2 Replies Latest reply on Oct 31, 2018 3:34 AM by sinious

    basic PHP encryption help needed

    revdave Level 1

      Hi all,

       

      Using PHP, I am trying to connect to an external service which requires authentication. Rather than storing the private authentication text in the clear on a PHP Page with variables, I'm curious what the best encryption method would be for this purpose.

       

      some choices i've seen - mcrypt - openssl_encrypt and others...

       

      Some of the possibilities seem outdated.

       

      Can anyone point me to a current basic standard for 2018 to get me started?

       

      Thanks

      Dave

        • 1. Re: basic PHP encryption help needed
          David_Powers Adobe Community Professional

          There's not much point in trying to use encryption to store your credentials.

          • Most encryption methods are one-way, so you can't decrypt them.
          • Even if you use a method that allows decryption, you've got to do that within your script so that the actual credentials are sent to the remote service. Consequently, anyone who is able to access the raw script will be able to decrypt them.

          The key is to prevent others from accessing your script or where the credentials are stored.

           

          A simple approach would be to store your credentials in a file outside the server's document root. PHP includes are capable of finding files outside the document root; but no one else can access them unless they have direct access to your server. Alternatively, store your credentials in a database.

          1 person found this helpful
          • 2. Re: basic PHP encryption help needed
            sinious Most Valuable Participant

            Extending upon what David has said as a timeless way.

             

            One thing that's typically saved on the filesystem, away from prying eyes, is the salt used per your given encryption choice. The salt alone will be what you store in that file. When a user logs in, you'd take the password they supply in a login form, read your 'secret salt file', encrypt that value and then compare the encrypted value against a password you stored for them in your database. Since the salt is the same, the one-way encrypted value will match it. Then you can store those passwords in the database and have a way to quickly check against them in a login.

             

            Another way PHP offers is password_hash(). This function handles the salt for you automatically based on time. It then encrypts whatever string you give it and embeds a salt into the encrypted string it returns as well. Then you can skip the step of putting the salt on the filesystem altogether. You use PHP's password_verify() function which will compare what the user sends as the passwords while auto-reading it's own embedded salt. It is doing the same salting method as above, only every password has a unique salt already inside it, encrypted. Take a look at the pages, the functions are very simple to use. e.g.:

             

            $hash = password_hash( "aStr0ngp@$swoRd", PASSWORD_DEFAULT ); // hash created using a generated salt for you
            
            if ( password_verify( "aStr0ngp@$swoRd", $hash ) ) {
                // validated! do stuff..
            }
            

            The documentation recommends that you do not provide a salt, but you may. the PASSWORD_DEFAULT is also a CONST specifying the type of encryption you want. There are other options you can read about to suit your needs. This is all in the realm of a basic setup.