0

I am using PHP to connect to an Oracle database. The PHP function to connect to an Oracle database is

oci_connect("user","password","database");

To make the connection string more secure, I store the connection string in a PHP string variable, and I have encrypted the whole PHP string using the openssl_encrypt method with aes-128-cbc.

At run time I decrypt my encrypted string. The encryption and decryption part is working OK; when I decrypt the string at run time I get the proper decrypted value.

$dec_conn_string = openssl_decrypt($encrypted_conn_string,"aes-128-cbc", $keys, $options=0, $iv);

So it is like

$dec_conn_string = oci_connect("user","password","database");

But $dec_conn_string does not have the expected value, e.g. FALSE or a connection identifier, and the connection to the database is not happening. When I echo the PHP variable $dec_conn_string it displays oci_connect("user","password","database").

  • 2
    How is that more secure? You'd have to have the password for the encryption in PHP code as well... Additionally, a string is not code; you'd have to eval() it to execute the code in a string. This is a bad application design, you shouldn't do it like this. – Honk der Hase Apr 25 '21 at 08:18
  • 2
    You may want to consider https://stackoverflow.com/questions/97984/how-to-secure-database-passwords-in-php instead. – Nigel Ren Apr 25 '21 at 08:21
  • @LarsStegelitz I don't want to use eval as it is dangerous. My server is in a vault, but I don't want to use a plain connection string, as it is a finding in the secure code review audit. – Utsav Patel Apr 25 '21 at 08:24
  • You can't encrypt the whole code line! You may ONLY encrypt the individual parameters of the function call.. – Honk der Hase Apr 25 '21 at 08:43
  • 1
    After you've encrypted the code part with some function it is not code anymore, but a string variable. You need to decrypt it and `eval()` it to run that code. But as was said, it is a bad design; use proper documented security, consider connecting using [Oracle Wallet](https://docs.oracle.com/en/database/oracle/oracle-database/18/dbimi/using-oracle-wallet-manager.html#GUID-D0AA8373-B0AC-4DD8-9FA9-403E345E5A71) – astentx Apr 25 '21 at 09:14
  • There's no need to use decryption in php for this purpose. Use config files or environment variables that are not stored in source control. After all, you would need to store your encryption keys somewhere anyways... – Devon Bessemer Apr 26 '21 at 02:04

2 Answers

0

You could use either an environment variable:

$c = oci_connect('hr', $_ENV['HRPASSWORD'], 'localhost/XE');

Or preferably you could use 'external authentication' such as a wallet (as mentioned in comments) or another authentication system.

$c = oci_connect("/", "", "mynetalias", null, OCI_CRED_EXT);

See 'Password Handling in PHP Applications' on p116 of Oracle's free PDF The Underground PHP and Oracle Manual.

Christopher Jones
0

when i echo php variable $dec_conn_string it displays oci_connect("user","password","database").

So your encrypted data contains both PHP code and data. Really????!!!!!

That's bad. While it is technically possible to handle this in PHP code, it is very dangerous and inefficient.

Keep your code and data separate.

Also use an appropriate data structure for your data.

You need to re-encrypt your data. Not your code.

If I thought the approach of encrypting the credentials had any value (you've just moved the problem to the encryption key) I'd do something like....


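// decrypt() is a placeholder helper, not a PHP built-in
$db=unserialize(decrypt($cyphertext,$key));
// empty() also covers a failed decrypt, where $db is false rather than an array
if (empty($db['user']) || empty($db['pass']) || empty($db['db'])) {
     trigger_error('bad decrypt');
     exit(1);
}
// the decrypted values are passed as data; no decrypted string is executed
oci_connect($db['user'], $db['pass'], $db['db']);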

Where

// encrypt() is a placeholder helper, not a PHP built-in
$cyphertext=encrypt(serialize(array(
   'user'=>'scott', 'pass'=>'tiger','db'=>'hr'
  )),$key);
symcbean
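The second answer's point (encrypt only the data, validate it after decryption, then pass it to oci_connect() as arguments) written out as an added example; it is not code from the question or from either answer. It swaps aes-128-cbc for the authenticated aes-256-gcm mode and serialize() for JSON. DB_CRED_KEY is a hypothetical environment variable name and the credential values are constructed.

```php
<?php
// Added example. Assumptions: DB_CRED_KEY is a hypothetical environment variable
// holding a base64-encoded 32-byte key; the credential values are constructed.

const CIPHER = 'aes-256-gcm';

function seal_credentials(array $creds, string $key): string
{
    $iv = random_bytes(openssl_cipher_iv_length(CIPHER));    // 12 bytes for GCM
    $ct = openssl_encrypt(json_encode($creds), CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return base64_encode($iv . $tag . $ct);                   // iv | tag (16 bytes) | ciphertext
}

function open_credentials(string $blob, string $key): array
{
    $raw   = base64_decode($blob, true);
    $ivLen = openssl_cipher_iv_length(CIPHER);
    if ($raw === false || strlen($raw) <= $ivLen + 16) {
        throw new RuntimeException('malformed credential blob');
    }
    $iv    = substr($raw, 0, $ivLen);
    $tag   = substr($raw, $ivLen, 16);
    $ct    = substr($raw, $ivLen + 16);
    // Returns false if the key is wrong or the blob was modified (tag mismatch).
    $json  = openssl_decrypt($ct, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag);
    $creds = $json === false ? null : json_decode($json, true);
    foreach (['user', 'pass', 'db'] as $field) {
        if (!is_array($creds) || !is_string($creds[$field] ?? null) || $creds[$field] === '') {
            throw new RuntimeException('bad decrypt or missing field');
        }
    }
    return $creds;
}

// The key comes from the environment in deployment; a random one keeps this demo runnable.
$key   = base64_decode(getenv('DB_CRED_KEY') ?: '', true) ?: random_bytes(32);
$blob  = seal_credentials(['user' => 'scott', 'pass' => 'tiger', 'db' => 'hr'], $key);
$creds = open_credentials($blob, $key);

// Decrypted values are only ever function arguments; nothing decrypted is executed.
if (function_exists('oci_connect')) {
    $conn = oci_connect($creds['user'], $creds['pass'], $creds['db']);
    echo $conn ? "connected\n" : "connect failed\n";
} else {
    echo "decrypted fields: " . implode(', ', array_keys($creds)) . "\n";
}
```

As the comments and the second answer note, this only moves the secret to the key, so the key needs the same protection the password would.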