Encryption using mcrypt, PHP, and MySQL

Question

I am trying to use mcrypt to store a password on my database. First of all, it WORKS, but only some of the time.

Here is my encryption code:

    //Encryption/Decryption key
    $key = $username.$username.$username.$username.$username;
    //Encryption Algorithm
    $cipher_alg = MCRYPT_RIJNDAEL_256;

    $iv = mcrypt_create_iv(mcrypt_get_iv_size($cipher_alg, MCRYPT_MODE_ECB), MCRYPT_RAND);
    $password = mcrypt_encrypt($cipher_alg, $key, $pass1, MCRYPT_MODE_CBC, $iv);

This then uploads the $username, the $iv and the $password to the MySQL database.

Here is my decryption code:

    //Encryption/Decryption key
    $key = $username.$username.$username.$username.$username;

    //Encryption Algorithm
    $cipher_alg = MCRYPT_RIJNDAEL_256;

    $dbpass = mcrypt_decrypt($cipher_alg, $key, $encpass, MCRYPT_MODE_CBC, $random);
    $dbpass = trim($dbpass); // Trim the fat

The $username, $iv, and $encpass(encrypted password) are retrieved from the database and the key is recreated using the username.

This WORKS but only sometimes. I can't figure out why. My only assumption is that the database can't accept some of characters the encryption produces such as quotations.

Any help would be greatly appreciated!

Please show us the code you use to insert the data into the database, as well as the code used to retrieve it. We'll also need to know the structure of the table. Also, why are you fetching the IV in ECB mode, but encrypting in CBC mode? — Charles, Apr 22 '11 at 17:05
as far as I know algorithms depend on key and IV sizes and username is not acceptable neither for pass/nor for key.. you cannot rely on user input!! — DaGhostman Dimitrov, Feb 06 '13 at 22:25

score 1 · Answer 1 · edited May 23 '17 at 12:18

You can try below code for 2 way encryption. You may add salt with password as per your requirement.

$key = 'ecryptionkey';
$string = 'password';

$encrypted = base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, md5($key), $string, MCRYPT_MODE_CBC, md5(md5($key))));   
$decrypted = rtrim(mcrypt_decrypt(MCRYPT_RIJNDAEL_256, md5($key), base64_decode($encrypted), MCRYPT_MODE_CBC, md5(md5($key))), "\0");

var_dump($encrypted);
var_dump($decrypted);

I got this code from below URL and I'm using it in my application.

https://stackoverflow.com/a/9262137/1724762

score 1 · Answer 2 · answered Apr 22 '11 at 18:04

$salt = time(); // I would use something other than time(), something more random

// store it in the db and redirect user
connect();
$query = mysql_query("INSERT INTO user VALUES
                      ('".mysql_real_escape_string($username)."',
                       '".mysql_real_escape_string(sha1($password . $salt))."',
                       '".mysql_real_escape_string($salt)."') ");

// returning user
$username = $_POST['username'];
$password = $_POST['password'];

// retrieve stored password
connect();
$result = mysql_query("SELECT * FROM user WHERE username = '".mysql_real_escape_string($username)."' ");
$row = mysql_fetch_assoc($result);
if (!$result) {
// user doesn't exist
}
$storedPassword = $row['password'];
$salt = $row['salt'];

$hashedPassword = sha1($password . $salt);

if ($storedPassword != $hashedPassword) {
// exit
}
else {
// redirect user
}

I'm not claiming this is the most secure, it is simply just a small example of one way hashing with a salt.

There is plenty of documentation and help out there from people who have a lot more experience with security. You'll find some good tips in stackoverflow alone. — Brett, Apr 22 '11 at 18:09
I found a good hashing guide here: http://elbertf.com/2010/01/store-passwords-safely-with-php-and-mysql/ But forget passwords for the moment, why isn't my encryption working? — Connor, Apr 22 '11 at 19:05

Brett · Answer 3 · 2011-04-22T17:22:23.137

0

If you are storing a user's password in the database, you should be using one-way hashing

Here is just a very minimalist example

$username = $_POST['username'];
$password = $_POST['password'];
$salt     = 'Some Salt';

$result = mysql_query("SELECT username, password
                       WHERE username = '".mysql_real_escape_string($username)."'
                       AND   password = '".mysql_real_escape_string(sha1($password . $salt))."'
                       LIMIT 1");

if(mysql_num_rows($result)) {
// we have a match
}
else {
// no match
}

You would have to be inserting user passwords with an appended salt using sha1 in my example. Keep in mind, this is just a suggestion for storing user passwords in the database.

edited Apr 22 '11 at 17:22

answered Apr 22 '11 at 16:59

Brett

721
2
10
20

This page is a few years old, but it still offers some good insight http://www.ibm.com/developerworks/opensource/library/os-php-encrypt/ – Brett Apr 22 '11 at 17:12
Well I was thinking of eventually doing both. I was going to hash it first with a salt, then encrypt. My thinking behind it was if my database was stolen they would have the $iv and the $password, and if they got a hold of my PHP they would have the $key and the $salt, but without both they could do nothing. Is this right? Oh and anyway it does me no good if I can't figure out why my passwords/$iv are possibly not storing properly. Should I be using addslash? – Connor Apr 22 '11 at 17:37
1

mysql_real_escape_string is the proper way to escape a string. And as far as storing passwords in the database, one way hashing is absolutely the way to go. I'll post some sample code that may help you – Brett Apr 22 '11 at 17:48

score 0 · Answer 4 · edited May 23 '17 at 12:03

0

Agreed that for your particular use case (storing users' passwords), a one-way hash would be best.

But for people who really do need to use mcrypt and PHP and MySQL, see the various options in MySql insert binary data to db without errors. One easy option is base64_encode/base64_decode -- here's an example.

edited May 23 '17 at 12:03

Community

1
1

answered Feb 02 '12 at 17:25

jlstrecker

4,953
3
46
60

Encryption using mcrypt, PHP, and MySQL

4 Answers4

Linked