By using this site, you agree to our updated Privacy Policy and our Terms of Use. Manage your Cookies Settings.
437,751 Members | 1,158 Online
Bytes IT Community
+ Ask a Question
Need help? Post your question and get tips & solutions from a community of 437,751 IT Pros & Developers. It's quick & easy.

Mcrypt Issue

100+
P: 384
I'm encrypting data and when i try to insert it into the mySQL database it wont enter it and throws an error, i think its to do with these strange characters, they are a little box with four characters in it like two zeros on top and underneath there is like a zero and a nine, any ideas??
Oct 20 '08 #1
Share this Question
Share on Google+
7 Replies


Atli
Expert 5K+
P: 5,058
Hi.

How exactly does the INSERT query look like?
What error are you getting?

As a general rule, you should always run all data that is to be a part of a MySQL query through the mysql_real_escape_string function (or it's MySQLI equivalent) before adding it to the query.
That will make sure the data will not mess up the query with weird characters or SQL Injection.
Oct 20 '08 #2

100+
P: 384
The query look like this:
Expand|Select|Wrap|Line Numbers
  1. $query = mysql_query("INSERT INTO reports VALUES (NULL,'".secure_data($_REQUEST['name'],"encrypt")."')")
This is the secure_data function:
Expand|Select|Wrap|Line Numbers
  1. function secure_data($input,$type) {
  2.  $iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB);
  3.  $iv = mcrypt_create_iv($iv_size, MCRYPT_RAND);
  4.  $key = "an#$298d&"; 
  5.  $data = "";
  6.  if($type=="encrypt")
  7.  {
  8.     $data = mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, $input, $iv);
  9.  }
  10.  else
  11.  {
  12.     $data = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, $input, $iv);
  13.  }
  14. return data;
  15. }
Oct 20 '08 #3

Atli
Expert 5K+
P: 5,058
A couple of thoughts on that code...

First, as I suggested earlier, your should ALWAYS use the mysql_real_escape_string function on ALL data you plan on using in a MySQL query.
This will probably fix the problem you were posting about now, although I can not be sure without seeing the actual error.

Also, when writing a INSERT query, you should always specify the columns you want to use, rather then leave it up to MySQL.
This will ensure that the order in which you add the values is correct, it will allow you to add columns to the table without breaking the query, and more importantly; it will allow you to leave out columns that don't need to be filled.
For example:
Expand|Select|Wrap|Line Numbers
  1. /* Assuming `UserTable` is a table with an AUTO_INCREMENT
  2.  * ID field and a VarChar Name field */
  3.  
  4. /* Rather than doing: */
  5. INSERT INTO `UserTable` VALUES (NULL, 'Name');
  6. /* Do: */
  7. INSERT INTO `UserTable`(`Name`) VALUES ('Name'); 
  8.  
There in the first query, a NULL value would have to be passed to the AUTO_INCREMENT ID field, which I simply left out in the second query, removing the need to pass the NULL value.

Third, and least important, your secure_data function takes a $type value as it's second parameter. You use this as a string, passing "encrypt" when you want the function to encrypt rather than decrypt.
I would suggest changing this to a boolean and giving it a default value.
It should both slightly decrease the memory usage and execution time of your program (*slightly* being the keyword there), and make the function easier to use.
Consider this:
Expand|Select|Wrap|Line Numbers
  1. function secure_data($input,$encrypt=false) {
  2.   if($encrypt) {
  3.     // encrypt
  4.   }
  5.   else {
  6.     // decrypt
  7.   }
  8. }
  9.  
  10. // Then you could use it like so:
  11. $encrypted = secure_data('data', true);
  12. $decrypted = secure_data($encrypted);
  13.  
Hope this helps.
Oct 20 '08 #4

100+
P: 384
Thanks for your reply, i understand about the INSERT statement, i've spent time going over the fields being entered and they are never going to change, every field is always going to be entered hence why i left out the field names the data was going into.
With the html entities thing, as the data is encrypted will this effect the data so when its called from the DB again and decrypted will it decrypt properly??
I don't have access to the error right now but i'll try and post it as soon as possible.

Thanks again.
Oct 20 '08 #5

Atli
Expert 5K+
P: 5,058
Thanks for your reply, i understand about the INSERT statement, i've spent time going over the fields being entered and they are never going to change, every field is always going to be entered hence why i left out the field names the data was going into.
Ok, I see. Personally I would always write out the names, even if they were all being used... but that's just me :)
With the html entities thing, as the data is encrypted will this effect the data so when its called from the DB again and decrypted will it decrypt properly??
The mysql_real_escape_string function has nothing to do with HTML entities. It simply makes sure that no part of this string will cause an error in the SQL query, escaping anything that would do so.
It won't affect the data you are using in any way. The data stored and returned by MySQL when you select it will be exactly the same as the data before it was escaped.
Oct 20 '08 #6

100+
P: 384
Heres the error i'm getting:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'ØT rw޼OL8','?J8 I-M'ÿ́','john.doe@hot' at line 1
Oct 20 '08 #7

100+
P: 384
The mysql_real_escape_string function solved my problem, thanks again!
Oct 20 '08 #8

Post your reply

Sign in to post your reply or Sign up for a free account.