laravel 4.2 queries with an encrypted column
Problem description
I currently have this code in my controller which displays a set of records. Here is my code:
public function view()
{
    $title = "View Guardian Information";
    $vPa = DB::table('dbo_guardianinformation')
        ->join('dbo_cities', 'dbo_guardianinformation.CityID', '=', 'dbo_cities.CityID')
        ->select('dbo_guardianinformation.ParentAccountID', 'dbo_guardianinformation.FirstName', 'dbo_guardianinformation.LastName', 'dbo_guardianinformation.Roles',
            'dbo_guardianinformation.Address', 'dbo_cities.CityName', 'dbo_guardianinformation.Status', 'dbo_guardianinformation.EmailAddress')
        ->get();
    // encrypt decrypt algo
    // $sptkey = md5('sample_encryptkey');
    // $enPass = rtrim(base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $sptkey, $defPass, MCRYPT_MODE_ECB)));
    // $decPass = rtrim(mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $sptkey, base64_decode($enPass), MCRYPT_MODE_ECB));
    return View::make('ssims.view_parentAccount', compact('title', 'vPa'));
}
My problem is that the column dbo_guardianinformation.Address contains encrypted records. I currently have no idea where I should put the decryption code so that when $vPa is passed to the view it already contains the decrypted records. Any ideas? Thanks to anybody who would help.

Solution

Indexing Encrypted Data
If you need to search an encrypted column in a SQL database quickly and efficiently, you need to construct a blind index of the data (i.e. store hash_hmac('sha256', $plaintext, $separate_key_here) in an additional column) and structure your select queries based on that. (The linked article explains the security requirements.) This saves you from having to do a foreach() loop but, since HMAC-SHA256 is used, it's incredibly unlikely that an attacker with access to the database will be able to tease the plaintext out of the system.
That said, there's something else I would like to address:
Weak Cryptography
Please don't use the encryption code you included in your question. It's very insecure. Laravel has its own encryption class; please use that instead. It does a lot of the things right that the code snippet you included does not. For example: it provides authenticated encryption.
$sptkey = md5('sample_encryptkey');
If you want a modicum of security in your application, don't ever use md5($string) to generate a key. This is just a bad idea all around:
- md5() returns a 32-char hex string; most encryption functions expect a raw binary string
- MD5 is an incredibly broken hash function
- To transform a password into an encryption key, you need to use a key derivation function, i.e. Password-Based Key Derivation Function #2 with SHA-256 (PBKDF2-SHA256).
Consider, for example, this code instead:
define('MY_APP_PBKDF2_ITERATIONS', 86000);
define('MY_APP_KEY_LENGTH', 32); // or 16 for AES-128
// ...
$sptkey = hash_pbkdf2(
    'sha256',
    $your_password,
    $salt, // 32 bytes from /dev/urandom
    MY_APP_PBKDF2_ITERATIONS,
    MY_APP_KEY_LENGTH,
    true
);
I've expanded the whitespace here and left some inline-comments below:
$enPass = rtrim( // Unnecessary, base64_encode doesn't leave whitespace
    base64_encode(
        mcrypt_encrypt(
            MCRYPT_RIJNDAEL_256, // This isn't AES-256 by the way
            $sptkey,
            $defPass,
            MCRYPT_MODE_ECB // ECB mode is the worst mode
        )
    )
);
$decPass = rtrim( // Padding oracle attack
    mcrypt_decrypt(
        MCRYPT_RIJNDAEL_256,
        $sptkey,
        base64_decode($enPass), // No error checking
        MCRYPT_MODE_ECB
    )
);
Further reading on the specific issues:
What to do instead (choose one):
- Use Laravel's encryption features, since you're already using Laravel.
- Use libsodium (highly recommended)
- Use Defuse Security's PHP Encryption class
- When Halite hits 1.0.0, switch to that (it's basically libsodium for novices)
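The following is an added example, not code from the question or the answer above, that puts the answer's two recommendations together in plain PHP: a blind index column (HMAC-SHA256 under a key kept separate from the encryption key) so the WHERE clause never needs the plaintext, and authenticated encryption for the stored value using libsodium's sodium_crypto_secretbox instead of mcrypt in ECB mode. The key material comes from hash_pbkdf2 as in the answer's snippet. It assumes PHP 7.4 or later with ext/sodium and ext/openssl; the column name AddressIndex, the function names, the master secret and the sample rows are all constructed for this illustration and are not the asker's schema or Laravel's API. Decryption is done after the rows are fetched, which is the step between ->get() and View::make() the question was asking about.

```php
<?php
declare(strict_types=1);

// Added example (not the asker's or the answer's code). Shows a blind index for
// lookups plus authenticated encryption for the stored column. Requires PHP >= 7.4
// with ext/sodium and ext/openssl. Column and function names are constructed.

const MY_APP_PBKDF2_ITERATIONS = 86000;

/**
 * Derive two independent 32-byte keys from one master secret with PBKDF2-SHA256,
 * as in the answer's hash_pbkdf2() call. Requesting 64 raw bytes and splitting
 * gives the encryption key and the index key separate material, so a leaked
 * index key cannot decrypt the column.
 */
function deriveKeys(string $masterSecret, string $salt): array
{
    $material = hash_pbkdf2('sha256', $masterSecret, $salt, MY_APP_PBKDF2_ITERATIONS, 64, true);
    return [substr($material, 0, 32), substr($material, 32)];
}

/** Blind index: deterministic, so equal plaintexts map to equal index values. */
function blindIndex(string $plaintext, string $indexKey): string
{
    return hash_hmac('sha256', $plaintext, $indexKey);
}

/** Authenticated encryption: random nonce prepended, base64 so it fits a text column. */
function encryptField(string $plaintext, string $encKey): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    return base64_encode($nonce . sodium_crypto_secretbox($plaintext, $nonce, $encKey));
}

/** Decrypts and verifies; malformed or tampered values throw instead of yielding garbage. */
function decryptField(string $stored, string $encKey): string
{
    $raw = base64_decode($stored, true); // strict: reject anything that is not base64
    $minLen = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $minLen) {
        throw new RuntimeException('Malformed ciphertext');
    }
    $nonce  = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $cipher = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain  = sodium_crypto_secretbox_open($cipher, $nonce, $encKey);
    if ($plain === false) {
        throw new RuntimeException('Ciphertext failed authentication');
    }
    return $plain;
}

/**
 * Why the answer calls ECB "the worst mode": with no nonce, equal plaintexts give
 * equal ciphertexts, so anyone reading the table can see which rows share a value.
 * AES-256-ECB via OpenSSL is used here only to show that property.
 */
function ecbLeaksEquality(string $plaintext, string $key): bool
{
    $a = openssl_encrypt($plaintext, 'aes-256-ecb', $key, OPENSSL_RAW_DATA);
    $b = openssl_encrypt($plaintext, 'aes-256-ecb', $key, OPENSSL_RAW_DATA);
    return $a === $b; // true: ECB is deterministic
}

// --- Constructed in-memory rows standing in for dbo_guardianinformation ---
$salt = random_bytes(32); // generate once and store with the application config
[$encKey, $indexKey] = deriveKeys('sample_master_secret', $salt);

$rows = [];
foreach (['12 Main St', '7 Harbour Rd', '12 Main St'] as $i => $address) {
    $rows[] = [
        'ParentAccountID' => $i + 1,
        'Address'         => encryptField($address, $encKey), // ciphertext column
        'AddressIndex'    => blindIndex($address, $indexKey), // extra column the WHERE clause uses
    ];
}

// Lookup by blind index: the database only compares HMAC values. In a Laravel
// query this is ->where('AddressIndex', '=', $needle) rather than decrypting
// every row in a foreach().
$needle  = blindIndex('12 Main St', $indexKey);
$matches = array_filter($rows, fn (array $r): bool => hash_equals($needle, $r['AddressIndex']));

// Decrypt after fetching and before the rows reach the view.
foreach ($matches as $row) {
    printf("account %d: %s\n", $row['ParentAccountID'], decryptField($row['Address'], $encKey));
}

// Equal addresses share an index value but never a ciphertext (random nonce).
printf("same index:      %s\n", var_export($rows[0]['AddressIndex'] === $rows[2]['AddressIndex'], true));
printf("same ciphertext: %s\n", var_export($rows[0]['Address'] === $rows[2]['Address'], true));
printf("ECB repeats:     %s\n", var_export(ecbLeaksEquality('12 Main St', $encKey), true));
```

The blind index is intentionally deterministic, which is what makes it queryable and also why it must use its own key and never replace the encrypted column: it reveals equality between rows and nothing else. The randomized nonce in encryptField is what prevents the ciphertext column from leaking that same equality, which is exactly the property the ECB construction in the question lacks.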