-3

I want to build a php application which I can store my patients informations. I found two functions on internet. One for encrypt and one for decrypt but I'm facing some problem.

This is an example. I need to store tones of informations with this way. I need to know if this will slow my app.

function encryptthis($data, $key) {
  $encryption_key = base64_decode($key);
  $iv = openssl_random_pseudo_bytes(openssl_cipher_iv_length('aes-256-cbc'));
  $encrypted = openssl_encrypt($data, 'aes-256-cbc', $encryption_key, 0, $iv);
  return base64_encode($encrypted . '::' . $iv);
}

function decryptthis($data, $key) {
  $encryption_key = base64_decode($key);
  list($encrypted_data, $iv) = array_pad(explode('::', base64_decode($data), 2),2,null);
  return openssl_decrypt($encrypted_data, 'aes-256-cbc', $encryption_key, 0, $iv);
}

if(isset($_POST['login'])){
  $username = $_POST['username'];
  $password = $_POST['password'];

  $usrEncr = encryptthis($username, $key);
  $pswEncr = encryptthis($password, $key);

  $users = DB::query('SELECT * FROM users');

  foreach ($users as $user) {
      if(decryptthis($user['username'], $key) == $username && decryptthis($user['password'], $key) == $password){

      $user = array(
        'id' => $user['id'],
        'name' => $user['username']
      );

      setcookie("loginCredentials", json_encode($user), time() + 7200); 
      header("Refresh:0");
    }
  }
}

I have to select all users and decrypt all usernames and passwords to see if matched with given username and password because every time I encrypt the same word the encrypted string was different.

Is this a safe way to do it? Sorry for my bad English.

Manos
  • 35
  • 1
  • 8
  • Yeah, if you encrypt data in the database, you can’t query for it anymore. That’s a tradeoff. What the necessary tradeoff for you is depends on what exactly you need and what exactly you can give up. – deceze Jun 15 '19 at 11:44
  • Thanks! I need to know if I have tones of information, will this slow my app? – Manos Jun 15 '19 at 11:49
  • 1
    Passwords are not supposed to be encrypted because encryption is reversible. Passwords must be secured via one-way hashing algorithms. See the duplicate topic for answers. – Shadow Jun 15 '19 at 12:02
  • *"See the duplicate topic for answers."* that duplicated is not totally "correct" as it is a bit to much "outdated" @Shadow this [Safe Password Hashing](https://php.net/manual/en/faq.passwords.php) is what the topicstarter should be reading about .. But you are right about the rest. – Raymond Nijland Jun 15 '19 at 13:23

1 Answers1

-2

Instead of this functions you can use hashing technique which simply implemented in php eg md5(text which you have to encrypt) and store in db while checking create hash of inputs and check hash of input with hash in db

Dakshit
  • 1
  • 2
  • Thanks. With this technique if someone steal my database, will be able to decrypt it? – Manos Jun 15 '19 at 11:52
  • 2
    Hashing algorithms are one way - there is no way to decrypt them. These are not useful to encrypt anything. For securing passwords you can use hashing algorithms, but md5 is obsolete and should not be used. – Shadow Jun 15 '19 at 11:57
  • 1
    *"For securing passwords you can use hashing algorithms, but md5 is obsolete and should not be used. "* @Shadow i wouldn't even trust SHA256 or SHA512 (with or without salt) for one way password hashing as those as simply designed to run fast.. Which means on CPU or GPU those hashing algorithms can be easy bruteforced or be used for rainbow table generation – Raymond Nijland Jun 15 '19 at 13:34