Can i Encrypt submitted form data in PHP by using SSL?

Question

if i bough SSL Certificate for my site, can i encrypt submitted form data manually in PHP then store it to database?

Please Explain me what ssl does?

Example:

visitor of the site enter username and password, can i encrypt both data in php by using SSL?

like this.

$u_name = verisign_ssl_encryption($_POST['username']);
$pass = verisign_ssl_encryption($_POST['password']);

mysql_query('insert into table (username,password) values ("'.$u_name.'", "'.$pass.'")';

and can i decrypt retrieved encrypted data from table by using same SSL like this

$row = mysql_fetch_array(mysql_query('select * from table where u_id = 1'));
$user_card_no = verisign_ssl_decrypt($row['card_no']);
echo $user_card_no;

or SSL is something different from like this?

Advance thanks for your answers!

Answer 1

Yes, you can do that, but you don't need to buy a certificate to use SSL encryption. Any self signed certificate will work to encrypt data on your server.

Note that if a hacker gets access to your code, they likely have access to your private key, and they will still be able to get to your database.

Also, you should hash the passwords (with salt) even if you encrypt the data.

See openssl_encrypt() and related functions.

Answer 2

SSL stands for Secure Sockets Layer, and basically provides a secure channel for a web browser and web server to exchange information. Basically anything sent over the internet with SSL is secure, but SSL doesn't really have anything to do with encrypting usernames or passwords once your server has received them.

Basically, if you want to ensure that your connection between the server and browser is secure, you first test whether SSL (https) is being used, and if not, redirect to the same page, but starting with "https://" instead of the standard "http://"

 if($_SERVER['HTTPS'] != 'on') {
     header('HTTP/1.1 301 Moved Permanently');
     header('Location: "https://" ' . $_SERVER["SERVER_NAME"] . $_SERVER["REQUEST_URI"]);
     exit();
 }

Put this code at the top of your page, it will redirect the user's browser to use a secure connection. Using "exit()" will ensure that your script doesn't send anything to the browser unless ($_SERVER['HTTPS'] == 'on').

If you want to secure usernames/passwords once your server has received them, say for adding to a database, you should use a salted hash. Basically a salted hash will compute a hash code that can't be reversed to determine the original password. This way, if anyone hacks into your database, they won't be able to steal any passwords.

The "salt" in a salted hash is simply a random word or sequence which makes dictionary attacks much much harder. A simple function which will return a salted hash of a string:

function getSaltedHash($string){
    $salted = "SaLtStRiNg" . $string;
    $hash   = md5($salted);
    return $hash;
}

The output of this function will be a long hex string (like: 23fds327de345ad7839d9799a9b), you should store this number as the password in the database, and when you need to verify a password, simply compute the hashcode of the password that a user has sent (by using the same hashing function) with the hashcode that you've stored in your database.

If you need to actually encrypt data to put in your database (hashing is not the same as encryption), then you need to looking into some of PHP's crypto packages, or if verisign has provided you with an encryption/decryption API, then use that.

Under NO CIRCUMSTANCES should you try to devise your own crypto scheme, and definitely NEVER use obfuscation (like BASE64, or ROT13), these do nothing to secure your data, and any competent hacker will be able to decode obfuscated data very easily.

Answer 3

SSL can be used in many ways, but I think the way you mean you will need ssl support for your website. With apache you can do this with modssl http://www.modssl.org/.

You should consult with your hosting provider to configure your website with ssl support.

Answer 4

If you don't want to buy an SSL certificate, encrypt your submitted data with base64.