Chris Gmyr
Developer, entrepreneur, drummer, biker, dog owner, husband, and proud dad. Loves Laravel and coffee

Encrypt/Decrypt Secure Data with PHP

04/05/2011

Mcrypt is a very powerful library in PHP that can give you a number of ways to encrypt then decrypt data in a secure way. If you need to keep sensitive data in your database like credit cards, social security numbers, bank account numbers, etc – this library is a must for you.

Let’s start with the basic functions:

<?php
function encrypt_text($value)
{
   if(!$value) return false;

   $crypttext = mcrypt_encrypt(MCRYPT_RIJNDAEL_256, 'SECURE_STRING_1', $value, MCRYPT_MODE_ECB, 'SECURE_STRING_2');
   return trim(base64_encode($crypttext));
}

function decrypt_text($value)
{
   if(!$value) return false;

   $crypttext = base64_decode($value);
   $decrypttext = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, 'SECURE_STRING_1', $crypttext, MCRYPT_MODE_ECB, 'SECURE_STRING_2');
   return trim($decrypttext);
}

In addition to using the mcrypt library we are also going to use the base64 encode/decode functions for an extra level of protection. You will want to choose 2 random string values before you run these and update SECURE_STRING_1 and SECURE_STRING_2. You want to make sure these are the same every time you call these functions or else these will not encrypt/decrypt correctly. Once you have updated these values, you can test using something like this:

<?php
$my_credit_card = '5105105105105100';
$secure_credit_card = encrypt_text($my_credit_card);
echo $secure_credit_card; //JIkkfj6yzQqMTZoUufuyI8FL1isqH/QXblQk90IIuqA=

$unsecure_credit_card = decrypt_text($secure_credit_card);
echo $unsecure_credit_card; //5105105105105100 (original card number)

All you have to do is save $secure_credit_card to your database and you are all set.

Taking this to the next level

If you are interested in kicking the security up a notch you can always come up with some random strings on the fly and also save these to your database. You want to be careful to save the correct keys per user so that you can decrypt the information correctly at a later time. Let’s say for example that when your user registers they enter a first name, last name, email address, and password. You can take this information and create the user’s encryption keys by doing something like this:

<?php
$first_name = 'Chris';
$last_name = 'Gmyr';
$email = 'email@domain.com';
$password = 'mypassword123';

$secure_string_1 = md5($first_name.'|'.$email);
echo $secure_string_1; //9c46de8e3b1f557c20c964be2b54d4d9

$secure_string_2 = md5($last_name.'|'.$password);
echo $secure_string_2; //131d88ad82d9c94c65ba3945c38b06e1

Even though the user could change their information in the future, you do not want to change the encryption keys in your database. After some slight modifications to pass the 2 keys to the functions, you have something like:

<?php
function encrypt_text($value, $key1, $key2)
{
   if(!$value || !$key1 || !$key2) return false;

   $crypttext = mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key1, $value, MCRYPT_MODE_ECB, $key2);
   return trim(base64_encode($crypttext));
}

function decrypt_text($value, $key1, $key2)
{
   if(!$value || !$key1 || !$key2) return false;

   $crypttext = base64_decode($value);
   $decrypttext = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key1, $crypttext, MCRYPT_MODE_ECB, $key2);
   return trim($decrypttext);
}

$my_credit_card = '5105105105105100';
$secure_credit_card = encrypt_text($my_credit_card, $secure_string_1, $secure_string_2);
$unsecure_credit_card = decrypt_text($secure_credit_card, $secure_string_1, $secure_string_2);

Your Turn

How do you secure data in your applications? Do you have any other tips that you would like to share?