
I have some form inputs that need to be encrypted for database storage. I am not sure if I am using the best encryption. This is my encrypt and decrypt with strings kept in environment files.

<?php

// Rijndael-256 in ECB mode via the (deprecated) mcrypt extension. The key and the
// "IV" are read straight from the environment; in ECB mode mcrypt ignores the IV.
class encrypt
{
   public static function encrypt_text($value)
   {
      if(!$value) return false;

      $crypttext = mcrypt_encrypt(MCRYPT_RIJNDAEL_256, env('ENCRYPT_STRING_1'), $value, MCRYPT_MODE_ECB, env('ENCRYPT_STRING_2'));
      // mcrypt NUL-pads the plaintext up to the 32-byte block size before encrypting.
      return trim(base64_encode($crypttext));
   }

   public static function decrypt_text($value)
   {
      if(!$value) return false;

      $crypttext = base64_decode($value);
      $decrypttext = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, env('ENCRYPT_STRING_1'), $crypttext, MCRYPT_MODE_ECB, env('ENCRYPT_STRING_2'));
      // trim() strips the NUL padding, and with it any genuine leading/trailing
      // whitespace or NUL bytes of the original value.
      return trim($decrypttext);
   }
}
TheDizzle
    Depends what you're encrypting, for private messages - awesome. For passwords or sensitive data - no. – Jaquarh Mar 21 '16 at 14:49

1 Answer


Problems with your encryption code.

  • No integrity checking
  • Rijndael256 isn't AES (if you were expecting it to be, sorry, mcrypt sucks)
  • ECB mode
  • Using trim() + null padding -> if you try to store binary data with this method, you'll lose bytes at the beginning and at the end
  • It's using libmcrypt, which is abandonware and may be removed in PHP 7.1

Go back to wherever you found that code and tell them they taught you wrong. See this answer for a superior alternative.

Scott Arciszewski
  • `Go back to wherever you found that code and tell them they taught you wrong` - You've just sent him to probably 100+ sites ;) Do you have a blog on this? It's interesting to read through your answer and that integrity link. – Jaquarh Mar 21 '16 at 15:16
  • The mcrypt sucks link goes to the blog where I post crypto/security stuff. Click the "cryptography" tag at the bottom of the page for a lot of stuff. I also curate an appsec reading list on Github. – Scott Arciszewski Mar 21 '16 at 15:18
  • It is interesting because, being a developer, you're never told about hack attempts or see them unless you're developing widely known sources; these 'back-doors', or whatever they call them, are an important factor in development which just do not get taught. I'll surely be spreading your page around; it's not only interesting, but you can learn more on your site than by reading it up on 100 other sites. Great work. – Jaquarh Mar 21 '16 at 15:20
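The following is an added example, not code from the question, the answer or its linked post. It puts the answer's bullet points into running PHP: it first shows the ECB leak (two identical plaintext blocks give two identical ciphertext blocks), then replaces the mcrypt/Rijndael-256/ECB/trim() construction with real AES-256 in GCM mode (authenticated, random nonce, no NUL padding, no trim()) and shows a one-bit modification of the stored value being rejected. It assumes PHP 7.1 or later with ext-openssl; the function names `ecbBlocks`, `encryptText` and `decryptText`, the storage layout (nonce || tag || ciphertext, base64-encoded) and the sample field value are choices made for this example.

```php
<?php
declare(strict_types=1);

// Added example (not the code from the question or the answer above).
// Requires PHP >= 7.1 with ext-openssl; uses only openssl_encrypt/openssl_decrypt,
// random_bytes and base64 from the standard library.

/**
 * Shows the ECB problem: identical 16-byte plaintext blocks encrypt to identical
 * ciphertext blocks, so the structure of the data leaks through the ciphertext.
 * Padding is disabled, so the input must be a multiple of 16 bytes.
 */
function ecbBlocks(string $key16, string $plaintext): array
{
    $ct = openssl_encrypt($plaintext, 'aes-128-ecb', $key16,
        OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING);
    if ($ct === false) {
        throw new RuntimeException('openssl_encrypt failed: ' . openssl_error_string());
    }
    return array_map('bin2hex', str_split($ct, 16));
}

/**
 * Authenticated encryption with real AES-256 in GCM mode.
 * Stored layout (base64): 12-byte random nonce || 16-byte auth tag || ciphertext.
 * No trim(): leading/trailing NUL and whitespace bytes survive the round trip.
 */
function encryptText(string $key, string $plaintext): string
{
    if (strlen($key) !== 32) {
        throw new InvalidArgumentException('key must be exactly 32 random bytes');
    }
    $nonce = random_bytes(12);   // fresh per message; never reuse with the same key
    $tag = '';
    $ct = openssl_encrypt($plaintext, 'aes-256-gcm', $key, OPENSSL_RAW_DATA,
        $nonce, $tag, '', 16);
    if ($ct === false) {
        throw new RuntimeException('openssl_encrypt failed: ' . openssl_error_string());
    }
    return base64_encode($nonce . $tag . $ct);
}

/**
 * Checks the GCM tag before returning anything: a modified nonce, tag or
 * ciphertext makes openssl_decrypt return false, which becomes an exception.
 */
function decryptText(string $key, string $encoded): string
{
    $raw = base64_decode($encoded, true);
    if ($raw === false || strlen($raw) < 28) {
        throw new RuntimeException('malformed ciphertext');
    }
    $nonce = substr($raw, 0, 12);
    $tag   = substr($raw, 12, 16);
    $ct    = (string) substr($raw, 28);
    $pt = openssl_decrypt($ct, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $nonce, $tag);
    if ($pt === false) {
        throw new RuntimeException('authentication failed: stored value was modified');
    }
    return $pt;
}

// Demo key, generated here for the example. In a real application: generate it once
// with random_bytes(32), store it base64-encoded in the environment and
// base64_decode it on load. A human-typed "ENCRYPT_STRING" is a passphrase, not a key.
$key = random_bytes(32);

// 1. ECB leaks structure: two identical plaintext blocks -> two identical ciphertext blocks.
$blocks = ecbBlocks(substr($key, 0, 16), str_repeat('A', 32));
printf("ECB: identical blocks encrypt identically: %s\n",
    var_export($blocks[0] === $blocks[1], true));

// 2. GCM with a random nonce: the same plaintext never yields the same ciphertext,
//    and binary data round-trips byte for byte (trim() would strip the NULs).
$secret = "\x00 4111-1111-1111-1111 \x00";   // constructed sample field value
$c1 = encryptText($key, $secret);
$c2 = encryptText($key, $secret);
printf("GCM: ciphertexts differ: %s\n", var_export($c1 !== $c2, true));
printf("GCM: exact round trip: %s\n", var_export(decryptText($key, $c1) === $secret, true));

// 3. Integrity: flip one bit of the stored value; decryption fails instead of
//    silently returning garbage.
$raw = base64_decode($c1);
$last = strlen($raw) - 1;
$raw[$last] = chr(ord($raw[$last]) ^ 0x01);
try {
    decryptText($key, base64_encode($raw));
    echo "Tampering NOT detected\n";
} catch (RuntimeException $e) {
    echo "Tampering detected: {$e->getMessage()}\n";
}
```

Run it with `php example.php`. The nonce is stored alongside the ciphertext because it is not secret, only unique; the tag is what gives the integrity check the answer says the original lacks. If several columns share one key, passing the column name as the AAD argument of openssl_encrypt/openssl_decrypt stops a ciphertext from one column being replayed into another.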