使用wordpress进行PHP加密

My website is built in Wordpress and we are collecting personal information that I will need to place in my database. Here is my php so far for the insertion:

//defined in wp-config.php
$key = KEY_ENCRYPT;

function encrypt($text) 
{   
    return trim(base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, $text, MCRYPT_MODE_ECB, mcrypt_create_iv(mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB), MCRYPT_RAND)))); 
} 


if($_POST){ 
    //POST object placed in variables
    $user_domain = $_POST['domain'];
    $s_user = $_POST['s-username'];
    $s_pass = $_POST['s-password'];
    $w_user = $_POST['w-username'];
    $w_pass = $_POST['w-password'];

    //encrypting data
    $encrypted_server_username = encrypt($s_user); 
    $encrypted_server_password = encrypt($s_pass);
    $encrypted_wordpress_username = encrypt($w_user); 
    $encrypted_wordpress_password = encrypt($w_pass);

    //set up array for options table
    $user_website_data = array(
        'domain'=>$user_domain,
        'server_username'=>$encrypted_server_username,
        'server_password'=>$encrypted_server_password,
        'wordpress_username'=>$encrypted_wordpress_username,
        'wordpress_password'=>$encrypted_wordpress_password
        );  

        update_option($user_domain . '_website_data', $user_website_data);

This code successfully stores the information in an array. You can even see this code working and the process at http://thewpvalet.staging.wpengine.com/sign-up/?plan=basic. Please use 4242424242424242 as the CC number to test.

Now I'm trying to implement the decode on the backend admin area so that I can search by domain and pull up credentials. This is my code:

if(isset($_POST['domain'])){
        function decrypt($text) 
        {
            $key = KEY_ENCRYPT;

            return trim(mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, base64_decode($text), MCRYPT_MODE_ECB, mcrypt_create_iv(mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB), MCRYPT_RAND)));
        }


        $search_domain = $_POST['domain'];
        $url_removal = array("http://","www.");
        $clean_search_domain = str_replace($url_removal, '', $search_domain);
        $user_options = get_option($search_domain.'_website_data');

        echo '<strong>Login Information:</strong></br>' .
        'Domain:' . $user_options['domain'] . '</br>' .
        'Server Username:' . decrypt($user_options['server_username']) . '</br>';

    }

This returns mcrypt_decrypt() [function.mcrypt-decrypt]: Size of key is too large for this algorithm in /nas/wp/www/staging/thewpvalet/wp-content/plugins/user-info/index.php on line 43

Any idea what I could be doing wrong here?

写回答
好问题 0 提建议
追加酬金
关注问题
分享
邀请回答
编辑收藏删除结题
收藏举报

1条回答默认最新

关注

码龄粉丝数原力等级 --

被采纳

被点赞

采纳率
duanfan1965 2015-08-18 13:35
关注
Any idea what I could be doing wrong here?

Yes, the thing you're doing wrong is rolling your own cryptography. Let's add some whitespace and look at your function in detail:

/** * THIS CODE IS INSECURE. DO NOT USE IT. PURGE IT FROM YOUR CODEBASE! */ function encrypt($text) { return trim( base64_encode( mcrypt_encrypt( MCRYPT_RIJNDAEL_256, // Non-standard block cipher; not AES $key, $text, MCRYPT_MODE_ECB, // ECB mode is insecure mcrypt_create_iv( // ECB mode doesn't use an IV anyway mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB), MCRYPT_RAND // you want MCRYPT_DEV_URANDOM ) ) ) ); }

You're generating an IV (insecurely) with ECB mode (which discards the IV anyway), for a non-standard Rijndael variant, and you're not employing message authentication. Encryption without message authentication is a fatal mistake.

Marc B, the key is 34 characters long

If you're using MCRYPT_RIJNDAEL_256 or AES (which is exclusively MCRYPT_RIJNDAEL_128 by the way; mcrypt is considered harmful), these are the only acceptable key sizes:

16 bytes

24 bytes

32 bytes

The reason you are getting the error is that 34 is an invalid input. This likely means that you are using a human-readable password instead of encryption key.

TL;DR: Don't roll your own crypto, use a well-studied implementation instead. defuse/php-encryption and Zend\Crypt are your best bet.
解决无用
评论打赏
分享
举报

评论

按下Enter换行，Ctrl+Enter发表内容

报告相同问题？

关注问题

使用PHP修改WordPress中的类别模板 php
2018-07-04 09:05

回答 1 已采纳 I have worked it out. If anyone needs similar thing i am posting how i converted the code i posted
访问Wordpress functions.php php
2018-07-21 02:14

回答 1 已采纳 I understand that you are having issues in accessing your theme's functions.php and not with the c
PHP IF标签Wordpress php
2018-05-02 15:31

回答 1 已采纳 I'm not entirely sure that I understand the question, but this will show the error template if the
php中如何给页面进行加密
2022-05-24 22:15

ThundersArk的博客无论是在网站设计中，还是个人博客的搭建过程中，如(Typecho,Wordpress等)，我们都会遇到一个常见的问题，那就是如何给我们不想让他人所见或者只想给特定人群所见的网页加密，需要密码才能访问，本文将从以下几个...
使用php WordPress提交表单 php
2017-10-22 12:49

回答 1 已采纳 you can never catch the post value from id of the form input field.only way that you can get value
AJAX在Wordpress插件中使用PHP文件 ajax php
2017-04-14 23:36

回答 1 已采纳 Doing ajax in WordPress should all be sent to /wp-admin/admin-ajax.php, to do that, in your plugin
在Wordpress主题中使用sidebar.php php
2016-10-25 15:49

回答 1 已采纳 In woocommerce/templates/global/sidebar.php, you can see how woocommerce displays the sidebar. &l
上传外链加密php源码,WordPress实现外链加密和伪静态跳转代码
2021-04-29 09:37

知书达的博客 empty($t_url)) { //判断取值是否加密 if ($t_url == base64_encode(base64_decode($t_url))) { $t_url = base64_decode($t_url); } //对取值进行网址校验和判断 preg_match('/^(http|https|thunder|qqdl|ed2k|...
在WordPress页面中禁止PHP警告和通知 php
2018-04-18 08:11

回答 2 已采纳 You can combine WordPress build-in constants and PHP's ini settings. Place these lines in your w
Wordpress使用自定义single.php php
2012-11-14 14:34

回答 2 已采纳 Yes, this is possible, but I think you need to take a look at the Wordpress Template Hierarchy fir
wordpress PHP与Ajax调用 html javascript jquery php
2019-04-08 11:13

回答 2 已采纳 You are echoing the html without stopping it anywhere, you can use json response here, for json, f
stack:PHP 5.3〜8.0 + Nginx +加密+ MariaDB + App自动安装
2021-05-28 11:54

PHP 5.3〜8.0 + Nginx +让我们加密+ MariaDB +应用程序会自动安装。特征专为轻松，快速地安装，操作和更新而设计轻松更新支持。（仅需使用官方+热门存储库即可完成yum update ）通过最小化对首选项文件的修改...
以编程方式在Wordpress中编辑PHP文件 php
2019-03-22 23:18

回答 1 已采纳 Where do I start... let me count the ways. function update_GTour_theme_files() { $new_update
PHP追格商城小程序(开源版)
2023-08-15 09:02

追格商城小程序（开源版）是由追格基于WordPress和Uniapp进行开发的微信商城系统，代码无加密、无后门，简单配置即可发布！安装说明 1、上传zhuige-shop到WordPress插件目录，并启用； 2、使用HBuilderX导入...
资源站主题 WordPress高仿交易网源码.zip
2021-03-20 11:18

WordPress程序 1：直接将下载的压缩包上传到/wp-content/themes/直接解压即可完成后到后台-外观-启用子主题 2：基本设置-网站整体使用宽屏模式(nwe)（开启） 3：顶部设置-导航风格（选择常规） 4：顶部设置-全宽...
没有解决我的问题, 去提问

悬赏问题

¥15 关于#matlab#的问题：在模糊控制器中选出线路信息，在simulink中根据线路信息生成速度时间目标曲线（初速度为20m/s，15秒后减为0的速度时间图像）我想问线路信息是什么
¥15 banner广告展示设置多少时间不怎么会消耗用户价值
¥16 mybatis的代理对象无法通过@Autowired装填
¥15 可见光定位matlab仿真
¥15 arduino 四自由度机械臂
¥15 wordpress 产品图片 GIF 没法显示
¥15 求三国群英传pl国战时间的修改方法
¥15 matlab代码代写，需写出详细代码，代价私
¥15 ROS系统搭建请教（跨境电商用途）
¥15 AIC3204的示例代码有吗，想用AIC3204测量血氧，找不到相关的代码。

使用wordpress进行PHP加密

1条回答 默认 最新

悬赏问题

1条回答默认最新