
I have a good working knowledge of basic security best practices (password hashing, preventing sql injection, CSRF, etc.) but am completely at a loss for finding a solution to common-case encryption and decryption in PHP.

Google is little help, with most results being heavily criticised for being insecure by design or simply outdated (e.g. ECB), and to add to the confusion, the plethora of libraries seems to offer little confidence over each other.

Say I have a string of plaintext and a key that will not change and I want to be able to encrypt and decrypt that string at will using that key with as little code as possible (ideally a one-liner) and while adhering to current best practice. Could someone please provide an example of this in PHP?

A great example of where this would be useful is when storing sensitive data in WordPress. The Options API makes basic storage and retrieval really easy, but often you need to store credit card details, API keys, etc. and a really simple one-liner would greatly improve the situation.

Also, if I'm asking in the wrong place and there already exists an always-up-to-date source for this exact problem, please feel free to direct me there.

EDIT: The key should support an arbitrary string, so you could use WordPress's AUTH_KEY if desired and to keep it simple.

Rich Jenks
  • It would help if you can include some of the criticism you mentioned. E.g. what's wrong with mcrypt? (with CBC, but I think modes of operation would be a separate question, as they are not unique to PHP). – tim Mar 10 '15 at 12:23
  • This is a duplicate of [How to encrypt in PHP, properly?](https://security.stackexchange.com/questions/80888/how-to-encrypt-in-php-properly) which has no good answers yet. – Xander Mar 10 '15 at 12:56
  • The best option at this time is to use the [Defuse PHP Encryption API](https://github.com/defuse/php-encryption) and be sure to use a strong, random key that you've stored as securely as possible. – Xander Mar 10 '15 at 12:58
  • And as a general rule, you simply shouldn't store credit card details at all. Certainly not with WordPress, under any circumstances. Use a third-party payment provider to manage those instead. – Xander Mar 10 '15 at 12:59

2 Answers


I don't think there is any one-line function or method for encryption and decryption. You can try this; it's pretty easy:

https://github.com/CoreProc/crypto-guard

Sample:

```php
<?php

require 'vendor/autoload.php';

use Coreproc\CryptoGuard\CryptoGuard;

// This passphrase should be consistent and will be used as your key to encrypt/decrypt
// your string
$passphrase = 'whatever-you-want';

// Instantiate the CryptoGuard class
$cryptoGuard = new CryptoGuard($passphrase);

$stringToEncrypt = 'test';

// This will spit out the encrypted text
$encryptedText = $cryptoGuard->encrypt($stringToEncrypt);

// This should give you back the string you encrypted
echo $cryptoGuard->decrypt($encryptedText);
```
GouravR
  • The first thing I see is that this provider lacks authentication, which is a critical flaw. – Xander Mar 10 '15 at 12:53
  • I think that the question is about encryption and decryption of a string. The above is a basic example. – GouravR Mar 10 '15 at 12:59
  • The question is about best practices. This answer does not follow best practices, and is thus wrong. – Xander Mar 10 '15 at 13:03
  • Asking the user for a passphrase and then using that passphrase directly as the encryption key is completely wrong. There are key derivation functions that can take a user input and derive a key of the desired length. This is a consistent problem with PHP as a whole: a lot of bad code is given as example and people assume that is the best (or the only) way to do things. – void_in Mar 13 '15 at 16:18
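The two objections raised in the comments above (no authentication, and a passphrase used directly as the key) are exactly what a "one-liner" wrapper has to get right. The following is an added example, not code from CryptoGuard, from any answer, or from any library the thread mentions: it derives a 256-bit key from an arbitrary passphrase (so a WordPress `AUTH_KEY` works, as the question asks) with PBKDF2 and a per-message salt, and encrypts with AES-256-GCM so that any tampering with the stored value is detected on decryption. It assumes PHP 7.1 or later (the `$tag` parameters of `openssl_encrypt`/`openssl_decrypt`); the passphrase and value are constructed placeholders.

```php
<?php
// Added example: authenticated encryption with a derived key.
// Assumes PHP >= 7.1 with the OpenSSL extension (AES-GCM tag support).

const KDF_ITERATIONS = 100000; // PBKDF2 work factor; raise as your hardware allows
const SALT_LEN = 16;
const IV_LEN   = 12;           // 96-bit nonce, the recommended size for GCM
const TAG_LEN  = 16;           // 128-bit authentication tag

// Turn an arbitrary string (e.g. a WordPress AUTH_KEY) into a 32-byte key.
// The salt is random per message, so the same passphrase never yields the same key twice.
function deriveKey(string $passphrase, string $salt): string
{
    return hash_pbkdf2('sha256', $passphrase, $salt, KDF_ITERATIONS, 32, true);
}

// Returns base64(salt || iv || tag || ciphertext), safe to store in a single option/column.
function encryptString(string $plaintext, string $passphrase): string
{
    $salt = random_bytes(SALT_LEN);
    $iv   = random_bytes(IV_LEN);
    $key  = deriveKey($passphrase, $salt);
    $tag  = '';
    $ciphertext = openssl_encrypt($plaintext, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag, '', TAG_LEN);
    if ($ciphertext === false) {
        throw new RuntimeException('encryption failed: ' . openssl_error_string());
    }
    return base64_encode($salt . $iv . $tag . $ciphertext);
}

// Returns the plaintext, or throws if the token was altered or the passphrase is wrong.
// Both cases fail the GCM tag check, and openssl_decrypt then returns false.
function decryptString(string $token, string $passphrase): string
{
    $raw    = base64_decode($token, true);
    $minLen = SALT_LEN + IV_LEN + TAG_LEN;
    if ($raw === false || strlen($raw) < $minLen) {
        throw new RuntimeException('malformed token');
    }
    $salt       = substr($raw, 0, SALT_LEN);
    $iv         = substr($raw, SALT_LEN, IV_LEN);
    $tag        = substr($raw, SALT_LEN + IV_LEN, TAG_LEN);
    $ciphertext = substr($raw, $minLen);
    $key        = deriveKey($passphrase, $salt);
    $plaintext  = openssl_decrypt($ciphertext, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($plaintext === false) {
        throw new RuntimeException('decryption failed: token tampered with or wrong key');
    }
    return $plaintext;
}

// Usage with constructed placeholder values.
$passphrase = 'replace-with-a-long-random-secret'; // e.g. WordPress AUTH_KEY
$token      = encryptString('example-api-key-value', $passphrase);
echo decryptString($token, $passphrase), PHP_EOL; // prints the original string

// Tamper check: flip one bit of the stored ciphertext and decryption is rejected.
$bytes = base64_decode($token);
$last  = strlen($bytes) - 1;
$bytes[$last] = chr(ord($bytes[$last]) ^ 0x01);
try {
    decryptString(base64_encode($bytes), $passphrase);
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Two design notes: the tag comparison is done inside OpenSSL, so no hand-written `==` on secrets is needed, and every call re-runs PBKDF2 because the salt is per message; if your key is already a uniformly random 32-byte value rather than a human-chosen string, you can skip the KDF and use it directly, which is the setup the Defuse library comment above recommends.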

Seems that what I'm hoping for doesn't exist. I'd love to see something like this in PHP core because most people just don't have the time, interest or inclination to learn things like this but will still inevitably need it.

I ended up using a library. https://github.com/defuse/php-encryption looked very good, but not available on Packagist, so I went with http://phpseclib.sourceforge.net/

Rich Jenks