Solved

php web form data encryption

Posted on 2011-03-07
5
334 Views
Last Modified: 2012-05-11
Dear Experts,
I want to encrypt the data, which is coming from my users like: username and password, and insert it into my database.

How should I do this,
how can I insert it into the database and how should I select it to read the data?
I use PHP and mysql server
thank you
0
Comment
Question by:Braveheartli
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
5 Comments
 
LVL 34

Accepted Solution

by:
Beverley Portlock earned 200 total points
ID: 35056115
Your best bet is to use the mcrypt extension to encode and decode the data.

Once it is encrypted and stored in MySQL then you can get the original data back by simply feeding the encrypted data back into mcrypt and it will reveal the clear text.

Many of the ciphers used require an initialisation vector to seed the random number generator used for the encryption. You will need to store the initialisation vector with the encrypted data as it will be needed for the decode process as well as the secret encryption key.

The other thing to watch for is that many of the algorithms are BLOCK CIPHERS and your data needs to be made to fill a block. So if the block size is (say) 256 bytes = 32 chars and your data is 20 chars then you will need to pad it out with another 12 chars.

See http://uk3.php.net/mcrypt and http://uk3.php.net/manual/en/mcrypt.examples.php for examples
0
 
LVL 2

Assisted Solution

by:adeelshahid
adeelshahid earned 100 total points
ID: 35056707
just use mysql so you won't have worry about php,

try,

to encrypt.

INSERT INTO t VALUES (1,AES_ENCRYPT('text', password));

SELECT AES_DECRYPT('text', password) FROM t
0
 
LVL 19

Assisted Solution

by:Michael701
Michael701 earned 100 total points
ID: 35060215
You MUST use an https connection to enter and send the form data. This will protect the data on the open internet.

Then, it's best to use a one way encryption of the password to be stored in the mysql database. You should never be able to decrypt the users passwords. If they forgot the password you can assign a new temporary password, but NOT be able to decrypt the existing one (this is best for your protection). To see if the user/password is valid for login, you take the login password encrypt it, then compare it to the already encrypted password stored in the database.
0
 
LVL 110

Assisted Solution

by:Ray Paseur
Ray Paseur earned 100 total points
ID: 35062198
Use HTTPS for transmission.  You might want to rethink the strategy of encrypting the username.  It's fine to encode or encrypt the password, and you can get adequate protection if you use md5().  Some further encryption is OK, too.  It depends on what you want to protect.  But if you have encrypted the username, how will you ever be able to help the client reset the password?  Just a thought...

The general design pattern goes something like this.

1. At the time of registration, you require two form inputs for the password.  If they match you make the md5() string from the password and store it in the client data base table along with the username.

2. At logon time, you receive the username and the password from the HTML form on the login page.  You make the md5() string from the password.  Then you do a query something like this:
SELECT username FROM userTable WHERE username='$username' AND password='$password' LIMIT 1

If mysql_num_rows() you have a valid login.
0
 
LVL 1

Author Closing Comment

by:Braveheartli
ID: 35083169
thank you
0

Featured Post

Online Training Solution

Drastically shorten your training time with WalkMe's advanced online training solution that Guides your trainees to action. Forget about retraining and skyrocket knowledge retention rates.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

When table data gets too large to manage or queries take too long to execute the solution is often to buy bigger hardware or assign more CPUs and memory resources to the machine to solve the problem. However, the best, cheapest and most effective so…
This article discusses how to implement server side field validation and display customized error messages to the client.
Viewers will learn one way to get user input in Java. Introduce the Scanner object: Declare the variable that stores the user input: An example prompting the user for input: Methods you need to invoke in order to properly get  user input:
The viewer will the learn the benefit of plain text editors and code an HTML5 based template for use in further tutorials.

691 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question