step-by-step how to use Secure Recordset

How to Secure Fields on an Insert/Update Record

So let's say you have a form which contains a credit card number.

Let's apply the Secure Encrypt Server Behavior

Then the Secure Encrypt Dialog Box will appear. Enter a secret keyword. This keyword is what the field values will be encrypted with.

You will now see the Secure Decrypt Behavior in the Server Behaviors list.

That's it - you're done!

Be sure to upload the /includes/ folder. There is a file in here that has the encryption & decryption code.

 

How to Decrypt an Encrypted Field

If you put a recordset containing an encrypted field on a page, here's how it will look:

Decrypting fields is also very quick & easy. The first step is to add the Secure Decrypt Server Behavior to the page.

Now enter the same key you originally used to encrypt the field with. It must be exactly the same.

Now we need to apply the decryption format to all the data bindings on the page that are encrypted.
Then look at the Server Behavior list and you will see it highlighted. Now double click on it.

Now in the Dynamic Text properties box, select the "Secure Decrypt" format.

 

Do this for all the bindings on the page that you need to decrypt.

Finally, how our page looks now...

tutorial video

test your encryption & decryption

 

 

how to encrypt previously un-encrypted strings

After purchasing the extension we'll provide you a link to a zip file.

Open this zip file up and upload its contents to your website.

From the index page, choose the option for: "Encrypt a column in a database that has not been encrypted yet. (Currently plain text)"

On the following page, fill out the information and then the script will apply encryption to all the clear text.
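What the migration step above does, and why decryption needs exactly the same key, shown as an added PHP example (not the extension's code; its algorithm is not shown on this page). It assumes the openssl and pdo_sqlite extensions and uses AES-256-GCM as a stand-in cipher; the `orders` table, the `enc1:` marker, the keyword and the salt are constructed for illustration.

```php
<?php
// Added example, not the Secure Recordset code: AES-256-GCM stands in for its cipher.
const PREFIX = 'enc1:'; // constructed marker so already-encrypted rows are skipped

function deriveKey(string $keyword, string $salt): string {
    // Stretch the human-chosen keyword into a 32-byte key.
    return hash_pbkdf2('sha256', $keyword, $salt, 200000, 32, true);
}

function encryptField(string $plain, string $key): string {
    $iv = random_bytes(12);                      // fresh nonce per value
    $ct = openssl_encrypt($plain, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    return PREFIX . base64_encode($iv . $tag . $ct);
}

function decryptField(string $stored, string $key): ?string {
    if (strncmp($stored, PREFIX, strlen(PREFIX)) !== 0) return null; // not encrypted
    $raw = base64_decode(substr($stored, strlen(PREFIX)), true);
    if ($raw === false || strlen($raw) < 28) return null;
    $iv = substr($raw, 0, 12); $tag = substr($raw, 12, 16); $ct = substr($raw, 28);
    $plain = openssl_decrypt($ct, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    return $plain === false ? null : $plain;     // wrong key or tampering => null
}

function encryptColumn(PDO $db, string $key): int {
    // One-time migration: encrypt rows still in clear text, skip the rest.
    $rows = $db->query('SELECT id, card FROM orders')->fetchAll(PDO::FETCH_ASSOC);
    $upd = $db->prepare('UPDATE orders SET card = ? WHERE id = ?');
    $done = 0;
    $db->beginTransaction();
    foreach ($rows as $r) {
        if (strncmp($r['card'], PREFIX, strlen(PREFIX)) === 0) continue;
        $upd->execute([encryptField($r['card'], $key), $r['id']]);
        $done++;
    }
    $db->commit();
    return $done;
}

// Constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE orders (id INTEGER PRIMARY KEY, card TEXT)');
$db->exec("INSERT INTO orders (card) VALUES ('4111111111111111'), ('5500005555555559')");
$key = deriveKey('example keyword', 'constructed-salt');
echo encryptColumn($db, $key), " rows encrypted\n";          // first run
echo encryptColumn($db, $key), " rows encrypted on rerun\n"; // rerun must not double-encrypt
$stored = $db->query('SELECT card FROM orders WHERE id = 1')->fetchColumn();
var_dump(decryptField($stored, $key));                       // same keyword
var_dump(decryptField($stored, deriveKey('Example keyword', 'constructed-salt'))); // one letter differs
```

The marker prefix is what makes a second run of the migration safe: without it, rows would be encrypted twice and no longer decrypt with a single pass.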

more on security


OK, let's talk security for a bit, how secure could it possibly be right? The answer is a disappointing "it's all relative". The way most encrypted data is cracked is by brute force, all algorithms should be considered vulnerable to this sort of attack, but this attack on average takes a long time. The second type of attack is a more intensive approach where the attacker will have to mathematically create collisions or to learn something useful about the original un-encrypted data, this sort of approach does not occur often these days and takes a fair amount of skill as it usually involves a bit of math and a bit of disassembly.
Both attack types come down to the same factors, if the attacker has enough time, skill and intent, they will probably be able to get your data. Let me put it in perspective, if you were trying to encrypt CIA secrets then you have to consider someone is going to have enough time, skill and intent to link together a network of boxes or borrow a super computer and wait around for 12 years in which case NO algorithm can be considered secure, if however, you want to encrypt some arbitrary code in a PHP application or a user's password for a forum you can rest pretty easy. It's all relative. It is really important to know that no method of encryption is 100% secure, nor will it ever be, whether it is one or two way encryption and this is almost entirely because of Moore's Law which states that our computer processor power will double every 2 years, just because it's not viable to crack something today it does not mean it will always be that way. Basically as far as all this computer security stuff is concerned, nothing is ever secure.

That being said, I feel safe in using Secrypt (I am biased though) in my scripts, it would be *extremely* hard, if not impossible, to engineer a collision because during encryption three entirely different md5 hashes are created. As long as you keep the keys and the application separate you should be fine, the fact that it is an unknown algorithm bodes well too as your attacker would need to work that out and have to build his own brute force cracker to even think of brute forcing it and the cherry on top is that brute forcing it will take extremely long if the keys are anything over 4 characters each, that in my opinion at least, makes it even more secure than something like md5 (which to be technical isn't encryption) for storing passwords because as you probably know, there are many finely optimized md5 brute force cracking applications out there that can go through all the possible character combinations up to 6 characters long in a matter of seconds.

written by: Warren Smith | taken from PHPclasses.org