  1. #1
    SitePoint Wizard

    how do you add a binary element to an array?

    I want to add a binary element (AES_ENCRYPT()) to a $_POST array. I need to make it binary because it is going into a BLOB field.
    PHP Code:
    $res = $dbr->Execute('select * from table1 where id='.$_GET['id']);
    ...
    // validation takes place and the data is now processed
    $_POST["field1"] = $dbr->GetOne('select AES_ENCRYPT('.trim($_POST['field1']).', \'salt*&)#\')');
    // there are other $_POST fields that are included in the next line
    $dbr->GetInsertSQL($res, $_POST, true);
    It decrypts most records (field1) but not all. After researching it, I think the problem lies in how I am adding the encrypted field.

    I think I need to make the $_POST["field1"] binary.

    If so, how do I do that?

    Any other ideas?

    (the $db is an ADODB element.)

  2. #2
    SitePoint Wizard Hammer65
    Not sure what you mean by making the $_POST array "binary". You mentioned encryption, which you could do easily with a single value from $_POST, but you would need to loop through that array if you wanted to encrypt all the values. Review the documentation on the encryption function you want to use for details.

    Encrypting a data field is fine, but while you're thinking about the security of that data, how about escaping input values before they go into a SQL query? Never put $_POST, $_GET or $_COOKIE values directly into an SQL query. Research "SQL injection".

    If you are just trying to encode, not encrypt, that data, just use:

    PHP Code:
    $binvalue = base64_encode($_POST['valueToEncode']);
    If I may ask, why is it necessary to encode/encrypt this data?

  3. #3
    SitePoint Wizard
    I am encrypting on behalf of the customer who specifically wanted this field encrypted.

    I am well aware of the vulnerability but inherited this script and am adding the record to the database AFTER that field has been validated. Thanks for being security-conscious as well.

    I only want that one field encrypted using AES_ENCRYPT() which the documentation says to store in a BLOB field, which it is. However, when I use AES_DECRYPT() (with the same salt) either from code or straight SQL at the server, there are several records that do not decrypt.

    I think it has to do with the above code but am not sure what is wrong with it. I think the code:
    PHP Code:
    $_POST["field1"] = $dbr->GetOne('select AES_ENCRYPT('.trim($_POST['field1']).', \'salt*&)#\')'); 
    is passing it as a string so it is not storing it correctly as a binary.

    Any ideas?
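
A binary-safe way to get ciphertext into a BLOB column, shown as an added example that is not code from any poster in this thread: the value is bound as a parameter instead of being concatenated into SQL text, so quoting and raw bytes never pass through a query string. Assumptions: PDO with an in-memory SQLite database stands in for the thread's MySQL/ADOdb setup, AES-256-GCM through PHP's OpenSSL extension stands in for MySQL's AES_ENCRYPT(), and the key and sample values are constructed.

```php
<?php
// Added example. Swapped-in technique: AES-256-GCM in PHP, not MySQL AES_ENCRYPT().
function encryptField(string $plain, string $key): string
{
    $iv = random_bytes(12);                        // fresh nonce for every record
    $ct = openssl_encrypt($plain, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return $iv . $tag . $ct;                       // raw bytes: 12 (IV) + 16 (tag) + n
}

function decryptField(string $blob, string $key): string
{
    $iv    = substr($blob, 0, 12);
    $tag   = substr($blob, 12, 16);
    $ct    = substr($blob, 28);
    $plain = openssl_decrypt($ct, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($plain === false) {
        throw new RuntimeException('decryption failed (wrong key or altered bytes)');
    }
    return $plain;
}

$key = random_bytes(32);                           // constructed key for the demo
$pdo = new PDO('sqlite::memory:');                 // stand-in for the MySQL database
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE table1 (id INTEGER PRIMARY KEY, field1 BLOB)');

$insert = $pdo->prepare('INSERT INTO table1 (field1) VALUES (:field1)');
$select = $pdo->prepare('SELECT field1 FROM table1 WHERE id = :id');

// Constructed inputs: quotes, SQL metacharacters, padding and non-ASCII text.
$samples = ["4111-1111", "O'Brien; --", "  padded  ", "na\u{00EF}ve \u{2603}"];
foreach ($samples as $value) {
    // PARAM_LOB hands the bytes to the driver untouched; nothing is escaped by hand.
    $insert->bindValue(':field1', encryptField($value, $key), PDO::PARAM_LOB);
    $insert->execute();

    $select->bindValue(':id', (int) $pdo->lastInsertId(), PDO::PARAM_INT);
    $select->execute();
    $stored = $select->fetchColumn();
    $select->closeCursor();

    // Every stored record must decrypt back to exactly what went in.
    $ok = decryptField($stored, $key) === $value;
    printf("%-24s %s\n", json_encode($value), $ok ? 'round-trips' : 'MISMATCH');
}
```

A record whose stored bytes were altered anywhere between encryption and the BLOB fails the GCM tag check and throws instead of returning garbage, which makes a storage-path problem visible per record.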

