Re: [PHP] Studying mcrypt
Alex Nikitin wrote: [snip] Also you shouldn't actually encrypt passwords, the proper way to store them is hashed, so that if someone grabs your database, they dont have your passwords, even if they have the key. Hello, since this thread is about studying mcrypt... In another language, for a top security with the ability to retrieve data situation, I use a method that stores an encrypted key, but then also, the entire pages are encrypted as well, with a separate utility, where I only know the key. Think of it as compiling your software, only it is not compiling, it's encrypting, and it's then able to run as if it were compiled. The end result is that the key to any encrypted sensitive info does not reside on the server, it resides with me on my local system... thus the passwords are safely encrypted, yet I can retrieve them manually. I don't know that PHP has the ability to run in compiled or encrypted form.. does it? If not, I guess a 1 way, non-key encryption would be the only way to be absolutely secure with saved data in PHP (such as a hash). Donovan -- D Brooke -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Studying mcrypt
On Thu, Aug 4, 2011 at 10:31 AM, Donovan Brooke li...@euca.us wrote: Alex Nikitin wrote: [snip] Also you shouldn't actually encrypt passwords, the proper way to store them is hashed, so that if someone grabs your database, they dont have your passwords, even if they have the key. Hello, since this thread is about studying mcrypt... In another language, for a top security with the ability to retrieve data situation, I use a method that stores an encrypted key, but then also, the entire pages are encrypted as well, with a separate utility, where I only know the key. Think of it as compiling your software, only it is not compiling, it's encrypting, and it's then able to run as if it were compiled. The end result is that the key to any encrypted sensitive info does not reside on the server, it resides with me on my local system... thus the passwords are safely encrypted, yet I can retrieve them manually. I don't know that PHP has the ability to run in compiled or encrypted form.. does it? If not, I guess a 1 way, non-key encryption would be the only way to be absolutely secure with saved data in PHP (such as a hash). Donovan -- D Brooke -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php You can have multiple ways to encrypt data and store it pretty securely. For example i had a system that would encrypt passwords for other services and store them in the database along with an iv, the key was hard coded into the application and salt came from the user and was never stored, this way even if someone got my database and code which would be a feat not for the faint of heart, they still wont be able to get the data decrypted... What makes your local system any less vulnerable of a point than your server, of anything, its more vulnerable and failure-prone, so unless i'm not getting something, that seems like a poor design decision (i'm sorry) There is code obfuscation with PHP, and you can compile it into C++ with HipHop for php for example... -- The trouble with programmers is that you can never tell what a programmer is doing until it’s too late. ~Seymour Cray
Re: [PHP] Studying mcrypt
Alex Nikitin wrote: [snip] What makes your local system any less vulnerable of a point than your server, of anything, its more vulnerable and failure-prone, so unless i'm not getting something, that seems like a poor design decision (i'm sorry) [snip] In the model I profiled, it is a system design that * requires * the ability to retrieve secured data. For my solution, they would have to have physical entry into the premises that hold the key/s (local encryption done offline). Donovan -- D Brooke -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Studying mcrypt
Alex Nikitin wrote: [snip] There is code obfuscation with PHP, and you can compile it into C++ with HipHop for php for example... [snip] Of course, obfuscation is never a great security solution. Compiling it into C++ is interesting... the question would be if the code could be de-compiled.. if so, then probably not a great solution either. Donovan -- D Brooke -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Studying mcrypt
On Thu, Aug 4, 2011 at 12:23 PM, Donovan Brooke li...@euca.us wrote: Alex Nikitin wrote: [snip] There is code obfuscation with PHP, and you can compile it into C++ with HipHop for php for example... [snip] Of course, obfuscation is never a great security solution. Compiling it into C++ is interesting... the question would be if the code could be de-compiled.. if so, then probably not a great solution either. Donovan -- D Brooke -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php It's never a good idea to store all your keys in code, that is why we have an iv, and a salt that you can use... neither is program encryption, since i can dump it in it's executing form out of memory fairly easily; this is why hard drive encryption without a controller that does crypto off the main system is fairly pointless... -- The trouble with programmers is that you can never tell what a programmer is doing until it’s too late. ~Seymour Cray
Re: [PHP] Studying mcrypt
Alex Nikitin wrote: [snip] It's never a good idea to store all your keys in code, True, but in the system I was referring to, only the closed source app knows how to see the key in the encrypted templates and there is no way for another to know how to decrypt the encrypted templates to see any of the other keys in the code... It's a unique solution for this type of topic. I don't want to go into too many details because it's not about PHP and my intention with bringing it up was to see if others knew of a similar solution within PHP.. which I'm thinking there is not. that is why we have an iv, and a salt that you can use... neither is program encryption, since i can dump it in it's executing form out of memory fairly easily; Well, not with the situation/app I was talking about.. this is why hard drive encryption without a controller that does crypto off the main system is fairly pointless... I'm not exactly sure what you are saying here.. but there are good reasons to have built the system that I was referring to... safe retrieval of secured data being the main idea. Look, I agree that in a typical online passphrase type of setup, creating a hash to be matched for access is a great solution under sensitive situations. You don't need to retrieve the pass as the owner can change it if they forget... however, encryption is absolutely not worth nothing and the O.P. stated he was trying to learn about PHP's mcrypt. Much of the time, a spec requires the access retrieval of secured data and a developer will have no choice anyway ;-). Not all sensitive data is at the same sensitivity level either... so mcrypt has its place. Cheers, Donovan -- D Brooke -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Studying mcrypt
Hello Php, It's my first time I use mcrypt. I've done everything like it's written in the php manuals, here is the code: ?php $d=mcrypt_module_open(rijndael-256, , ofb, ); $iv=mcrypt_create_iv(mcrypt_enc_get_iv_size($d), MCRYPT_DEV_RANDOM); $ks=mcrypt_enc_get_key_size($d); $key=substr(md5(Secret key), 0, $ks); mcrypt_generic_init($d, $key, $iv); $cpass=mcrypt_generic($d, $_POST['opass']); mcrypt_generic_deinit($d); mcrypt_module_close($d); ? And here's what I get: Original password: asdfasdfasdf Encrypted password: Q�j�* Question: Is it normal to have such strange characters in the encrypted string? I'm hosted at http://godaddy.com/, shared hosting, if it does matter. Thanks! -- With best regards from Ukraine, Andre Skype: Francophile Twitter: http://twitter.com/m_elensule Facebook: http://facebook.com/menelion -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Studying mcrypt
Yes, since it's trying to represent in characters some purely binary data, it is not unlikely that you will get VERY weird characters (and you do). Also you shouldn't actually encrypt passwords, the proper way to store them is hashed, so that if someone grabs your database, they dont have your passwords, even if they have the key. Best way to check is to decrypt it and verify... -- The trouble with programmers is that you can never tell what a programmer is doing until it’s too late. ~Seymour Cray On Wed, Aug 3, 2011 at 12:40 PM, Andre Polykanine an...@oire.org wrote: Hello Php, It's my first time I use mcrypt. I've done everything like it's written in the php manuals, here is the code: ?php $d=mcrypt_module_open(rijndael-256, , ofb, ); $iv=mcrypt_create_iv(mcrypt_enc_get_iv_size($d), MCRYPT_DEV_RANDOM); $ks=mcrypt_enc_get_key_size($d); $key=substr(md5(Secret key), 0, $ks); mcrypt_generic_init($d, $key, $iv); $cpass=mcrypt_generic($d, $_POST['opass']); mcrypt_generic_deinit($d); mcrypt_module_close($d); ? And here's what I get: Original password: asdfasdfasdf Encrypted password: Q� j�* Question: Is it normal to have such strange characters in the encrypted string? I'm hosted at http://godaddy.com/, shared hosting, if it does matter. Thanks! -- With best regards from Ukraine, Andre Skype: Francophile Twitter: http://twitter.com/m_elensule Facebook: http://facebook.com/menelion -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Studying mcrypt
Hello Alex, Thanks for the tip. I'm not storing it in the database (you see, it's asdfasdf and the key string is secret key), I'm just studying mcrypt's possibilities :-). -- With best regards from Ukraine, Andre Skype: Francophile My blog: http://oire.org/menelion (mostly in Russian) Twitter: http://twitter.com/m_elensule Facebook: http://facebook.com/menelion Original message From: Alex Nikitin niks...@gmail.com To: Andre Polykanine Date created: , 9:27:42 PM Subject: [PHP] Studying mcrypt Yes, since it's trying to represent in characters some purely binary data, it is not unlikely that you will get VERY weird characters (and you do). Also you shouldn't actually encrypt passwords, the proper way to store them is hashed, so that if someone grabs your database, they dont have your passwords, even if they have the key. Best way to check is to decrypt it and verify... -- The trouble with programmers is that you can never tell what a programmer is doing until it’s too late. ~Seymour Cray On Wed, Aug 3, 2011 at 12:40 PM, Andre Polykanine an...@oire.org wrote: Hello Php, It's my first time I use mcrypt. I've done everything like it's written in the php manuals, here is the code: ?php $d=mcrypt_module_open(rijndael-256, , ofb, ); $iv=mcrypt_create_iv(mcrypt_enc_get_iv_size($d), MCRYPT_DEV_RANDOM); $ks=mcrypt_enc_get_key_size($d); $key=substr(md5(Secret key), 0, $ks); mcrypt_generic_init($d, $key, $iv); $cpass=mcrypt_generic($d, $_POST['opass']); mcrypt_generic_deinit($d); mcrypt_module_close($d); ? And here's what I get: Original password: asdfasdfasdf Encrypted password: Q� j�* Question: Is it normal to have such strange characters in the encrypted string? I'm hosted at http://godaddy.com/, shared hosting, if it does matter. Thanks! -- With best regards from Ukraine, Andre Skype: Francophile Twitter: http://twitter.com/m_elensule Facebook: http://facebook.com/menelion -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Studying mcrypt
On Wed, 2011-08-03 at 22:02 +0300, Andre Polykanine wrote: Hello Alex, Thanks for the tip. I'm not storing it in the database (you see, it's asdfasdf and the key string is secret key), I'm just studying mcrypt's possibilities :-). -- With best regards from Ukraine, Andre Skype: Francophile My blog: http://oire.org/menelion (mostly in Russian) Twitter: http://twitter.com/m_elensule Facebook: http://facebook.com/menelion Original message From: Alex Nikitin niks...@gmail.com To: Andre Polykanine Date created: , 9:27:42 PM Subject: [PHP] Studying mcrypt Yes, since it's trying to represent in characters some purely binary data, it is not unlikely that you will get VERY weird characters (and you do). Also you shouldn't actually encrypt passwords, the proper way to store them is hashed, so that if someone grabs your database, they dont have your passwords, even if they have the key. Best way to check is to decrypt it and verify... -- The trouble with programmers is that you can never tell what a programmer is doing until it’s too late. ~Seymour Cray On Wed, Aug 3, 2011 at 12:40 PM, Andre Polykanine an...@oire.org wrote: Hello Php, It's my first time I use mcrypt. I've done everything like it's written in the php manuals, here is the code: ?php $d=mcrypt_module_open(rijndael-256, , ofb, ); $iv=mcrypt_create_iv(mcrypt_enc_get_iv_size($d), MCRYPT_DEV_RANDOM); $ks=mcrypt_enc_get_key_size($d); $key=substr(md5(Secret key), 0, $ks); mcrypt_generic_init($d, $key, $iv); $cpass=mcrypt_generic($d, $_POST['opass']); mcrypt_generic_deinit($d); mcrypt_module_close($d); ? And here's what I get: Original password: asdfasdfasdf Encrypted password: Q� j�* Question: Is it normal to have such strange characters in the encrypted string? I'm hosted at http://godaddy.com/, shared hosting, if it does matter. Thanks! -- With best regards from Ukraine, Andre Skype: Francophile Twitter: http://twitter.com/m_elensule Facebook: http://facebook.com/menelion -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php Please don't top-post :) You can use base64_encode() on it to convert it into something that's printable and storable in the DB without having to resort to a binary blob -- Thanks, Ash http://www.ashleysheridan.co.uk
Re: [PHP] Studying mcrypt
I have a neat class you can play with... -- The trouble with programmers is that you can never tell what a programmer is doing until it’s too late. ~Seymour Cray On Wed, Aug 3, 2011 at 2:27 PM, Alex Nikitin niks...@gmail.com wrote: Yes, since it's trying to represent in characters some purely binary data, it is not unlikely that you will get VERY weird characters (and you do). Also you shouldn't actually encrypt passwords, the proper way to store them is hashed, so that if someone grabs your database, they dont have your passwords, even if they have the key. Best way to check is to decrypt it and verify... -- The trouble with programmers is that you can never tell what a programmer is doing until it’s too late. ~Seymour Cray On Wed, Aug 3, 2011 at 12:40 PM, Andre Polykanine an...@oire.org wrote: Hello Php, It's my first time I use mcrypt. I've done everything like it's written in the php manuals, here is the code: ?php $d=mcrypt_module_open(rijndael-256, , ofb, ); $iv=mcrypt_create_iv(mcrypt_enc_get_iv_size($d), MCRYPT_DEV_RANDOM); $ks=mcrypt_enc_get_key_size($d); $key=substr(md5(Secret key), 0, $ks); mcrypt_generic_init($d, $key, $iv); $cpass=mcrypt_generic($d, $_POST['opass']); mcrypt_generic_deinit($d); mcrypt_module_close($d); ? And here's what I get: Original password: asdfasdfasdf Encrypted password: Q� j�* Question: Is it normal to have such strange characters in the encrypted string? I'm hosted at http://godaddy.com/, shared hosting, if it does matter. Thanks! -- With best regards from Ukraine, Andre Skype: Francophile Twitter: http://twitter.com/m_elensule Facebook: http://facebook.com/menelion -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Studying mcrypt
Hi Ash, Please don't top-post :) *Huge sigh* OK, OK! But still it's too uncomfortable to read bottom-posting! :P You can use base64_encode() on it to convert it into something that's printable and storable in the DB without having to resort to a binary blob Thanks, will try!) -- With best regards from Ukraine, Andre Skype: Francophile My blog: http://oire.org/menelion (mostly in Russian) Twitter: http://twitter.com/m_elensule Facebook: http://facebook.com/menelion -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Studying mcrypt
Hello Alex, I have a neat class you can play with... Could you give me the link, please?) -- With best regards from Ukraine, Andre Skype: Francophile My blog: http://oire.org/menelion (mostly in Russian) Twitter: http://twitter.com/m_elensule Facebook: http://facebook.com/menelion -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Studying mcrypt
On Wed, Aug 3, 2011 at 3:08 PM, Ashley Sheridan a...@ashleysheridan.co.ukwrote: ** On Wed, 2011-08-03 at 22:02 +0300, Andre Polykanine wrote: Hello Alex, Thanks for the tip. I'm not storing it in the database (you see, it's asdfasdf and the key string is secret key), I'm just studying mcrypt's possibilities :-). -- With best regards from Ukraine, Andre Skype: Francophile My blog: http://oire.org/menelion (mostly in Russian) Twitter: http://twitter.com/m_elensule Facebook: http://facebook.com/menelion Original message From: Alex Nikitin niks...@gmail.com To: Andre Polykanine Date created: , 9:27:42 PM Subject: [PHP] Studying mcrypt Yes, since it's trying to represent in characters some purely binary data, it is not unlikely that you will get VERY weird characters (and you do). Also you shouldn't actually encrypt passwords, the proper way to store them is hashed, so that if someone grabs your database, they dont have your passwords, even if they have the key. Best way to check is to decrypt it and verify... -- The trouble with programmers is that you can never tell what a programmer is doing until it’s too late. ~Seymour Cray On Wed, Aug 3, 2011 at 12:40 PM, Andre Polykanine an...@oire.org wrote: Hello Php, It's my first time I use mcrypt. I've done everything like it's written in the php manuals, here is the code: ?php $d=mcrypt_module_open(rijndael-256, , ofb, ); $iv=mcrypt_create_iv(mcrypt_enc_get_iv_size($d), MCRYPT_DEV_RANDOM); $ks=mcrypt_enc_get_key_size($d); $key=substr(md5(Secret key), 0, $ks); mcrypt_generic_init($d, $key, $iv); $cpass=mcrypt_generic($d, $_POST['opass']); mcrypt_generic_deinit($d); mcrypt_module_close($d); ? And here's what I get: Original password: asdfasdfasdf Encrypted password: Q� j�* Question: Is it normal to have such strange characters in the encrypted string? I'm hosted at http://godaddy.com/, shared hosting, if it does matter. Thanks! -- With best regards from Ukraine, Andre Skype: Francophile Twitter: http://twitter.com/m_elensule Facebook: http://facebook.com/menelion -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php Please don't top-post :) You can use base64_encode() on it to convert it into something that's printable and storable in the DB without having to resort to a binary blob -- Thanks, Ash http://www.ashleysheridan.co.uk Isn't that a bit counterproductive though, storing it in binary? Purely storage-related: Say we are storing a 128byte result of encryption. Storing it in a varbin would mean that you would use up 128+1 bytes of storage, where as if you were to base64 encode it, data length would be 170 or so bytes, +1byte or 171bytes... 42 bytes difference... This was a crypto class i wrote for something, i cant even recall exactly what project it was for, it is making it's way into the framework, but for now, i've changed it to be normal again Hopefully it should be pretty straight forward: http://pastebin.com/TFn468dM -- The trouble with programmers is that you can never tell what a programmer is doing until it’s too late. ~Seymour Cray
Re: [PHP] Studying mcrypt
On Wed, 2011-08-03 at 15:35 -0400, Alex Nikitin wrote: On Wed, Aug 3, 2011 at 3:08 PM, Ashley Sheridan a...@ashleysheridan.co.ukwrote: ** On Wed, 2011-08-03 at 22:02 +0300, Andre Polykanine wrote: Hello Alex, Thanks for the tip. I'm not storing it in the database (you see, it's asdfasdf and the key string is secret key), I'm just studying mcrypt's possibilities :-). -- With best regards from Ukraine, Andre Skype: Francophile My blog: http://oire.org/menelion (mostly in Russian) Twitter: http://twitter.com/m_elensule Facebook: http://facebook.com/menelion Original message From: Alex Nikitin niks...@gmail.com To: Andre Polykanine Date created: , 9:27:42 PM Subject: [PHP] Studying mcrypt Yes, since it's trying to represent in characters some purely binary data, it is not unlikely that you will get VERY weird characters (and you do). Also you shouldn't actually encrypt passwords, the proper way to store them is hashed, so that if someone grabs your database, they dont have your passwords, even if they have the key. Best way to check is to decrypt it and verify... -- The trouble with programmers is that you can never tell what a programmer is doing until it’s too late. ~Seymour Cray On Wed, Aug 3, 2011 at 12:40 PM, Andre Polykanine an...@oire.org wrote: Hello Php, It's my first time I use mcrypt. I've done everything like it's written in the php manuals, here is the code: ?php $d=mcrypt_module_open(rijndael-256, , ofb, ); $iv=mcrypt_create_iv(mcrypt_enc_get_iv_size($d), MCRYPT_DEV_RANDOM); $ks=mcrypt_enc_get_key_size($d); $key=substr(md5(Secret key), 0, $ks); mcrypt_generic_init($d, $key, $iv); $cpass=mcrypt_generic($d, $_POST['opass']); mcrypt_generic_deinit($d); mcrypt_module_close($d); ? And here's what I get: Original password: asdfasdfasdf Encrypted password: Q� j�* Question: Is it normal to have such strange characters in the encrypted string? I'm hosted at http://godaddy.com/, shared hosting, if it does matter. Thanks! -- With best regards from Ukraine, Andre Skype: Francophile Twitter: http://twitter.com/m_elensule Facebook: http://facebook.com/menelion -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php Please don't top-post :) You can use base64_encode() on it to convert it into something that's printable and storable in the DB without having to resort to a binary blob -- Thanks, Ash http://www.ashleysheridan.co.uk Isn't that a bit counterproductive though, storing it in binary? Purely storage-related: Say we are storing a 128byte result of encryption. Storing it in a varbin would mean that you would use up 128+1 bytes of storage, where as if you were to base64 encode it, data length would be 170 or so bytes, +1byte or 171bytes... 42 bytes difference... This was a crypto class i wrote for something, i cant even recall exactly what project it was for, it is making it's way into the framework, but for now, i've changed it to be normal again Hopefully it should be pretty straight forward: http://pastebin.com/TFn468dM -- The trouble with programmers is that you can never tell what a programmer is doing until it’s too late. ~Seymour Cray The beauty of encoding something into base64 is that you can then easily move that data around to systems that can't handle binary. You can pass a base64 image down to the browser to display, without requiring a second script to create the image used in the img tag. Javascript can manipulate base64 data making it an alternative to json where json won't work. Command line environments won't be able to deal with binary arguments, but base64 is fine. It all depends on what you want to do with it at the end of the day. -- Thanks, Ash http://www.ashleysheridan.co.uk
Re: [PHP] Studying mcrypt
On Wed, Aug 3, 2011 at 4:05 PM, Ashley Sheridan a...@ashleysheridan.co.ukwrote: ** On Wed, 2011-08-03 at 15:35 -0400, Alex Nikitin wrote: On Wed, Aug 3, 2011 at 3:08 PM, Ashley Sheridan a...@ashleysheridan.co.ukwrote: ** On Wed, 2011-08-03 at 22:02 +0300, Andre Polykanine wrote: Hello Alex, Thanks for the tip. I'm not storing it in the database (you see, it's asdfasdf and the key string is secret key), I'm just studying mcrypt's possibilities :-). -- With best regards from Ukraine, Andre Skype: Francophile My blog: http://oire.org/menelion (mostly in Russian) Twitter: http://twitter.com/m_elensule Facebook: http://facebook.com/menelion Original message From: Alex Nikitin niks...@gmail.com To: Andre Polykanine Date created: , 9:27:42 PM Subject: [PHP] Studying mcrypt Yes, since it's trying to represent in characters some purely binary data, it is not unlikely that you will get VERY weird characters (and you do). Also you shouldn't actually encrypt passwords, the proper way to store them is hashed, so that if someone grabs your database, they dont have your passwords, even if they have the key. Best way to check is to decrypt it and verify... -- The trouble with programmers is that you can never tell what a programmer is doing until it’s too late. ~Seymour Cray On Wed, Aug 3, 2011 at 12:40 PM, Andre Polykanine an...@oire.org wrote: Hello Php, It's my first time I use mcrypt. I've done everything like it's written in the php manuals, here is the code: ?php $d=mcrypt_module_open(rijndael-256, , ofb, ); $iv=mcrypt_create_iv(mcrypt_enc_get_iv_size($d), MCRYPT_DEV_RANDOM); $ks=mcrypt_enc_get_key_size($d); $key=substr(md5(Secret key), 0, $ks); mcrypt_generic_init($d, $key, $iv); $cpass=mcrypt_generic($d, $_POST['opass']); mcrypt_generic_deinit($d); mcrypt_module_close($d); ? And here's what I get: Original password: asdfasdfasdf Encrypted password: Q� j�* Question: Is it normal to have such strange characters in the encrypted string? I'm hosted at http://godaddy.com/, shared hosting, if it does matter. Thanks! -- With best regards from Ukraine, Andre Skype: Francophile Twitter: http://twitter.com/m_elensule Facebook: http://facebook.com/menelion -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php Please don't top-post :) You can use base64_encode() on it to convert it into something that's printable and storable in the DB without having to resort to a binary blob -- Thanks, Ash http://www.ashleysheridan.co.uk Isn't that a bit counterproductive though, storing it in binary? Purely storage-related: Say we are storing a 128byte result of encryption. Storing it in a varbin would mean that you would use up 128+1 bytes of storage, where as if you were to base64 encode it, data length would be 170 or so bytes, +1byte or 171bytes... 42 bytes difference... This was a crypto class i wrote for something, i cant even recall exactly what project it was for, it is making it's way into the framework, but for now, i've changed it to be normal again Hopefully it should be pretty straight forward: http://pastebin.com/TFn468dM -- The trouble with programmers is that you can never tell what a programmer is doing until it’s too late. ~Seymour Cray The beauty of encoding something into base64 is that you can then easily move that data around to systems that can't handle binary. You can pass a base64 image down to the browser to display, without requiring a second script to create the image used in the img tag. Javascript can manipulate base64 data making it an alternative to json where json won't work. Command line environments won't be able to deal with binary arguments, but base64 is fine. It all depends on what you want to do with it at the end of the day. -- Thanks, Ash http://www.ashleysheridan.co.uk That's why i prefaced it with purely storage-related. base64 is awesome, i use it as a hack to get around xss and sql injection, it works beautifully :) -- The trouble with programmers is that you can never tell what a programmer is doing until it’s too late. ~Seymour Cray