base64_encode() ????

Security issues related to php and mysql usage. How to make your code secure? Security measures and configurations? It's all in here!


elitecodex
New php-forum User
Posts: 68
Joined: Tue Jul 09, 2002 8:45 am
Location: East Coast, USA


Postby elitecodex » Thu Aug 08, 2002 2:21 pm

I have a question regarding security and the base64_encode() function. Let's say that for some ungodly reason someone hacks and gets access to my database. What would stop someone from taking the encrypted strings and manually putting them into a base64_decode() function on their own script, and figuring out the string? This defeats the purpose of security, doesn't it? Or am I misunderstanding this? Any help is greatly appreciated.

Will

nike
New php-forum User
Posts: 7
Joined: Fri Sep 06, 2002 7:59 am
Location: Ukraine

Postby nike » Sat Nov 23, 2002 5:46 am

Hello, Will!

For security purposes you can use the ENCODE function:

ENCODE(str,pass_str)
Encrypt str using pass_str as the password. To decrypt the result, use DECODE(). The result is a binary string of the same length as string. If you want to save it in a column, use a BLOB column type.

Nobody can see your content until he gets the encryption password.

------------------------------------
Bereza Nikita
Rapid Internet Development Department
E-mail: nike@alarit.com
Alar Information Technologies,
URL: http://www.alarit.com

Alexej Kubarev
Site Admin
Posts: 2223
Joined: Fri Mar 05, 2004 7:15 am
Location: Täby, Stockholms län

Postby Alexej Kubarev » Thu Oct 21, 2004 4:15 am

Well... if you don't need to decode the password -- use md5()

swirlee
Moderator
Posts: 2272
Joined: Sat Jul 05, 2003 1:18 pm
Location: A bunk in the back

Postby swirlee » Thu Oct 21, 2004 5:38 am

base64_encode() is not an encryption function (it is an encoding function) and should not be treated as such. Base 64 is just a convenient way to represent (encode) data in an ASCII format, and should never be used for any security purpose.

You can use nike's advice and use MySQL's ENCODE() function, but if someone hacks into your system and you happen to have the password in one of your PHP files (which I assume you will if you're handling the data with PHP), they're gonna be able to decode it easily (maybe even without the password -- I don't think ENCODE() uses very strong encryption).

Your best bet is to make sure that your server is secure in the first place, keep abreast of security fixes for all the software on your server, and store sensitive data (like credit card numbers) behind as much protection as you can.
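The two points made in this thread, that base64_encode() reverses with no secret at all and that a symmetric key sitting in a PHP file next to the data is only as safe as the server, can be shown directly. The following is an added example and is not code from the thread; it goes beyond the MySQL ENCODE() suggestion by showing the two tools a current PHP install offers for the two different needs: password_hash() for values that only ever need to be verified, and libsodium's secretbox for values that must be recovered later. It assumes PHP 7.2 or newer with the sodium extension, a hypothetical APP_DATA_KEY environment variable holding the base64-encoded key (so the key is not in the database and not in a file under the web root), and constructed sample values.

```php
<?php
declare(strict_types=1);

// Added example, not from the original thread. Assumes PHP >= 7.2 with the
// sodium extension; APP_DATA_KEY is a hypothetical environment variable.

// 1. Base64 is an encoding. Whoever holds the stored value gets the original
//    back with base64_decode(); there is no key involved at any point.
function base64IsReversible(string $secret): bool
{
    $stored = base64_encode($secret);
    return base64_decode($stored, true) === $secret; // round-trips without any key
}

// 2. Values you only need to *verify* (passwords): store a salted, slow hash.
//    The hash cannot be turned back into the password, and the random salt
//    means two users with the same password get different hashes.
function storePassword(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

function checkPassword(string $password, string $storedHash): bool
{
    return password_verify($password, $storedHash);
}

// 3. Values you must *recover* later: authenticated encryption with libsodium.
//    The key is read from the environment, not from a PHP file or the database,
//    so a dumped table alone is not enough to decrypt anything.
function loadKey(): string
{
    $b64 = getenv('APP_DATA_KEY');
    if ($b64 === false) {
        throw new RuntimeException('APP_DATA_KEY is not set');
    }
    $key = sodium_base642bin($b64, SODIUM_BASE64_VARIANT_ORIGINAL);
    if (strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new RuntimeException('APP_DATA_KEY has the wrong length');
    }
    return $key;
}

// Returns base64(nonce || ciphertext). Base64 is used here only so the binary
// blob fits a TEXT column; it adds nothing to secrecy.
function encryptField(string $plaintext, string $key): string
{
    $nonce  = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $cipher = sodium_crypto_secretbox($plaintext, $nonce, $key);
    return base64_encode($nonce . $cipher);
}

function decryptField(string $stored, string $key): string
{
    $raw = base64_decode($stored, true);
    if ($raw === false || strlen($raw) <= SODIUM_CRYPTO_SECRETBOX_NONCEBYTES) {
        throw new RuntimeException('stored value is malformed');
    }
    $nonce  = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $cipher = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain  = sodium_crypto_secretbox_open($cipher, $nonce, $key);
    if ($plain === false) {
        // Wrong key or modified ciphertext: the authentication tag does not verify.
        throw new RuntimeException('decryption failed');
    }
    return $plain;
}

// Demo with a constructed key; in production the operator sets APP_DATA_KEY
// outside the application (service manager, container secret, etc.).
putenv('APP_DATA_KEY=' . sodium_bin2base64(sodium_crypto_secretbox_keygen(), SODIUM_BASE64_VARIANT_ORIGINAL));

var_dump(base64IsReversible('hunter2'));

$hash = storePassword('hunter2');
var_dump(checkPassword('hunter2', $hash));
var_dump(checkPassword('hunter3', $hash));

$stored = encryptField('4111111111111111', loadKey()); // constructed test card number
var_dump(decryptField($stored, loadKey()) === '4111111111111111');

// A copied row without the key fails closed, unlike a base64 string.
try {
    decryptField($stored, sodium_crypto_secretbox_keygen());
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
```

The nonce is stored alongside the ciphertext because it only needs to be unique, not secret; the key is the only thing that must stay out of the database and out of any file the web server can serve. If the key ever has to live on the same host as the PHP code, which swirlee's post assumes, the protection is reduced to the host's own security, which is exactly why the thread's final advice is to harden and patch the server first.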

Alexej Kubarev
Site Admin
Posts: 2223
Joined: Fri Mar 05, 2004 7:15 am
Location: Täby, Stockholms län

Postby Alexej Kubarev » Thu Oct 21, 2004 11:14 am

Hehe... I should read a bit better when I read posts :)
I thought we were talking about different things..
But it is possible to create an encode function that uses a high encryption... try replicating RSA or something like that..
Sorry for my bad explanations..

swirlee
Moderator
Posts: 2272
Joined: Sat Jul 05, 2003 1:18 pm
Location: A bunk in the back

Postby swirlee » Thu Oct 21, 2004 11:58 am

PEAR has several good encryption packages.

Why don't people ever check PEAR?

Alexej Kubarev
Site Admin
Posts: 2223
Joined: Fri Mar 05, 2004 7:15 am
Location: Täby, Stockholms län

Postby Alexej Kubarev » Thu Oct 21, 2004 12:25 pm

Hmmz... I admit that I actually never looked at PEAR... never had time :S
Is there anything that I can use for building a webshop?

swirlee
Moderator
Posts: 2272
Joined: Sat Jul 05, 2003 1:18 pm
Location: A bunk in the back

Postby swirlee » Fri Oct 22, 2004 6:11 am

Alexej Kubarev wrote: Hmmz... I admit that I actually never looked at PEAR... never had time :S
Is there anything that I can use for building a webshop?

Yes, plenty. Their authentication and database abstraction classes are particularly useful.
