使用密钥文件加密成员数据

时间:2015-03-02 16:29:23

标签: php mysql encryption pdo mcrypt

我正在一个网站上工作,我希望会员能够在其帐户中维护项目列表。此外,他们应该能够查看/浏览其他成员拥有的所有项目(除非没有看到任何所有权信息)。

我希望能够为成员提供一些实际的安全保证,这样如果他们从没有密钥文件的设备登录他们的帐户,他们仍然可以访问和使用他们的帐户,但它会只是被限制,因为它不会显示他们拥有任何项目(因此将没有更新任何项目或创建新项目的权限)。我一直试图让它与下面的东西一起工作,但我没有太多 - 任何建议都会非常感激!... 

<?php

#Encryption/decryption functions ;
function encrypt($value, $key) {
    $ivSize = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_CBC); 
    $iv     = mcrypt_create_iv($ivSize, MCRYPT_RAND); 
    return    mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, $value, MCRYPT_MODE_CBC, $iv); 
}
function decrypt($value, $key) {
    $ivSize = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_CBC); 
    $iv     = mcrypt_create_iv($ivSize, MCRYPT_RAND); 
    return    mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, $value, MCRYPT_MODE_CBC, $iv);
}

#Encryption key that would normally be seeded by user ;
$keyfile='9TOxo1Uy5JsiW1jRPS61';



#Database sandbox;
#------------------------------------------------------------------------------;
$db = new PDO('mysql:dbname=mydb;host=localhost', 'root', '' );
#$db->setAttribute( PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION );

#Create dummy table ;
$db->exec("CREATE table items (
owner_id VARCHAR( 20 ) NOT NULL,
ownername VARCHAR( 50 ) NOT NULL, 
itemname VARCHAR( 100 ) NOT NULL,
itemdetails VARCHAR( 250 ) NOT NULL);");



#Populate with test data ;
session_start();
$insert= $db->prepare("INSERT INTO items(owner_id, ownername, itemname, itemdetails) VALUES (?,?,?,?)");
$_SESSION['user_id']=0001;
$db->execute(array(encrypt($_SESSION['user_id'],$keyfile)),"Bob","Bobs 1st Item","Item description of Bobs first item");
$db->execute(array(encrypt($_SESSION['user_id'],$keyfile)),"Bob","Bobs 2nd Item","Item description of Bobs second item");
$_SESSION['user_id']=0002;
$db->execute(array(encrypt($_SESSION['user_id'],$keyfile)),"Tom","Toms Item","Item description of Toms first item");


#Only return items belonging to the current user - but returns nothing without their keyfile present even if the user is logged in)
$userquery = $db->prepare(" SELECT decrypt(ownername, :ownerkey) as ownername, itemname, itemdetails FROM items WHERE $_SESSION('userid') == decrypt(owner_id, :ownerkey) ");
$userquery->execute(array(':ownerkey'=> "$keyfile"));
$result=$userquery->fetchall();


#Without their keyfile a user can still search the items table but with meaningless owner information ;
$fullquery = $db->prepare("SELECT ownername, itemname, itemdetails FROM items");
$userquery->execute();
$result=$fullquery->fetchall();


?>

0 个答案:

没有答案
相关问题
最新问题