methods as protected, and I plan to have any class that needs them inherit from them. Are there any drawbacks to this? I.e., can malicious users take advantage of the fact that they are declared protected?
-
`protected` and `private` have *nothing* at all to do with security. – ken Jan 19 '11 at 20:41
-
See http://stackoverflow.com/questions/1020749/what-are-public-private-and-protected-in-object-oriented-programming – Brad Jan 19 '11 at 20:42
-
ken: right, innately they don't, but as a convention of the language they limit the scope. So say somehow someone did gain access to the site, would they be able to inject code into my PHP scripts? Or are code injection attacks limited to DB, browser code, and client-side code? – xenador Jan 19 '11 at 21:14
-
Brad: thanks for the link, I think that my comment to ken gets to the heart of the question though. – xenador Jan 19 '11 at 21:18
-
@xenador - see the 2nd part of Nanne's answer; if someone gets to the point that they can run arbitrary code on your server, them having access to those class members will be the _least_ of your problems. e.g. sample code of what might be done: `file_put_contents(__FILE__, str_replace(array('private', 'protected'), 'public', file_get_contents(__FILE__)));` ...also: http://www.php.net/manual/en/reflectionclass.getproperties.php – ken Jan 19 '11 at 23:44
2 Answers
The concept of private/protected/public (i.e. visibility) has nothing to do with security at all. It's related to the concept of encapsulation.

Mchl
I don't think that protected, private or public should be used for that kind of security. It's more a tool for correct Object Oriented programming, not for security.
If an attacker can actually insert code that might exploit something like that, it would not be your worry if it's private or protected.

Nanne
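
An added illustration of the point both answers make (a constructed example, not code from the question or the answers; the `Crypto` class, its `decrypt()` body and the sample string are hypothetical stand-ins). Visibility is checked only for ordinary calls from outside the class hierarchy, so code already running in the same PHP process can still reach a protected method:

```php
<?php
// Constructed example: Crypto and its decrypt() body are hypothetical stand-ins
// for the asker's class; the "cipher" is a placeholder, not real cryptography.
class Crypto
{
    protected function decrypt(string $ciphertext): string
    {
        return strrev($ciphertext);
    }
}

$crypto = new Crypto();

// 1. An ordinary call from outside the hierarchy is refused by the engine.
//    This is the encapsulation guarantee, and it is the only one on offer.
try {
    $crypto->decrypt('terces');
} catch (Error $e) {
    echo 'direct call refused: ', get_class($e), PHP_EOL;
}

// 2. Any code in the process can declare a subclass and re-export the method.
$sub = new class extends Crypto {
    public function open(string $c): string
    {
        return $this->decrypt($c);
    }
};
echo 'via subclass: ', $sub->open('terces'), PHP_EOL;

// 3. A closure bound to the object and its class scope calls the method
//    on the original instance without subclassing at all.
$call = Closure::bind(
    fn (string $c): string => $this->decrypt($c),
    $crypto,
    Crypto::class
);
echo 'via bound closure: ', $call('terces'), PHP_EOL;

// 4. Reflection lists every member regardless of its visibility.
foreach ((new ReflectionClass(Crypto::class))->getMethods() as $m) {
    echo 'reflection sees: ', $m->getName(),
        $m->isProtected() ? ' (protected)' : '', PHP_EOL;
}
```

Requires PHP 7.4 or later for the arrow function. What keeps the data confidential is control over the key and over who can execute code on the server; the modifier only keeps well-behaved callers out of the class internals.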