Tag Archive for: decryption

Author:
Monday, February 01st, 2010

Introduction

Encryption and decryption are fairly common requirements in web applications today.

If you are using an Oracle Database as your data store, you can implement encryption and decryption at the database level with the DBMS_OBFUSCATION_TOOLKIT package that Oracle provides.

Establish Table and Package

Create the table.

Simply cut and paste the PL/SQL as shown in Listing 1.

Listing 1:

Create Encryption Table

create table encryption
(
  ID       number,
  uname    varchar2(25),
  password varchar2(32)
);

Next you will need to create the package and package body.

Simply cut and paste the PL/SQL in Listing 2.

Listing 2:

Create Package and Package Body

CREATE OR REPLACE PACKAGE user_security AS
  FUNCTION encrypt (p_text  IN  VARCHAR2) RETURN RAW;
  FUNCTION decrypt (p_raw   IN  RAW) RETURN VARCHAR2;
  PROCEDURE update_user_password (
    p_username       IN   VARCHAR2,
    p_new_password   IN   VARCHAR2);
END user_security;
/

CREATE OR REPLACE PACKAGE BODY user_security AS
  -- DES key and pad character; note that the key is hard-coded in the package body
  g_key     RAW(32767)  := UTL_RAW.cast_to_raw('12345678');
  g_pad_chr VARCHAR2(1) := '~';

  PROCEDURE padstring (p_text  IN OUT  VARCHAR2);

  FUNCTION encrypt (p_text  IN  VARCHAR2) RETURN RAW IS
    l_text       VARCHAR2(32767) := p_text;
    l_encrypted  RAW(32767);
  BEGIN
    -- DES works on 8-byte blocks, so the input is padded to a multiple of 8 first
    padstring(l_text);
    DBMS_OBFUSCATION_TOOLKIT.desencrypt(input          => UTL_RAW.cast_to_raw(l_text),
                                        key            => g_key,
                                        encrypted_data => l_encrypted);
    RETURN l_encrypted;
  END;

  FUNCTION decrypt (p_raw  IN  RAW) RETURN VARCHAR2 IS
    l_decrypted  RAW(32767);   -- declared RAW to match the RAW overload of desdecrypt
  BEGIN
    DBMS_OBFUSCATION_TOOLKIT.desdecrypt(input          => p_raw,
                                        key            => g_key,
                                        decrypted_data => l_decrypted);
    -- strip the pad characters appended by padstring
    RETURN RTRIM(UTL_RAW.cast_to_varchar2(l_decrypted), g_pad_chr);
  END;

  PROCEDURE padstring (p_text  IN OUT  VARCHAR2) IS
    l_units  NUMBER;
  BEGIN
    IF LENGTH(p_text) MOD 8 > 0 THEN
      l_units := TRUNC(LENGTH(p_text) / 8) + 1;
      p_text  := RPAD(p_text, l_units * 8, g_pad_chr);
    END IF;
  END;

  PROCEDURE update_user_password (
    p_username       IN   VARCHAR2,
    p_new_password   IN   VARCHAR2
  ) AS
    v_rowid   ROWID;
  BEGIN
    -- lock the user's row before rewriting the password column
    SELECT ROWID
      INTO v_rowid
      FROM encryption t
     WHERE t.uname = p_username
       FOR UPDATE;

    UPDATE encryption
       SET encryption.password = encrypt(p_new_password)
     WHERE ROWID = v_rowid;
  EXCEPTION
    WHEN NO_DATA_FOUND THEN
      raise_application_error(-20000, 'Invalid username/password.');
  END;
END user_security;
/


To encrypt a user's password, call the packaged procedure from an anonymous block (the bind variables :p_username and :p_password are supplied by the caller):

BEGIN
  user_security.update_user_password(:p_username, :p_password);
END;
/
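As an added illustration, not code from the post or from the package above: a Python model of the package's padstring()/RTRIM scheme. DES itself is left out, since only the padding is being modelled, and the block size (8) and pad character ('~') are taken from the listing. The PKCS#5-style functions are an alternative added here, not part of the package; they show how a self-describing pad avoids the edge case in which a plaintext that ends in '~' comes back from decrypt() with that character stripped.

```python
BLOCK = 8        # DES block size used by DBMS_OBFUSCATION_TOOLKIT.desencrypt
PAD_CHR = "~"    # g_pad_chr in the package body


def padstring(text: str) -> str:
    """Mirror of the PL/SQL padstring: right-pad with '~' to a multiple of 8."""
    if len(text) % BLOCK > 0:
        units = len(text) // BLOCK + 1               # TRUNC(LENGTH/8) + 1
        text = text.ljust(units * BLOCK, PAD_CHR)    # RPAD(p_text, units*8, '~')
    return text


def unpad_rtrim(padded: str) -> str:
    """Mirror of decrypt(): RTRIM(..., g_pad_chr) removes every trailing '~'."""
    return padded.rstrip(PAD_CHR)


def roundtrip_page_scheme(text: str) -> str:
    """Pad then unpad exactly as the package does (cipher step omitted)."""
    return unpad_rtrim(padstring(text))


def pkcs5_pad(data: bytes) -> bytes:
    """PKCS#5 padding (added alternative): always appends 1..8 bytes, each
    holding the pad length, so the receiver never has to guess."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def pkcs5_unpad(padded: bytes) -> bytes:
    """Strip PKCS#5 padding, rejecting malformed trailers instead of guessing."""
    n = padded[-1] if padded else 0
    if n < 1 or n > BLOCK or padded[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return padded[:-n]


def roundtrip_pkcs5(text: str) -> str:
    return pkcs5_unpad(pkcs5_pad(text.encode())).decode()


if __name__ == "__main__":
    # Constructed sample values: a password with and without a trailing '~'.
    for pw in ("secret", "pass~"):
        print(pw, "->", repr(roundtrip_page_scheme(pw)), repr(roundtrip_pkcs5(pw)))
```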

Author:
Monday, November 02nd, 2009

The usual security tasks PHP developers handle are
1. Encryption / decryption
2. Validating the user with a session login

Since PHP is used to develop web applications, the major security issues with web applications are
1. Cross Site Scripting
2. SQL Injection
3. Trusting User Input
4. Checking the referer

These are the 4 major security issues we need to handle in our PHP scripts.

1. Cross Site Scripting Prevention

Most developers do not validate incoming data such as the query string and POST data. As a result, this leads to cookie theft, redirection to a different site, etc. For example, a user posts a comment on a blog containing the code

Nice Post <img src="http://site.com/images/myimage.gif" onload="window.location='http://mysite.com/'" />

This redirects the page to "http://mysite.com/" whenever a user visits the blog.

To prevent XSS attacks in PHP:

Check and validate all user-supplied data that you plan to use, and do not allow HTML or JavaScript code to be inserted from a form.

You can use htmlspecialchars() to convert HTML characters into HTML entities.

You can use strip_tags() to allow only some tags.

2. SQL Injection Prevention
For example (the vulnerable form, as on the original post):

<?php

// attacker-controlled value: closes the string literal and appends further statements
$firstname = "Julien'); DELETE FROM mytable; INSERT INTO mytable (firstname) VALUES ('hacked";

// the value is interpolated straight into the SQL text
$sql = "INSERT INTO mytable (firstname) VALUES ('$firstname')";

// ... running the $sql query

?>

To prevent this in PHP:

i. Use the addslashes() function, which escapes both single and double quotes by adding backslashes before them, to prevent multiple queries from being executed.

ii. Validate the data against the length of the input field. For example:

<?php

// escape trouble characters
$firstname = addslashes($firstname);

// make sure it is not longer than the expected length
$firstname = substr($firstname, 0, 32);

$sql = "INSERT INTO mytable (firstname) VALUES ('$firstname')";

// ... run the $sql query

?>

3. Check the referer: Check to make sure that the information being sent to your script comes from your website and not from an outside source. While this information can be faked, it is still a good idea to check.

For example, if you have a login form on your website with username and password textboxes, an attacker can create the same type of form and point its form action at your website. To prevent this type of attack, you can read the referer from $_SERVER['HTTP_REFERER'] and validate it before processing.

4. Never trust user input. Don't include, require, or otherwise open or delete a file whose filename is based on user input without thoroughly checking it first.

The better way to reduce programming effort while improving security is to use a good framework to develop the project.

For example, Symfony, CakePHP, Zend Framework, etc.: all of these frameworks provide good solutions for the major security issues we face, and they also help you maintain standards in your code and deliverables.