[nycphp-talk] Encrypt and decrypt to store in DB

Dan Cech dcech at phpwerx.net
Thu Aug 3 13:21:00 EDT 2006


David Mintz wrote:
> On Thu, 3 Aug 2006, Daniel Convissor wrote:
> 
>> On Thu, Aug 03, 2006 at 10:00:20AM -0400, Aaron Fischer wrote:
>>> Are there any other functions/classes that folks would recommend that
>>> would allow me to encrypt and decrypt a string?
>> GNUPG, aka GPG.
> 
> More specifically, something like:
> 
> $output = shell_exec('echo "credit card number
> 2000-1234-9876-4321"|/usr/bin/gpg --no-secmem-warning --homedir
> /usr/home/username/.gnupg -ear them at example.org');

This isn't a great idea, as you're echoing out plaintext to the shell; a
more secure approach is to launch gpg with popen, redirect the
encrypted output to a temporary file, and then feed in the plaintext using
fwrite.

Even better is to use proc_open to open both standard in and standard
out, so nothing is sent directly to the shell or written to disk.

Of course, the best approach is still to use the mcrypt or openssl
functions if they're available.

As stated before, key management in a web environment is still the
trickiest aspect of this whole issue, as anyone with access to the
encrypted data will usually also end up gaining access to the key.

Dan

> will assign to $output something like:
> 
> 
> -----BEGIN PGP MESSAGE-----
> Version: GnuPG v1.2.2 (FreeBSD)
> 
> hQIOA8HABYWAnLgQEAgAp15bNTMHbve8kNpa7AW8NCpQbiX36gEu+/7FeEc6FtXs
> Yon86E+6Lb76yUtCzgKR/LmsXYPjJNnyCcM4szNsR3EzZuTp0ghf9kjUcBFHz1od
> OVj50RvkxyLWu+VcncJpKSuXfckRqI923ymiwmHDrCenBJ+E26WUdxp6CVmAZz4f
> XXppnrLo9ge2+ZsG15mKTmvJIoPa9X2czs7tA1J/fDjPUlyjmrzSaHElnHLuQ4cA
> AAqdNZfcy+b6Gt6c44JaCU7RwB/4A7w6Mewoq7mDtInZEDUX4q0C9mDv05FbAVFs
> Ml5n6XgXCne0HRQSLfgoB5KZ3frVvsxz7Jy7oZkFcQgAuOvH0JZG4L1W9+b40nXZ
> tnX0t2fKdiBUTCPW8ZWGW0EBHU2UjxsTXGXWTZaHWfM8nALG07aBixBkaQU7F7gv
> RSzmUaZSHBrCHaZVxrozW0IUEQPTeAGx1pOCzS799jGXXatGrvcAOge/xKwAhS18
> XiQ8aMecYv5fcwNgglsVbnwUxBoxEVv8PlopEMAlJv0fqC+ojWuRkR82AM/1ejBX
> mdYwYdtToWcF47kgEPN5fF811LMC5H8cSWFEa82vRSi9tZR8+6n6rEVmsQpxhyRY
> GmcdLctSMdsy5OMxQcajQg07WAurNYqJR3G1CwbHL0StDZ5Zta/Oq14NqMNuOcdW
> 3dJiARSpV3oLPhlj7StP/9DRWpnBFzMnjUjEju2FA0r6+WCkTlC1KqF0s8mPQiIv
> epkP1Yo9QfctIQB4dUAP2W1shQeeN6d1BLJSMbiOr91ESzV2lYudLYIeXJEtwinQ
> gSgzXgo=
> =8Uhz
> -----END PGP MESSAGE-----
> 
> ... but it bears pointing out that *decrypting* securely through a web
> interface is a little trickier, is it not?
> 
> I think there's a recipe that's on point in the venerable (but alas, now
> rather dated) "PHP Cookbook" (Sklar & Trachtenberg).
> 
> ---
> David Mintz
> http://davidmintz.org/
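The proc_open approach Dan describes, written out as an added example (this is not code from the thread, the PHP Cookbook, or any of the posters): the plaintext is written to gpg's standard input and the armored ciphertext is read back from its standard output, so the secret never appears on a command line or in a temporary file. The gpg path, homedir, recipient address and the array form of proc_open (PHP 7.4 or later, which starts gpg without going through /bin/sh) are assumptions for the example.

```php
<?php
// Added example, not from the original thread. Assumptions: gpg lives at
// /usr/bin/gpg, the recipient's public key is already imported into $homedir,
// and PHP >= 7.4 so proc_open accepts an argument array (no shell involved,
// so no escaping of the recipient or homedir is needed).

function gpg_encrypt(string $plaintext, string $recipient, string $homedir): string
{
    $cmd = [
        '/usr/bin/gpg',
        '--batch', '--yes', '--no-tty',  // never prompt; fail instead of hanging
        '--homedir', $homedir,
        '--trust-model', 'always',       // we manage the recipient key ourselves;
                                         // tighten this to match your key policy
        '--armor', '--encrypt',
        '--recipient', $recipient,
    ];

    $spec = [
        0 => ['pipe', 'r'],  // gpg stdin:  we write the plaintext here
        1 => ['pipe', 'w'],  // gpg stdout: ASCII-armored ciphertext comes back here
        2 => ['pipe', 'w'],  // gpg stderr: diagnostics, surfaced on failure
    ];

    $proc = proc_open($cmd, $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start gpg');
    }

    // Feed the plaintext through the pipe, then close it: EOF tells gpg the
    // message is complete. Nothing is placed on the command line or on disk.
    fwrite($pipes[0], $plaintext);
    fclose($pipes[0]);

    // Messages here are small, so draining stdout then stderr in sequence is
    // safe; for large inputs you would interleave reads to avoid a full pipe.
    $ciphertext = stream_get_contents($pipes[1]);
    $errors     = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);

    $status = proc_close($proc);
    if ($status !== 0 || strpos($ciphertext, '-----BEGIN PGP MESSAGE-----') !== 0) {
        // Do not return partial or empty output as if it were encrypted data.
        throw new RuntimeException("gpg failed (exit $status): " . trim($errors));
    }
    return $ciphertext;
}

// Usage with a constructed sample (not a real card number).
$output = gpg_encrypt(
    "credit card number 2000-1234-9876-4321\n",
    'them@example.org',
    '/usr/home/username/.gnupg'
);
echo $output;
```

The exit-status and header checks matter as much as the pipes: a missing or untrusted recipient key makes gpg exit non-zero with nothing on stdout, and storing that empty string in the database would silently lose the record. Decryption would need the corresponding secret key and its passphrase available to the web process, which is exactly the key-management problem Dan and David raise; this example deliberately covers only the encrypt side.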
