
Class for storing personal details, inc. bank account info, in PHP (Mcrypt) - is this ok? How could it be improved?

I've been given the task of writing an encryption function that'll let my boss easily encrypt various bits of data to go into a database. This will include credit card details and bank account information. I've never used encryption within PHP before so am a touch worried.

Here's what I've done so far with the help of O'Reilly's Essential PHP Security: http://pastebin.com/7L2GxPNJ

The IV doesn't actually seem to do anything, which concerns me. Why's that?

Would appreciate it very much if someone could look through this code and check it out. I've spoken to a friend who reckons it'd be better off written as a daemon on another server that PHP would then connect to, however that can't be done yet - I'm just following orders.

For the moment, are there any improvements that could be made? What's the deal with the IV?

Thanks.

The IV doesn't actually seem to do anything, which concerns me. Why's that?

An initialization vector is rather important - particularly when encrypting lots of small fragments of data. Something is amiss if the encrypted data is not modified by the IV. And if you're storing the encryption key on the same filesystem as the encrypted data, it's just security by obscurity.
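The effect the answer describes, as an added example that is not part of the original post or the pastebin code (which is not shown on this page, so the cause there is not known): a mode that takes no IV (ECB) or a reused IV gives identical ciphertext for identical fields, while a fresh IV per record does not. It assumes PHP 7+ with the OpenSSL extension in place of Mcrypt, which was removed from PHP core in 7.2; `encrypt_record` and `decrypt_record` are hypothetical helper names.

```php
<?php
// Added example. The key and account number are constructed sample values.
const CIPHER = 'aes-256-cbc';

// Hypothetical helper: encrypt one field under a fresh random IV, stored with it.
function encrypt_record(string $plaintext, string $key): string
{
    $iv = random_bytes(openssl_cipher_iv_length(CIPHER));
    $ct = openssl_encrypt($plaintext, CIPHER, $key, OPENSSL_RAW_DATA, $iv);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return base64_encode($iv . $ct); // the IV is not secret, only unpredictable
}

// Hypothetical helper: split the stored value back into IV and ciphertext.
function decrypt_record(string $stored, string $key): string
{
    $raw   = base64_decode($stored, true);
    $ivLen = openssl_cipher_iv_length(CIPHER);
    if ($raw === false || strlen($raw) <= $ivLen) {
        throw new RuntimeException('malformed record');
    }
    $pt = openssl_decrypt(substr($raw, $ivLen), CIPHER, $key,
                          OPENSSL_RAW_DATA, substr($raw, 0, $ivLen));
    if ($pt === false) {
        throw new RuntimeException('decryption failed');
    }
    return $pt;
}

$key     = random_bytes(32);  // constructed key; keep real keys off the database host
$account = '12345678';        // constructed sample field

// ECB takes no IV at all, so equal plaintexts always encrypt to equal ciphertexts.
$ecbA = openssl_encrypt($account, 'aes-256-ecb', $key, OPENSSL_RAW_DATA);
$ecbB = openssl_encrypt($account, 'aes-256-ecb', $key, OPENSSL_RAW_DATA);
printf("ECB, no IV:      identical = %s\n", var_export($ecbA === $ecbB, true));

// CBC with one fixed IV for every record leaks the same equality.
$fixedIv = str_repeat("\0", 16);
$cbcA = openssl_encrypt($account, CIPHER, $key, OPENSSL_RAW_DATA, $fixedIv);
$cbcB = openssl_encrypt($account, CIPHER, $key, OPENSSL_RAW_DATA, $fixedIv);
printf("CBC, fixed IV:   identical = %s\n", var_export($cbcA === $cbcB, true));

// CBC with a fresh IV per record: the stored values are compared, then one is decrypted.
$recA = encrypt_record($account, $key);
$recB = encrypt_record($account, $key);
printf("CBC, random IV:  identical = %s\n", var_export($recA === $recB, true));
printf("round trip ok:   %s\n", var_export(decrypt_record($recA, $key) === $account, true));
```

CBC on its own gives no integrity protection; an authenticated mode, or a MAC over the IV and ciphertext, is needed to detect tampering with stored records.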
