I am trying to use mcrypt to store a password on my database. First of all, it WORKS, but only some of the time.
Here is my encryption code:
//Encryption/Decryption key (derived from the username alone)
$key = $username.$username.$username.$username.$username;
//Encryption Algorithm
$cipher_alg = MCRYPT_RIJNDAEL_256;
// Ask for the IV size of the mode actually used below (CBC, not ECB)
$iv = mcrypt_create_iv(mcrypt_get_iv_size($cipher_alg, MCRYPT_MODE_CBC), MCRYPT_RAND);
$password = mcrypt_encrypt($cipher_alg, $key, $pass1, MCRYPT_MODE_CBC, $iv);
This then uploads the $username, the $iv and the $password to the MySQL database.
Here is my decryption code:
//Encryption/Decryption key
$key = $username.$username.$username.$username.$username;
//Encryption Algorithm
$cipher_alg = MCRYPT_RIJNDAEL_256;
// $iv is the IV that was stored next to the ciphertext
$dbpass = mcrypt_decrypt($cipher_alg, $key, $encpass, MCRYPT_MODE_CBC, $iv);
$dbpass = trim($dbpass); // Trim the fat (mcrypt's trailing zero-byte padding)
The $username, $iv, and $encpass(encrypted password) are retrieved from the database and the key is recreated using the username.
This WORKS but only sometimes. I can't figure out why. My only assumption is that the database can't accept some of the characters the encryption produces, such as quotation marks.
Any help would be greatly appreciated!
If you are storing a user's password in the database, you should be using one-way hashing.
Here is just a very minimalist example:
$username = $_POST['username'];
$password = $_POST['password'];
$salt = 'Some Salt';
$result = mysql_query("SELECT username, password
    FROM user
    WHERE username = '".mysql_real_escape_string($username)."'
    AND password = '".mysql_real_escape_string(sha1($password . $salt))."'
    LIMIT 1");
if(mysql_num_rows($result)) {
    // we have a match
}
else {
    // no match
}
You would have to be inserting user passwords with an appended salt using sha1 in my example. Keep in mind, this is just a suggestion for storing user passwords in the database.
$salt = time(); // I would use something other than time(), something more random
// store it in the db and redirect user
connect();
$query = mysql_query("INSERT INTO user VALUES
    ('".mysql_real_escape_string($username)."',
    '".mysql_real_escape_string(sha1($password . $salt))."',
    '".mysql_real_escape_string($salt)."') ");
// returning user
$username = $_POST['username'];
$password = $_POST['password'];
// retrieve stored password
connect();
$result = mysql_query("SELECT * FROM user WHERE username = '".mysql_real_escape_string($username)."' ");
$row = mysql_fetch_assoc($result);
if (!$row) {
    // user doesn't exist ($result itself is only false when the query errors)
}
$storedPassword = $row['password'];
$salt = $row['salt'];
$hashedPassword = sha1($password . $salt);
if ($storedPassword != $hashedPassword) {
    // exit
}
else {
    // redirect user
}
I'm not claiming this is the most secure, it is simply just a small example of one way hashing with a salt.
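The register/login flow this answer describes, as an added example that is not the answerer's code: it uses PHP's built-in password_hash()/password_verify() (PHP 5.5+; the typed signatures need 7.1+) in place of the sha1($password . $salt) construction, and PDO prepared statements in place of string-built mysql_query() calls. An in-memory SQLite database (pdo_sqlite extension assumed) stands in for MySQL so it runs offline.

```php
<?php
// Added example, not from the answers above: the register/login flow of the
// first answer done with password_hash() (random salt generated for you) and
// PDO prepared statements. SQLite in-memory stands in for MySQL so it runs offline.

function openDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // password_hash() output is plain ASCII (no quotes, NULs or raw bytes),
    // so a TEXT/VARCHAR column holds it; bcrypt strings are 60 characters.
    $db->exec('CREATE TABLE user (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
    return $db;
}

// Registration: store only the hash; the salt is embedded in the hash string.
function registerUser(PDO $db, string $username, string $password): void {
    $stmt = $db->prepare('INSERT INTO user (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => password_hash($password, PASSWORD_DEFAULT)]);
}

// Login: look up by username only, then let password_verify() do a
// constant-time comparison instead of the plain != used above.
function verifyLogin(PDO $db, string $username, string $password): bool {
    $stmt = $db->prepare('SELECT password_hash FROM user WHERE username = :u LIMIT 1');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        // Unknown user: verify against a well-formed dummy bcrypt hash so the
        // response time does not reveal whether the username exists.
        password_verify($password, '$2y$10$' . str_repeat('a', 53));
        return false;
    }
    if (!password_verify($password, $row['password_hash'])) {
        return false;
    }
    // Upgrade stored hashes transparently when PASSWORD_DEFAULT's cost changes.
    if (password_needs_rehash($row['password_hash'], PASSWORD_DEFAULT)) {
        $upd = $db->prepare('UPDATE user SET password_hash = :h WHERE username = :u');
        $upd->execute([':h' => password_hash($password, PASSWORD_DEFAULT), ':u' => $username]);
    }
    return true;
}

// Constructed sample run; the quotes in the password need no escaping anywhere.
$db = openDb();
registerUser($db, 'alice', 'corr"ect\' horse battery staple');
var_dump(verifyLogin($db, 'alice', 'corr"ect\' horse battery staple'));
var_dump(verifyLogin($db, 'alice', 'wrong password'));
var_dump(verifyLogin($db, 'nobody', 'anything'));
```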
Agreed that for your particular use case (storing users' passwords), a one-way hash would be best.
But for people who really do need to use mcrypt and PHP and MySQL, see the various options in MySql insert binary data to db without errors. One easy option is base64_encode/base64_decode -- here's an example.
You can try the code below for two-way encryption. You may add a salt to the password as per your requirement.
$key = 'ecryptionkey';
$string = 'password';
// md5($key) is the 32-byte key, md5(md5($key)) a fixed 32-byte IV; base64 makes the binary ciphertext safe to store in a text column
$encrypted = base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, md5($key), $string, MCRYPT_MODE_CBC, md5(md5($key))));
// decode, decrypt, then strip mcrypt's trailing zero-byte padding
$decrypted = rtrim(mcrypt_decrypt(MCRYPT_RIJNDAEL_256, md5($key), base64_decode($encrypted), MCRYPT_MODE_CBC, md5(md5($key))), "\0");
var_dump($encrypted);
var_dump($decrypted);
I got this code from the URL below and I'm using it in my application.