Re: [PHP] Re: Encryption
I have found some code and set up a test bed for it, but it fails to return the same value after the 26th item. I was hoping someone could take a look and maybe tell me why? There is very little help out there for encryption. If you know of a working example/tutorial, can you please reply with a link? Many thanks, Darren ? global $arrAlphaVals; global $intTot; 'global' makes NO SENSE outside the context of a function body. Get rid of these. $intTot = 5000; $arrAlphaVals = array(); function init() { global $arrAlphaVals; global $intTot; for ($i=0;$i$intTot;$i++) { $arrAlphaVals[$i] = sprintf(%016s, strtoupper(dechex($i))); } return $arrAlphaVals; } function main() { global $arrAlphaVals; global $intTot; init(); $arrError = array(); echo Encryption testbr\n; for ($i=0;$i$intTot;$i++) { if ($i%1000 == 0) { echo $i.br; flush(); } $strInit = $arrAlphaVals[$i]; $strEncVal = encryptIt($strInit); $strOut = decryptIt($strEncVal); //echo In: .$strInit., Enc: .$strEncVal., Out: .$strOut.br; if ($strOut != $strInit) { $strError .= Failed on: .$i.br\n; $arrError[$strInit] = $strOut; } } if (sizeof($arrError) 0) { // There were errors foreach ($arrError as $strKey = $strVal) { echo Input: '.$strKey.' failed with result '.$strVal.'br\n; } echo hr.$strError; } echo hrTested .$i. cases. Done.br\n; } function encryptIt($strIn) { $key = biteme; $strRet = _mencrypt($strIn, $key); return $strRet; } function decryptIt($strIn) { $key = biteme; $strRet = _mdecrypt($strIn, $key); return $strRet; } function _mencrypt($input,$key) { $input = str_replace(\n,,$input); $input = str_replace(\t,,$input); $input = str_replace(\r,,$input); $key = substr(md5($key),0,24); $td = mcrypt_module_open ('tripledes', '', 'ecb', ''); $iv = mcrypt_create_iv (mcrypt_enc_get_iv_size ($td), MCRYPT_RAND); Where did you call srand() as the manual says you should? http://php.net/mcrypt_create_iv mcrypt_generic_init ($td, $key, $iv); Why are you not checking your error codes here? This function alone has -3, -4, and unknown error codes you should be checking. *EVERY* function with a documented error code return mechanism needs you to write code to *CHECK* that return code. You'll find a *TON* of things out a lot faster if you write that extra few lines of code for each function call. $encrypted_data = mcrypt_generic ($td, $input); mcrypt_generic_deinit ($td); mcrypt_module_close ($td); return trim(chop(base64_encode($encrypted_data))); } //$input - stuff to decrypt //$key - the secret key to use function _mdecrypt($input,$key) { $input = str_replace(\n,,$input); $input = str_replace(\t,,$input); $input = str_replace(\r,,$input); $input = trim(chop(base64_decode($input))); $td = mcrypt_module_open ('tripledes', '', 'ecb', ''); $key = substr(md5($key),0,24); $iv = mcrypt_create_iv (mcrypt_enc_get_iv_size ($td), MCRYPT_RAND); mcrypt_generic_init ($td, $key, $iv); $decrypted_data = mdecrypt_generic ($td, $input); mcrypt_generic_deinit ($td); mcrypt_module_close ($td); return trim(chop($decrypted_data)); } main(); ? The original encryption and decryption code came from Jeremy Stansfield (http://www.weberdev.com/get_example-3752.html) -- Like Music? http://l-i-e.com/artists.htm -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Re: Encryption
Richard, Thanks for your help. The code (as I mentioned) was not mine. I did however find the example from the link you sent me to and followed that. It works quite well. Again, thanks for your time. Darren Richard Lynch [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] I have found some code and set up a test bed for it, but it fails to return the same value after the 26th item. I was hoping someone could take a look and maybe tell me why? There is very little help out there for encryption. If you know of a working example/tutorial, can you please reply with a link? Many thanks, Darren ? global $arrAlphaVals; global $intTot; 'global' makes NO SENSE outside the context of a function body. Get rid of these. $intTot = 5000; $arrAlphaVals = array(); function init() { global $arrAlphaVals; global $intTot; for ($i=0;$i$intTot;$i++) { $arrAlphaVals[$i] = sprintf(%016s, strtoupper(dechex($i))); } return $arrAlphaVals; } function main() { global $arrAlphaVals; global $intTot; init(); $arrError = array(); echo Encryption testbr\n; for ($i=0;$i$intTot;$i++) { if ($i%1000 == 0) { echo $i.br; flush(); } $strInit = $arrAlphaVals[$i]; $strEncVal = encryptIt($strInit); $strOut = decryptIt($strEncVal); //echo In: .$strInit., Enc: .$strEncVal., Out: .$strOut.br; if ($strOut != $strInit) { $strError .= Failed on: .$i.br\n; $arrError[$strInit] = $strOut; } } if (sizeof($arrError) 0) { // There were errors foreach ($arrError as $strKey = $strVal) { echo Input: '.$strKey.' failed with result '.$strVal.'br\n; } echo hr.$strError; } echo hrTested .$i. cases. Done.br\n; } function encryptIt($strIn) { $key = biteme; $strRet = _mencrypt($strIn, $key); return $strRet; } function decryptIt($strIn) { $key = biteme; $strRet = _mdecrypt($strIn, $key); return $strRet; } function _mencrypt($input,$key) { $input = str_replace(\n,,$input); $input = str_replace(\t,,$input); $input = str_replace(\r,,$input); $key = substr(md5($key),0,24); $td = mcrypt_module_open ('tripledes', '', 'ecb', ''); $iv = mcrypt_create_iv (mcrypt_enc_get_iv_size ($td), MCRYPT_RAND); Where did you call srand() as the manual says you should? http://php.net/mcrypt_create_iv mcrypt_generic_init ($td, $key, $iv); Why are you not checking your error codes here? This function alone has -3, -4, and unknown error codes you should be checking. *EVERY* function with a documented error code return mechanism needs you to write code to *CHECK* that return code. You'll find a *TON* of things out a lot faster if you write that extra few lines of code for each function call. $encrypted_data = mcrypt_generic ($td, $input); mcrypt_generic_deinit ($td); mcrypt_module_close ($td); return trim(chop(base64_encode($encrypted_data))); } //$input - stuff to decrypt //$key - the secret key to use function _mdecrypt($input,$key) { $input = str_replace(\n,,$input); $input = str_replace(\t,,$input); $input = str_replace(\r,,$input); $input = trim(chop(base64_decode($input))); $td = mcrypt_module_open ('tripledes', '', 'ecb', ''); $key = substr(md5($key),0,24); $iv = mcrypt_create_iv (mcrypt_enc_get_iv_size ($td), MCRYPT_RAND); mcrypt_generic_init ($td, $key, $iv); $decrypted_data = mdecrypt_generic ($td, $input); mcrypt_generic_deinit ($td); mcrypt_module_close ($td); return trim(chop($decrypted_data)); } main(); ? The original encryption and decryption code came from Jeremy Stansfield (http://www.weberdev.com/get_example-3752.html) -- Like Music? http://l-i-e.com/artists.htm -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Re: Encryption
If nobody has a better suggestion I am simply going to do a reverse check and for those that fail implement a massive hack. I really don't want to do that... Please, if you have any ideas give me a yell? D Darren Wheatley [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] Hey all. I am trying to get encryption working for my site. I have found some code and set up a test bed for it, but it fails to return the same value after the 26th item. I was hoping someone could take a look and maybe tell me why? There is very little help out there for encryption. If you know of a working example/tutorial, can you please reply with a link? Many thanks, Darren ? global $arrAlphaVals; global $intTot; $intTot = 5000; $arrAlphaVals = array(); function init() { global $arrAlphaVals; global $intTot; for ($i=0;$i$intTot;$i++) { $arrAlphaVals[$i] = sprintf(%016s, strtoupper(dechex($i))); } return $arrAlphaVals; } function main() { global $arrAlphaVals; global $intTot; init(); $arrError = array(); echo Encryption testbr\n; for ($i=0;$i$intTot;$i++) { if ($i%1000 == 0) { echo $i.br; flush(); } $strInit = $arrAlphaVals[$i]; $strEncVal = encryptIt($strInit); $strOut = decryptIt($strEncVal); //echo In: .$strInit., Enc: .$strEncVal., Out: .$strOut.br; if ($strOut != $strInit) { $strError .= Failed on: .$i.br\n; $arrError[$strInit] = $strOut; } } if (sizeof($arrError) 0) { // There were errors foreach ($arrError as $strKey = $strVal) { echo Input: '.$strKey.' failed with result '.$strVal.'br\n; } echo hr.$strError; } echo hrTested .$i. cases. Done.br\n; } function encryptIt($strIn) { $key = biteme; $strRet = _mencrypt($strIn, $key); return $strRet; } function decryptIt($strIn) { $key = biteme; $strRet = _mdecrypt($strIn, $key); return $strRet; } function _mencrypt($input,$key) { $input = str_replace(\n,,$input); $input = str_replace(\t,,$input); $input = str_replace(\r,,$input); $key = substr(md5($key),0,24); $td = mcrypt_module_open ('tripledes', '', 'ecb', ''); $iv = mcrypt_create_iv (mcrypt_enc_get_iv_size ($td), MCRYPT_RAND); mcrypt_generic_init ($td, $key, $iv); $encrypted_data = mcrypt_generic ($td, $input); mcrypt_generic_deinit ($td); mcrypt_module_close ($td); return trim(chop(base64_encode($encrypted_data))); } //$input - stuff to decrypt //$key - the secret key to use function _mdecrypt($input,$key) { $input = str_replace(\n,,$input); $input = str_replace(\t,,$input); $input = str_replace(\r,,$input); $input = trim(chop(base64_decode($input))); $td = mcrypt_module_open ('tripledes', '', 'ecb', ''); $key = substr(md5($key),0,24); $iv = mcrypt_create_iv (mcrypt_enc_get_iv_size ($td), MCRYPT_RAND); mcrypt_generic_init ($td, $key, $iv); $decrypted_data = mdecrypt_generic ($td, $input); mcrypt_generic_deinit ($td); mcrypt_module_close ($td); return trim(chop($decrypted_data)); } main(); ? The original encryption and decryption code came from Jeremy Stansfield (http://www.weberdev.com/get_example-3752.html) Thanks again! -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Re: encryption needed?
if there is a system of your id's, like 1.. 2... 3... 4.. and such, you should consider obfuscating the id's. Especially if you dont have any form of login system that serve the client the id they want. What you really should consider is having a login system that after the user is logged in you serve the user the correct content, and all from what is stored in the session. Meaning you dont need client side javascript or hidden forms at all. If the id's are unguessable however I wouldt care that much, on the other hand - is the information in mention sensitive? If so you are back to the login system again. -- Kim Steinhaug - There are 10 types of people when it comes to binary numbers: those who understand them, and those who don't. - www.steinhaug.com - www.easywebshop.no - www.easycms.no www.webkitpro.com - Klaus [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] Hi all, I am to set up a service where users can view news of companies. To identify the company selected an easy way is to use the company-id. The id is not displayed but stored in the client browser as JS-variable. Question: Is it ok to use the company-id or do I have to encrypt the id using mcrypt (takes some time)? Thanks in advance Klaus -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Re: Encryption Question
Jay Blanchard wrote: Good morning gurus! I am encrypting some data on one server and now I am attempting to decrypt on another server using mcrypt_encrypt and mycrypt_decrypt (using same key and initialzation vector). It is almost working but I seem to still have a little problem, that data is missing the last character which still seems to be encrypted. I am putting the data in the database with addslashes, and retrieving with stripslashes, but I get things like this; 45221141¤Þ,]¹9Ñ 7775ÿåZ|z while($arrEncInfo = mysql_fetch_array($dbGetSub)){ $stripDataA = stripslashes($arrEncInfo['dataA']); $stripIV = stripslashes($arrEncInfo['iv']); $dataA = mcrypt_decrypt($encAlg, $encKey, $stripDataA, $encMode, $stripIV); echo $dataA . \n; } Has anyone seen this? Could there be a difference between the PHP installs? Both are version 4.3.7. Thanks! Jay You should probably use mysql_escape_string or mysql_real_escape_string instead of addslashes and stripslashes. IMHO addslashes and stripslashes are pretty much useless. -- paperCrane Justin Patrin -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] Re: Encryption Question
[snip] You should probably use mysql_escape_string or mysql_real_escape_string instead of addslashes and stripslashes. IMHO addslashes and stripslashes are pretty much useless. [/snip] That is an interesting take, why so? -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Re: Encryption Question
Jay Blanchard wrote: [snip] You should probably use mysql_escape_string or mysql_real_escape_string instead of addslashes and stripslashes. IMHO addslashes and stripslashes are pretty much useless. [/snip] That is an interesting take, why so? Because it can easily cause more problems than it fixes. Actually, it's also a part of my dislike for the magic_quotes system... At the very least, mysql_(real_)escape_string should be always used for mysql code instead of addslashes as it *will* do the right thing. -- paperCrane Justin Patrin -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Re: Encryption Question
Do you really need to use stripslashes when retrieving the data? Wouldnt stripslashes only affect magic quotes or already added slashes, I mean when you addslashes to the SQL the slashes are indeed removed when inserted in the table. -- -- Kim Steinhaug -- There are 10 types of people when it comes to binary numbers: those who understand them, and those who don't. -- www.steinhaug.com - www.easywebshop.no - www.webkitpro.com -- Justin Patrin [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] Jay Blanchard wrote: Good morning gurus! I am encrypting some data on one server and now I am attempting to decrypt on another server using mcrypt_encrypt and mycrypt_decrypt (using same key and initialzation vector). It is almost working but I seem to still have a little problem, that data is missing the last character which still seems to be encrypted. I am putting the data in the database with addslashes, and retrieving with stripslashes, but I get things like this; 45221141¤Þ,]¹9Ñ 7775ÿåZ|z while($arrEncInfo = mysql_fetch_array($dbGetSub)){ $stripDataA = stripslashes($arrEncInfo['dataA']); $stripIV = stripslashes($arrEncInfo['iv']); $dataA = mcrypt_decrypt($encAlg, $encKey, $stripDataA, $encMode, $stripIV); echo $dataA . \n; } Has anyone seen this? Could there be a difference between the PHP installs? Both are version 4.3.7. Thanks! Jay You should probably use mysql_escape_string or mysql_real_escape_string instead of addslashes and stripslashes. IMHO addslashes and stripslashes are pretty much useless. -- paperCrane Justin Patrin -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Re: Encryption of emails.
Hello, On 09/05/2002 02:29 AM, Bob Irwin wrote: Hey guys, Can anyone recommend any PHP functions or plugins that will allow me to send encrypted emails via PHP? Something similar to PGP would be excellent. I have use PGP with a formmail cgi previously, but obviously it'd be easier to have in-PHP support for it. It ise not much different. You still have to use PGP shell program from PHP probably with the popen() function and collect the encrypted results to send in a message with the mail() function. There are some MIME standards for sending encrypted messages signed and with public keys, but I am not sure if you need that. -- Regards, Manuel Lemos -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Re: encryption code in php
Never mind! It took me all day to find out what the problem is. It turned out that PHP use $SSL_PROTOCOL, $SSL_CIPHER_USEKEYSIZE, etc. It is displayed automatically when the register_global is turned on. With some research, found out that it is part of Mod_SSL where PHP use it from. Yet, I still struggle and I tried specifying the environment variables like file put_env(), etc. So, far they never work. Until I got to the documentation at http://www.php.net/release_4_1_0.php and I got the clue from it saying that REMOTE_ADDR is part of $_SERVER. I never knew that. So, I began to understand that any environment variables like REMOTE_ADDR or SSL_PROTOCOL, etc is part of $_SERVER. I'm going to need better documentation on what variables are include in things like $_GET, $_COOKIE, $_ENV, $_SERVER, etc. So, I can use whatever the variables I never heard of and put it to good use on the website. Anyone know? ?php phpinfo();? This will tell you everything, no matter what your server and/or environment do that's screwy... Nobody can tell you in advance, since PHP simply sucks in what's there. If your Server don't set 'FOO', then $_SERVER['FOO'] ain't set. If your server does, it is. If you are writing code to be distributed to the public for a zillion different servers, don't assume that $_SERVER['SSL_PROTOCOL'] or whatever is going to be there, and not somewhere else, or, err, whatever... Assume nothing. Always safer. :-) -- Like Music? http://l-i-e.com/artists.htm -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Re: encryption and HTTP
Yeah the idea of php md5() hash is for data integrity, by taking a hash of some data and taking a hash of it later, allows you to compare the results and see if the data hash been changed, such as a database value. You have to use some form of client side technology to pass variables encrypted. e.g. using Javascript or implementing SSL. U could always use Java applets. Muz Erik Price [EMAIL PROTECTED] wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... Without using SSL or JavaScript, is there any way to make an md5 hash or encrypt a string before sending it out as a POST request? It seems that without encrypting the data before sending it, it can still be intercepted. Once intercepted, it doesn't matter if I use md5() on the $_POST['password'] once it gets to the script, because anyone can submit the same intercepted string to the script via POST and it will be md5()ed when it gets there, thus defeating the purpose. Maybe I haven't quite wrapped my brain around a decent authentication scheme yet. Erik Erik Price Web Developer Temp Media Lab, H.H. Brown [EMAIL PROTECTED] -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Re: Encryption
As far as I'm aware, as long as you use the same seed or salt value, encrypting material will always yield the same results. However, remember that not all servers have support for mcrypt... You may find it better to use something simpler like md5($seed . $data), where $seed is a unique (and hireable) value that you have created. Anas Mughal [EMAIL PROTECTED] wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... I am totally new to encryption. My question is very simple. If I use the mcrypt module to encrypt and decrypt some data, would it guarantee to work consistently with future versions of the mcryp module (or PHP versions). (i.e. Would decription always give me the same result?) Thanks. = Anas Mughal [EMAIL PROTECTED] [EMAIL PROTECTED] Tel: 973-249-6665 __ Do You Yahoo!? Great stuff seeking new owners in Yahoo! Auctions! http://auctions.yahoo.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]