
Adding encryption to a website.


DarkHavn


Was just wondering your regards and feedback on this one.

Things like SSL on a webpage, 128-bit encryption on websites that handle sensitive data like credit card numbers and such.

Do you guys prefer, or recommend anything?

Should I rely on PHP for this, or something else?

Just thought I would get some feedback on this before I go ahead with anything.

Cheers

Lol, sorry, should have been more descriptive of what I was meaning. Yeah, SSL is a part of the server that is running Apache or depending on your flavour.

Guess what I was truly meaning is, is there any means or methods you guys recommend of encryption via PHP, if that is possible at all?

I am surprised that this has not been posted before. Normally when it comes to a question in regards to security, of any kind, there are a thousand posts.

There are a couple of ways of encrypting the sensitive data. Here is an example function that would encrypt the data before passing it to a database.

[code]
<?php
// Note: the mcrypt extension was deprecated in PHP 7.1 and removed in PHP 7.2,
// and the mysql_* functions were removed in PHP 7.0.
$cc_number = "0000000000000000";

function encryptData($data) {
      // ECB mode takes no IV; mcrypt ignores the value passed here.
      $iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB);
      $iv = mcrypt_create_iv($iv_size, MCRYPT_RAND);
      // Placeholder: from PHP 5.6 mcrypt requires a 16-, 24- or 32-byte key.
      $key = "your_key";

      $crypttext = mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, $data, MCRYPT_MODE_ECB, $iv);
      return $crypttext;
}

$encrypted_cc = encryptData($cc_number);

// now you can pass the encrypted data to the db


// and here is a function for decrypting the data.

function decryptData($data) {
       $iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB);
       $iv = mcrypt_create_iv($iv_size, MCRYPT_RAND);
       $key = "your_key";
       $decrypted_data = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, $data, MCRYPT_MODE_ECB, $iv);
       // mcrypt pads the plaintext with NUL bytes up to the block size; strip them.
       return rtrim($decrypted_data, "\0");
}

//here is a simple sql call to get the encrypted cc number
// escape the value before placing it in the query string
$something = mysql_real_escape_string($something);
$sql = mysql_query("SELECT * FROM `your_table` WHERE `something` = '$something'");

while ($rw = mysql_fetch_assoc($sql)) {
     $cc_number = decryptData($rw['cc_number']);
}
?>
[/code]

Now as far as the key goes. I randomly generate a key and then on a couple of random days each month I decrypt all of the encrypted data in the db and then encrypt it again with a new random key. I then store the key in another function.

This may be overkill but what the hell, I am responsible for that data. So I will try my best to secure it to the best of my ability.

I hope that this helps.

If anyone has any suggestions on a better way to encrypt the data or a fault in my script, please feel free to reply.

Thanks,
Tom
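
A hardened counterpart to the functions in the post above, as an added example that is not part of the original post: it uses authenticated AES-256-GCM through PHP's OpenSSL extension (PHP 7.1 or later) with a fresh nonce per record, and stores a key version with each record so the periodic re-keying described above can be done one record at a time. The function names, the `$keys` array layout and the record format are assumptions made for this example.

```php
<?php
// Added example. Function names, key-ring layout and record format are assumptions.
// Record layout (base64): 1-byte key version | 12-byte nonce | 16-byte tag | ciphertext

const CIPHER = 'aes-256-gcm';

function encryptField(string $plain, array $keys, int $version): string {
    $nonce = random_bytes(12);                 // fresh random nonce for every record
    $tag = '';
    // The version byte is passed as associated data so it cannot be swapped unnoticed.
    $ct = openssl_encrypt($plain, CIPHER, $keys[$version], OPENSSL_RAW_DATA,
                          $nonce, $tag, chr($version), 16);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return base64_encode(chr($version) . $nonce . $tag . $ct);
}

function decryptField(string $record, array $keys): string {
    $raw = base64_decode($record, true);
    if ($raw === false || strlen($raw) < 29) {
        throw new RuntimeException('malformed record');
    }
    $version = ord($raw[0]);
    if (!isset($keys[$version])) {
        throw new RuntimeException('unknown key version');
    }
    $plain = openssl_decrypt(substr($raw, 29), CIPHER, $keys[$version], OPENSSL_RAW_DATA,
                             substr($raw, 1, 12), substr($raw, 13, 16), $raw[0]);
    if ($plain === false) {                    // tag mismatch: tampered data or wrong key
        throw new RuntimeException('authentication failed');
    }
    return $plain;
}

// Re-key one stored record to a newer key version.
function rotateField(string $record, array $keys, int $newVersion): string {
    return encryptField(decryptField($record, $keys), $keys, $newVersion);
}

// Constructed demo keys; real keys are 32 random bytes loaded from outside the code base.
$keys = [1 => random_bytes(32), 2 => random_bytes(32)];
$stored = encryptField('0000000000000000', $keys, 1);
$rotated = rotateField($stored, $keys, 2);
var_dump(decryptField($rotated, $keys) === '0000000000000000');
```

Because each record names its own key version, old and new keys can coexist while rotation is in progress, and a record altered in the database fails decryption instead of returning garbage.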
