Data encryption and hashing in PHP

Encryption and hashing, both are the techniques to transform the data into an unreadable form. Encryption can protect data at rest, stored on certain computer or server in the form of files, or database tables. The data can be in transit as well, like the classic case of web applications. It also becomes important to protect such data. The data transmitted over the internet across servers on various networks is also prone to attacks. On the web applications, it is so often required to encrypt the data for storing it safely. Let’s think about a web application involving user management. The most common data that requires a protected storage is the user password. It should be saved and transmitted in encrypted form.

Encryption Vs Hashing

The terms are often misunderstood as same and used alternatively. Both serve the identical purpose of transforming the data to a non interpretable form. Still, there is a difference in how the two techniques work.
Let’s take the case of PHP in-built function md5(). It converts a string into hash. Most of us using the function for first time might expect it to recreate the original string from the hash. But, it doesn’t. Because this is where hashing is different from encryption.
Encryption is two way process but hashing is unidirectional. Encryption is based on certain fixed algorithm, which can be reversed to recreate the original information. On the contrary, hashing converts the data into a unique string that can’t be reconstructed. You may try some brute force methods; but those are neither quick nor reliable. The output of a hashing method, called hash or checksum, is a string which has a fixed length, 32 characters for md5 and 40 characters for sha1(). No two strings can have the same hash.

Why Hashing? Masking password

You might be wondering why we need hashing when the data encrypted can’t be retrieved. Imagine the case of user password protected by encryption. It doesn’t offer a maximum security as the encryption algorithm can be reversed to generate the original password. So, we use hashing method, say md5() (it is most common and reliable as well) for this particular scenario. Obviously, for use authentication, you can always hash the password input in the form before comparing it with the password hash saved in the database. From security point of view, it’s good to hash the password before saving into the database because it still denies access to your actual password, even if the access to server has been compromised.
Hashing also finds use in database indexing. A hash table stores hashes to reference data. Usually, this forms an associative array with hash being the key or identifying value. The value in the associative array is the associated reference value. Hash table can also be used in implementing the Cache for faster access to the stored information.

What are salts in hashing?

Hashes for common words can be easily searched and found on Google. So, it’s important to attach a salt with string before hashing. This adds a new level of security to routine hashing.

PHP – Encryption and hashing Samples

PHP has a huge set of in-built functions making it possible to perform so many operations with just one call to an in-built function. And PHP doesn’t disappoint, when it comes to encryption and hashing techniques. Let’s try some examples.
1. base64_encode and base64_decode 

Update: The functions encode and decode the string using base conversions. Technically, its not exactly the modern encryption, but encoding. I am using the example to introduce encryption. Encryption is referred as key (string/algorithm) based coding/decoding. Enciphering (now encoding) is a form of encoding that has been used for encryption till the key based techniques arrived. In recent times, encryption is used to refer computer encryption based on a key (string/algorithm). The topic is vast and we will cover encryption using mcrypt and AES in some upcoming posts.

 $string="refulzPhp is growing"

$encrypted = base64_encode($string);

echo $encrypted;  // displays “cmVmdWx6UGhwIGlzIGdyb3dpbmc=”

$decrypted = base64_decode($encrypted);

echo $decrypted;  // displays “refulzPhp is growing”

You may also try mcrypt() extension for modern encryption/decryption option. The mcrypt extension itself, offers a list of encoding/decoding algorithms to choose from. You may also want to try the PHP implementation of popular AES encryption cipher. It uses pure PHP and no new extensions are required to be compiled. There are multiple encryption modes and only one of the mode is free to use.
Additionally, you can always write your own algorithms for coding-decoding the data.

2.Hashing with md5

 $string = 'Today I am writing about encryption and hashing';

echo md5($string);  //displays “a2aa00dad98ad00d355d415a4e36cf7e”

3. Hashing with “salt”

 $string = 'Today I am writing about encryption and hashing';

$salt = “Hg3EmQww”;

echo md5($salt.$string);  //displays “bb0191e8cba1888b26229b503bea194a”

On the patterns of md5(), sha1() function implements Secure hashing Algorithm for generating 160 bit hash. Then, there is another in-built function crypt() that allows you to define the algorithm from the list of available algorithms. The default, however, is standard Unix DES-based algorithm. Provided the support on server, other possible algorithm options are Extended DES-based hash, MD5, Blowfish hashing, SHA-256 and SHA-512.

  • Gavin Staniforth

    Base64_encode() is certainly not encryption its just changing the base of value, you could change it to base16 for HEX or base10 for our number system, certainly nothing to do with encryption. base_convert() will convert to any base you like but certainly isnt encryption

    Should look at real encryption

    • Anonymous

      Real or unreal base64_encode encrypts strings by encoding with base64. The converted data can be decoded. So, it satisfies the definition of encryption.
      I have made a mention of mcrypt extension and much stronger AES implementation. That was beyond the scope of my first article on the subject. Couldnt cover everything in a single post. It was just a basic example.
      Keep visiting for more on encryption and hashing.