
I've written a login system in PHP, using a MySQL database. Currently I'm just saving the users' email addresses as plaintext in the database. But I'm wondering if I would be better off encrypting these email addresses, to decrypt them later on when I need them.

Let's say that if someone would actually be able to inject some SQL inside a query and make the entire users table appear on his screen, he would be able to view all email addresses in the database and spam them with full power.

Would storing encrypted email addresses be an interesting thing to do, or not? The fact that I use PHP actually doesn't matter.

BTW: As far as I know my login system is completely safe from SQL injection (mysqli_real_escape_string) and XSS attacks (htmlspecialchars) (as far as I know).

  • Are the emails used for login, or just stored with the user record? There's not much need to encrypt emails IMO - they're not *generally* considered particularly sensitive information. Side note: You *really* should be using parameterized queries if you want to be safe from SQL injection. – ceejayoz Jan 27 '17 at 17:36
  • And for your answer, no. Because if you encrypt it, you can't decrypt, and you'll need that email for resetting passwords, sending them notifications, etc. You can encode it, but then someone can decode it anyway. – Jan 27 '17 at 17:39
  • Parametrised queries are the best defence against injection – Strawberry Jan 27 '17 at 17:41
  • *"BTW: As far as I know my login-system is completely safe for SQL-injection (mysqli_real_escape_string)"* - No, not really http://stackoverflow.com/a/5200152/1415724 – Funk Forty Niner Jan 27 '17 at 18:16
  • **WARNING**: Writing your own access control layer is not easy and there are many opportunities to get it severely wrong. Please, do not write your own authentication system when any modern [development framework](http://codegeekz.com/best-php-frameworks-for-developers/) like [Laravel](http://laravel.com/) comes with a robust [authentication system](https://laravel.com/docs/5.3/authentication) built-in. At the absolute least follow [recommended security best practices](http://www.phptherightway.com/#security) and **never store passwords as plain-text**. – tadman Jan 27 '17 at 19:48
  • **WARNING**: When using `mysqli` you should be using [parameterized queries](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and [`bind_param`](http://php.net/manual/en/mysqli-stmt.bind-param.php) to add user data to your query. **DO NOT** use manual escaping and string interpolation or concatenation to accomplish this because you will create severe [SQL injection bugs](http://bobby-tables.com/). – tadman Jan 27 '17 at 19:49
  • Don't encrypt individual fields. **DO** encrypt any and all backups of your data. One of the easiest targets for attackers is loosely secured backup servers or developer workstations containing full dumps of the data. – tadman Jan 27 '17 at 19:50
  • @tadman: I'm building queries by adding single quotes around the user inputs and escaping the user inputs. There's no way anyone can inject SQL that way. Of course it's a little easier to use prepared statements, that's true. `$query = "SELECT * FROM login_db WHERE user='" . mysqli_real_escape_string($db,$userpost) . "' ORDER BY id"` When a hacker inserts single quotes, they are escaped. When a user enters no single quotes, the single quotes in the query itself border the user input. And passwords are always stored as a (variable-)salted, hashed text. – user3582780 Jan 27 '17 at 21:55
  • Everything about what you just said is why you're in way over your head here. Manual escaping like that is [inadequate](http://stackoverflow.com/questions/5200051/is-using-mysqli-real-escape-string-enough-to-secure-my-query-string/5200152#5200152). Hashing with a salt is also **dangerously wrong**; it means you're using a weak hashing method like SHA256. Follow [password hashing](http://www.phptherightway.com/#password_hashing) best practices. Use `bcrypt` at the absolute least. This is not the sort of thing you want to approach casually. The risks are real, the stakes too high. – tadman Jan 27 '17 at 22:05
  • Well, I think I'm not going to encrypt email-addresses since 1. performance hit, 2. not necessarily secure (encryption key might leak) like you say. – user3582780 Jan 28 '17 at 00:48
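The comments above recommend two concrete changes to the asker's snippet: bind user input with `mysqli` prepared statements instead of quoting and escaping it, and store passwords with `password_hash()` (bcrypt) rather than a home-grown salted hash. The following is an added example written to show both together; it is not code from the question or from any commenter. The table and column names (`login_db`, `user`, `email`, `password_hash`), the `$db` connection, and the use of `get_result()` (which needs the mysqlnd driver) are assumptions made for the illustration.

```php
<?php
// Added example (not from the question or the comments): the login lookup from the
// question rewritten with bound parameters and bcrypt password verification.
// Assumed schema: login_db(id INT, user VARCHAR, email VARCHAR, password_hash CHAR(60)).
declare(strict_types=1);

/**
 * Look up a user by name with a parameterized query and verify the submitted
 * password against a hash produced by password_hash().
 * Returns the user row (without the hash) on success, or null if the user does
 * not exist or the password does not match.
 */
function authenticate(mysqli $db, string $username, string $password): ?array
{
    // The user-supplied value never becomes part of the SQL text: it is sent to
    // the server separately as a bound parameter, so quoting and escaping are
    // no longer the application's job.
    $stmt = $db->prepare(
        'SELECT id, user, email, password_hash FROM login_db WHERE user = ? LIMIT 1'
    );
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();   // assumes mysqlnd is available
    $stmt->close();

    if ($row === null) {
        // Verify against a throwaway hash so an unknown username costs roughly
        // the same time as a wrong password; this avoids revealing which
        // usernames exist through response timing.
        static $dummy = null;
        $dummy ??= password_hash('dummy-password', PASSWORD_DEFAULT);
        password_verify($password, $dummy);
        return null;
    }

    if (!password_verify($password, $row['password_hash'])) {
        return null;
    }

    // If the stored hash was made with older parameters (or a weaker algorithm
    // that password_verify still accepts), rehash it now that the plaintext is
    // legitimately in hand. Again with a bound parameter.
    if (password_needs_rehash($row['password_hash'], PASSWORD_DEFAULT)) {
        $newHash = password_hash($password, PASSWORD_DEFAULT);
        $upd = $db->prepare('UPDATE login_db SET password_hash = ? WHERE id = ?');
        $upd->bind_param('si', $newHash, $row['id']);
        $upd->execute();
        $upd->close();
    }

    unset($row['password_hash']);
    return $row;
}

/**
 * Register a user. Only the bcrypt hash is stored; password_hash() generates
 * and embeds a random salt, so no separate salt column is needed.
 */
function registerUser(mysqli $db, string $username, string $email, string $password): bool
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO login_db (user, email, password_hash) VALUES (?, ?, ?)');
    $stmt->bind_param('sss', $username, $email, $hash);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Usage (connection details are placeholders):
// $db   = new mysqli('localhost', 'app_user', 'app_password', 'app_db');
// $user = authenticate($db, $_POST['user'] ?? '', $_POST['password'] ?? '');
// if ($user === null) { /* reject login */ }
```

Note what this does and does not change with respect to the original question: the email column is still stored in plaintext, as the commenters recommend, but the injection path that motivated the question (a quoted string built from user input) is gone, because the input is bound rather than concatenated. The remaining exposure of the email column is then the database itself and its backups, which is the part the last tadman comment says to encrypt.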

0 Answers