Encrypting the form data to insert into DB

Posted: Wed Jun 09, 2004 1:24 am
by Calimero
This is my question:
Can the data be encrypted when the visitor inputs the form and then decrypted to be inserted into the db?

Also the user data returned to "the one" should be encrypted, the code for this if possible.

NOTE: I have no experience with encrypting in PHP, so any help and major guidelines are appreciated.

Posted: Wed Jun 09, 2004 1:45 am
by Weirdan
Why even bother with home-made encryption? You can install an SSL-enabled server, put your certificate there and have the connection encrypted without any headache.

OK, so the steps that follow are ???

Posted: Wed Jun 09, 2004 4:57 pm
by Calimero
Where do I find this SSL server? Note I use Zend for PHP optimising.
And how is the certificate issued, or what is done to it?
Thanks ahead!

Posted: Wed Jun 09, 2004 5:11 pm
by feyd
Check Verisign for SSL information.

Posted: Wed Jun 09, 2004 9:27 pm
by dull1554
If he just wants to encode it he could do a base64_serialize()
I think that's what it is, and then base64_deserialize()

Posted: Wed Jun 09, 2004 9:52 pm
by feyd
base64_encode() and base64_decode() actually..

Posted: Thu Jun 10, 2004 6:03 am
by dull1554
Man, sorry, I was tired, mixing up functions..... :)

Posted: Thu Jun 10, 2004 9:06 am
by fastfingertips
Just a question:

If I get the string and I'm running the decode, what should I get? The values? Because in this way it is useless :D.

In this case you may try to develop your own algorithm or use some already made functions (you will find plenty of them with Google) because as I know you will have to pay for Verisign services.

Posted: Thu Jun 10, 2004 10:09 am
by feyd
true.. any real SSL cert you will have to pay for. Making your own encryption routine is a great learning experience too.

Posted: Thu Jun 10, 2004 10:18 am
by redmonkey
feyd wrote: true.. any real SSL cert you will have to pay for.
What's wrong with OpenSSL?

Posted: Thu Jun 10, 2004 10:23 am
by Grim...
/reads question properly.

Move along now - nothing to see here :oops:

Posted: Thu Jun 10, 2004 3:28 pm
by dull1554
It's not too hard to make an SSL cert with OpenSSL, and it's just as secure as if you pay $400 for it; it's just that it won't be signed by a trusted source, so a user will get a warning when the browser encounters the cert.

Posted: Thu Jun 10, 2004 8:46 pm
by feyd
exactly my point.

Posted: Thu Jun 10, 2004 8:59 pm
by dull1554
If you have OpenSSL installed on your server, here is an example to make a self-signed cert, straight from the manual:

<?php 
// Fill in data for the distinguished name to be used in the cert 
// You must change the values of these keys to match your name and 
// company, or more precisely, the name and company of the person/site 
// that you are generating the certificate for. 
// For SSL certificates, the commonName is usually the domain name of
// the site that will be using the certificate, but for S/MIME certificates,
// the commonName will be the name of the individual who will use the
// certificate.
$dn = array(
   // countryName takes the two-letter ISO 3166-1 code, which is GB for the UK
   "countryName" => "GB",
   "stateOrProvinceName" => "Somerset", 
   "localityName" => "Glastonbury", 
   "organizationName" => "The Brain Room Limited", 
   "organizationalUnitName" => "PHP Documentation Team", 
   "commonName" => "Wez Furlong", 
   "emailAddress" => "wez@php.net" 
); 

// Generate a new private (and public) key pair 
$privkey = openssl_pkey_new(); 

// Generate a certificate signing request 
$csr = openssl_csr_new($dn, $privkey); 

// You will usually want to create a self-signed certificate at this 
// point until your CA fulfills your request. 
// This creates a self-signed cert that is valid for 365 days 
$sscert = openssl_csr_sign($csr, null, $privkey, 365); 

// Now you will want to preserve your private key, CSR and self-signed 
// cert so that they can be installed into your web server, mail server 
// or mail client (depending on the intended use of the certificate). 
// This example shows how to get those things into variables, but you 
// can also store them directly into files. 
// Typically, you will send the CSR on to your CA who will then issue 
// you with the "real" certificate. 
openssl_csr_export($csr, $csrout) and debug_zval_dump($csrout); 
openssl_x509_export($sscert, $certout) and debug_zval_dump($certout); 
openssl_pkey_export($privkey, $pkeyout, "mypassword") and debug_zval_dump($pkeyout); 

// Show any errors that occurred here 
while (($e = openssl_error_string()) !== false) { 
   echo $e . "\n"; 
} 
?>

Posted: Thu Jun 10, 2004 9:05 pm
by redmonkey
A self certified/signed SSL certificate is still a 'real' certificate (i.e. it is not fake, forged or any less secure; it is 'real').
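
The point the last few posts circle around can be seen by inspecting such a certificate. The following is an added example, not code from any poster or from the PHP manual: it creates a self-signed certificate the same way as the script above and reports the properties a browser reacts to (issuer equal to subject, signature verifying under its own key), plus the SHA-256 fingerprint a user can compare out of band before accepting the warning. It assumes PHP 7.4 or later with the openssl extension; the DN values and the describe_cert() helper are made up for illustration.

```php
<?php
// Added example, not code from the thread. Requires PHP 7.4+ with ext-openssl.
// The DN values are constructed placeholders.
$dn = array(
    "countryName"      => "GB",
    "organizationName" => "Example Org",
    "commonName"       => "www.example.test",
);

// Summarise the properties of a certificate that decide how a client treats it.
function describe_cert($cert)
{
    $info = openssl_x509_parse($cert);
    if ($info === false) {
        throw new RuntimeException("could not parse certificate");
    }
    // Self-issued: the issuer DN is the same as the subject DN.
    $selfIssued = ($info['subject'] == $info['issuer']);
    // Self-signed: the signature also verifies under the cert's own public key.
    $pub = openssl_pkey_get_public($cert);
    $selfSigned = $selfIssued && $pub !== false
        && openssl_x509_verify($cert, $pub) === 1;
    return array(
        'subject_cn'  => $info['subject']['CN'],
        'issuer_cn'   => $info['issuer']['CN'],
        'self_signed' => $selfSigned,
        'not_after'   => gmdate('Y-m-d', $info['validTo_time_t']),
        // Value to compare out of band against what the browser displays.
        'sha256'      => openssl_x509_fingerprint($cert, 'sha256'),
    );
}

$opts = array('private_key_type' => OPENSSL_KEYTYPE_RSA,
              'private_key_bits' => 2048, 'digest_alg' => 'sha256');
$key  = openssl_pkey_new($opts);
$csr  = $key ? openssl_csr_new($dn, $key, $opts) : false;
$cert = $csr ? openssl_csr_sign($csr, null, $key, 365, $opts) : false;
if ($cert === false) {
    while (($e = openssl_error_string()) !== false) {
        fwrite(STDERR, $e . "\n");
    }
    exit(1);
}

foreach (describe_cert($cert) as $field => $value) {
    printf("%-12s %s\n", $field, var_export($value, true));
}
```

A certificate issued by a CA would report self_signed as false and a different issuer_cn; the key size and digest are chosen by whoever generates the key and CSR, not by who signs.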