
Build a custom encryption process to mix crypt() and openssl_*

M66 2025-05-28

When building secure PHP applications, developers frequently need encryption: encrypting stored data, protecting user passwords, encrypting data in transit, and so on. PHP natively supports several approaches, among which the crypt() function is suited to password hashing, while the openssl_* family of functions covers symmetric and asymmetric encryption, key generation, encrypted communication and similar tasks.

In this article, we will use the crypt() and openssl_* functions to build a custom encryption process that provides both secure password hashing and flexible data encryption.

1. Ideas for custom encryption process

We hope to achieve the following goals:

  1. User password hashing – use crypt() to perform irreversible hashing;

  2. Data encryption – encrypt sensitive user data with an OpenSSL symmetric cipher;

  3. Key protection – generate and manage keys so that the encryption process stays secure;

  4. Data decryption – restore ciphertext to plaintext, provided the correct key is available.

2. Password hash: Use crypt()

crypt() is a function for hashing passwords. We recommend the bcrypt algorithm, a proven password-hashing algorithm; in PHP's crypt() it is selected with a salt string that begins with $2y$ followed by the cost factor.

function hash_password($password) {
    // '$2y$10$' selects bcrypt with cost factor 10. crypt() expects a 22-character salt
    // drawn from the alphabet ./0-9A-Za-z, so the '+' produced by base64 is mapped to '.'
    $salt = '$2y$10$' . substr(str_replace('+', '.', base64_encode(random_bytes(16))), 0, 22);
    return crypt($password, $salt);
}

Verify password:

function verify_password($password, $hash) {
    // Re-hash using the stored hash as the salt string and compare in constant time
    return hash_equals($hash, crypt($password, $hash));
}

3. Symmetric encryption: Use openssl_encrypt()

To encrypt user-sensitive data, such as email addresses and ID numbers, we use an OpenSSL symmetric cipher, here AES-256-CBC.

Encryption function:

function encrypt_data($plaintext, $key) {
    // $key must be the raw 32-byte key. A fresh random IV is generated per message
    // and prepended to the ciphertext so that decrypt_data() can recover it.
    $iv_length = openssl_cipher_iv_length('AES-256-CBC');
    $iv = openssl_random_pseudo_bytes($iv_length);
    $ciphertext = openssl_encrypt($plaintext, 'AES-256-CBC', $key, OPENSSL_RAW_DATA, $iv);
    if ($ciphertext === false) {
        throw new RuntimeException('Encryption failed: ' . openssl_error_string());
    }
    return base64_encode($iv . $ciphertext);
}

Decryption function:

function decrypt_data($encrypted, $key) {
    $data = base64_decode($encrypted, true); // strict mode rejects malformed input
    $iv_length = openssl_cipher_iv_length('AES-256-CBC');
    if ($data === false || strlen($data) <= $iv_length) {
        return false; // too short to contain an IV followed by a ciphertext block
    }
    $iv = substr($data, 0, $iv_length);
    $ciphertext = substr($data, $iv_length);
    // Returns false on a wrong key or padding error; note that CBC alone does not detect tampering
    return openssl_decrypt($ciphertext, 'AES-256-CBC', $key, OPENSSL_RAW_DATA, $iv);
}

4. Generate encryption key

You can use openssl_random_pseudo_bytes() to generate a secure key:

function generate_secure_key($length = 32) {
    // 32 random bytes give a 256-bit key for AES-256. The key is returned base64-encoded
    // for storage; base64_decode() it before passing it to encrypt_data()/decrypt_data().
    return base64_encode(openssl_random_pseudo_bytes($length));
}

In real projects, store your keys securely, for example in environment variables or a key management service, rather than hard-coding them in your source.

5. Practical use examples

$password = 'myStrongPassword123!';
$hashed = hash_password($password);

if (verify_password('myStrongPassword123!', $hashed)) {
    echo "Password verification passed\n";
}

// Sample key: the base64 form produced by generate_secure_key() is decoded to the raw 32 bytes first
$key = base64_decode('pL2u0xJNzYX2+x5sK8Xt5c34BLTPWhMHn0h0snA4MlQ=');
$secret = 'User email: user@example.com';
$encrypted = encrypt_data($secret, $key);
$decrypted = decrypt_data($encrypted, $key);

echo "Encrypted data: $encrypted\n";
echo "Decrypted data: $decrypted\n";
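The encrypt_data()/decrypt_data() pair from section 3 applies AES-256-CBC without any integrity check, so a modified ciphertext is not detected before it is decrypted. As an added example (our code, not from the original article), the following hardened variant keeps the same cipher and the same 32-byte key from section 4, but derives separate encryption and MAC keys with hash_hkdf() and applies encrypt-then-MAC with HMAC-SHA256; the names derive_keys(), encrypt_authenticated() and decrypt_authenticated() are ours.

```php
<?php
// Added example (not from the article): encrypt-then-MAC around the article's AES-256-CBC
// scheme. CBC alone cannot detect ciphertext modification; the HMAC rejects it before decryption.
const CIPHER = 'AES-256-CBC';

// Derive independent encryption and MAC keys from one 32-byte master key (PHP >= 7.1.2 for hash_hkdf).
function derive_keys(string $master): array {
    return [
        'enc' => hash_hkdf('sha256', $master, 32, 'aes-256-cbc-encryption'),
        'mac' => hash_hkdf('sha256', $master, 32, 'hmac-sha256-authentication'),
    ];
}

// Output layout: iv (16 bytes) || ciphertext || hmac (32 bytes), base64-encoded.
function encrypt_authenticated(string $plaintext, string $master): string {
    $k = derive_keys($master);
    $iv = random_bytes(openssl_cipher_iv_length(CIPHER));
    $ct = openssl_encrypt($plaintext, CIPHER, $k['enc'], OPENSSL_RAW_DATA, $iv);
    if ($ct === false) {
        throw new RuntimeException('encryption failed: ' . openssl_error_string());
    }
    $mac = hash_hmac('sha256', $iv . $ct, $k['mac'], true); // the MAC covers the IV as well
    return base64_encode($iv . $ct . $mac);
}

// Returns the plaintext, or null when the input is malformed or has been modified.
function decrypt_authenticated(string $encoded, string $master): ?string {
    $k = derive_keys($master);
    $data = base64_decode($encoded, true);
    $ivLen = openssl_cipher_iv_length(CIPHER);
    if ($data === false || strlen($data) < $ivLen + 16 + 32) {
        return null; // too short to hold an IV, one cipher block and a tag
    }
    $body = substr($data, 0, -32); // iv || ciphertext
    $expected = hash_hmac('sha256', $body, $k['mac'], true);
    if (!hash_equals($expected, substr($data, -32))) { // constant-time compare before decrypting
        return null;
    }
    $pt = openssl_decrypt(substr($body, $ivLen), CIPHER, $k['enc'], OPENSSL_RAW_DATA, substr($body, 0, $ivLen));
    return $pt === false ? null : $pt;
}

// Demo with a constructed master key: the round trip works, and one flipped ciphertext byte is rejected.
$master = random_bytes(32);
$token = encrypt_authenticated('User email: user@example.com', $master);
$roundTrip = decrypt_authenticated($token, $master) === 'User email: user@example.com';
$raw = base64_decode($token);
$raw[20] = chr(ord($raw[20]) ^ 0x01); // corrupt a byte inside the first ciphertext block
$tampered = decrypt_authenticated(base64_encode($raw), $master);
echo ($roundTrip && $tampered === null) ? "round trip ok, tampering rejected\n" : "FAILED\n";
```

The same tampered input fed to the article's decrypt_data() would either return false on a padding error or return silently corrupted plaintext; the authenticated variant rejects it deterministically without exposing padding behaviour.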

6. Security advice

  1. Use HTTPS for data transmission; encrypted data should never be sent over plaintext channels;

  2. Key management is the core of system security; use a dedicated secrets manager such as HashiCorp Vault;

  3. Rotate keys and algorithms regularly;

  4. Never hardcode the encryption key in a Git repository or in front-end code;

  5. Audit the encryption process regularly and patch known vulnerabilities promptly.

7. Application scenario expansion

This combination of crypt() and openssl_* suits scenarios that require both user authentication and sensitive data encryption, such as:

  • Encrypted storage of bank card numbers and ID card numbers;

  • Protecting user chat history or other private information;

  • Building a multi-layer security mechanism that separates user passwords from user data;

  • Periodically decrypting and analyzing encrypted data in background jobs (taking extreme care to prevent key leakage).

8. Conclusion

By combining the irreversible hashing of crypt() with the symmetric encryption capability of OpenSSL, we can build a relatively complete and secure encryption system that covers both user password management and encrypted data storage. As business needs and security threats evolve, this solution also scales well.

For more relevant implementation plans and best practices, you can visit official documentation or community discussion platforms, such as: