PHP + AES Security Glitch

Question

Hello,

I have been implementing AES onto my website for security and I have ran into a glitch/problem to which I am un-able to find an answer and I find it quite bizzare.

I BELIEVE I know where it resides but I don't know how/where to do the fix. Currently I have PHP 5 and the latest MySQL running on my local server.

Here is a small test that I am running which seems to work great.

<?php

$fName = "Giesbrecht";

$fNameEncrypt = common::encryptMe($fName);
echo $fNameEncrypt ."<br />";
echo common::decryptMe($fNameEncrypt);

?>

My function for actually using the common:encryptMe()

public static function encryptMe ($value)
// USE THE AES ENCRYPTION TO ENCRYPT ANY VALUE
{
   include_once('../resources/crypt/AES.php');

   $aes = new Crypt_AES();
   $aes->setKey(AES_KEY);
   return $aes->encrypt($value);
}

So the problem seems to run when I insert my values into my MySQL server. So I thought it might have been my Character Set, which WAS set to Latin1, and now I have moved to utf8 -- UTF-8 Unicode

Other factors regarding my MySQL setup: I have attempted at using field types such as: varchar, varbinary (where I currently sit), and text with a length of (256 on all). I do have many column fields in my table, and many of them will need to be encrypted, although i'm just testing with 2 until I have everything figured out.

So the glitch that i've run into is when I insert into the Database and I actually look at the value inside my Database I have the characters value, they equal ¥ÄÎó¸LOI„˜:é0 (although i'm sure the trans-coding on here will modify it) I have inserted a screenshot of the actual value in the database here:

But when I try to DeCrypt the value, I get nothing, and it runs blank. It seems as if there is an issue with any word that starts with a CAPITAL "G". if I have a lower case "g" it seems to work just fine...

I am completely stumped on this and have no idea how to troubleshoot this anymore.

Any help would be greatly appreciated. PS. I am also curious to know if using PHP AES_Encryption is better or using MySQL AES_ENCRYPT is better?

Thanks.

I have now added a new section of working code based off of responses using base64... Please notify me if there is anything wrong with this structure.

<?php

$connect = mysql_connect(DB_HOST, DB_USER, DB_PASSWORD);
mysql_select_db(DB_NAME, $connect);

$fName = "Giesbrecht";

$encode = common::cleanUp($fName);
$encode = common::encryptMe($encode);
$encode = base64_encode($encode);

mysql_query("INSERT INTO contacts (userId, firstName, lastName) VALUES ('15', 'Justin', '".$encode."')") or die(mysql_error());

$results = mysql_query("SELECT * FROM contacts WHERE userId = '15'") 
or die(mysql_error());

while ($row = mysql_fetch_array($results)) 
{
    echo "<br />FN: ". $row['firstName'];
    echo "<br />LNE: ". $row['lastName'];   
    echo "<br />LN: ". common::decryptMe(base64_decode($row['lastName']));  
}

?>

Answer 1

As far as I know, there is no AES encryption function within PHP (there are 3rd party implementations, and mcrypt has one / usually ships with PHP).

Most implementations will return a binary value for the encrypted string (try base64 encoding/decoding before inserting/retrieving).

When I last looked at this in some detail (admitedly some time ago) mcrypt returned a a PHP string which contained the actual encrypted value as a C string (null terminated). i.e. it often contained additional chars after then end of the value.

HTH

C.