dlf1987

  1. I got it to work by replacing the 2nd \b with a \s, but then it removes the following whitespace... "product and product.test" to "replace_with_meand product.test"
  2. I'm trying to preg_replace the word product in a string, but if I use something like...

         $k = 'product';
         $str = 'product and product.test';
         preg_replace("/\b$k\b/", 'replace_with_me', $str);

     it will replace product and product.test instead of just product.
  3. Thanks for discussing this with me. I know I at least need to do something other than cookies, since they can be logged on the server.
  4. I don't have much knowledge in that area.
  5. I guess I could store the private key in a file on a local computer and create a local script that queries the webserver MySQL DB for the encrypted data and decrypts it locally, so that it's not passed through cookies.
  6. So let me ask this: everything else aside, what's a safer way of using the private key than storing it in a cookie, or is there?
  7. Not true, we have multiple employees able to access the data this way; all employees have the private key. After making the openssl script, a couple of days later I stumbled upon phpcreditcard.com. I bought it to see if they were doing the same thing I was, and they were, except that they used a desktop app that had the private key. But I didn't want employees to have to open the app and copy/paste the decrypted data when needed. So instead of using the app, I send the private key in a cookie so they can view the decrypted data directly on the website.

     ---------------------------------

     At this point I'm not really asking for help. I'm pretty happy with the way I got it, except that the private key is stored in the employee's browser cookie. But here's the code in case you're interested.

     CREATES KEYS

         function create_keys()
         {
             // Key generation settings
             $configargs = array(
                 'config' => 'C:/wamp/bin/php/php5.3.5/extras/openssl/openssl.cnf',
                 'digest_alg' => 'md5',
                 'private_key_bits' => 2048,
                 'private_key_type' => OPENSSL_KEYTYPE_RSA,
                 'encrypt_key' => true,
             );
             // Distinguished name fields (not used by the calls below)
             $dn = array(
                 "countryName" => "US",
                 "stateOrProvinceName" => "STATE",
                 "localityName" => "CITY",
                 "organizationName" => "WEBSITE",
                 "organizationalUnitName" => "WEBSITE",
                 "commonName" => "WEBSITE",
                 "emailAddress" => "EMAIL"
             );
             $privkey = openssl_pkey_new($configargs);
             // Export the private key as PEM, protected with the passphrase
             openssl_pkey_export($privkey, $pkeyout, "PASSWORD", $configargs);
             $pubkey = openssl_pkey_get_details($privkey);
             echo $pubkey["key"]."\n\n"; // public key (PEM)
             echo $pkeyout;              // passphrase-protected private key (PEM)
         }
         create_keys();
         // Once I see the keys that have been output, I copy/paste the public key
         // into a "public.pem" file, and copy/paste the private key into the local
         // server file at our office.

     ENCRYPT WITH

         function encrypt_card($data)
         {
             // Only the public key lives on the web server
             $public = openssl_get_publickey('file://C:/inetpub/vhosts/mywebsite.com/httpdocs/includes/public.pem');
             openssl_public_encrypt($data, $encrypted, $public, OPENSSL_PKCS1_PADDING);
             return base64_encode($encrypted);
         }

     DECRYPT WITH

         function decrypt_card($data, $private, $pass)
         {
             $data = base64_decode($data);
             $private = openssl_get_privatekey($private, $pass);
             openssl_private_decrypt($data, $decrypted, $private, OPENSSL_PKCS1_PADDING);
             return $decrypted;
         }
         // Private key and passphrase are read from the employee's cookies
         echo decrypt_card($mysql_data['sensitive_info'], $_COOKIE['private_key'], $_COOKIE['private_pass']);
  8. They can't decrypt the encrypted data in the MySQL database, because they don't have the private key to decrypt with. When I talk about openssl, I'm not talking about https. I used openssl to literally encrypt the data (just like using mcrypt), and the hacker would see gibberish instead of the original data. My original question wasn't very clear. That's sort of what I did. Except I used the public key to encrypt the data and stored it in the MySQL DB. Employees will be the only ones able to decrypt the data because they have the private key. The reason why I'm using public/private keys to encrypt/decrypt data is because if a hacker was to gain full access to the web server, mcrypt is pretty worthless, since the key would be stored on the webserver within the PHP code and they'd have everything they needed to decrypt the data.
  9. I've used openssl to encrypt customers' personal data. What I've done is, made an HTML file that is on our office server (not webserver) and is shortcut'd to employees' desktops...

         <form method="post" action="https://www.mysite.com/admin/login.php">
           <textarea name="private_key" cols="75" rows="20" style="display:none">{-----RSA PRIVATE KEY-----}</textarea>
           <input type="text" name="private_pass" value="****" style="display:none" />
           <input type="submit" name="postBTN" value="mysite Login" style="font-size:20px;" />
         </form>

     I have the employee open the file above and click the submit button, which posts the form data to the admin login page. The login page puts the post data in a cookie. The employee then enters their admin username and password. The HTML file isn't needed to log in, but is needed to see customer personal data on certain pages of the admin section. If an employee tries to see customer data without using the above HTML file, they'll see "access denied" in place of the customer's data. I didn't make this to keep out certain employees. I made it this way so that if someone outside the company got a hold of admin login info, or if the webserver/MySQL was hacked and the data stolen, they wouldn't have the private key, just the public. Seems to be working great right now. As far as I know, the only way a hacker could decrypt the info would be to get the private key from our office and get the public key from the webserver. Seems unlikely.
  10. After hours of finally making a public and private key with openssl, I'm having trouble figuring out the best way to pull the private key from my local computer. I have the public key on the webserver and I have the private key on my local computer. I thought about just saving a bookmark on my computer like... https://mysite.com/admin/login.php?private={-----RSA PRIVATE KEY-----} and then have the page save the $_GET['private'] in a cookie. But that doesn't sound very safe. But what are the chances someone could break into my webserver and steal the public key... then break into my local computer and steal the private key from my cookies... Is there a better way to do it? PHP / 5.3.6 IIS7
  11. I didn't know if there was a fancier/better way of doing it. Thanks, that's what I'll do.
  12. I built an address book for customers, and I realize now I'm not sure of the best way to allow the customer to edit/delete their addresses while stopping them from pulling/editing other customers' info. Even if I use post data only, they could still view the page source and see the address ID being posted to the next page and change it, to see or edit someone else's data... Should I encrypt the ID? Is that even good enough? I'm using PHP/MySQL.
  13. dlf1987

    symbol help

    I figured it out... I didn't realize that I had to set the table's charset individually as well.
  14. dlf1987

    symbol help

    When I insert or update a MySQL query field with a ° or ° in it, it saves as either a ? or �. It shows the ° correctly in the database but outputs as a ? or � on the page. My database is charset: UTF-8 and my HTML doc is UTF-8. Not sure if it's a PHP, MySQL, or HTML issue... Thanks
  15. I do, but I'd prefer storing the error page :/
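
For the address-book question in item 12, one way to stop a customer from reading or editing another customer's row is to scope every query by the logged-in customer's ID taken from the server-side session, so a tampered address ID matches nothing. This is an added example, not code from the original posts; the `addresses` table, its columns, the function names and the in-memory SQLite database (standing in for MySQL; PHP 7.1+ with PDO) are assumptions.

```php
<?php
// Constructed schema and rows; in-memory SQLite stands in for MySQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE addresses (
    id INTEGER PRIMARY KEY, customer_id INTEGER NOT NULL, street TEXT NOT NULL)');
$db->exec("INSERT INTO addresses (id, customer_id, street) VALUES
    (1, 100, '1 Alpha St'), (2, 200, '2 Bravo Ave')");

// Return the address only if it belongs to $customerId, otherwise null.
function get_address(PDO $db, int $customerId, int $addressId): ?array
{
    $stmt = $db->prepare(
        'SELECT id, street FROM addresses WHERE id = :id AND customer_id = :cid');
    $stmt->execute([':id' => $addressId, ':cid' => $customerId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Update only rows owned by $customerId; the owner check is repeated in the
// WHERE clause so the UPDATE itself can never touch someone else's row.
function update_address(PDO $db, int $customerId, int $addressId, string $street): bool
{
    if (get_address($db, $customerId, $addressId) === null) {
        return false; // not found and not owned get the same answer
    }
    $stmt = $db->prepare(
        'UPDATE addresses SET street = :street WHERE id = :id AND customer_id = :cid');
    return $stmt->execute(
        [':street' => $street, ':id' => $addressId, ':cid' => $customerId]);
}

function delete_address(PDO $db, int $customerId, int $addressId): bool
{
    $stmt = $db->prepare('DELETE FROM addresses WHERE id = :id AND customer_id = :cid');
    $stmt->execute([':id' => $addressId, ':cid' => $customerId]);
    return $stmt->rowCount() === 1;
}

// In the real page the customer ID comes from $_SESSION (set at login),
// never from the form; only the address ID comes from the request.
$customerId = 100;   // constructed: the logged-in customer
$tamperedId = 2;     // constructed: an ID belonging to customer 200

var_dump(get_address($db, $customerId, 1));                        // own address
var_dump(get_address($db, $customerId, $tamperedId));              // someone else's
var_dump(update_address($db, $customerId, $tamperedId, 'changed'));
var_dump(delete_address($db, $customerId, $tamperedId));
var_dump(get_address($db, 200, 2));                                // row is untouched
```

With the owner check in every query, the address ID can stay visible in the form; encrypting it is not what enforces access.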