squinky86 Posted February 15, 2008

I am having much difficulty with string encryption in PHP. Take the following scenario:

```php
<?php
//Thanks to [email protected] for this function.
function AESEncrypt($text, $password)
{
    $size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_128, MCRYPT_MODE_CBC);
    $iv = mcrypt_create_iv($size, MCRYPT_DEV_URANDOM);
    return mcrypt_encrypt(MCRYPT_RIJNDAEL_128, $password, $text, MCRYPT_MODE_ECB, $iv);
}

//Thanks to [email protected] for this function.
function AESDecrypt($encrypted_text, $password)
{
    $size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_128, MCRYPT_MODE_CBC);
    $iv = mcrypt_create_iv($size, MCRYPT_DEV_URANDOM);
    return mcrypt_decrypt(MCRYPT_RIJNDAEL_128, $password, $encrypted_text, MCRYPT_MODE_ECB, $iv);
}

//AES Encryption Passwords: KEEP THESE SECRET AND SECURE
$AESServerKey = 'MLtZ}(==';
$AESClientKey = 'saO32.>>';

//string to encode
$toEncode = "See Spot Run.";

echo "Checking PHP server key...";
$encoded = AESEncrypt($toEncode, $AESServerKey);
$decoded = AESDecrypt($encoded, $AESServerKey);
if (strcmp($toEncode, $decoded) == 0) {
    echo "ok!\n";
} else {
    echo "FAILED(".strcmp($toEncode, $decoded).")!\n";
    echo "Original: --$toEncode--\n";
    echo "Encoded: --".bin2hex($encoded)."--\n";
    echo "Decoded: --$decoded--\n";
}

echo "Checking PHP client key...";
$encoded = AESEncrypt($toEncode, $AESClientKey);
$decoded = AESDecrypt($encoded, $AESClientKey);
if (strcmp($toEncode, $decoded) == 0) {
    echo "ok!\n";
} else {
    echo "FAILED(".strcmp($toEncode, $decoded).")!\n";
    echo "Original: --$toEncode--\n";
    echo "Encoded: --".bin2hex($encoded)."--\n";
    echo "Decoded: --$decoded--\n";
}
?>
```

outputs the following:

```
Checking PHP server key...FAILED(-3)!
Original: --See Spot Run.--
Encoded: --9182b9639292aa05bd440a29e78f3e1e--
Decoded: --See Spot Run.--
Checking PHP client key...FAILED(-3)!
Original: --See Spot Run.--
Encoded: --235f2d545623280b68c61051bec7e74d--
Decoded: --See Spot Run.--
```

I am trying to actually use this in conjunction with a MySQL database. Note that the encrypted string is stored as:

```sql
UPDATE users SET password = AES_ENCRYPT('TestPass') WHERE username = 'testuser' LIMIT 1;
```

Whenever I pull the data from the database and try to decrypt it with this code:

```php
echo "Obtaining information from database...";
$query = "SELECT password FROM users WHERE username = '".Queryize($username)."'";
$result = $mdb2->query($query);
if (PEAR::isError($result)) {
    echo "FAIL!\n";
    exit(1);
}
echo "ok!\n";

echo "Checking password equivalence...";
$dbPass = $result->fetchOne();
$encryptedPass = AESEncrypt($password, $AESServerKey);
$decryptedDbPass = AESDecrypt($dbPass, $AESServerKey);
if ($decryptedDbPass == $password) {
    echo "ok!\n";
} else {
    echo "FAIL!\n";
    echo "dbPassword: --".bin2hex($dbPass)."--\n";
    echo "encryptedPass: --".bin2hex($encryptedPass)."--\n";
    echo "decryptedDbPass: --$decryptedDbPass--\n";
    echo "decryptedPass: --$password--\n";
}
```

I obtain the following result:

```
Obtaining information from database...ok!
Checking password equivalence...FAIL!
dbPassword: --998f63867971939b3be6fdc606eb2a55--
encryptedPass: --3775da514a4394dbe03ac9478e8924f4--
decryptedDbPass: ----stPass
decryptedPass: --TestPass--
```

Note how close the PHP AESDecrypt function came to actually decrypting the string stored in the MySQL database. I know I'm close, but have probably done something stupid. Anyone want to lend a pointer on what I'm doing wrong?
squinky86 Posted February 15, 2008 (Author)

I had the AES keys wrong in the example above. The actual AES keys that generated the output above are:

```php
$AESServerKey = 'ML*r}(l=';
$AESClientKey = '--R[8BCA';
```

I guess what I'm trying to ask is, when is "See Spot Run." not the same as "See Spot Run."?
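Added example (not part of the original posts and not the poster's code): mcrypt pads the plaintext with NUL bytes up to the 16-byte block size and `mcrypt_decrypt()` hands that padding back, so a 13-byte string returns as 16 bytes that print the same. The sketch reproduces this with ext/openssl, an assumption made because mcrypt was removed in PHP 7.2, next to OpenSSL's default PKCS#7 padding; the function names and the key are constructed for illustration.

```php
<?php
// Added example, not the poster's code. Uses ext/openssl (mcrypt was removed in
// PHP 7.2). Function names and the 16-byte key are constructed for illustration.
const CIPHER = 'aes-128-cbc'; // unauthenticated; used here only to show padding
const BLOCK  = 16;

// Emulates mcrypt: NUL-pad the plaintext to a block multiple, OpenSSL padding off.
function encryptZeroPadded(string $text, string $key): string {
    $iv     = random_bytes(openssl_cipher_iv_length(CIPHER));
    $padded = $text . str_repeat("\0", (BLOCK - strlen($text) % BLOCK) % BLOCK);
    $ct     = openssl_encrypt($padded, CIPHER, $key, OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING, $iv);
    return $iv . $ct; // CBC needs the same IV to decrypt, so it travels with the data
}

// Like mcrypt_decrypt(): the NUL padding is returned as part of the result.
function decryptZeroPadded(string $blob, string $key): string {
    $n = openssl_cipher_iv_length(CIPHER);
    return openssl_decrypt(substr($blob, $n), CIPHER, $key,
        OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING, substr($blob, 0, $n));
}

// OpenSSL default: PKCS#7 padding, added on encrypt and checked/removed on decrypt.
function encryptPkcs7(string $text, string $key): string {
    $iv = random_bytes(openssl_cipher_iv_length(CIPHER));
    return $iv . openssl_encrypt($text, CIPHER, $key, OPENSSL_RAW_DATA, $iv);
}

function decryptPkcs7(string $blob, string $key): string {
    $n     = openssl_cipher_iv_length(CIPHER);
    $plain = openssl_decrypt(substr($blob, $n), CIPHER, $key, OPENSSL_RAW_DATA, substr($blob, 0, $n));
    if ($plain === false) {
        throw new RuntimeException('decryption failed (wrong key or corrupt data)');
    }
    return $plain;
}

$key  = '0123456789abcdef'; // constructed 16-byte key
$text = 'See Spot Run.';    // the 13-byte string from the post

$decoded = decryptZeroPadded(encryptZeroPadded($text, $key), $key);
var_dump(strlen($text), strlen($decoded));          // original length vs. decrypted length
var_dump(bin2hex(substr($decoded, strlen($text)))); // the bytes after the text, which echo does not show
var_dump($decoded === $text);                       // the comparison the post makes with strcmp()
var_dump(rtrim($decoded, "\0") === $text);          // stripping NULs repairs this case, but also strips NULs that were data

var_dump(decryptPkcs7(encryptPkcs7($text, $key), $key) === $text);
$nul = "ends in NUL\0";                             // constructed input with a real trailing NUL
var_dump(decryptPkcs7(encryptPkcs7($nul, $key), $key) === $nul);
```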
Archived
This topic is now archived and is closed to further replies.