Creating a Crypter Class with PHP

Tutorial Details
  • Topic: PHP
  • Difficulty: Advanced
  • Estimated Completion Time: 1 hour

In this article I will explain how to create a PHP class that will encrypt and decrypt any data with a given password. It is object-oriented and uses PHP's existing algorithms.


Introduction

What might we need a class like this for? We want to encrypt important data with a password for security reasons. We also want, as already mentioned, to be able to decrypt that data when necessary. Why should you use symmetric algorithms? It’s simple: when you’re offering to send a password via email or something like that, you need the password in plaintext. Hash algorithms are not reversible. Once you have hashed a string, you can’t recover the original text from the hash.

Maybe you have already heard of MD5? It’s not really the best option anymore because it tends to be unsafe. There are databases around the web – that I don’t want to mention – that can be used to retrieve the plaintext from a hash simply by typing the hash into a search box. So you should use something like SHA, which was developed by the NSA (National Security Agency). SHA is the abbreviation for Secure Hash Algorithm and is one of the most secure hash algorithms. There are some others as well, such as WHIRLPOOL, PANAMA and RIPEMD, but SHA is currently the secure standard for hashes and is used in numerous applications.


Step 1: Preparation

I think it is important to create an interface. When we instantiate an object of a class that implements the interface, we can rely on the methods defined in that interface being available without having to think about it.

When a class implements an interface it has to implement the methods given in that interface, otherwise there will be an error! So here is an example:

  
		interface ICrypter{
			public function Encrypt($data);
			public function Decrypt($data);
		}
	
		class Crypter implements ICrypter{
			public function Encrypt($data){ ... }
			public function Decrypt($data){ ... }
		}
	

As you can see, the interface instructs the classes which implement ICrypter to have the public function Encrypt with one parameter $data. The public function Decrypt also has the parameter $data. You can try it out; if the class lacks one of the given methods in the interface, you get a fatal error. Here’s an example:

Fatal error: Class Crypter contains 1 abstract method and must therefore be declared abstract or implement the remaining methods (ICrypter::Decrypt) in C:\www\Nettuts\Crypter\crypter.php on line 32.

Nice error right? So you can be sure that the classes really have the methods!


Step 2: Password for Encryption and Decryption

As I said before, we want to be able to use a specific password for encryption and decryption. This password has to be accessible to the encrypt and decrypt functions, so we will define an instance variable called Key, which is passed to the constructor. The definition of $Key is only needed in the Crypter Class:

 
		private $Key;
	

However, the definition of the constructor has to be in the interface. Therefore, it is also needed in the class, because we have to implement everything we have defined in the interface. The interface will contain:

 
		public function __construct($Key);
	

and the class:

 
		public function __construct($Key){ ... }
	

Now that we know we get a key, we can use it to encrypt and decrypt!


Step 3: Constructor

In the constructor we have to set the key and choose an algorithm. We will use the Blowfish algorithm for this example and make it the default value. I will explain a bit more about the symmetric algorithms later in the text, but for simplicity we will use Blowfish. You can change this later if you want to. So we need another instance variable called Algo:

 
		private $Algo;
	

and the constructor…

 
		public function __construct($Key, $Algo = MCRYPT_BLOWFISH){
			$this->Key = substr($Key, 0, mcrypt_get_key_size($Algo, MCRYPT_MODE_ECB));
			$this->Algo = $Algo;
		}
	

The length of the key depends on the algorithm and the encryption mode. In this example we will use the ECB mode. You can make the mode configurable, just as we have already done with the algorithm. We take the substring of the given key up to the maximum allowed length. You can get this length with the mcrypt_get_key_size function, which requires the algorithm and the encryption mode as parameters.

Now we give our instance variable Key the correct key for the algorithm and assign our instance variable Algo.

So now we have the constructor. As I said previously, you can change the default value of Algo to any other algorithm that is supported by MCrypt.

List of supported algorithms from php.net:

  • MCRYPT_3DES
  • MCRYPT_ARCFOUR_IV (libmcrypt > 2.4.x only)
  • MCRYPT_ARCFOUR (libmcrypt > 2.4.x only)
  • MCRYPT_BLOWFISH
  • MCRYPT_CAST_128
  • MCRYPT_CAST_256
  • MCRYPT_CRYPT
  • MCRYPT_DES
  • MCRYPT_DES_COMPAT (libmcrypt 2.2.x only)
  • MCRYPT_ENIGMA (libmcrypt > 2.4.x only, alias for MCRYPT_CRYPT)
  • MCRYPT_GOST
  • MCRYPT_IDEA (non-free)
  • MCRYPT_LOKI97 (libmcrypt > 2.4.x only)
  • MCRYPT_MARS (libmcrypt > 2.4.x only, non-free)
  • MCRYPT_PANAMA (libmcrypt > 2.4.x only)
  • MCRYPT_RIJNDAEL_128 (libmcrypt > 2.4.x only)
  • MCRYPT_RIJNDAEL_192 (libmcrypt > 2.4.x only)
  • MCRYPT_RIJNDAEL_256 (libmcrypt > 2.4.x only)
  • MCRYPT_RC2
  • MCRYPT_RC4 (libmcrypt 2.2.x only)
  • MCRYPT_RC6 (libmcrypt > 2.4.x only)
  • MCRYPT_RC6_128 (libmcrypt 2.2.x only)
  • MCRYPT_RC6_192 (libmcrypt 2.2.x only)
  • MCRYPT_RC6_256 (libmcrypt 2.2.x only)
  • MCRYPT_SAFER64
  • MCRYPT_SAFER128
  • MCRYPT_SAFERPLUS (libmcrypt > 2.4.x only)
  • MCRYPT_SERPENT (libmcrypt > 2.4.x only)
  • MCRYPT_SERPENT_128 (libmcrypt 2.2.x only)
  • MCRYPT_SERPENT_192 (libmcrypt 2.2.x only)
  • MCRYPT_SERPENT_256 (libmcrypt 2.2.x only)
  • MCRYPT_SKIPJACK (libmcrypt > 2.4.x only)
  • MCRYPT_TEAN (libmcrypt 2.2.x only)
  • MCRYPT_THREEWAY
  • MCRYPT_TRIPLEDES (libmcrypt > 2.4.x only)
  • MCRYPT_TWOFISH (for older mcrypt 2.x versions, or mcrypt > 2.4.x )
  • MCRYPT_TWOFISH128 (TWOFISHxxx are available in newer 2.x versions, but not in the 2.4.x versions)
  • MCRYPT_TWOFISH192
  • MCRYPT_TWOFISH256
  • MCRYPT_WAKE (libmcrypt > 2.4.x only)
  • MCRYPT_XTEA (libmcrypt > 2.4.x only)

So which one should we use when we want to use the Crypter Class in our products? At the moment AES is the standard among the symmetric algorithms. It is used in many applications, but where is AES in the list? AES was originally published as Rijndael, which is listed. It is a really fast but secure algorithm, and it is fast even with a 256-bit key size. My advice is to use MCRYPT_RIJNDAEL_256 for your applications. Just as an example, AES is used in WPA2, which is a security standard for WLAN.


Step 4: Now to the Encryption

First thing to check: is there any data to encrypt? If not, you can abort the encryption right away. If you want to use any other encryption modes then you have to add the following code.

 
		$iv_size = mcrypt_get_iv_size($this->Algo, MCRYPT_MODE_ECB);
		$iv = mcrypt_create_iv($iv_size, MCRYPT_RAND);
	

This $iv is used for example in CBC, CFB, OFB and in some algorithms in STREAM encryption mode. If the parameter is not passed in these modes, the $iv will be set to '\0'. The next step is to encrypt the data with the simple function mcrypt_encrypt. Here we need our algorithm, the key, the data and an encryption mode. $iv is optional.

 
		$crypt = mcrypt_encrypt($this->Algo, $this->Key, $data, MCRYPT_MODE_ECB, $iv);
	

Finally encode the encrypted data with base64_encode and trim it before you return it.

 
		return trim(base64_encode($crypt));
	

We have to base64 encode the encrypted data to get URL-safe data. This is needed because, if you want to use the encrypted data in a URL, for example, you will have problems with ‘&’ as it is a reserved character specified in the RFC. So you need something like alphanumeric characters – in other words, characters that are safe. The base64 encoding supplies these safe characters, which is why we’re using it. We do not know what will be done with the data after encryption.


Step 5: Decryption is Reversed Encryption

Again we ask the same first question. Is there data? If there is, you have to base64_decode the data as we have previously encoded it with base64_encode.

 
	$crypt = base64_decode($data);
	

Then the optional part with $iv.

 
			$iv_size = mcrypt_get_iv_size($this->Algo, MCRYPT_MODE_ECB);
			$iv = mcrypt_create_iv($iv_size, MCRYPT_RAND);
	

Decryption is done with the simple function mcrypt_decrypt. Here we need nearly the same parameters. The difference is that the decrypt function takes the encrypted data rather than the original data. So here again we use the algorithm, the key, the encrypted data, the encryption mode, and the optional iv.

 
		$decrypt = mcrypt_decrypt($this->Algo, $this->Key, $crypt, MCRYPT_MODE_ECB, $iv);
	

Finally return the trimmed and decrypted data.

 
		return trim($decrypt);
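
The steps above, assembled as an added example that is not the tutorial's own code: the same ICrypter interface implemented with PHP's OpenSSL extension, since mcrypt was deprecated in PHP 7.1 and removed from core in PHP 7.2. It goes beyond the walkthrough by using CBC with a random IV, a key stretched from the password with PBKDF2, and an HMAC over the ciphertext; the class name OpenSslCrypter, the iteration count and the message layout are assumptions made for illustration.

```php
<?php
// Added example, not the tutorial's code. OpenSslCrypter, the PBKDF2 work
// factor and the message layout are illustrative assumptions.
// Requires PHP >= 7.0 with the openssl extension.
interface ICrypter {
    public function Encrypt($data);
    public function Decrypt($data);
}

final class OpenSslCrypter implements ICrypter {
    const CIPHER     = 'aes-256-cbc'; // AES: 128-bit block, 256-bit key
    const BLOCK_LEN  = 16;
    const SALT_LEN   = 16;
    const MAC_LEN    = 32;            // raw HMAC-SHA256 length
    const ITERATIONS = 100000;        // assumed work factor, tune per host

    private $password;

    public function __construct($password) {
        if (!is_string($password) || $password === '') {
            throw new InvalidArgumentException('Password must be a non-empty string');
        }
        $this->password = $password;
    }

    // Stretch the password into separate encryption and MAC keys.
    private function deriveKeys($salt) {
        $okm = hash_pbkdf2('sha256', $this->password, $salt, self::ITERATIONS, 64, true);
        return [substr($okm, 0, 32), substr($okm, 32)];
    }

    // Output layout: base64(salt || iv || ciphertext || mac)
    public function Encrypt($data) {
        $salt = random_bytes(self::SALT_LEN);
        $iv   = random_bytes(openssl_cipher_iv_length(self::CIPHER));
        list($encKey, $macKey) = $this->deriveKeys($salt);
        // OpenSSL applies PKCS#7 padding, so no trim() is needed on decrypt.
        $ct = openssl_encrypt($data, self::CIPHER, $encKey, OPENSSL_RAW_DATA, $iv);
        if ($ct === false) {
            throw new RuntimeException('Encryption failed');
        }
        $body = $salt . $iv . $ct;
        // Encrypt-then-MAC: the tag covers salt, IV and ciphertext.
        return base64_encode($body . hash_hmac('sha256', $body, $macKey, true));
    }

    public function Decrypt($data) {
        $raw   = base64_decode($data, true);
        $ivLen = openssl_cipher_iv_length(self::CIPHER);
        // Shortest valid message: salt + IV + one cipher block + MAC.
        $min = self::SALT_LEN + $ivLen + self::BLOCK_LEN + self::MAC_LEN;
        if ($raw === false || strlen($raw) < $min) {
            throw new UnexpectedValueException('Malformed ciphertext');
        }
        $body = substr($raw, 0, -self::MAC_LEN);
        $mac  = substr($raw, -self::MAC_LEN);
        $salt = substr($body, 0, self::SALT_LEN);
        $iv   = substr($body, self::SALT_LEN, $ivLen);
        $ct   = substr($body, self::SALT_LEN + $ivLen);
        list($encKey, $macKey) = $this->deriveKeys($salt);

        // Verify the tag in constant time before touching the ciphertext.
        if (!hash_equals(hash_hmac('sha256', $body, $macKey, true), $mac)) {
            throw new UnexpectedValueException('Authentication failed');
        }
        $pt = openssl_decrypt($ct, self::CIPHER, $encKey, OPENSSL_RAW_DATA, $iv);
        if ($pt === false) {
            throw new RuntimeException('Decryption failed');
        }
        return $pt;
    }
}

// Constructed sample input with significant leading and trailing whitespace.
$crypter = new OpenSslCrypter('Any password');
$secret  = "  4111 1111 1111 1111\n";
$first   = $crypter->Encrypt($secret);
$second  = $crypter->Encrypt($secret);
var_dump($first !== $second);                    // fresh salt and IV per message
var_dump($crypter->Decrypt($first) === $secret); // round trip keeps whitespace
```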
	


Examples

Define a global Crypter. In this example we will use RIJNDAEL_256 (AES) with the password “Any password”. After instantiating it, you call your functions or methods to test it. Here we call the function foo and the method foo1.

 
		$crypter = new Crypter("Any password", MCRYPT_RIJNDAEL_256);

		foo();
		
		$foo = new Foo();
		$foo->foo1();
	

You can get your crypter from the superglobal variable called $GLOBALS. This is an associative array, so you can access all your global variables by the names you defined them with. You can retrieve the $crypter, which is defined outside of the foo or foo1 block, with $GLOBALS["crypter"].

 
		function foo(){
			...
			$encrypted = $GLOBALS["crypter"]->Encrypt($data);
			$decrypted = $GLOBALS["crypter"]->Decrypt($encrypted);
			...
		}
		
		class Foo{
			public function foo1(){
				...
				$encrypted = $GLOBALS["crypter"]->Encrypt($data);
				$decrypted = $GLOBALS["crypter"]->Decrypt($encrypted);
				...
			}
		}
	

Conclusion

Now you have a complete Crypter class and you can crypt and decrypt as many times as you wish! Download the complete source code with a nice example if you do not want to type it in yourself. I hope that you have enjoyed this article.

  • http://deanperry.net Dean

    First lol
    Great tut!

  • http://tuts.habber.dk BrunO

    nice tutorial

  • siempre

    second eheh
    I love these tuts. Helpful for my current project.

    • Michele

      Nice gravatar. xD

  • http://www.yourflighttimes.com/ manchester airport arrivals

    Thanks, I like crypter classes!

  • http://www.engram.nu Niklas

    Yes indeed helpful. Thank you.

  • Bruno

    really useful, thanks!

  • http://www.sorinistudor.ro Sorin Istudor

    This is a nice thing to know. Hope to implement into my projects. Thank You!

  • http://www.webhostdesignpost.com WebHostDesignPost

    Nice Tutorial, crypters are really nice to have.

  • http://michael.theirwinfamily.net Michael

    Great tut! I’ll have to implement this one.

  • vista-design

    wowwwwww
    great tutorial

  • http://tutorialblog.info/ tutorial blog

    really useful, thanks for post …!!!

  • Nikola

    I’ve only had a chance to glance at this article but it looks like a great read. I’m really looking forward to digging into it…

  • http://www.indogeotech.net dadan

    great tutz…

  • basodo

    Crypt::Encrypt($data);

  • http://inspiredbywordpress.co.uk Daniel Groves

    Will have to have a proper read of that later. Potentially very useful.

  • http://cypherq.wordpress.com cypherq

    Useful for what, for example?

  • http://www.berndartmueller.at Bernd Artmüller

    nice tut, mate :D

    keep on with this kind of tutorials

  • http://www.w2point.com Web 2.0

    That looks useful, great work :)

  • http://www.evanbot.com/ Evan Byrne

    Nice tutorial. The only thing I don’t get is why bother with having an interface for the class? I can see it making sense if you were planning on having different crypter classes and you wanted them to all have the same functions, but for a single class it doesn’t really have any practical use.

    • http://www.christianbeikov.at Christian Beikov
      Author

      It’s not really necessary but it’s always nice to have an interface. You should always make an interface before you write a class, then you know which methods you can use (public methods). It’s a matter of taste ;)

    • Patrick

      right, thought the same.

  • http://www.christianbeikov.at Christian Beikov
    Author

    Hello guys!
    Thanks for the comments!
    I hope you all enjoyed the tutorial, and look forward to my next one!

    • Patrick

      Why are you using base64encode/decode?

      • http://www.christianbeikov.at Christian Beikov
        Author

        If you use the encrypted data in an url for example you need to make it url-safe so you need base64encode/decode

      • Patrick

        Ah ok, you’re right. I just thought about saving encrypted data in a database, not in urls. My fault :D

  • Kevin

    Why the hell are you using GLOBALS? That’s seriously bad practice.
    No Exceptions? An Interface that is not required…. you could at least have created a base class and extend it, to have own classes for each crypt algorithm,
    Indeed, thanks for the quick intro into de-/encryption ;)

  • http://www.7qiao.net.cn/ 种草人

    Your blog is very pretty. Wonderful, giving it a bump!

  • Callum

    I admit I didn’t read the whole article, but something that immediately struck me was that your class’s functions consist of encrypt and decrypt. If you’re encrypting a password for example (or anything for that matter) you don’t want to be able to decrypt it, you would just compare against the encrypted result.

    This just seems like a horribly insecure method – especially if someone knows the method in which it was encrypted with. It could easily just be reverse engineered. Just as an example, say WordPress decided to use something similar to this (ironic since WP don’t use password salts), anyone can just look through the source code and reverse the method used to encode whatever the data is.

    Excuse me if I’m muddling up encrypting and encoding. But I just thought I ought to point that out.

    • http://www.christianbeikov.at Christian Beikov
      Author

      What you mean is a non-reversible algorithm like a hash. Yes if you hash data (password for example) you can just encrypt (hash) the incoming data (from login form for example) and compare that to the previously encrypted (hashed) data.

      But here we use a reversible (symmetric) algorithm.
      And that’s the point, you encrypt/decrypt data (password) with a special key. Without that key and knowing how it is encrypted and with which cipher you can’t get to the data. Aside from cracking the encrypted data, how do you want to get the data? That’s the next point.

      So think about it again and maybe read the whole article!

      • Callum

        But the fact that it’s reversible whatsoever is still insecure somehow. Obviously it wouldn’t be very easy to obtain the ‘special key’ and the encryption method, but if somehow someone did find it (for example: a developer using this method incorrectly) then the encrypted information can be retrieved.

        Also, you mention that MD5 is becoming more insecure. There is no possible way to unencrypt an MD5 hash. Those database sites work in the same way as storing password using MD5 do – people just add MD5 hashes and their associated values, and they’re just compared against what’s put in the search field.

        That whole situation can be solved by using a password salt, or some extra method of encryption on top of regular MD5. For example:

        define('SALT', 'saltexample');

        $password = md5(SALT . $password);

        Or even:

        $password = md5(str_rot13($password));

      • Darren

        @Callum, credit card details are the obvious example. If you go to a site that says ‘Do you want to use the credit card stored on file’, obviously you want that credit card number to have been encrypted and obviously the encrypted data needs to be decrypted to be used. You may choose never to store your card details – if you’re given the option – but plenty of people do. PayPal is an obvious example where storing your card information is mandatory.

      • Patrick

        @callum

        Ahm, did you think about your comment? Think you didn’t.

        > define('SALT', 'saltexample');

        > $password = md5(SALT . $password);

        > Or even:

        > $password = md5(str_rot13($password));

        These methods are NOT rainbow table safe, especially your rot13 method. Everyone who knows your code (because you’re using a popular CMS, or hacked, or an insider) can fit his rainbow table to your code. It’s a bit difficult with a SALT-password, right, but not uncrackable. You have to save this salt somewhere – that’s your insecureness.

        I really won’t say it’s a bad idea to use your methods, but please don’t declare them as safe.

        Hashes are only good to use if you want to encrypt passwords – or compare a cleartext string with its hash to prevent manipulations.

        Christian’s tutorial explains a way to encrypt data for saving in a database unreadable for anyone who doesn’t have the right to see what’s behind the encrypted data. And THAT’s a good idea for credit card numbers, your personal data (your telephone number, postal address and so on). No one says that this way is uncrackable – but it’s really difficult for almost many guys…

      • http://www.circuitbomb.com Dustin

        If you ask me this was a very nice, simple tutorial which goes over symmetric-key based encryption, very useful for a person just getting familiar with Cryptography.

        The security of this encryption lies within the key, therefore putting the burden of its security where the script resides. A very practical application to make this even stronger would be to pull its functionality from another secure location, just in case the application which uses it fails to protect the source.

        MD5 is not recommended for one way hashing passwords on a live deployment anymore, even with a salt. However it is still very useful for (as Patrick said) preventing file manipulation by matching, and within a learning environment.

        SHA-1 hashing is by far, better than MD5, but not flawless.

  • http://en.rcthegreatblog.com Rahul Chowdhury

    Wow, Nice Algorithm. Good work, hope to see some more very soon!

  • http://www.christianbeikov.at Christian Beikov
    Author

    Look you always have a password on your server for something. MySQL login password or the one you use for your crypter. If you don’t store the MySQL password correctly you can get hacked too! So there is always a little insecureness, you can’t be absolutely secure.

    You should put all your passwords into a file outside of the HTTP-Root if you want to have something secure. But look, if someone can get access to your webserver/database then there is nothing you can do on it. It is how it is, then you got hacked. The one who gets access to MD5 encrypted passwords can use such big databases, others which get access to symmetric encrypted passwords can obviously get access to the password file too.

    In my next article you will see a nice example of using the crypter class. It’s surely always better for passwords to use a hash algorithm but a password is not the only data I want to encrypt/decrypt. For example what do you want to do with a credit card number? Do you want to hash it? Or store the plaintext in your database? No! Everyone would use a symmetric algorithm, like AES. Think about it again!

  • http://www.dynamicguru.com Mujtaba

    nice,,,
    I always wondered how data is encrypted and decrypted, and even came up with a simple PHP script of my own, but that was completely procedural. I really need to dig more into OOP PHP to better understand this TUT; didn’t get what “interface”, “controller” bla bla means….. :-)

  • Luca

    Superglobal variable?????? o_O

  • Peter

    Hi Christian, thank you for the article. I would like to share a few comments if I may.

    You seem to create the interface (ICrypter) almost without considering why an interface might be necessary. The article skirts around the reasons why an interface might be handy, instead preferring to mention that any class which implements a given interface must adhere to it (other than, “there will be an error!”). It is far outside the realm of a simple blog comment to delve into this subject so I can only suggest that readers take it upon themselves to build their own understanding of interfaces in general and in PHP. There is a lot of great information out there (for a recent insight into the subject, see http://www.brandonsavage.net/why-interfaces-rock/ ).

    The article doesn’t state anywhere (though it will be mightily obvious when a reader tries to use the code) that MCrypt is required. Readers, see http://php.net/mcrypt.requirements and http://mcrypt.sourceforge.net/

    With regards to the list of “supported algorithms from php.net” it would have been nice to have a source cited for reference. See http://php.net/mcrypt.ciphers

    The remarks about Base64 encoding/decoding values seem a little odd. Why would you automatically want to do this? Your argument is that the encrypted value might not be URL-safe but that is only an issue if the encrypted value is being placed in an URL. If you do need to use the encrypted value in an URL then it would make more sense to encode the value only when it needs to be. Base64 is not the only available option for making such a value URL-safe (the functions urlencode and http_build_query to name a few).

    It also puzzles me that you use the trim function on the Base64-encoded value since there will not be any whitespace present to be trimmed! The same goes for trimming the decrypted value since there may be important whitespace which really should not be trimmed.

    The article itself does not allude to why this helper class might be useful. Your comments state there will be a follow-up article with a more practical demonstration but surely it would have been nice to include a very brief situation and code example where this type of encryption/decryption is of particular benefit.

    I guess that is enough writing for a blog comment! Congratulations on publishing your first article on Nettuts+ and I look forward to your next ones.

    • Bo Hunter

      Man, you people beat all I’ve ever seen. It’s like all you want to do is attack someone for writing a simple encryption article that is just that, a simple encryption class that you can use to encrypt or decrypt data. But no, he needs to explain every little detail including what interfaces are and how they are used, when to use them and when not. I would assume that people reading this would have some PHP knowledge of some degree. If people need that kind of detail then there are plenty of books dedicated to the subject. I encourage you or anyone else to write your own article and show us how it’s done.

  • http://www.jimstoik.com St0iK

    Great tut, thanx a lot

  • PhilippineOutsourcing

    this is great.. very nice and useful. thanks for sharing this, btw..^^

  • Adam C

    Developed by the NSA no less, huh? So I guess it’s totally secure. Apart from if they want to decipher it – because the government doesn’t snoop around on all our information – no, never.

  • http://giorgiosironi.blogspot.com Giorgio Sironi

    Nice tutorial about wrapping base functionality of php in a class, since it lacks a strong oop foundation library. SPL is trying to solve this problem.
    However, some suggestions:
    - the coding standard in php is different from the one used in this class
    - you should not put a constructor in an interface; if you want to abstract away the creation process, use an Abstract Factory pattern;
    - naming can be improved; I’d rather name the interface Crypter and the implementation McryptCrypter.

  • Learner

    Is there any reason to trim the encrypted and decrypted data?

  • Bjørn Langfors

    @Patrick

    There’s no need to hide the salt. If you, for example, generate a random 128 bit salt whenever you need to store a password, you can safely store that salt as-is alongside the hashed password to make all precomputation attacks (eg. rainbow tables) utterly infeasible.

    Another method, which is mentioned in the wikipedia article below, is key strengthening, which simply is re-hashing the hash a number of times before you store it. The user won’t notice the extra few milliseconds it takes to re-hash the submitted password a thousand times, but if you’re precomputing millions of hashes those extra milliseconds add up fast.

    http://en.wikipedia.org/wiki/Rainbow_tables#Defense_against_rainbow_tables

    There is a relation between salts and IVs (initialization vectors) which I miss more information about in the article. In addition, the author fails to mention the merits of the different encryption modes and most importantly why you shouldn’t use ECB for anything serious.

    Put simply, using a block-cipher in ECB (electronic codebook) mode is like hashing without a salt.

    In ECB-mode Each block of plaintext is encrypted separately, which might reveal a lot of pattern information. (There is a very visual example of this in the wikipedia article cited below). The same plaintext will always produce the same ciphertext, which is something you want to avoid.

    A better approach is to use CBC (Cipher-block chaining) mode with a randomly generated IV. As the name implies, in CBC mode each block of plaintext is XORed with the previous block of ciphertext which makes any block dependent on the blocks processed up to that point. This avoids revealing pattern information, and with a randomly generated IV you won’t get the same ciphertext given two identical plaintexts. The IV should be stored alongside the encrypted data (just like salt if you were storing hashed passwords). The key itself could (and should) be strengthened via several hashing iterations.

    http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation#Electronic_codebook_.28ECB.29

    • Unknown_sucker

      I’m all for making cryptography easier to use by programmers, it’s a complicated area with many pits to fall into, however this class falls into almost every one of them.

      As already mentioned the cipher mode ECB is just plain wrong and the key should be salted and hashed. Use something like sha256 when you’re using a 256-bit algorithm.

      Another big problem is using the system random number generator, MCRYPT_RAND, when generating the IV. It doesn’t provide much in terms of entropy (which is very important when generating the IV). Sadly it’s the only option on Windows, but if you’re on Unix you should use MCRYPT_DEV_RANDOM or MCRYPT_DEV_URANDOM for generating the IV. (Probably MCRYPT_DEV_URANDOM since it’s non-blocking.) If you’re stuck on Windows you need to call srand(), according to the PHP documentation, before generating any IV.

      Lastly I don’t see the point of defaulting to MCRYPT_BLOWFISH for the cipher. AES-256 is the standard and most tested one and the one that should be used in most cases. If you need to use another one, then you change it! Having the user change to MCRYPT_RIJNDAEL_256 manually every time isn’t very good API design IMHO, but I digress.

      Hopefully I haven’t discouraged the author too much, but these are some serious security issues which sadly linger around in various corners of the internet and they need to be addressed.

      • http://www.christianbeikov.at Christian Beikov
        Author

        Hello!

        So first of all, if you read the tutorial you would know that I recommend AES-256 and in this class I just showed an example!

        Next is the MCRYPT_RAND. Maybe here are some windows users too and they wonder why that script is not working on their servers if I would use such UNIX functions. I wanted to make that class work everywhere so that’s the point.

        And last, you are probably right in what you wrote about the ECB. Didn’t think about that but thanks for your advice, I will change that.

        So finally you didn’t discourage me, criticism is always okay and if I think something is not okay then I will tell you of course! I hope you enjoyed the general stuff about encryption and so on even if you disliked some things in that tutorial!

  • http://www.christianbeikov.at Christian Beikov
    Author

    This is just an example of how you can make that. I think I explained everything really clearly so you can easily change something. You don’t have to use this class 1:1 in your project. Concerning the base64 encode/decode, I don’t know who will use the class and in which way but maybe someone who doesn’t know much about that topic will use the data in an url for example and then it might not work. So if you are able to read and understand that you can easily change the source!
    You will see a nice example soon, just wait for the nettuts editor to post the new tutorial.

  • http://2px.net/ pix

    Hmm thanks for tut

  • InsiteFX

    Patrick,

    There is another article on here that mentions multiple re-hashing that actually weakens the encryption.

    Christian, very nice article, do not let others put you down, keep up the good work and stick to it. The whole point of these tutorials is to teach newcomers how to do things!

    Enjoy
    InsiteFX

  • Vilson

    How to encrypt the php code?

  • Nox

    Globals…oh my…

  • Rahul

    Hi Christian Beikov,

    Cool Article… :)

    I am using “mcrypt_encrypt” for encryption. Before decrypting it I want to identify whether the text or file is already encrypted.

    Is there any way to identify an already encrypted text or file?

    Thanks
    Rahul :)

  • Daemorog

    First of all, nice article, but I don’t really like using $GLOBALS.

    Btw is there any way to use asymmetric encryption?