base64_encode() ????

Anonymous

Guest
I have a question regarding security and the base64_encode() function. Let's say that for some ungodly reason someone hacks and gets access to my database. What would stop someone from taking the encrypted strings and manually putting them into a base64_decode() function in their own script to figure out the string? This defeats the purpose of security, doesn't it? Or am I misunderstanding this? Any help is greatly appreciated.

Will
 
Hello, Will!

For security purposes you can use the ENCODE function:

ENCODE(str,pass_str)
Encrypt str using pass_str as the password. To decrypt the result, use DECODE(). The result is a binary string of the same length as string. If you want to save it in a column, use a BLOB column type.

No one can see your content until they get the encryption password.

------------------------------------
Bereza Nikita
Rapid Internet Development Department
E-mail: nike@alarit.com
Alar Information Technologies,
URL: http://www.alarit.com
 
base64_encode() is not an encryption function (it is an encoding function) and should not be treated as such. Base 64 is just a convenient way to represent (encode) data in an ASCII format, and should never be used for any security purpose.

You can use nike's advice and use MySQL's ENCODE() function, but if someone hacks into your system and you happen to have the password in one of your PHP files (which I assume you will if you're handling the data with PHP), they're gonna be able to decode it easily (maybe even without the password -- I don't think ENCODE() uses very strong encryption).

Your best bet is to make sure that your server is secure in the first place, keep abreast of security fixes for all the software on your server, and store sensitive data (like credit card numbers) behind as much protection as you can.
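
The difference between encoding and keyed encryption described in the reply above, as an added example that is not part of the original thread. It assumes PHP 7.2+ with the sodium extension; the function names `encrypt_field` and `decrypt_field` and the sample value are constructed for illustration.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7.2+ with ext-sodium.

// Constructed sample value standing in for a sensitive column.
$secret = 'constructed sample value: account note 12345';

// 1. Base64 is an encoding: whoever holds the stored string recovers the
//    data, because no key is involved at any point.
$stored = base64_encode($secret);
var_dump(base64_decode($stored, true) === $secret);

// 2. Authenticated encryption: the stored value cannot be read or silently
//    modified without the key. (Hypothetical helper names.)
function encrypt_field(string $plaintext, string $key): string
{
    // A fresh random nonce per value; it is not secret and is stored with the data.
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $cipher = sodium_crypto_secretbox($plaintext, $nonce, $key);
    // Base64 is used here only to make the bytes safe for a text column.
    return base64_encode($nonce . $cipher);
}

function decrypt_field(string $stored, string $key): ?string
{
    $raw = base64_decode($stored, true);
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $min) {
        return null; // malformed or truncated value
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $cipher = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($cipher, $nonce, $key);
    // false means the key is wrong or the stored bytes were altered.
    return $plain === false ? null : $plain;
}

// Keys are generated inline so the demo is self-contained. Assumption: a real
// deployment loads the key from somewhere other than the database it protects.
$key = sodium_crypto_secretbox_keygen();
$otherKey = sodium_crypto_secretbox_keygen();

$row = encrypt_field($secret, $key);
var_dump(decrypt_field($row, $key) === $secret); // round trip with the right key
var_dump(decrypt_field($row, $otherKey));        // a different key yields null
```

As the reply notes, this only helps if the key is not readable from the same place as the data; a key sitting in a PHP file on the compromised server is exposed along with the database.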
 
Hehe... I should read a bit better when I read posts :)
I thought we were talking about different things..
But it is possible to create an encode function that uses a high encryption... try replicating RSA or something like that..
Sorry for my bad explanations..
 
Hmmz... I admit that I actually never looked at PEAR... never had time :S
Is there anything that I can use for building a webshop?
 
Alexei Kubarev said:
Hmmz... I admit that I actually never looked at PEAR... never had time :S
Is there anything that I can use for building a webshop?

Yes, plenty. Their authentication and database abstraction classes are particularly useful.
 