How should I encrypt my data in a PHP application?

Question

I was trying to use the Paypal PHP SDK and I noticed a warning that says I should encrypt my API username and password for use in production environments. I do agree on this statement, but I'm wondering how I should go about doing that. I currently have no clue.

Here's what the warning says, just for the record:

Do not embed plaintext credentials in your application code. Doing so is insecure and against best practices. Your API credentials must be handled securely. Please consider encrypting them for use in any production environment, and ensure that only authorized individuals may view or modify them.

Thanks in advance.

Answer 1

First, set an encryption key:

$key = 'yourpasswordhere';
$string = ' confidential information here '; // note the spaces

Encrypt it on DB entry or from another file and only store the encrypted string in the file itself:

$encrypted = base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, md5($key), $string, MCRYPT_MODE_CBC, md5(md5($key))));
var_dump($encrypted); // "ey7zu5zBqJB0rGtIn5UB1xG03efyCp+KSNR4/GAv14w="

Decrypt it later:

$decrypted = rtrim(mcrypt_decrypt(MCRYPT_RIJNDAEL_256, md5($key), base64_decode($encrypted), MCRYPT_MODE_CBC, md5(md5($key))), "\0");
var_dump($decrypted); // " confidential information here "

Answer 2

Generally, you can store credentials like this in a file outside of the web root. This limits risk, but doesn't get rid of it entirely.

If they can see your code (or even worse, edit it), then they can get your credentials anyway. Encrypting it means you need your encryption key somewhere that would be just as visible as the username/password itself.