duangang3832 2013-10-06 13:02
浏览 34
已采纳

使用PHP / mysql进行简单的防弹加密

I need a secure way to temporarily store my users contact information in a mysql database.

I don't want my customers sensitive information ending up in the wrong hands, so this is what I'm looking for:

  • Only the intended recipient should be able to decrypt the info (usernames are unique and could maybe be used as signature/key?)
  • The encryption has to be handled completely within the function, no external programs or services, in other words invisible for the end user.
  • Simple, bulletproof, and easy to understand since I'm far from a security expert, and possible loopholes could pass me by.

Does anyone have any tips for me? Articles to read, frameworks I could look at or even some example code? Any help is deeply appreciated.

  • 写回答

2条回答 默认 最新

  • duanbianweng5353 2013-10-06 13:11
    关注

    Well, the question is actually a very good one. There is one way to ensure this kind of problems dont happen though. But first i'd like to clear out the difference between hashing and encrypting

    Hashing is when we convert the subject into a long hash. This is very hard to reverse and requires a lot of resources to do it. We usually hash passwords e.t.c. Encrypting is when we want to store data securely but want to be able to get it back, we convert it into another long thing but we can also reverse it easily(If we know the key)

    You can use what is called a 'salt' to protect hashes like your password, since we know that Hash(x) is gonna be VERY different from Hash(x+y), we can use that. Although i wouldnt use MD5 if i were you, it is still great but collisions have been seen in it(A lot of hashing algorithms have them, but being found reduces their security). I recommend you use sha256/sha512. They are very secure and no known collisions have been seen in them so far.

    Me being nerdy aside, your problem is very simple. I am going to use the hash function of php in my example. Since you said the usernames are unique, you can use this for a very safe hashing system

    $password = YOUR_PASSWORD_HERE;
$username = USERNAME_OF_USER;
$safe_hash = hash("sha512",$password.$username);

    This merges the two username and password and hashes them with the sha512 algorithm(Change the algorithm if you want). This is very safe as 'password'.'user1' is having a unique and different hash than 'password'.'user2'

    If you want to make it even more secure, you can add other stuff like creation times, last names,first names, mobile number, email, creation time, anything that you know and is preferably unique really.

    As for encrypting the data(So that you can get it back if you want to) you can use mcrypt. You can use mcrypt_encrypt and mcrypt_decrypt. You can specify the cipher you want to use and also the mode you want to use. Then when you want your data back, you can again give mcrypt the key, algorithm, mode and the nonsense output that mcrypt_encrypt gave you and you'll have your original data.

    I recommend using a very secure key by using hashes, since its very hard to reverse engineer them. Using a sha-256 hash with a good and unique string(I recommend mixing multiple pieces of data in the hash string) will help you secure the data needed.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(1条)

报告相同问题?

悬赏问题

  • ¥15 r语言神经网络自变量重要性分析
  • ¥15 基于双目测规则物体尺寸
  • ¥15 wegame打不开英雄联盟
  • ¥15 公司的电脑,win10系统自带远程协助,访问家里个人电脑,提示出现内部错误,各种常规的设置都已经尝试,感觉公司对此功能进行了限制(我们是集团公司)
  • ¥15 救!ENVI5.6深度学习初始化模型报错怎么办?
  • ¥30 eclipse开启服务后,网页无法打开
  • ¥30 雷达辐射源信号参考模型
  • ¥15 html+css+js如何实现这样子的效果?
  • ¥15 STM32单片机自主设计
  • ¥15 如何在node.js中或者java中给wav格式的音频编码成sil格式呢