

php web form data encryption

Dear Experts,
I want to encrypt the data coming from my users, like username and password, and insert it into my database.

How should I do this?
How can I insert it into the database, and how should I select it to read the data?
I use PHP and MySQL server.
Thank you
4 Solutions
Beverley Portlock Commented:
Your best bet is to use the mcrypt extension to encode and decode the data.

Once it is encrypted and stored in MySQL then you can get the original data back by simply feeding the encrypted data back into mcrypt and it will reveal the clear text.

Many of the ciphers used require an initialisation vector to seed the random number generator used for the encryption. You will need to store the initialisation vector with the encrypted data as it will be needed for the decode process as well as the secret encryption key.

The other thing to watch for is that many of the algorithms are BLOCK CIPHERS and your data needs to be made to fill a block. So if the block size is (say) 256 bytes = 32 chars and your data is 20 chars then you will need to pad it out with another 12 chars.

See http://uk3.php.net/mcrypt and http://uk3.php.net/manual/en/mcrypt.examples.php for examples
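
Just use MySQL so you won't have to worry about PHP.

To encrypt:

INSERT INTO t VALUES (1, AES_ENCRYPT('text', 'password'));

-- encrypted_col is an assumed name for the column that holds the AES_ENCRYPT() output
SELECT AES_DECRYPT(encrypted_col, 'password') FROM t;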

You MUST use an https connection to enter and send the form data. This will protect the data on the open internet.

Then, it's best to use a one-way encryption of the password to be stored in the MySQL database. You should never be able to decrypt the users' passwords. If they forgot the password, you can assign a new temporary password, but NOT be able to decrypt the existing one (this is best for your protection). To see if the user/password is valid for login, you take the login password, encrypt it, then compare it to the already encrypted password stored in the database.
Ray Paseur Commented:
Use HTTPS for transmission.  You might want to rethink the strategy of encrypting the username.  It's fine to encode or encrypt the password, and you can get adequate protection if you use md5().  Some further encryption is OK, too.  It depends on what you want to protect.  But if you have encrypted the username, how will you ever be able to help the client reset the password?  Just a thought...

The general design pattern goes something like this.

1. At the time of registration, you require two form inputs for the password.  If they match, you make the md5() string from the password and store it in the client database table along with the username.

2. At logon time, you receive the username and the password from the HTML form on the login page.  You make the md5() string from the password.  Then you do a query something like this:
SELECT username FROM userTable WHERE username='$username' AND password='$password' LIMIT 1

If mysql_num_rows() you have a valid login.
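
The registration and login pattern described in the answers above, as an added example that is not part of any poster's answer: it stores only a one-way hash of the password, using PHP's password_hash() and password_verify() in place of md5(), and a prepared statement in place of the interpolated query. The in-memory SQLite database (standing in for MySQL) and the table, column and function names are assumptions made for this example.

```php
<?php
declare(strict_types=1);
// Added example, not from the thread. Assumed: in-memory SQLite via PDO stands
// in for MySQL; table, column and function names are hypothetical.

function openDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)');
    return $db;
}

function register(PDO $db, string $username, string $pw, string $pwRepeat): bool {
    if ($pw === '' || $pw !== $pwRepeat) {
        return false;                     // the two password inputs must match
    }
    // One-way, salted, deliberately slow hash; salt and cost are stored inside it.
    $hash = password_hash($pw, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (username, pw_hash) VALUES (?, ?)');
    return $stmt->execute([$username, $hash]);
}

function login(PDO $db, string $username, string $pw): bool {
    // Placeholders keep form input out of the SQL text.
    $stmt = $db->prepare('SELECT pw_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();
    if ($hash === false || !password_verify($pw, (string) $hash)) {
        return false;                     // unknown user or wrong password
    }
    // Upgrade the stored hash when PHP's default algorithm or cost changes.
    if (password_needs_rehash((string) $hash, PASSWORD_DEFAULT)) {
        $upd = $db->prepare('UPDATE users SET pw_hash = ? WHERE username = ?');
        $upd->execute([password_hash($pw, PASSWORD_DEFAULT), $username]);
    }
    return true;
}

// Constructed sample input.
$db = openDb();
var_dump(register($db, 'alice', 'correct horse', 'correct horse'));
var_dump(login($db, 'alice', 'correct horse'));
var_dump(login($db, 'alice', 'wrong guess'));
var_dump(login($db, 'bob', 'correct horse'));
```

The stored value cannot be turned back into the password, so a forgotten password is handled by issuing a new one, as the answer above describes.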
BraveheartliMarketingAuthor Commented:
thank you
