Encrypting data with PHP September 17, 2010Posted by Tournas Dimitrios in PHP.
PHP provides us with an interesting array of security-oriented functionality, In this article I’ll introduce you to this functionality, providing you with a basis from which you can begin incorporating security enhancements into your own applications.
Using PHP we can easily accomplish One way encryption, In this article I will show you how PHP can be used to do One Way encryption. PHP provides us with built in functions to accomplish one way encryption, the most popular functions used for these are md5() and the crypt() function, In this article we would be using md5() to accomplish one way encryption.
What the heck does One way encryption mean?
In the most simple terms it means, that the data that you encrypt cannot be decrypted back to it’s original form! One-way encryption? What’s the point?” you may say Well sometimes it’s a good idea to be not able to decrypt stuff, I know you must be thinking that I have gone crazy, to explain my point I will give you a simple example.
Suppose you have a site where a password is needed to access a particular area of your site that is restricted, and you are storing this password info in a database or a file, currently you might be storing this password as a normal readable file, suppose tomorrow there is a security breach the person who gets access to your database/file can gets access to all the passwords�.. not a pretty picture!
To explain you I will be using the md5() hash function, It converts any string supplied to it into a 128bit, 32 character string. The interesting thing about hashing is that it is impossible to decode a message by examining the hash, because the hashed result is in no way related to the content of the original plain text, to make it clear let me give you an example.
Now suppose that you had encrypted the password data using PHP md5() the hackers just gets password data something like 648a19754f7803769c66f871bsdcd71a which doesn’t make any sense to him and because it is a one-way encrypted it isn’t going to do much good to a hacker because they can never be converted back to the original form.
Let assume our password is : mypass, now instead of storing this password directly we will create a hash of it using md5
. php $password = "mypass"; $encrypted_password = md5($password); //encrypting the password using md5() echo "Un-encrypted Password: $password"; echo "Encrypted Password: $encrypted_password"; ?> .
Access the previus script with your browser and view Sample output and notice that the encrypted password for mypass is a029d0df84eb5549c641e04a9ef389e5 this (128-bit) 32 character string has been generated by the md5() function for mypass., What the md5() does is it generates a unique 32 character hexadecimal number for any string supplied to it.
You can pass any string to the md5() function and it will create a unique the 32 character hexadecimal number for that string.
Real World example for md5() :
Now we will build a simple password protected page, in which password are stored using md5(). We will use MySQL database in which there will be two fields user_name and password (the password is stored in an encrypted form using md5() in the database)
Let’s assume that our table name is user_data and this is the structure of our table
CREATE TABLE `user_data` ( `user_name` VARCHAR( 12 ) NOT NULL , `password` VARCHAR( 100 ) NOT NULL , PRIMARY KEY ( `user_name` ) ); # Data for table `user_data` INSERT INTO user_data VALUES ('user1', 'a722c63db8ec8625af6cf71cb8c2d939'); INSERT INTO user_data VALUES ('george', 'a029d0df84eb5549c641e04a9ef389e5');
The table has two records with the following data
* Note that the passwords stored in the database are encrypted using md5().
We would now create a form (ask_password.html) which ask the user for the username and password, and next we create a simple PHP program (check_password.php) that checks the values that are submited via the form.
<HTML> <BODY> <form method=post action=check_password.php> User Name <input type=text name=u_name> Password <input type=password name=pass> <input type=submit> </form> </body></html>
Now we have created the check_password.php program, which retrives the u_name and compares those values with the data we have in the database.
<?PHP $user_name = $_POST['u_name']; $password = $_POST['pass']; //db connection string $db = mysql_connect("localhost","root","pass"); mysql_select_db("my_database",$db); //replace the above values with your actual database val //We will now retrive the password from the database $sql_query = mysql_query("SELECT password FROM user_data WHERE user_name='$user_name'",$db); $rs = mysql_fetch_row($sql_query); //comparing passwords Note before we can compare the password we use md5() to encrypt the $password becuase the password that we retrive from the database is in the encrypted form. if(md5($password) != $rs) echo "ERROR: Invalid User"; else echo "Congrats, Password is correct!"; ?>
As you can see it is fairly simple to store encrypted passwords in the database instead of plain passwords, this technique can add a lot of security to your applications.
So Instead of storing plain password in your database/file it’s a better idea to store encrypted passwords using md5(). This technique is used by many commercial applications to store sensitive data like passwords and combined with your Flash -Flex applications will improve your security.