I have a search function that I am upgrading to support AES Encryption and for the life of me I don't know what I'm doing wrong.
I am passing the same queries through a search box as I did before I encrypted the data on the database side and I'm not returning any SQL errors. It just shows zero results every time.
Example of the database before encryption:
*****************************************************
* Firstname * Surname * Telephone * Email *
*****************************************************
* Bob * Smith * 0193847 * bob@me.com *
* Jane * McBean * 0584383 * jane@mail.com *
*****************************************************
Example of the database with encryption:
*****************************************************
* Firstname * Surname * Telephone * Email *
*****************************************************
* 2d1c5749 * 82559acc* fa3bc41c5 * 759d082559 *
* 13c5802a * 070e76f8* 70e76f8fe * feaa0ac1635c *
*****************************************************
The previous working (non encrypted) version:
if(isset($_POST["search"]) && strlen($_POST["search"]) > 3) {
$Search = filter_var($_POST["search"], FILTER_SANITIZE_STRING);
$Search = strip_tags($Search);
$Search_String = filter_var($_POST["search"], FILTER_SANITIZE_STRING);
$Search = "%$Search%";
$Search_String = filter_var($Search_String, FILTER_SANITIZE_STRING);
if(strlen(empty($Search_String))){ $error[] = 'The search string is empty';}
if(!isset($error)) {
$Search_list = $dbconn->prepare("SELECT sql_calc_found_rows
event_candidate.id AS candidate_id,
event_candidate.firstname,
event_candidate.surname,
event_candidate.telephone,
event_candidate.email,
FROM event_candidate
WHERE CONCAT_WS(' ', event_candidate.firstname, event_candidate.surname, event_candidate.telephone, event_candidate.email) LIKE ?
");
$Search_list->execute(array($Search));
New code that doesnt return anything:
$Search = filter_var($_POST["search"], FILTER_SANITIZE_STRING);
$Search = strip_tags($Search);
$Search_String = filter_var($_POST["search"], FILTER_SANITIZE_STRING);
$Search = "%".$Search."%";
$Search_list = $dbconn->prepare("SELECT sql_calc_found_rows
event_candidate_demo.id AS candidate_id,
event_candidate_demo.firstname,
event_candidate_demo.surname,
event_candidate_demo.telephone,
event_candidate_demo.email,
FROM event_candidate_demo
WHERE CONCAT_WS(' ', AES_DECRYPT(event_candidate_demo.firstname, UNHEX(:key)), AES_DECRYPT(event_candidate_demo.surname, UNHEX(:key)), AES_DECRYPT(event_candidate_demo.telephone, UNHEX(:key)), AES_DECRYPT(event_candidate_demo.email, UNHEX(:key))) LIKE ':search'
");
$Search_list->bindParam(':key', $Site_Key, PDO::PARAM_INT);
$Search_list->bindParam(':search', $Search, PDO::PARAM_STR);
$Search_list->execute();
So if i searched for anything realted to Bob it would load the correct record, however I do the same with the encrypted data and it always returns zero results.
I'm not sure if it's the AES_DECRYPT
causing the issue or the switch to BindParam
.