php crypt

         

music_man

10:07 pm on Jan 12, 2006 (gmt 0)

10+ Year Member



Hi

I have been looking around on how to crypt and decrypt a variable.

I have looked up a phpnoise tutorial but I can't get it to go for me on the system I am using.

I would like to be able to encrypt an input and store it on a flat file database on one page. Then I would like to be able to call up the flat file database and decrypt it, on another page.

Do I have to use gnupgp for this?

whoisgregg

10:31 pm on Jan 12, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



How about the Mcrypt Encryption Functions [php.net] (as mentioned in your last thread about php encryption [webmasterworld.com])?

music_man

2:24 am on Jan 13, 2006 (gmt 0)

10+ Year Member



Sorry I must have missed the replies.

Thank you.

music_man

2:50 am on Jan 13, 2006 (gmt 0)

10+ Year Member



Hi

Well I have tried to do it using the php.net examples but I can't seem to get it going.

Here is my situation:

I have a newsletter subscribe process which adds the email to the flat file database - which I would like to encrypt.

So I have done this:

$iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB);
$iv = mcrypt_create_iv($iv_size, MCRYPT_RAND);
$key = "f98hdrfg98dfkjg";
$text = $_GET["email"];

$encemail = mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, $text, MCRYPT_MODE_ECB, $iv);

And I write $encemail to the database and that seems to go fine.

Now I am in administration and I would like to view the subscribers so I must decrypt the data.

Here is the code:

$iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB);
$iv = mcrypt_create_iv($iv_size, MCRYPT_RAND);
$key = "f98hdrfg98dfkjg";
$buffer2 = $buffer;

$encemail = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, $buffer2, MCRYPT_MODE_ECB, $iv);

It shows the email encrypted.

I think this problem might have something to do with the MCRYPT_RAND...

whoisgregg

4:58 pm on Jan 13, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



The IV used to decrypt must be the same that was used to encrypt. It appears as though you may be creating a new, different IV when attempting to decrypt.

Added: In other words, pass the key and the IV to the decrypt function. The IV can be stored with the encrypted data.

music_man

9:43 pm on Jan 13, 2006 (gmt 0)

10+ Year Member



Can I set the iv to be a set variable like

$iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB);
$iv = mcrypt_create_iv($iv_size, dfg98dnfg);
//changed rand
$key = "f98hdrfg98dfkjg";
$buffer2 = $buffer;

whoisgregg

10:53 pm on Jan 13, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



It wouldn't affect your ability to decrypt the string. Have you been able to get the decryption working?

music_man

9:45 am on Jan 14, 2006 (gmt 0)

10+ Year Member



It says:

mcrypt_create_iv() expects parameter 2 to be long

Are you saying that it still won't work?

Do I need the iv?

music_man

7:46 am on Jan 15, 2006 (gmt 0)

10+ Year Member



What about pgp encryption? I am not sure how to implement that. Is there a good tutorial?

whoisgregg

7:35 pm on Jan 16, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



What I'm saying is that the function mcrypt_create_iv() has no place in your decrypt function.

When decrypting, $iv should be equal to what was generated from that function during the encryption of the data.

Instead of writing to a DB, try encrypting and decrypting on the same page, printing out the results of each step.

music_man

8:01 pm on Jan 16, 2006 (gmt 0)

10+ Year Member



So $iv should be relative to the $email input? That would make each $iv unique. Is it really necessary? I'll do some investigating.

whoisgregg

9:41 pm on Jan 16, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



You could use the same $iv every time you encrypt. I believe it makes the encryption less "secure," but it's your call as to how well you wish to secure the data.

music_man

11:30 pm on Jan 16, 2006 (gmt 0)

10+ Year Member



Well I would like to make it as secure as I can. However, I think I have to have a set $iv with this situation.

music_man

12:11 am on Jan 17, 2006 (gmt 0)

10+ Year Member



Here is my test:

test.php

<html>
<body>
<a href="test2.php?text=howdy">test2</a>
</body>
</html>

test2.php

<?

$iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB);
$iv = mcrypt_create_iv($iv_size, 345);
$key = "This is a very secret key";
$text = $_GET["text"];
echo strlen($text) . "\n";

$crypttext = mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, $text, MCRYPT_MODE_ECB, $iv);

$crypttext2 = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, $text, MCRYPT_MODE_ECB, $iv);

echo strlen($crypttext2) . "\n";

echo strlen($crypttext) . "\n";
?>

Gives:

5 32 32

...

whoisgregg

6:05 pm on Jan 17, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



$crypttext2 = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, $text, MCRYPT_MODE_ECB, $iv);

should be

$crypttext2 = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, $crypttext, MCRYPT_MODE_ECB, $iv);

music_man

10:54 pm on Jan 17, 2006 (gmt 0)

10+ Year Member



<?

$iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB);
$iv = mcrypt_create_iv($iv_size, 345);
$key = "This is a very secret key";
$text = $_GET["text"];
echo strlen($text) . "\n";

$crypttext = mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, $text, MCRYPT_MODE_ECB, $iv);

$crypttext2 = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, $crypttext, MCRYPT_MODE_ECB, $iv);

echo strlen($crypttext2) . "\n";

echo strlen($crypttext) . "\n";
?>

It still returns the same... as numbers. I am assuming one would be numbers and one would be the text I sent.

whoisgregg

11:45 pm on Jan 17, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Well, you are echoing the strlen of the result, which is a function that determines the length of the string. Try:

echo ($crypttext2) . "\n";
echo ($crypttext) . "\n";

music_man

7:55 pm on Jan 18, 2006 (gmt 0)

10+ Year Member



It adds a 5 before the text. It says:

5 howdy

whoisgregg

8:55 pm on Jan 18, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Read through your code. You have an earlier echo statement which is producing the 5.

However, if you are able to see the decrypted text, that means your decryption routine is working. Congrats! :)

music_man

9:05 pm on Jan 18, 2006 (gmt 0)

10+ Year Member



I do too! Thanks for your help! I am going to try and implement it into the system.

music_man

9:20 pm on Jan 18, 2006 (gmt 0)

10+ Year Member



Ok I have tried to implement it without success. Here is the coding for writing to a flatfile as encrypted, and then trying to view it in a select field.

subscribe_process


<?php
#####################
#
# Newsletter subscribe
#
#####################
$new_email_address = $_GET['email'];
$new_email_id = $_GET['id'];
$found = FALSE;
$file = file_get_contents('tmp.txt');
$lines = explode("\n", $file);
foreach($lines as $line)
{
$info = explode('¦', $line);
if($info[0] == $new_email_address)
{
if($info[1] == $new_email_id)
{
$found = TRUE;
$user_info = $info;
}
else
{
$awaiting = implode('¦', $info)."\n";
}
}
else
{
$awaiting = implode('¦', $info)."\n";
}
}
if($found)
{
$contents = file_get_contents('subscribers.txt');
$subscribers = explode(",", $contents);
if(in_array($new_email_address, $subscribers))
{
$result = TRUE;
}
else
{
$result = FALSE;
}
if($result)
{
$msg = "
<h3>
Sorry, we cannot add you as... you already exist on this list...
</h3>
";
}
else
{
$fp2 = fopen('tmp.txt', "w");
fwrite($fp2, $awaiting);
fclose($fp2);

$iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB);
$iv = mcrypt_create_iv($iv_size, 489);
$key = "f8ghh9 98sdfhg se98";
$text = $_GET["email"];

$cryptemail = mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, $text, MCRYPT_MODE_ECB, $iv);

$fp = fopen("subscribers.txt", "a+");
fwrite($fp, $cryptemail . ",");
fclose($fp);
$msg = "
<h3>
You have been added to the newsletter. Thanks!
</h3>
";
}
}
else
{
die('Not found');
}
$page = 'about';
include ("inc/files/header.php");
?>
<!-- content -->
<div id="content">
<?php echo $msg;?>
</div>
<!-- // content -->
<?php
include ("inc/files/footer.php");
?>

Subscribers

<?
#####################
#
# Newsletter subscribers
#
#####################
session_start();
require_once("includes/config.php");
if($_SESSION["valid"] == true)
{

$iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB);
$iv = mcrypt_create_iv($iv_size, 489);
$key = "f8ghh9 98sdfhg se98";
$text = $buffer;

$buffer = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, $text, MCRYPT_MODE_ECB, $iv);

if($_GET["action"] == "add")
{
$fp = fopen("subscribers.txt", "r");
$file_text = fread($fp, 999999);
fclose($fp);
$subscribers = explode(",",$file_text);
foreach($subscribers as $subscriber)
{
if($subscriber == $_GET["email"])
{
$result = 1;
break;
}
else
{
$result = 0;
}
}
if($result == 1)
{
$msg = "
<div class=error>
Cannot add subscriber, subscriber already exists...
</div>
";
}
else
{
$fp = fopen("subscribers.txt", "a+");
fwrite($fp, $_GET["email"] . ",");
fclose($fp);
$msg = "
<div class=message>
Subscriber added successfully...
</div>
";
}
}
if($_GET["action"] == "delete")
{
$fp = fopen("subscribers.txt", "r");
$file_text = fread($fp, 999999);
fclose($fp);
$fp = fopen("subscribers.txt", "w");
$file_text_new = str_replace("$_GET[email],", "", $file_text);
fwrite($fp, $file_text_new);
fclose($fp);
$msg = "
<div class=message>
Subscriber deleted successfully...
</div>
";
}
if(isset($msg)) $main .= "$msg
<br>
";
$main .= "
<div class=heading2>
Add a subscriber
</div>
<br>
<form name=add action='subscribers.php' method='get'>
Email
<br>
<input class=textField type=text name=email>
<br>
<br>
<input type=hidden name=action value=add>
<input class=button type=submit value=Add>
</form>
<script language=javascript>
var validator = new Validator('add');
validator.addValidation('email','req','Please enter a valid email');
validator.addValidation('email','email','Please enter a valid email');
</script>
<br>
<div class=heading2>
Delete a subscriber
</div>
<br>
<form action='subscribers.php' method='get'>
Email
<br>
<select class=textField name=email>
";

$fp = fopen("subscribers.txt", "r");
while (!feof($fp))
{
$char = fread($fp, 1);
if($char == ",")
{
$main .= "
<option>
$buffer
</option>
";
$buffer = "";
}
else
{
$buffer .= "$char";
}
}
fclose($fp);
$main .= "
</select>
<br>
<br>
<input type=hidden name=action value=delete>
<input class=button type=submit value=Delete>
</form>
";
}
else
{
header("Location: index.php");
}
$page = "subscribers";
require_once("includes/template.php");
?>

It doesn't decrypt for the select field.

whoisgregg

10:22 pm on Jan 18, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Make a page where you run:

$iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB);
$iv = mcrypt_create_iv($iv_size, 489);
echo $iv;

Then copy and paste whatever you get into your "includes/config.php" file as:

$iv = 'whatever you got';

Next, add this line to your subscribe_process.php script, at the top:

require_once("includes/config.php");

Then delete these lines from both of your scripts:

$iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB);
$iv = mcrypt_create_iv($iv_size, 489);

Why all the above? Because since you aren't generating a random $iv each time, you might as well just make one $iv and stop trying to make it every time. $iv is just a string to make your encryption unique to you.

Finally, add this line into your Subscribers.php file:

$key = "f8ghh9 98sdfhg se98";
echo 'Before: '.$buffer.'<br>';
$text = $buffer;
$buffer = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, $text, MCRYPT_MODE_ECB, $iv);
echo '<br>After: '.$buffer.'<br>';

I can't see what $buffer is defined as. Let me know what gets echoed. I suspect the problem is how $text is defined.

music_man

11:37 pm on Jan 18, 2006 (gmt 0)

10+ Year Member



Whoa it almost works!

Ok I did what you said and it gives me a warning saying the $iv is too large. Should I make it smaller?

Also... I put the $buffer bit where I think it should go, and it worked-ish. The email got decrypted but it has lots of 0's after it.

Here is the subscribers.php file


<?
#####################
#
# Newsletter subscribers
#
#####################
session_start();
require_once("includes/config.php");
if($_SESSION["valid"] == true)
{

if($_GET["action"] == "add")
{
$fp = fopen("subscribers.txt", "r");
$file_text = fread($fp, 999999);
fclose($fp);
$subscribers = explode(",",$file_text);
foreach($subscribers as $subscriber)
{
if($subscriber == $_GET["email"])
{
$result = 1;
break;
}
else
{
$result = 0;
}
}
if($result == 1)
{
$msg = "
<div class=error>
Cannot add subscriber, subscriber already exists...
</div>
";
}
else
{
$fp = fopen("subscribers.txt", "a+");
fwrite($fp, $_GET["email"] . ",");
fclose($fp);
$msg = "
<div class=message>
Subscriber added successfully...
</div>
";
}
}
if($_GET["action"] == "delete")
{
$fp = fopen("subscribers.txt", "r");
$file_text = fread($fp, 999999);
fclose($fp);
$fp = fopen("subscribers.txt", "w");
$file_text_new = str_replace("$_GET[email],", "", $file_text);
fwrite($fp, $file_text_new);
fclose($fp);
$msg = "
<div class=message>
Subscriber deleted successfully...
</div>
";
}
if(isset($msg)) $main .= "$msg
<br>
";
$main .= "
<div class=heading2>
Add a subscriber
</div>
<br>
<form name=add action='subscribers.php' method='get'>
Email
<br>
<input class=textField type=text name=email>
<br>
<br>
<input type=hidden name=action value=add>
<input class=button type=submit value=Add>
</form>
<script language=javascript>
var validator = new Validator('add');
validator.addValidation('email','req','Please enter a valid email');
validator.addValidation('email','email','Please enter a valid email');
</script>
<br>
<div class=heading2>
Delete a subscriber
</div>
<br>
<form action='subscribers.php' method='get'>
Email
<br>
<select class=textField name=email>
";

$fp = fopen("subscribers.txt", "r");
while (!feof($fp))
{
$char = fread($fp, 1);
if($char == ",")
{

$key = "f8ghh9 98sdfhg se98";
echo 'Before: '.$buffer.'<br>';
$text = $buffer;
$buffer = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, $text, MCRYPT_MODE_ECB, $iv);
echo '<br>After: '.$buffer.'<br>';


$main .= "
<option>
$buffer
</option>
";
$buffer = "";
}
else
{
$buffer .= "$char";
}
}
fclose($fp);
$main .= "
</select>
<br>
<br>
<input type=hidden name=action value=delete>
<input class=button type=submit value=Delete>
</form>
";
}
else
{
header("Location: index.php");
}
$page = "subscribers";
require_once("includes/template.php");
?>

whoisgregg

5:19 pm on Jan 19, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Glad we're getting closer. :)

So, I expect that the output of subscribers.php is (the part about $buffer, I know there is a lot more output.)

Before: dfs87dsf879vs7d89v7sd89f7sfs... (the encrypted email)
After: somebody@somedomain.tld000000000000000000000000000000

Is that accurate? If so, I have no clue why the 0s are there. Rather than spend time figuring it out, I'd take a look at rtrim [php.net] and just get rid of them.
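
Where the trailing 0s come from, as an added illustration that is not code from the thread: mcrypt_encrypt() pads its input with NUL bytes up to the cipher's block size (32 bytes for MCRYPT_RIJNDAEL_256, which is why the 5-character test string came back as 32 bytes), and rtrim() cannot tell that padding from real trailing bytes. The helper names are hypothetical and the inputs are constructed; PKCS#7 is shown beside it as a padding scheme whose length can be recovered exactly.

```php
<?php
// Added illustration, not code from the thread; helper names are hypothetical.
const BLOCK = 32; // block size of MCRYPT_RIJNDAEL_256 in bytes

// What mcrypt_encrypt() did to its input before encrypting.
function zero_pad(string $s): string {
    $rem = strlen($s) % BLOCK;
    return $rem === 0 ? $s : $s . str_repeat("\0", BLOCK - $rem);
}

// PKCS#7: always append n bytes of value n (1..BLOCK), so the length is recoverable.
function pkcs7_pad(string $s): string {
    $n = BLOCK - (strlen($s) % BLOCK);
    return $s . str_repeat(chr($n), $n);
}

function pkcs7_unpad(string $s): string {
    $len = strlen($s);
    $n   = $len > 0 ? ord($s[$len - 1]) : 0;
    if ($len % BLOCK !== 0 || $n < 1 || $n > BLOCK
        || substr($s, -$n) !== str_repeat(chr($n), $n)) {
        throw new InvalidArgumentException('bad padding');
    }
    return substr($s, 0, $len - $n);
}

// Constructed inputs: two ordinary strings and two that end in bytes rtrim() eats.
$samples = ['howdy', 'somebody@somedomain.tld', 'ends-with-dot.', "binary\0\0"];
foreach ($samples as $s) {
    $viaZero  = rtrim(zero_pad($s), " \0.");   // the workaround used in the thread
    $viaPkcs7 = pkcs7_unpad(pkcs7_pad($s));
    printf("%-28s zero+rtrim intact: %-3s pkcs7 intact: %s\n",
        json_encode($s),
        $viaZero === $s ? 'yes' : 'NO',
        $viaPkcs7 === $s ? 'yes' : 'NO');
}
```

Authenticated modes such as AES-GCM need no padding at all, so there is nothing to trim after decryption.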

music_man

4:42 am on Jan 22, 2006 (gmt 0)

10+ Year Member



Does the $iv size thing have any relation to a variable input - like the email address?

music_man

4:49 am on Jan 22, 2006 (gmt 0)

10+ Year Member



I did the trim thing and it worked thanks!

Here is the code:


$key = "f8ghh9 98sdfhg se98";
echo 'Before: '.$buffer.'<br>';
$text = $buffer;
$buffer = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, $text, MCRYPT_MODE_ECB, $iv);

echo '<br>After: '.$buffer.'<br>';

$trimmed = rtrim($buffer, " \0.");

echo '<br>After trim: '.$trimmed.'<br>';

I still get the warning:


Warning: mcrypt_decrypt(): The IV parameter must be as long as the blocksize

music_man

5:12 am on Jan 22, 2006 (gmt 0)

10+ Year Member



Sorry for all the posts from me one after another but I have hit a hurdle in deleting from the subscribers.txt file...


<?
#####################
#
# Newsletter subscribers
#
#####################
session_start();
require_once("includes/config.php");
if($_SESSION["valid"] == true)
{

if($_GET["action"] == "add")
{
$fp = fopen("subscribers.txt", "r");
$file_text = fread($fp, 999999);
fclose($fp);
$subscribers = explode(",",$file_text);
foreach($subscribers as $subscriber)
{
if($subscriber == $_GET["email"])
{
$result = 1;
break;
}
else
{
$result = 0;
}
}
if($result == 1)
{
$msg = "
<div class=error>
Cannot add subscriber, subscriber already exists...
</div>
";
}
else
{

$key = "f8ghh9 98sdfhg se98";
$text = $_GET["email"];

$cryptemail = mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, $text, MCRYPT_MODE_ECB, $iv);

$fp = fopen("subscribers.txt", "a+");
fwrite($fp, $cryptemail . ",");
fclose($fp);
$msg = "
<div class=message>
Subscriber added successfully! Yay!
</div>
";
}
}
if($_GET["action"] == "delete")
{
$fp = fopen("subscribers.txt", "r");
$file_text = fread($fp, 999999);
fclose($fp);

$key = "f8ghh9 98sdfhg se98";
$text = $_GET["email"];
$text = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, $text, MCRYPT_MODE_ECB, $iv);

$email2 = rtrim($text, " \0.");


$fp = fopen("subscribers.txt", "w");
$file_text_new = str_replace("$email2,", "", $file_text);
fwrite($fp, $file_text_new);
fclose($fp);
$msg = "
<div class=message>
Subscriber deleted successfully...
</div>
";
}
if(isset($msg)) $main .= "$msg
<br>
";
$main .= "
<div class=heading2>
Add a subscriber
</div>
<br>
<form name=add action='subscribers.php' method='get'>
Email
<br>
<input class=textField type=text name=email>
<br>
<br>
<input type=hidden name=action value=add>
<input class=button type=submit value=Add>
</form>
<script language=javascript>
var validator = new Validator('add');
validator.addValidation('email','req','Please enter a valid email');
validator.addValidation('email','email','Please enter a valid email');
</script>
<br>
<div class=heading2>
Delete a subscriber
</div>
<br>
<form action='subscribers.php' method='get'>
Email
<br>
<select class=textField name=email>
";

$fp = fopen("subscribers.txt", "r");
while (!feof($fp))
{
$char = fread($fp, 1);
if($char == ",")
{

$key = "f8ghh9 98sdfhg se98";
$text = $buffer;
$buffer = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, $text, MCRYPT_MODE_ECB, $iv);

$buffer = rtrim($buffer, " \0.");

$main .= "
<option>
$buffer
</option>
";
$buffer = "";
}
else
{
$buffer .= "$char";
}
}
fclose($fp);
$main .= "
</select>
<br>
<br>
<input type=hidden name=action value=delete>
<input class=button type=submit value=Delete>
</form>
";
}
else
{
header("Location: index.php");
}
$page = "subscribers";
require_once("includes/template.php");
?>

It doesn't delete it...

music_man

4:36 am on Jan 23, 2006 (gmt 0)

10+ Year Member



... bump...

whoisgregg

7:29 pm on Jan 23, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I don't know about the failing to delete problem. Perhaps a new thread with the isolated code responsible for deleting is in order? (Since deleting has little to do with the encryption/decryption.)

As far as the $iv needing to match the size of the encrypted message, the mcrypt_get_iv_size [php.net] function or the mcrypt_enc_get_iv_size [php.net] would need to accept the message or the length of the message for that to be a factor, right? But all it accepts is the cipher and mode, so length of message could not possibly be a factor.
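
The two points raised in this thread, storing the IV with the encrypted data and deleting a subscriber from the encrypted file, as an added example that is not code from the thread. It swaps the mcrypt extension (deprecated in PHP 7.1 and removed in 7.2) for OpenSSL AES-256-GCM with a random IV per record; the store path, function names and demo key are assumptions, and PHP 7.4 or later is assumed for the arrow functions.

```php
<?php
// Added example, not code from the thread. Store path, function names and the
// demo key are assumptions made for illustration.
const CIPHER  = 'aes-256-gcm';
const TAG_LEN = 16;
define('STORE', sys_get_temp_dir() . '/subscribers.enc'); // one record per line

function encrypt_record(string $plain, string $key): string {
    $iv = random_bytes(openssl_cipher_iv_length(CIPHER)); // fresh IV per record
    $ct = openssl_encrypt($plain, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($ct === false) throw new RuntimeException('encryption failed');
    // IV and tag are not secret, so they travel with the ciphertext. Base64
    // keeps raw bytes from colliding with the record delimiter.
    return base64_encode($iv . $tag . $ct);
}

function decrypt_record(string $record, string $key): ?string {
    $raw   = base64_decode($record, true);
    $ivLen = openssl_cipher_iv_length(CIPHER);
    if ($raw === false || strlen($raw) <= $ivLen + TAG_LEN) return null;
    $iv    = substr($raw, 0, $ivLen);          // the IV written at encryption time
    $tag   = substr($raw, $ivLen, TAG_LEN);
    $plain = openssl_decrypt(substr($raw, $ivLen + TAG_LEN), CIPHER, $key,
                             OPENSSL_RAW_DATA, $iv, $tag);
    return $plain === false ? null : $plain;   // false: wrong key or modified record
}

function read_lines(): array {
    return is_file(STORE) ? file(STORE, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) : [];
}

function list_subscribers(string $key): array {
    $emails = array_map(fn($l) => decrypt_record($l, $key), read_lines());
    return array_values(array_filter($emails, fn($e) => $e !== null));
}

function add_subscriber(string $email, string $key): bool {
    if (in_array($email, list_subscribers($key), true)) return false; // duplicate
    file_put_contents(STORE, encrypt_record($email, $key) . "\n", FILE_APPEND | LOCK_EX);
    return true;
}

function delete_subscriber(string $email, string $key): int {
    // The same address encrypts to different bytes each time, so match on the
    // decrypted value rather than str_replace() over the file contents.
    $lines = read_lines();
    $keep  = array_filter($lines, fn($l) => decrypt_record($l, $key) !== $email);
    file_put_contents(STORE, $keep ? implode("\n", $keep) . "\n" : '', LOCK_EX);
    return count($lines) - count($keep);
}

$key = random_bytes(32); // demo only; load a real key from outside the web root
@unlink(STORE);
add_subscriber('alice@example.org', $key);
add_subscriber('bob@example.org', $key);
delete_subscriber('alice@example.org', $key);
print_r(list_subscribers($key));
```

When the decrypted addresses are written into the `<option>` list, pass them through htmlspecialchars() first.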

music_man

7:14 pm on Jan 24, 2006 (gmt 0)

10+ Year Member



How do I remove the warning then?