search

noprotocol / php-mysql-aes-crypt

Encrypt/decrypt data in PHP to a format compatible with MySQL AES_ENCRYPT & AES_DECRYPT functions.
MIT License
23 stars 9 forks source link

Check if the encryption can be handled through SQL #10

Open ghost opened 6 years ago

ghost commented 6 years ago

As I mentioned in an another issue, it can be a little pain in the ass to (for an example) order the content through a SQL query. Example: ORDER BY CAST(AES_DECRYPT(string, "encryption-key") AS CHAR).

I got it to work by shorten the encryption key from 128 characters to 64 characters. But when I started a new project and used the same amount of characters in the encryption key, the string was empty (NULL).

So to prevent this in the future, it would be very effective to add a small function that checks if the chosen encrypion key can be used in a SQL query, or not. And if the encryption key is not fitted for (for an example) a ORDER BY CAST(AES_DECRYPT(string, "encryption-key") AS CHAR), return a error message that says what the problem is and how you can solve it.

ghost commented 6 years ago

I have tested your class versus the built in AES_ENCRYPT() in MySQL.

When I add data into my table with your class, the data will be stored like this: 0x233BFB487DF13B63B193362355A08E7A. This string is not working with the following SQL query (the encryption key is just for test and will not use in the final stage of my website).

SELECT *
FROM users
WHERE AES_DECRYPT(data_email, '9XQYPMG3LN7VCW38G5Y8976Y572793QJRE422MD5') LIKE '%edgren%'

But when I use the built in function in MySQL, the SQL query above will work.

INSERT INTO users(data_email)
VALUES(AES_ENCRYPT('edgren', '9XQYPMG3LN7VCW38G5Y8976Y572793QJRE422MD5'))

Also, the data string will now look like this: 0xE2576083EB290A600E74E9A84372C9FB. It will always look like that, no matter how many times I use the INSERT INTO query above.

Because of this experiment, I think that your class is creating a "not real" encryption string that MySQL can't read.

But if I use AES_ENCRYPT(), your class can't decrypt the string, even if I change between 128-bit, 192-bit, and 256-bit. It will only return a string with jibberish characters, instead of edgren.

$test = sql("SELECT data_email FROM users", Array(), 'fetch');
echo decrypt($test['data_email']);    # returns *��8cIX���`�

If I try to decrypt the string with the built in AES_DECRYPT(), it will only return empty, so I have no idea about this on :/

$test = sql("SELECT AES_DECRYPT(data_email, '9XQYPMG3LN7VCW38G5Y8976Y572793QJRE422MD5') FROM users", Array(), 'fetch');
echo $test['data_email'];    # returns empty

Here's how my field for data_email looks like:

`data_email` varbinary(256) NOT NULL
verschuur commented 6 years ago

Hi, thanks for the information, very interesting. We'll have a look at it!

ghost commented 6 years ago

How long have you come with this issue? :)

verschuur commented 6 years ago

How long have you come with this issue? :)

Due to time constraints within the office, we haven't been able to look at it yet I'm afraid.

However, pull requests are always welcome 😉

ghost commented 6 years ago

How long have you come with this issue? :)

Due to time constraints within the office, we haven't been able to look at it yet I'm afraid.

However, pull requests are always welcome 😉

That's too bad :/ But understandable :)

Hehe. Yes. I wish I could add one, but I am such a n00b with classes, haha!