PHP AES Decryption from MySQL Database

Question

So I'm working on encrypting all data being sent to the database. It's sending everything to the database encrypted using the key, but when I go to encrypt it and display it using the key, nothing shows up. Can someone point me in the right direction, please? Here is my code. The password for encryption/decryption is in the init.php document.

require_once 'init.php';
$itemsQuery = $db->prepare("SELECT id, name, done FROM tasks WHERE user = :user AND folder = :folder");
$itemsQuery->execute([
'user' => $_SESSION['user_id'],
'folder' => "inbox"    
]);
$method = 'aes-256-cbc';
$key = substr(hash('sha256', $password, true), 0, 32);
$iv = chr(0x0) . chr(0x0) . chr(0x0) . chr(0x0) . chr(0x0) . chr(0x0) . chr(0x0) . chr(0x0) . chr(0x0) . chr(0x0) . chr(0x0) . chr(0x0) . chr(0x0) . chr(0x0) . chr(0x0) . chr(0x0);
$decrypted = openssl_decrypt(base64_decode($itemsQuery), $method, $key, OPENSSL_RAW_DATA, $iv);$items = $decrypted->rowCount() ? $decrypted : [];

This is being displayed out in the table using the $items tag.

This is the code that is echoing out the supposed decrypted text:

<ul id="myul" class="items">
<?php foreach($items as $item): ?><?php if (!$item['done']):?><li><a href="functions.php?as=inboxdone&item=<?php echo $item['id'] ?>" class="done-button"><span class="dot"></span></a>&nbsp;<div class="task-dropdown"><!--Button to show more in the task dropdown--><button class="task-dropbtn"><!--More image--><img src="assets/images/more-707070.svg" class="more"></button><div class="task-dropdown-content"><!--Personal move--><a href="functions.php?as=inboxtopersonal&item=<?php echo $item['id'] ?>" class="done-button"><img src="assets/images/user-active.svg" id="bookmark" height="15px" width="15px"></a><!--Work move--><a href="functions.php?as=inboxtowork&item=<?php echo $item['id'] ?>" class="done-button"><img src="assets/images/work-active.svg" id="bookmark" height="15px" width="15px"></a><!--Bookmark--><a href="functions.php?as=inboxbookmark&item=<?php echo $item['id'] ?>" class="done-button"><img src="assets/images/bookmark-active.svg" id="bookmark" height="15px" width="15px"></a><!--Delete task--><a href="functions.php?as=inboxdelete&item=<?php echo $item['id'] ?>" class="done-button"><img src="assets/images/trash-warn.svg" id="bookmark" height="15px" width="15px"></a></div></div>&nbsp;<span class="item<?php echo $item['done'] ? 'done' : '' ?>"><?php echo $item['name']; ?></span></li><?php endif; ?><?php endforeach; ?>
</ul>

This looks like each user has their own encrypted items. Is that right? Encrypting them limits the ability to perform SQL to search for items. What risk scenario are you mitigating risks from? Because a compromised server all data is exposes in its current implementation. — danblack, Mar 22 '20 at 23:16
The same encryption key is used across users. The echo $item['name'] is the column name and echos them out into a ul>li. — RealJoshLee, Mar 22 '20 at 23:19
I assumed that for some reason [build in encryption (mariadb)](https://mariadb.com/kb/en/library/data-at-rest-encryption/) isn't available in your mysql version or doesn't meet your requirement. — danblack, Mar 22 '20 at 23:43
It encrypts in the php(client) side. Why does it matter if it has build in encryption? — RealJoshLee, Mar 22 '20 at 23:45
This is all wrong. 1) Using execute for a SELECT statements makes no sense here (use one of the fetch* methods). 2) A PDOStatement instance isn't a valid argument for base64_decode. 3) SHA-2 is not a good [key derivation function](https://en.wikipedia.org/wiki/Category:Key_derivation_functions) 4) Your substring call is utterly redundant; sha256 already outputs 32 bytes (= 256 bits), hence the name. 4) [IVs must be unpredictable in CBC mode](https://stackoverflow.com/questions/3008139/why-is-using-a-non-random-iv-with-cbc-mode-a-vulnerability). — Peter, Mar 24 '20 at 18:36
I strongly suggest you write down your risk scenario (what do you want to protect from whom given which level of access to your code and/or infrastructure) and then go look for a solution that does the encryption for you and covers the scenario you came up with. — Peter, Mar 24 '20 at 18:41

PHP AES Decryption from MySQL Database

0 Answers0