
encryption

11/6/2006 2:56:53 PM
PHPRunner General questions
drh author

Hello forum,
I am using PHPRUNNER 3.0
I want to store some sensitive data in a mysql database. This data field will need to be displayed to the user when they view or print the record. However, I want the field to be encrypted so in the (unlikely???) event someone cracks my database, the fields will be worthless.
I considered md5, but I don't believe I would be able to display the field later since it is a one way encryption and can only be used in comparing.
Anyone have any experience with this and/or a link on how I can accomplish what I am after?
Thanks in advance.
Dave

Admin 11/7/2006

Dave,
you can use DES algorithm to encrypt and decrypt data.
Use DES_ENCRYPT() function in Before Add and Before Edit events to encrypt user entered data.

Then add DES_DECRYPT() to SQL query in PHPRunner to display decrypted data.
Read the MySQL manual for more info:

http://dev.mysql.com/doc/refman/5.0/en/enc...-functions.html

drh author 11/17/2006

Thanks Alexey,
I need to mention I am using phprunner 3.1.
I had already read the mysql docs you pointed me to. From that I realized that the best encryption method would be AES_ENCRYPT(str,key_str)
I also set my database field to blob and field length to 27 after using the calculation described on the page you linked me to.
Ok, now for the real programming. I have added the following to the "before add" page.
// put your custom code here
$secret = "somestring";
$values["sn"] = "AES_ENCRYPT(".$values["password"],$secret")";
return true;
I get a parse error on the list page immediately.
Parse error: parse error in /var/www/vhosts/local.solution-group.com/httpdocs/include/z_dave_events.php on line 14
I know it is my php inexperience. I made various changes, but cannot get rid of the error and of course my field is not getting encrypted.
I will continue to google for my answer, but any help would be greatly appreciated.
Thanks,

Dave

drh author 11/17/2006

Hi all,
I have an error in the code I pasted in the above post. It should read:
// put your custom code here
$secret = "somestring";
$values["sn"] = "AES_ENCRYPT(".$values["sn"],$secret")";
return true;
I guess I just don't understand the "." and such.
Dave

drh author 11/17/2006

Hello all,

I am getting further, but still no dice. I have changed the before add function to this:
// put your custom code here
$secret = "somestring";
$usn = $values["sn"];
$values["sn"] = AES_ENCRYPT("$usn,$secret");
return true;
No more parse error on the list page, but I have this error when I go to the add page:
Fatal error: Call to undefined function: aes_encrypt() in /var/www/vhosts/local.solution-group.com/httpdocs//include/z_dave_events.php on line 15
line 15 is actually

$values["sn"] = AES_ENCRYPT("$usn,$secret");
Does this mean that I need to actually use the sql command here and add the field to the database???
Or have I not compiled php to properly use encryption?
I have looked on the forum, but haven't found any examples I could use.
Still working.
Any help would be greatly appreciated.
Dave

Admin 11/22/2006

Dave,
with PHPRunner 3.1 you need to use PHP functions to encrypt data.

Here is the sample code:

$secret = "somestring";

$values["sn"] = mcrypt_encrypt(MCRYPT_DES, $secret, $values["sn"], MCRYPT_MODE_ECB);

return true;


Here is mcrypt_encrypt function reference:

http://www.php.net/manual/en/function.mcrypt-encrypt.php
You need to know some PHP to be able to write events code.

Here is the source of information on PHP syntax:

http://www.php.net/manual/en/langref.php

drh author 11/29/2006

Thanks Alexey for the pointers. What I found out was, I needed to install libmcrypt and php-mcrypt. Funny how things work much better when you have the correct software.
I found an example which works for encrypting the data. I think I will enhance it a bit and probably use a different encryption algorithm, but I start with something simple and move forward. Here is the code I use to encrypt the "sn" field. BTW, it is very important to define the encrypted field as BLOB in mysql.
include/...events.php
function BeforeAdd(&$values)
{
    // Parameters:
    // $values - Array object.
    // Each field on the Add form represented as 'Field name'-'Field value' pair
    //** Custom code ****
    // put your custom code here
    $secret = "some phrase";
    $iv_size = mcrypt_get_iv_size(MCRYPT_XTEA, MCRYPT_MODE_ECB);
    $iv = mcrypt_create_iv($iv_size, MCRYPT_RAND);
    $values["sn"] = mcrypt_encrypt(MCRYPT_XTEA, $secret, $values["sn"], MCRYPT_MODE_ECB, $iv);
    // return true if you like to proceed with adding new record
    // return false in other case
}
As I said, this definitely encrypts the data.
Now for part 2. I need to decrypt the data when the list page is loaded. Here is my code:
include/....events.php
function ListOnLoad()
{
    global $strSQL;
    global $values;
    //** Custom code ****
    // put your custom code here
    $secret = "some phrase";
    $iv_size = mcrypt_get_iv_size(MCRYPT_XTEA, MCRYPT_MODE_ECB);
    $iv = mcrypt_create_iv($iv_size, MCRYPT_RAND);
    $values["sn"] = mcrypt_decrypt(MCRYPT_XTEA, $secret, $values["sn"], MCRYPT_MODE_ECB, $iv);
}
With the ListOnLoad function, I get an error when opening up the list page.

"Undefined variable: values" on line 30 which is
$values["sn"] = mcrypt_decrypt(MCRYPT_XTEA, $secret, $values["sn"], MCRYPT_MODE_ECB, $iv);
I resolved this by adding a global variable $values in function ListOnLoad. Maybe that is not the proper way to handle this because the data does not get decrypted.
I am not sure how to overcome this. Obviously, I don't understand how to load and pass the $values["sn"] to the list page.
Thanks for any help and suggestions.
Dave

drh author 11/30/2006

Hello forum.
Seems like I take 2 steps forward and 1 step backward. Here is where I am at. I really would appreciate any help I can get. Seems to me, that many of us store information in a database that we wouldn't want an intruder to be able to view. So encrypt we must.
I have followed my own advice and tried to make this simple at first and build on success. Here is what I have. I have a BeforeAdd event that encrypts the data in 1 field. It is successfully encrypting the field.
Here is the code in the include/.._events.php program
function BeforeAdd(&$values)
{
    // Parameters:
    // $values - Array object.
    // Each field on the Add form represented as 'Field name'-'Field value' pair
    //** Custom code ****
    // put your custom code here
    $key = "C770634F437346D7";
    $string = $values["sn"];
    // Encryption Algorithm
    $cipher_alg = MCRYPT_3DES;
    // Create the initialization vector for added security.
    $iv = mcrypt_create_iv(mcrypt_get_iv_size($cipher_alg, MCRYPT_MODE_ECB), MCRYPT_RAND);
    $encrypted_string = mcrypt_encrypt($cipher_alg, $key, $string, MCRYPT_MODE_CBC, $iv);
    $values["sn"] = $encrypted_string;
    return true;
    // return true if you like to proceed with adding new record
    // return false in other case
}
Now I would love to have the field unencrypted on the List Page. I am not quite understanding how to do this. When searching the forum, I find a few examples and it looks as if I need to embed sql commands into my ListOnLoad page.
Anyway, that comes later. What I need to do now is decrypt the data when the "View" page is selected. It should just be a matter of decrypting the field. Here is my code:
function ViewOnLoad()
{
    global $where;
    // Parameters:
    // $where - string with WHERE clause pointing to record to be viewed
    //** Custom code ****
    // put your custom code here
    $key = "C770634F437346D7";
    $encrypted_string = $where["sn"];
    $cipher_alg = MCRYPT_3DES;
    $iv = mcrypt_create_iv(mcrypt_get_iv_size($cipher_alg, MCRYPT_MODE_ECB), MCRYPT_RAND);
    $decrypted_string = mcrypt_decrypt($cipher_alg, $key, $encrypted_string, MCRYPT_MODE_CBC, $iv);
    $where["sn"] = $decrypted_string;
}
?>
The "sn" field displays the encrypted data and not the decrypted data. Hmmm! I can run this simple php script outside of phpRunner and it works fine.
<?php
// Designate string to be encrypted
$string = "Applied Cryptography, by Bruce Schneier, is a wonderful cryptography reference.";
// Encryption/decryption key
$key = "C770634F437346D7";
// Encryption Algorithm
$cipher_alg = MCRYPT_3DES;
// Create the initialization vector for added security.
$iv = mcrypt_create_iv(mcrypt_get_iv_size($cipher_alg, MCRYPT_MODE_ECB), MCRYPT_RAND);
// Output original string
print "Original string: $string ";
// Encrypt $string
$encrypted_string = mcrypt_encrypt($cipher_alg, $key, $string, MCRYPT_MODE_CBC, $iv);
// Convert to hexadecimal and output to browser
print "Encrypted string: ".bin2hex($encrypted_string)." ";
$decrypted_string = mcrypt_decrypt($cipher_alg, $key, $encrypted_string, MCRYPT_MODE_CBC, $iv);
print "Decrypted string: $decrypted_string";
?>
Can anyone see something obvious that I am doing wrong??
Thanks for your time.
Dave
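
An added example, not part of the original thread or of PHPRunner's code: the ViewOnLoad code in the post above calls mcrypt_create_iv again before decrypting, so its CBC IV will not match the one used in BeforeAdd, whereas the standalone script reuses the same $iv for both calls. The code below stores the IV with the ciphertext so decryption always has it. It swaps mcrypt (removed from PHP core in 7.2) for the openssl extension's AES-256-GCM, and encrypt_field/decrypt_field are hypothetical names.

```php
<?php
// Added example; encrypt_field/decrypt_field are hypothetical names, not PHPRunner APIs.
// Assumes PHP >= 7.1 with the openssl extension.
const CIPHER  = 'aes-256-gcm';
const TAG_LEN = 16;

// Encrypt one field value; the result is raw bytes for a BLOB column.
function encrypt_field(string $plaintext, string $key): string
{
    $iv  = random_bytes(openssl_cipher_iv_length(CIPHER)); // fresh IV per value
    $tag = '';
    $ct  = openssl_encrypt($plaintext, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag, '', TAG_LEN);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return $iv . $tag . $ct; // the IV and tag are stored with the ciphertext
}

// Decrypt a stored value; returns null when the key is wrong or the bytes were altered.
function decrypt_field(string $stored, string $key): ?string
{
    $ivLen = openssl_cipher_iv_length(CIPHER);
    if (strlen($stored) < $ivLen + TAG_LEN) {
        return null; // too short to hold an IV and a tag
    }
    $iv  = substr($stored, 0, $ivLen);      // the IV written at encryption time
    $tag = substr($stored, $ivLen, TAG_LEN);
    $ct  = substr($stored, $ivLen + TAG_LEN);
    $pt  = openssl_decrypt($ct, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag);
    return $pt === false ? null : $pt;
}

// Constructed demo. A real key (32 random bytes) is loaded from configuration
// kept outside the web root, not written as a literal in the events file.
$key    = random_bytes(32);
$stored = encrypt_field('SN-0001-EXAMPLE', $key); // constructed sample value
var_dump(decrypt_field($stored, $key));

// Flip one bit of the stored bytes: the tag check rejects the modified value.
$last = strlen($stored) - 1;
$tampered = $stored;
$tampered[$last] = chr(ord($tampered[$last]) ^ 1);
var_dump(decrypt_field($tampered, $key));
```

Each stored value is 28 bytes longer than its plaintext (12-byte IV plus 16-byte tag), so the BLOB column has to be sized for that.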

Admin 12/1/2006

Dave,
ListOnLoad and ViewOnLoad events wouldn't help you here.

I recommend you to use DES_DECRYPT() MySQL function for decrypting the data.

I.e. modify your query this way:

select
...
DES_DECRYPT(sn,'C770634F437346D7') as sn,
...
from


To get this working you need to use simple DES (MCRYPT_DES) algorithm, not the MCRYPT_3DES.

drh author 12/1/2006

Thank you Alexey for the reply.
I have changed my encryption algorithm to MCRYPT_DES (set the $cipher_alg = MCRYPT_DES). Is this correct, or do I need to rewrite the entire function?
You said "modify your query this way" and I assume you mean step 4 of 12 on v 3.1. So I modify my query here, but always get an error.
here is the original query:
select `seq`,
`date`,
`sn`
From `z_dave`
here is my modified query:

select `seq`,
`date`,
`DES_DECRYPT(sn,'346D7') as sn`
From `z_dave`
and I know I have problems, because when I click next I get a pop up box that says:
Cannot retrieve columns information. Please modify SQL query and try again.
Error message:

Failed to read server's response.
Could you please hold my hand just a bit more? All I need to do is get a simple encryption algorithm working. Then when I see that it can be done, I will work on using stronger encryption. Whatever you give me will be as is with no guarantees. I am responsible for securing the data on my sites and really just need a good nudge in the right direction.
As I stated before, there has to be many others who need to encrypt sensitive data. When I finally get this mastered, I will gladly post the code on the forum for others to gain from.
Thanks in advance.
Dave

Admin 12/5/2006

Dave,
here is the correct SQL query.

select `seq`,
`date`,
DES_DECRYPT(sn,'346D7') as sn
From `z_dave`


I recommend you to learn some MySQL syntax to construct queries.

Here is the good source of MySQL syntax information:

http://dev.mysql.com/doc/refman/5.0/en/lan...-structure.html