PHP - best method to encrypt and decrypt a string.

Hey guys.

I have been looking into encrypting a large string before entering it into my database and then decrypting it again in a secure user area.

There seem to be a few ways to go about doing this; I was wondering if anyone could recommend which method/function works best?

Thanks :)
 
What is the data field for ? Why does it need to be stored encrypted and then decrypted ?

If it's a password, the usual approach is a one-way hash, so you never need to decrypt.

Some databases also give you this functionality "for free" based on the column type or a trigger function, so that might suit your need.
 
So for passwords you need to Google around for the use of hashing and salting; this is a good article on the topic. The key point is that you don't ever need to recover the plaintext, you just need a means of proving that the password the user has just typed in matches the "saved" password.

If it's something you do need to recover the plaintext of, then it is best to do it down at the database layer with an encrypted column type, and then your code never needs to worry about it (translation: programmers don't get to stuff it up).
 
You'll want to use password hashing.

Since 5.5, PHP has had a built-in, easy-to-use and secure password hashing toolkit.

If you aren't on PHP 5.5, simply google 'Password Compat' and you'll land on a GitHub repo which provides a library to use on older versions of PHP (>= 5.3.7).

It boils down to:

PHP:
// Hash once at registration and store only $hash; bcrypt salts it for you.
$hash = password_hash($password, PASSWORD_BCRYPT);

// At login, compare the submitted password against the stored hash.
if (password_verify($password, $hash)) {
    // password matches: log the user in
} else {
    // wrong password: reject the login attempt
}

Simples. :)
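The same two calls carried a step further, as an added example that is not code from the thread: it uses password_needs_rehash() (also PHP 5.5+, and provided by password_compat on older versions) so hashes made with an old cost get upgraded the next time the user logs in. The cost values, function names and the assumption that the hash column is VARCHAR(255) are mine, not the poster's.

```php
<?php
// Added example, not from the original thread. Assumes PHP >= 5.5 (or the
// password_compat polyfill on 5.3.7+) and a users table whose hash column is
// VARCHAR(255); bcrypt output is 60 chars today, but leave room for future
// algorithms. All names here are assumptions.

$currentCost = 12; // bcrypt work factor; raise it as hardware gets faster

// Registration: store only the hash, never the password itself.
function hashForStorage($password, $cost)
{
    return password_hash($password, PASSWORD_BCRYPT, array('cost' => $cost));
}

// Login: returns false on a wrong password, the stored hash unchanged when it
// already uses the current parameters, or a fresh hash that the caller should
// write back to the database when the stored one was made with a weaker cost.
function checkAndMaybeRehash($password, $storedHash, $cost)
{
    if (!password_verify($password, $storedHash)) {
        return false;
    }
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, array('cost' => $cost))) {
        return password_hash($password, PASSWORD_BCRYPT, array('cost' => $cost));
    }
    return $storedHash;
}

// Constructed walk-through: a hash created some time ago with cost 10.
$stored = hashForStorage('correct horse battery staple', 10);

$result = checkAndMaybeRehash('wrong password', $stored, $currentCost);
echo 'wrong password accepted? ', ($result === false ? 'no' : 'yes'), "\n";

$result = checkAndMaybeRehash('correct horse battery staple', $stored, $currentCost);
if ($result !== false && $result !== $stored) {
    // UPDATE users SET password_hash = :hash WHERE id = :id  (assumed schema)
    echo "login ok, hash upgraded to cost {$currentCost}\n";
}
```

Two things worth knowing about bcrypt when using this: the 22-character salt is generated by password_hash() and embedded in the output, so you never manage salts yourself, and input is truncated at 72 bytes, so very long passphrases beyond that point do not add strength.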
 
There seem to be a few ways to go about doing this; I was wondering if anyone could recommend which method/function works best?

You either* let the DB handle the en/decryption, using built-in crypt functions within queries or trigger functions; or your application handles all en/decryption between it and the DB (i.e. mcrypt within PHP).

Tbh, I would recommend reading the threads over on stackexchange/stackoverflow regarding database(/MySQL) encryption, plus MySQL has a section on their site about it, as there are pros and cons to both and it massively depends on your application, use and underlying infrastructure as to which is 'best'.

* You can also apply encryption to the DB at filesystem level and there are a few products around that'll do this, but I can't say I've ever ventured into that area.
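The application-side option described above, shown as an added example rather than code from the thread or its posters. It uses the sodium extension bundled with PHP 7.2+ instead of the mcrypt the post mentions (mcrypt was removed from PHP), so the ciphertext is authenticated and a tampered or corrupted row is detected instead of decrypting to garbage. The environment variable name FIELD_KEY, the function names and the base64 storage format are assumptions.

```php
<?php
// Added example, not from the original thread. Encrypts a field in the
// application before it reaches the database and decrypts it on the way back,
// using libsodium's secretbox (XSalsa20-Poly1305) from the PHP 7.2+ sodium
// extension. The whole point of doing it in the application is that the key
// never touches the database: it is read from an assumed env var FIELD_KEY
// (a secrets store or a config file with tight permissions also works).

function loadKey()
{
    $b64 = getenv('FIELD_KEY');
    if ($b64 === false) {
        throw new RuntimeException('FIELD_KEY not set');
    }
    $key = base64_decode($b64, true);
    if ($key === false || strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new RuntimeException('FIELD_KEY must be 32 random bytes, base64-encoded');
    }
    return $key;
}

// A fresh random nonce per value, stored in front of the ciphertext so the
// row is self-describing. base64 lets the blob sit in a TEXT column.
function encryptField($plaintext, $key)
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $ct = sodium_crypto_secretbox($plaintext, $nonce, $key);
    return base64_encode($nonce . $ct);
}

// Returns the plaintext, or null if the blob is malformed, was altered in the
// database, or was encrypted under a different key.
function decryptField($stored, $key)
{
    $raw = base64_decode($stored, true);
    $minLen = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $minLen) {
        return null;
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $ct = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $pt = sodium_crypto_secretbox_open($ct, $nonce, $key);
    return $pt === false ? null : $pt;
}

// Constructed walk-through with a throwaway key. For real use, generate the
// key once with base64_encode(random_bytes(32)) and keep it out of the repo.
putenv('FIELD_KEY=' . base64_encode(random_bytes(SODIUM_CRYPTO_SECRETBOX_KEYBYTES)));
$key = loadKey();

$blob = encryptField('a large string destined for the database', $key);
// $blob is what the INSERT stores, e.g. $stmt->bindValue(':secret', $blob)
echo 'round trip: ', decryptField($blob, $key), "\n";

// Flip one byte of the stored blob to simulate corruption or tampering.
$raw = base64_decode($blob);
$last = strlen($raw) - 1;
$raw[$last] = chr(ord($raw[$last]) ^ 0x01);
echo 'tampered blob decrypts? ', (decryptField(base64_encode($raw), $key) === null ? 'no' : 'yes'), "\n";
```

The trade-off the post hints at shows up here directly: because the database only ever sees random-looking blobs, it cannot index, search or sort on the field, and rotating the key means re-encrypting every row. In exchange, a dump of the database (or a stolen backup) is useless without a key that was never stored there.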
 
Tbh, I would recommend reading the threads over on stackexchange/stackoverflow regarding database(/MySQL) encryption, plus MySQL has a section on their site about it, as there are pros and cons to both and it massively depends on your application, use and underlying infrastructure as to which is 'best'.

In this case OP doesn't need full blown database encryption. All he needs is a good way of hashing a password and checking to see if the entered password matches the hash in the database, that simple.

People tend to over complicate this stuff and end up leaving gaping security holes in their application as a result.
 