www.webdeveloper.com
Results 1 to 7 of 7

Thread: Encrypt and Decrypt function

  1. #1
    Join Date
    Nov 2013
    Posts
    72

    Encrypt and Decrypt function

    I found this function on the web to encrypt and decrypt passwords and it seems to work pretty well but I don't really understand what is going on with it. Would someone mind explaining it to me please?


    PHP Code:
    function encrypt_decrypt($action$string){
        
    $output false;

        
    $encrypt_method "AES-256-CBC";
        
    $secret_key 'This is my secret key';
        
    $secret_iv 'This is my secret iv';

        
    // hash
        
    $key hash('sha256'$secret_key);
        
        
    // iv - encrypt method AES-256-CBC expects 16 bytes - else you will get a warning
        
    $iv substr(hash('sha256'$secret_iv), 016);

        if( 
    $action == 'encrypt' ) {
            
    $output openssl_encrypt($string$encrypt_method$key0$iv);
            
    $output base64_encode($output);
        }
        else if( 
    $action == 'decrypt' ){
            
    $output openssl_decrypt(base64_decode($string), $encrypt_method$key0$iv);
        }

        return 
    $output;


  2. #2
    Join Date
    Mar 2007
    Location
    localhost
    Posts
    2,342
    Yes, I know I'm about as subtle as being hit by a bus..(\\.\ Aug08)
    Yep... I say it like I see it, even if it is like a baseball bat in the nutz... (\\.\ Aug08)
    I want to leave this world the same way I came into it, Screaming, Incontinent & No memory!
    I laughed that hard I burst my colostomy bag... (\\.\ May03)
    Life for some is like a car accident... Mine is like a motorway pile up...

    Problems with Vista? :: Getting Cryptic wid it. :: The 'C' word! :: Whois?

  3. #3
    Join Date
    Dec 2011
    Location
    Centurion, South Africa
    Posts
    795
    May I ask the purpose of the decryption?

    If you are sending data between web servers without the use of certificates, then of course the data needs to be decryptable.

    But, if you are using this for something like password matching, it would be better to use one-way, salted, hashes instead. PHP and mysql both offer cryptographic functionality for this kind of purpose, such as MD5 or SHA1 etc.

    http://php.net/sha1
    https://dev.mysql.com/doc/refman/5.5...functions.html
    JavaScript: Learn | Validate | Compact | bionoid

  4. #4
    Join Date
    Nov 2013
    Posts
    72
    This is what I wanted to use for password matching.

  5. #5
    Join Date
    Dec 2011
    Location
    Centurion, South Africa
    Posts
    795
    Great, then I would personally suggest using only one-way hashes.

    How are your passwords stored? In a file, or in a database?
    JavaScript: Learn | Validate | Compact | bionoid

  6. #6
    Join Date
    Nov 2013
    Posts
    72
    They will be stored in a database

  7. #7
    Join Date
    Dec 2011
    Location
    Centurion, South Africa
    Posts
    795
    OK, I will assume you're using MySQL for now.

    Let's say you want to create a new user in your users table, while setting a password:

    Code:
    INSERT INTO users (`username`, `password`) VALUES ("username", SHA1("password"))
    And during some login procedure you have on the client side, the webserver could query it like so:

    PHP Code:
    <?php

        $username 
    $_POST['username'];
        
    $password $_POST['password'];

        
    $rs mysql_query('SELECT * FROM users u WHERE u.username = "' mysql_real_escape_string($username) . '" AND u.password = SHA1("' mysql_real_escape_string($password) . '") LIMIT 1');
        if (
    $user mysql_fetch_array($rsMYSQL_ASSOC)) {

            echo 
    'USER FOUND';
            
    print_r($user);

        } else {

            echo 
    'USER NOT FOUND';

        }
        
    mysql_free_result($rs);

    ?>
    I haven't tested the code, but that's basically how it's done. The passwords are currently unsalted, meaning if users choose the same password they would end up with the same hash.

    A recommendation for creating the hash is something like : [password] + [server defined salt] + [unique salt]

    Eg,

    Code:
    SHA1(CONCAT("password", "server_salt", u.id))
    And the same rules would need to be followed on the PHP side as well.
    Last edited by bionoid; 12-08-2013 at 07:05 PM.
    JavaScript: Learn | Validate | Compact | bionoid

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  
HTML5 Development Center



Recent Articles