[nycphp-talk] Encrypt/Decrypt without MCrypt

Brian Pang bpang at bpang.com
Mon Dec 1 09:40:12 EST 2003


I do something similar to this when I need to be able to decrypt something.
As long as no one gets a hold of your code to reverse engineer it.

Is $sSecret user provided or are you re-using that for all records?

I usually also append/prepend/insert my own "garbage" strings to the
base64_encode results so that a simple base64_decode doesn't quite
produce the "encrypted" data.
Of course, don't forget to take them out again when you are decrypting.
Also, sometimes I base64_encode the base64_encode result, or three times
even... or four.. ain't I sneaky?
One other thing to do is to get the ord() value for each char before or
after base64-ing it, just to mess things up even more. Use chr() to do
the reverse.

Finally, write the code for this particular piece in the most cryptic
manner that you can and don't comment the code. Don't use easy to follow
var names like "sEncoded". Use single letters or other nonsense or
random strings for var names, and put in lots of other useless code just
to make it hard to interpret should anyone get a hold of it.



> I may be faced with a situation where I don't have MCrypt for 
> encrypting/decrypting data. I need to store the PIN numbers in a 
> database and be able to retrieve them. Is there some other method I can 
> use instead? I was thinking, perhaps, something like the following:
> 
> $myPinNumber = "123DGH";
> $sSecret    = '7R5D1N3V5C4Y6Z2X';
> $ary    = array('PIN'    =>    $myPinNumber, 'Secret'    =>    $sSecret);
> $sEncoded    = base64_encode(serialize($ary));
> 
> Jeff Siegel






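The following PHP is an added example, not code from either poster: it applies the quoted `base64_encode(serialize(...))` scheme with extra base64 layers, shows that the stored value can be read back by code that holds no secret, and sets a keyed alternative beside it. The function names and the use of libsodium's secretbox (bundled with PHP 7.2 and later, so not something available in 2003) are assumptions of this example.

```php
<?php
// Sample values copied from the snippet quoted in the thread.
$myPinNumber = "123DGH";
$sSecret     = '7R5D1N3V5C4Y6Z2X';

// The thread's scheme: serialize, then base64 one or more times.
function encodeLayers(array $ary, int $layers): string {
    $s = serialize($ary);
    for ($i = 0; $i < $layers; $i++) $s = base64_encode($s);
    return $s;
}

// A reader with no secret: peel base64 layers until the PHP serialize
// header ("a:<count>:{") appears, then parse it. The "Secret" element
// travels inside the blob, so it protects nothing.
function decodeLayers(string $blob, int $maxLayers = 10): ?array {
    for ($i = 0; $i < $maxLayers; $i++) {
        $blob = base64_decode($blob, true);
        if ($blob === false) return null;
        if (preg_match('/^a:\d+:\{/', $blob)) {
            $v = unserialize($blob, ['allowed_classes' => false]);
            return is_array($v) ? $v : null;
        }
    }
    return null;
}

// Keyed alternative (assumption: ext/sodium). Confidentiality depends on
// $key only, which is stored outside the database, not on hiding the code.
function sealPin(string $pin, string $key): string {
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    return base64_encode($nonce . sodium_crypto_secretbox($pin, $nonce, $key));
}

function openPin(string $stored, string $key): ?string {
    $raw = base64_decode($stored, true);
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $min) return null;
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $body  = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($body, $nonce, $key);
    return $plain === false ? null : $plain; // null on wrong key or tampering
}

$encoded = encodeLayers(['PIN' => $myPinNumber, 'Secret' => $sSecret], 3);
var_dump(decodeLayers($encoded)['PIN'] === $myPinNumber); // recovered, no key

$key    = sodium_crypto_secretbox_keygen();
$stored = sealPin($myPinNumber, $key);
var_dump(openPin($stored, $key) === $myPinNumber);             // right key
var_dump(openPin($stored, sodium_crypto_secretbox_keygen()));  // other key
```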