base64_encode() ????

Postby elitecodex » Thu Aug 08, 2002 2:21 pm

I have a question regarding security and the base64_encode() function. Let's say that for some ungodly reason someone hacks and gets access to my database. What would stop someone from taking the encrypted strings, manually putting them into a base64_decode() function in their own script, and figuring out the string? This defeats the purpose of security, doesn't it? Or am I misunderstanding this? Any help is greatly appreciated.

Will

Postby nike » Sat Nov 23, 2002 5:46 am

Hello, Will!

For security purposes you can use the ENCODE() function:

ENCODE(str,pass_str)
Encrypt str using pass_str as the password. To decrypt the result, use DECODE(). The result is a binary string of the same length as string. If you want to save it in a column, use a BLOB column type.

No one can see your content unless they have the encryption password.

------------------------------------
Bereza Nikita
Rapid Internet Development Department
E-mail: nike@alarit.com
Alar Information Technologies,
URL: http://www.alarit.com

Postby Alexej Kubarev » Thu Oct 21, 2004 4:15 am

Well... if you don't need to decode the password -- use md5()

Postby swirlee » Thu Oct 21, 2004 5:38 am

base64_encode() is not an encryption function (it is an encoding function) and should not be treated as such. Base 64 is just a convenient way to represent (encode) data in an ASCII format, and should never be used for any security purpose.

You can use nike's advice and use MySQL's ENCODE() function, but if someone hacks into your system and you happen to have the password in one of your PHP files (which I assume you will if you're handling the data with PHP), they're gonna be able to decode it easily (maybe even without the password -- I don't think ENCODE() uses very strong encryption).

Your best bet is to make sure that your server is secure in the first place, keep abreast of security fixes for all the software on your server, and store sensitive data (like credit card numbers) behind as much protection as you can.

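swirlee's two points above, shown as an added example that is not part of the original thread: a Base64 value is recovered by anyone who holds it, while a keyed cipher protects the column only as long as the key is not readable alongside the data. It uses PHP's bundled sodium extension (PHP 7.2+); the environment variable name `APP_DATA_KEY`, the helper names and the sample value are assumptions made for illustration.

```php
<?php
// Added example. APP_DATA_KEY and the sample value are constructed for illustration.

function load_key(): string
{
    // Assumption: the key is provisioned outside the database and source tree
    // as a base64 string in the environment.
    $b64 = getenv('APP_DATA_KEY');
    if ($b64 === false) {
        return sodium_crypto_secretbox_keygen(); // demo only: throwaway key
    }
    $key = base64_decode($b64, true);
    if ($key === false || strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new RuntimeException('APP_DATA_KEY is not a valid 32-byte key');
    }
    return $key;
}

function encrypt_field(string $plain, string $key): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES); // fresh per value
    return base64_encode($nonce . sodium_crypto_secretbox($plain, $nonce, $key));
}

function decrypt_field(string $stored, string $key): ?string
{
    $raw = base64_decode($stored, true);
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $min) {
        return null; // malformed column value
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($box, $nonce, $key);
    return $plain === false ? null : $plain; // false: wrong key or tampered data
}

$secret = 'constructed-sample-value';

// Base64 alone: a database dump is enough to recover the value.
var_dump(base64_decode(base64_encode($secret), true) === $secret);

// Keyed encryption: the dump is useless without the key...
$key    = load_key();
$column = encrypt_field($secret, $key);
var_dump(decrypt_field($column, sodium_crypto_secretbox_keygen())); // other key
// ...and readable again by the application that holds it.
var_dump(decrypt_field($column, $key) === $secret);
```
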
Postby Alexej Kubarev » Thu Oct 21, 2004 11:14 am

Hehe... I should read a bit better when I read posts :)
I thought we were talking about different things..
But it is possible to create an encode function that uses a high encryption... try replicating RSA or something like that..
Sorry for my bad explanations..

Postby swirlee » Thu Oct 21, 2004 11:58 am

PEAR has several good encryption packages.

Why don't people ever check PEAR?

Postby Alexej Kubarev » Thu Oct 21, 2004 12:25 pm

Hmmz... I admit that I actually never looked at PEAR... never had time :S
Is there anything that I can use for building a webshop?

Postby swirlee » Fri Oct 22, 2004 6:11 am

Alexej Kubarev wrote:
Hmmz... I admit that I actually never looked at PEAR... never had time :S
Is there anything that I can use for building a webshop?

Yes, plenty. Their authentication and database abstraction classes are particularly useful.