Servage Magazine


PHP encryption/decryption without 3rd party software

Wednesday, March 16th, 2011 by Servage

It's possible to encrypt and decrypt data with PHP using third-party software such as MCrypt, and there are also some interesting PEAR packages for encryption. For many cases, however, there is an even easier solution that encrypts your data reasonably well and relies only on PHP: "A reversible password encryption routine for PHP" by Tony Marston. It is a simple PHP class that uses native PHP functions to achieve a fairly high level of encryption, which is secure enough for most PHP-based applications. Despite the name, the class can be used for any kind of data, not only passwords. Recommended practice is to store all sensitive data (such as users' private addresses, credit card details etc.) encrypted in your database, and this class helps you with that.

Contrary to the title of Tony Marston's article, I would not recommend storing passwords in a reversible encryption format. Why? Passwords never need to be decrypted. The clear, unencrypted password should be known only by the user. For the application provider it is enough to obfuscate the password with a one-way hash and compare the obfuscated login input with the obfuscated value in the user database. This way the user can rest assured that nobody can read their password in the clear. Other data, like the previously mentioned address or credit card details, needs to be reversible because it has to be displayed on invoices or used for payments.

Address example

// assumes Tony Marston's encryption_class has already been included
$crypt = new encryption_class;
$key = 'mySecureKey12345!';          // keep this key out of the database
$plaintext = 'My address';
$encrypted_plaintext = $crypt->encrypt($key, $plaintext);   // store this value
.....
// later, with the same key, recover the original address
$decrypted_plaintext = $crypt->decrypt($key, $encrypted_plaintext);

If you store $encrypted_plaintext in your database, the entry cannot be read by someone who gains access to your database but not to the key. Afterwards you can use $decrypted_plaintext in your application to show the address, recovered from the encrypted string in your database. You can raise the level of security further by using individual keys, for example one per user.

Password example

$signup_password = 'UserPassword';
$key = 'mySecureKey12345!';
// one-way: store only the hash of key + password, never the password itself
$obfuscated_password = sha1($key.$signup_password);
.....
// on login, hash the entered password the same way and compare the hashes;
// strict comparison (===) so PHP does not type-juggle the two hash strings
if (sha1($key.$login_password) === $obfuscated_password) {
	$login = true;
}
else {
	$login = false;
}

In this example you store the obfuscated user password in your database using a one-way hash function such as SHA1. When the user attempts a login, you obfuscate the entered login password the same way and compare the result with the stored value. You are therefore comparing two obfuscated strings rather than the passwords themselves, but that is all that is needed to check whether the password matches. It is nice for the user to know that the password cannot be stolen from the database; that would only be possible if someone were able to break the SHA1 hashing method. To make that even more unlikely, I have added a key to the obfuscation.
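The same signup/login flow with the per-user key suggested in the address section, as an added example that is not code from the original post or from Tony Marston's class; it needs PHP 7 or later, and the function names and the 'salt'/'hash' array keys are assumptions:

```php
<?php
// Added example, not code from the original post or from Tony Marston's class.
// It keeps the post's idea (store sha1 of key + password, compare on login)
// and adds the per-user key the post suggests, stored as a random salt.
// Function names and the array keys 'salt'/'hash' are assumptions.

const SITE_KEY = 'mySecureKey12345!';   // the post's application-wide key

// Signup: return the salt and hash to store for this user (never the password).
function store_password(string $password): array
{
    $salt = bin2hex(random_bytes(16));  // 32 hex chars, unique per account
    return [
        'salt' => $salt,
        'hash' => sha1(SITE_KEY . $salt . $password),
    ];
}

// Login: recompute with the stored salt and compare with hash_equals(), which
// does not stop at the first differing byte, so timing reveals nothing.
function check_password(string $login_password, array $stored): bool
{
    $candidate = sha1(SITE_KEY . $stored['salt'] . $login_password);
    return hash_equals($stored['hash'], $candidate);
}

// Constructed walk-through of the two steps.
$record = store_password('UserPassword');
echo check_password('UserPassword', $record) ? "login ok\n" : "login failed\n";
echo check_password('WrongPassword', $record) ? "login ok\n" : "login failed\n";
```

On PHP 5.5 or later, password_hash() and password_verify() provide a slow, salted hash for exactly this purpose and should be preferred over a plain SHA1.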

Categories: Guides & Tutorials

2 comments

Great! Haven't been able to find anything as easy as this before!

Great blog, how about exchanging links? Please contact me asap, thanks.
