Encryption in PHP 101 6

Hey guys Izikeo here,

I am working on a project for a friend of mine, and normally I use Code Igniter for all of my PHP work. However with this project, i’m having to write out PHP manually with no framework at all. I’ve come to a point where I thought would make a good blog post. So today I will be discussing Encryption.

Encryption is a must now-a-days in PHP. If your encrypting someones credit card information, or even just encrypting their secret question answer, you always need a really good way to encrypt data to be stored in a database. The first encryption type I would like to mention is MD5.

I consider MD5 one of the least effective ways to encrypt my data. I say this, because it seems to be the oldest and most widely used, and like virus to windows vs macs, the most used is always the most attacked. MD5 takes two arguements. First is a string. Second being a boolean for raw output. Lets take at a quick look at MD5.

<?php
    
    $username = "mycoolusername";
    $password = "mycoolpassword";

    $encrypted_password = md5($password);
    // b8746e3a40dd0970977cf089c7497c68

    $encrypted_password = md5($password, true);
    // Returns $password in binary form.
    // ¸tn:@Ý	p—|ð‰ÇI|h
?>

<?php

$username = "mycoolusername";

$password = "mycoolpassword";

$encrypted_password = md5($password);

// b8746e3a40dd0970977cf089c7497c68

$encrypted_password = md5($password, true);

// Returns $password in binary form.

// ¸tn:@Ý p—|ð‰ÇI|h

MD5 by itself will take a regular string, and encrypt it into a 32 character string. Above you see that I md5 encrypted “mycoolpassword” into the string commented below. Now remember, MD5 takes a second arguement. The second arguement is for raw output. This will return the binary of the string youve supplied in the first arguement. In all of my time of programming PHP, I have never needed to use the second arguement. Raw output for MD5 is set to false by default.

MD5 is good and all but really outdated. So next on my list of encryption is SHA1. Its slightly more effective than MD5, as it generates a 40 character string, versus a 32 character string, and takes the same field arguments. Setting the second argument to true will produce a raw output of binary characters of the string. Heres the same example in SHA1.

<?php
    
    $username = "mycoolusername";
    $password = "mycoolpassword";

    $encrypted_password = sha1($password);
    // 194e49abbd07b2443914a4061ac39aa99f0b0ed3

    $encrypted_password = sha1($password, true);
    // Returns $password in binary form.
    // NI«½²D9¤Ãš©ŸÓ
?>

<?php

$username = "mycoolusername";

$password = "mycoolpassword";

$encrypted_password = sha1($password);

// 194e49abbd07b2443914a4061ac39aa99f0b0ed3

$encrypted_password = sha1($password, true);

// Returns $password in binary form.

// NI«½²D9¤Ãš©ŸÓ

Again SHA1 is better to use than MD5, but not by much. However, if you absolutely have to use MD5 and/or SHA1, I recommend using both on the same string if possible. Heres the example:

<?php
    
    $username = "mycoolusername";
    $password = "mycoolpassword";

    $encrypted_password = sha1(md5($password));
    // 4199f5de7d8a2576e76170981416329bb5fb3f14
?>

<?php

$username = "mycoolusername";

$password = "mycoolpassword";

$encrypted_password = sha1(md5($password));

// 4199f5de7d8a2576e76170981416329bb5fb3f14

By encrypting with MD5 then immediately encrypting the result string, will add that extra layer of security. There are a lot of possibilities, anything is possible in PHP, but how do you check to see if the password in the database is the same as the given password. Well honestly there is no way to decode MD5 or SHA1. That’s probably the only thing I like about it. However you do have to check things like passwords when a user logs in, so you can do that this way:

<?php
    
    // Some database code here to get the 
    // Database's values.
    $database_password = "194e49abbd07b2443914a4061ac39aa99f0b0ed3";

    $post_password = "mycoolpassword";

    if(sha1($post_password) == $database_password){
        // Do some code if the password is correct
    } else {
        // Do some code if the password isnt correct
    }
?>

<?php

// Some database code here to get the

// Database's values.

$database_password = "194e49abbd07b2443914a4061ac39aa99f0b0ed3";

$post_password = "mycoolpassword";

if(sha1($post_password) == $database_password){

// Do some code if the password is correct

} else {

// Do some code if the password isnt correct

}

As you can see there, I re-encrypted the $_POST password, and checked to see if the two encryptions are the same. Encryptions with MD5, SHA1, or MD5 AND SHA1 together, are always the same.

So that’s good and all but what are your other options? Well another option is base64_encode and base64_decode. These are a good alternative and probably my second favorite to use. As you can see above you can encode AND decode the string. However that’s also its fall back because if anyone got a hold of your encrypted data, it can easily be decoded. However, there’s a trick. You can encode multiple times, and use strrev() to reverse the string each time you encode it. This will make it very hard for the hacker to know how many times the string has been reverse or encoded, making it very hard to decode the password. Here’s how I use these functions. (I learned this from Roshans Blog, you can find a link at the bottom of this post)

<?php
    
// example_encode() and example_decode()
// Encrypts and Decrypes a string using base64_encode and
// base64_decode.
function example_encode($str){
	for($i = 0; $i < 5; $i++){
		$str = strrev(base64_encode($str));
	}
	return $str;
}

function example_decode($str){
	for($i = 0; $i < 5; $i++){
		$str = base64_decode(strrev($str));
	}
	return $str;
}
?>

<?php

// example_encode() and example_decode()

// Encrypts and Decrypes a string using base64_encode and

// base64_decode.

function example_encode($str){

for($i = 0; $i < 5; $i++){

$str = strrev(base64_encode($str));

}

return $str;

}

function example_decode($str){

for($i = 0; $i < 5; $i++){

$str = base64_decode(strrev($str));

}

return $str;

}

Here I have made a function that I can call anytime, and supply it with a string. It will take this string, and loop 5 times. Each time it loops, it will reverse the string, and encode it. Same with Decoding it. I do the exact opposite. I decode the string, then reverse it. This will decode and give me the decoded string that I first supplied it. I am not exactly sure how many characters the encoded string is. I do know that the encoded string will take 33% more space than the original string.

However my most favorite, is honestly Code Igniters encryption class. Its a easy to use, one-liner that’s much more secure than the above encryption methods.

This just scratches the surface of the possibilities in security in PHP. There’s so much to do to prevent bad users from doing bad things to your website. I just hope this gets you started in your road to security in PHP.

Thanks for reading,
Izikeo

Credits and Sources:
Roshans Blog

Write a non-facebook response. View all facebook responses