I'm currently a student and I'm studying PHP, I'm trying to make a simple encrypt/decrypt of data in PHP. I made some online research and some of them were quite confusing(at least for me).
Rate this post Web Shell PHP Exploit WordPress is by far the most popular CMS (Content Management System). This popularity is due in particular to the great personalization offered by themes and extensions. This customization is also a door open for backdoors. What is a Backdoor? Backdoors are pieces. Tutorial to develop multi user secure login system using php including script. Coded in PHP for web application development. Multiple users can login from same web page. PHP login script using PDO.
Here's what I'm trying to do:
I have a table consisting of these fields (UserID,Fname,Lname,Email,Password)
What I want to have is have the all fields encrypted and then be decrypted(Is it possible to use
sha256
for encryption/decryption, if not any encryption algorithm)Another thing I want to learn is how to create a one way
hash(sha256)
combined with a good 'salt'.(Basically I just want to have a simple implementation of encryption/decryption, hash(sha256)+salt)
Sir/Ma'am, your answers would be of great help and be very much appreciated. Thank you++Randel RamirezRandel Ramirez
6 Answers
Starting with your table definition:
Here are the changes:
- The fields
Fname
,Lname
andEmail
will be encrypted using a symmetric cipher, provided by OpenSSL, - The
IV
field will store the initialisation vector used for encryption. The storage requirements depend on the cipher and mode used; more about this later. - The
Password
field will be hashed using a one-way password hash,
Cipher and mode
Choosing the best encryption cipher and mode is beyond the scope of this answer, but the final choice affects the size of both the encryption key and initialisation vector; for this post we will be using AES-256-CBC which has a fixed block size of 16 bytes and a key size of either 16, 24 or 32 bytes.
Encryption key
A good encryption key is a binary blob that's generated from a reliable random number generator. The following example would be recommended (>= 5.3):
This can be done once or multiple times (if you wish to create a chain of encryption keys). Keep these as private as possible.
IV
The initialisation vector adds randomness to the encryption and required for CBC mode. These values should be ideally be used only once (technically once per encryption key), so an update to any part of a row should regenerate it.
A function is provided to help you generate the IV:
Example
Let's encrypt the name field, using the earlier
$encryption_key
and $iv
; to do this, we have to pad our data to the block size:Storage requirements
The encrypted output, like the IV, is binary; storing these values in a database can be accomplished by using designated column types such as
BINARY
or VARBINARY
.The output value, like the IV, is binary; to store those values in MySQL, consider using
BINARY
or VARBINARY
columns. If this is not an option, you can also convert the binary data into a textual representation using base64_encode()
or bin2hex()
, doing so requires between 33% to 100% more storage space.Decryption of the stored values is similar:
You can further improve the integrity of the generated cipher text by appending a signature that's generated from a secret key (different from the encryption key) and the cipher text. Before the cipher text is decrypted, the signature is first verified (preferably with a constant-time comparison method).
Example
See also:
hash_equals()
Storing a reversible password in your database must be avoided as much as possible; you only wish to verify the password rather than knowing its contents. If a user loses their password, it's better to allow them to reset it rather than sending them their original one (make sure that password reset can only be done for a limited time).
Applying a hash function is a one-way operation; afterwards it can be safely used for verification without revealing the original data; for passwords, a brute force method is a feasible approach to uncover it due to its relatively short length and poor password choices of many people.
Hashing algorithms such as MD5 or SHA1 were made to verify file contents against a known hash value. They're greatly optimized to make this verification as fast as possible while still being accurate. Given their relatively limited output space it was easy to build a database with known passwords and their respective hash outputs, the rainbow tables.
Adding a salt to the password before hashing it would render a rainbow table useless, but recent hardware advancements made brute force lookups a viable approach. That's why you need a hashing algorithm that's deliberately slow and simply impossible to optimize. It should also be able to increase the load for faster hardware without affecting the ability to verify existing password hashes to make it future proof.
Currently there are two popular choices available:
- PBKDF2 (Password Based Key Derivation Function v2)
- bcrypt (aka Blowfish)
This answer will use an example with bcrypt.
Generation
A password hash can be generated like this:
The salt is generated with
openssl_random_pseudo_bytes()
to form a random blob of data which is then run through base64_encode()
and strtr()
to match the required alphabet of [A-Za-z0-9/.]
.The
crypt()
function performs the hashing based on the algorithm ($2y$
for Blowfish), the cost factor (a factor of 13 takes roughly 0.40s on a 3GHz machine) and the salt of 22 characters.Validation
Once you have fetched the row containing the user information, you validate the password in this manner:
To verify a password, you call
crypt()
again but you pass the previously calculated hash as the salt value. The return value yields the same hash if the given password matches the hash. To verify the hash, it's often recommended to use a constant-time comparison function to avoid timing attacks.Password hashing with PHP 5.5
PHP 5.5 introduced the password hashing functions that you can use to simplify the above method of hashing:
And verifying:
See also:
password_hash()
, password_verify()
Ja͢ckJa͢ck
I'm think this has been answered before...but anyway, if you want to encrypt/decrypt data, you can't use SHA256
romoromo
Answer Background and Explanation
To understand this question, you must first understand what SHA256 is. SHA256 is a Cryptographic Hash Function. A Cryptographic Hash Function is a one-way function, whose output is cryptographically secure. This means it is easy to compute a hash (equivalent to encrypting data), but hard to get the original input using the hash (equivalent to decrypting the data). Since using a Cryptographic hash function means decrypting is computationally infeasible, so therefore you cannot perform decryption with SHA256.
What you want to use is a two-way function, but more specifically, a Block Cipher. A function that allows for both encryption and decryption of data. The functions
mcrypt_encrypt
and mcrypt_decrypt
by default use the Blowfish algorithm. PHP's use of mcrypt can be found in this manual. A list of cipher definitions to select the cipher mcrypt uses also exists. A wiki on Blowfish can be found at Wikipedia. A block cipher encrypts the input in blocks of known size and position with a known key, so that the data can later be decrypted using the key. This is what SHA256 cannot provide you.Code
cytinuscytinus
VivekVivek
gauravbhai daxinigauravbhai daxini
It took me quite a while to figure out, how to not get a
false
when using openssl_decrypt()
and get encrypt and decrypt working. If you want to pass the encrypted string via a URL, you need to urlencode the string:
To better understand what is going on, read:
To generate 16 bytes long keys you can use:
To see error messages of openssl you can use:
echo openssl_error_string();
Hope that helps.
Kai NoackKai Noack
protected by user557846 Aug 9 '16 at 2:23
Thank you for your interest in this question. Because it has attracted low-quality or spam answers that had to be removed, posting an answer now requires 10 reputation on this site (the association bonus does not count).
Would you like to answer one of these unanswered questions instead?
Would you like to answer one of these unanswered questions instead?
Not the answer you're looking for? Browse other questions tagged phpsecurityencryptioncryptographyencryption-symmetric or ask your own question.
This question already has an answer here:
- How to encrypt/decrypt data in php? 6 answers
How to Encrypt password in PHP, i am using below code to insert data into database using PHP code and i am able to store new member data but now i just want to encrypt user password..
PHP Script::
Chulbul Pandey
Chulbul PandeyChulbul Pandey
marked as duplicate by Ja͢ck, hjpotter92, Yan Sklyarenko, Anand Shah, souser12345May 20 '13 at 11:56
This question has been asked before and already has an answer. If those answers do not fully address your question, please ask a new question.
5 Answers
You can make use of
http://php.net/manual/en/function.crypt.php
Use prepared statements while doing a db query. (PDO or mysqli)
crypt();
in php. It supports multiple hash types.http://php.net/manual/en/function.crypt.php
Use prepared statements while doing a db query. (PDO or mysqli)
curious_codercurious_coder
md5 is not safe anymore, sha should be used from now on. Take a look at http://php.net/manual/en/function.hash.php and use with sha256 or sha512
graywolfgraywolf
I believe that your question is very basic method of handling passwords to store in database. There are many views on this if you might have googled already. However these two links might be helpful .
Check this link for knowing all methods available. You need not to follow article but it gives all possible ways of password management.
another this question!
Community♦
PC.PC.
i am using this class for encrypt.
Create a php file named MCrypt.php
and include thi php file to where you use encrypt
and then use
one last thing to add don't forget to change
must be 16 characters
Mehmet EmreMehmet Emre
use mysql encription ,
for AES_ENCRYPT()
for AES_DECRYPT
Saurabh Chandra PatelSaurabh Chandra Patel