开发者

How should I encrypt my data in a PHP application?

I was trying to use the Paypal PHP SDK and I noticed a warning that says I should encrypt my API username and password for use in production environments. I do agree开发者_如何学Python on this statement, but I'm wondering how I should go about doing that. I currently have no clue.

Here's what the warning says, just for the record:

Do not embed plaintext credentials in your application code. Doing so is insecure and against best practices. Your API credentials must be handled securely. Please consider encrypting them for use in any production environment, and ensure that only authorized individuals may view or modify them.

Thanks in advance.


Generally, you can store credentials like this in a file outside of the web root. This limits risk, but doesn't get rid of it entirely.

If they can see your code (or even worse, edit it), then they can get your credentials anyway. Encrypting it means you need your encryption key somewhere that would be just as visible as the username/password itself.


First, set an encryption key:

$key = 'yourpasswordhere';
$string = ' confidential information here '; // note the spaces

Encrypt it on DB entry or from another file and only store the encrypted string in the file itself:

$encrypted = base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, md5($key), $string, MCRYPT_MODE_CBC, md5(md5($key))));
var_dump($encrypted); // "ey7zu5zBqJB0rGtIn5UB1xG03efyCp+KSNR4/GAv14w="

Decrypt it later:

$decrypted = rtrim(mcrypt_decrypt(MCRYPT_RIJNDAEL_256, md5($key), base64_decode($encrypted), MCRYPT_MODE_CBC, md5(md5($key))), "\0");
var_dump($decrypted); // " confidential information here "
0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜