• 0

PHP & MySQL: AES_Encrypt / AES_Decrypt


Question

Alrighty then. If I were to use the following commands they work just fine:

AES_Encrypt (PHP):

$un = david;

$pw = pass;

mysql_query(INSERT into tablename (un,pw) values ('$un',aes_encrypt('$pw','key'))",$db);

AES_Encrypt (Command Prompt):

SELECT un, aes_decrypt(pw,'key') from tablename where id=1;

However. I'm trying to write a login page based upon the encrypted data via PHP (send the data via a form and process it). I had it working perfectly - but as soon as encryption is entered things don't go my way. Here's a sample of my efforts which aren't looking too good (I am extracting from a form, but for simplicity I'm using static data).

<?php

$un = david;
$pw = pass;

$result = mysql_query("SELECT un, aes_decrypt(pw,'key') FROM table_login where un='$un' and pw='$pw' ",$db);

$array_r = mysql_fetch_array($result);

echo "User". $array_r["un"] ."<br />";
echo "Pass". $array_r["pw"];
?>

I searched google and other sites with no luck, but from what I'm told - the aes_decrypt function has to remain in the SELECT clause because it's a MySQL function and not a PHP function.

Please help me and thanks in advance.

Link to comment
https://www.neowin.net/forum/topic/290091-php-mysql-aes_encrypt-aes_decrypt/
Share on other sites

11 answers to this question

Recommended Posts

  • 0
  flightmike1 said:
Your WHERE clause is comparing the unencrypted password(submitted by the user) to the encrypted password in the database, it might be easier if you use PHP to do the encryption.

585535073[/snapback]

Exactly what I meant - what I cannot figure out is how to do this in PHP :(

  • 0

Why don't you try to do 2 querys?

<?php

$un = david;
$pw = pass;

$result = mysql_query("SELECT aes_encrypt(pw,'key')");
$encrypted = mysql_fetch_array($result));
$result = mysql_query("SELECT un, aes_decrypt(pw,'key') as pw FROM table_login where un='$un' and pw='$encrypted[0]' ",$db);

$array_r = mysql_fetch_array($result);

echo "User". $array_r["un"] ."<br />";
echo "Pass". $array_r["pw"];
?>

:unsure:

  • 0
  GatorV said:
Why don't you try to do 2 querys?

<?php
$un = david;
$pw = pass;

$result = mysql_query("SELECT aes_encrypt(pw,'key')");
$encrypted = mysql_fetch_array($result));
$result = mysql_query("SELECT un, aes_decrypt(pw,'key') as pw FROM table_login where un='$un' and pw='$encrypted[0]' ",$db);

$array_r = mysql_fetch_array($result);

echo "User". $array_r["un"] ."<br />";
echo "Pass". $array_r["pw"];
?>

:unsure:

585544078[/snapback]

Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in C:\site\login_check.php on line 4

  • 0

Well the code was wrong, but try this:

<?php
$un = "david";
$pw = "pass";

$result = mysql_query("SELECT aes_encrypt('$pw','key')");
$encrypted = mysql_fetch_array($result));
$result = mysql_query("SELECT un, aes_decrypt(pw,'key') as pw FROM table_login where un='$un' and pw='$encrypted[0]' ",$db);

$array_r = mysql_fetch_array($result);

echo "User". $array_r["un"] ."<br />";
echo "Pass". $array_r["pw"];
?>

:cool:

  • 0

If you must use AES encryption do the comparision in PHP, i.e. have the query return the decrypted password and then do a simple == comparision in PHP.

<?php

$un = "david";
$pw = "pass";

$result = mysql_query("SELECT un, aes_decrypt(pw, 'key') as pw FROM table_login where un = '$un'");
$array_r = mysql_fetch_array($result);

if ($array_r['pw'] == $pw) {

   // Password is okay

   echo "User", $array_r["un"] ."<br />";
   echo "Pass", $array_r["pw"];

}else {

   // password is invalid!

   echo "Boo! Hiss!";
}

?>

  • 0

FINALLY..! (1 query aswell)

$un = $_POST["un"];
	$pw = $_POST["pw"];

	$result = mysql_query("SELECT un, aes_decrypt(pw,'mykey') from tb_login where un='$un' ",$db);
	$encrypted = mysql_fetch_array($result);

if ($encrypted[1]==$pw)
{
echo "yes";
}
else
{
echo "no";
}

I had to encrypt the password into the BLOB field first. Thanks for all the help guys.

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Posts

    • Ah .. lockout for suspicious activity. I bet they uploaded the SanDisk utility detected as malware
    • Microsoft 365 will soon disable outdated authentication protocols for file access by Usama Jawad On a fairly regular basis, Microsoft disables outdated protocols that are used to access its services. In the past few years, the company has deprecated Basic Auth in Exchange Online and cut access to Outlook for third-party apps relying on this protocol. Now, it has decided to get rid of old authentication protocols for file access across Microsoft 365 services. As reported by Bleeping Computer, Microsoft has posted a message on its Microsoft 365 Admin Center. Starting from mid-July 2025, the company will begin disabling legacy authentication protocols used to access files across Microsoft 365 and Office apps, SharePoint, and OneDrive. Essentially, applications or services which use the Relying Party Suite (RPS) or FrontPage Remote Procedure Call (FPRPC) will to perform browser-based authentication to perform open operations on Office files will no longer be able to do so. As expected, this is primarily being done to improve the cybersecurity posture of various services. Microsoft states that RPS can be brute-forced and phished with relative ease as it is fairly outdated. Similarly, FPRPC is typically used for remote web page authoring and it is susceptible to exploitation through various vulnerabilities too. As such, both of these protocols will be disabled by default starting from mid-July 2025, with the rollout of this change targeting completion by August 2025. The Redmond tech giant will update the protocol baseline by default without mandating any licensing changes for customers. In addition, once these modifications are rolled out, Microsoft 365 will require admin consent to get third-party access to files and sites. IT admins can view the guidance available here to configure admin consent workflows. Microsoft says that these changes align with the principles of its Secure Future Initiative (SFI). Earlier today, it announced the rollout of improved security defaults for Windows 365 citing the same reasons too.
    • It does and it can... I took an i3 board and upgraded it to my FX8350... no issues, just put in new drivers over the top that Windows didn't. Not the issue for me, (though I eventually did do a new install from 23H2 to 24H2)... I was on 22H2 at the time. The issue is activation. You may get hit with having to activate again.
  • Recent Achievements

    • First Post
      Fuzz_c earned a badge
      First Post
    • First Post
      TIGOSS earned a badge
      First Post
    • Week One Done
      slackerzz earned a badge
      Week One Done
    • Week One Done
      vivetool earned a badge
      Week One Done
    • Reacting Well
      pnajbar earned a badge
      Reacting Well
  • Popular Contributors

    1. 1
      +primortal
      705
    2. 2
      ATLien_0
      283
    3. 3
      Michael Scrip
      217
    4. 4
      +FloatingFatMan
      195
    5. 5
      Steven P.
      130
  • Tell a friend

    Love Neowin? Tell a friend!