PHP for the World Wide Web (Visual QuickStart Guide)

Encrypting and Decrypting Strings

For security reasons, encryption and decryption are a necessary aspect of most Web sites, especially those that deal with e-commerce. Frequently, in order to protect data, programmers will encrypt it (alter its state by transforming it to a form that's more difficult, if not virtually impossible, to discern). Passwords are an example of a variable you might want to encrypt. Depending upon the level of security you want to establish, usernames, e-mail addresses, and phone numbers are likely candidates for encryption, too.

Note, however, that merely encrypting data does not guarantee the security of your Web site. First, with enough effort, encrypted data can be broken into. Second, since PHP is a server-side technology, it can only introduce a level of security once the information has been received by the PHP module on the server. While in transit from the user's computer to the server, data must be secured using other methods (like a secure socket connection), if security is so desired. See Appendix B, Security, for more information and resources on this topic.

I'll introduce three functions for encrypting and decrypting your strings, and you'll incorporate one into your script for demonstration purposes.

The first function, crypt(), can be used to encrypt data, but be aware that there is no decryption option available. So a password may be encrypted using it, then stored, but the decrypted value of the password can never be determined. Using this in a Web application, you might have a user's password encrypted upon registration; then, when the user logs in, the password they enter at that time will also be encrypted, and the two protected versions of the password will be compared. The syntax for using crypt() is:

$Data = crypt($Data);

A second encryption function is encrypt(), whose output can be decrypted using the appropriately named decrypt() function (note that crypt() and encrypt() are two different functions). Unfortunately, to be able to use these two functions, the crypt extension must be installed with the PHP module. You will need to check with your ISP to see if this is the case. Do not be surprised if these two functions are not available and you are therefore limited to just crypt() encryption without the possibility of decryption. (In fact, you should get used to the idea of your ISP not supporting any number of features, as they have to make choices, which translates to limits in what you can do. It is the resourceful programmer who learns how to work around the inevitable obstacles.)

To encrypt data using crypt():

  1. Open HandleForm.php in your text editor (Script 5.4).

  2. Replace lines 15 and 16 (where you used urlencode() to pass the user's name to the welcome.php page) with (Script 5.6):

    $CryptName = crypt($Name);
    print ("<P>This is the crypt() version of your name: $CryptName\n");

    Script 5.6. I've added the crypt() lines just to demonstrate how it functions. Although this would not be a productive use of the technology in reality, it quickly reveals how encryption works with strings.

    There's no reason to encrypt a URL-encoded version of your name, so you've replaced that part of the script.

  3. Save your script, upload it to your server, and test it in your Web browser (Figure 5.15).

    Figure 5.15. The crypt() function returns a unique, 12-character version of whatever it encrypts.
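The register-then-compare workflow described for crypt() above, and the crypt() call you just added to HandleForm.php, applied to a password as an added example (this is not code from the book). It assumes PHP 7 or later, which requires the salt argument that the book's $Data = crypt($Data) form omits; the salt is generated in bcrypt's $2y$ format, so the output is 60 characters rather than the 12 shown in Figure 5.15.

```php
<?php
// Added example, not from the book: the register/login workflow the text describes
// for crypt(). Assumes PHP 7 or later (random_bytes(), hash_equals()). Modern PHP
// requires the salt argument; a bcrypt ("$2y$") salt is generated the same way
// password_hash() does it, so the result is 60 characters rather than the 12 in Figure 5.15.

function make_bcrypt_salt(int $cost = 10): string
{
    // 16 random bytes -> 22 characters of the ./A-Za-z0-9 alphabet crypt() expects
    $encoded = substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22);
    return sprintf('$2y$%02d$%s', $cost, $encoded);
}

// Registration: store only the crypt() output, never the plaintext password.
function register_password(string $password): string
{
    return crypt($password, make_bcrypt_salt());
}

// Login: crypt() the submitted password using the stored value as the salt
// (crypt() reads the algorithm, cost and salt back out of it), then compare
// with hash_equals() so the comparison time does not leak where the strings differ.
function verify_password(string $submitted, string $stored): bool
{
    return hash_equals($stored, crypt($submitted, $stored));
}

// Constructed sample input: what would be stored at registration, then two login attempts.
$stored = register_password('correct horse');
print("Stored value: $stored\n");
print(verify_password('correct horse', $stored) ? "Correct password: login ok\n" : "Correct password: login failed\n");
print(verify_password('wrong horse', $stored) ? "Wrong password: login ok\n" : "Wrong password: login failed\n");
```

Running the script a second time produces a different stored value for the same password, because the salt changes; verify_password() still succeeds because it reuses the stored salt.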

Tip

There is a similar encryption function to crypt() called md5(), which you'll use later in this chapter. To learn more about its use, as well as the syntax for encrypt() and decrypt(), see Appendix C, PHP Resources.

Tip

A direct way to know if a function is not supported by the PHP installation on the server is if you see an error message like the one in Figure 5.16, produced by calling the encrypt() function on a server that doesn't support it. As a precaution, before assuming that something is not supported, double-check your spelling and syntax. (In the figure, if I called an encrpyt() function, it would generate a similar error message.)

Figure 5.16. I added a call to the encrypt() function to the HandleForm.php page, resulting in this error message, indicating that the server does not support that function.

Tip

Be careful not to confuse encrypting a string and encoding it. Encryption is used for security purposes and changes the entire text. Encoding only replaces certain characters with equivalents that can be used within a URL.
