Problem decoding encrypted info
#1

[eluser]Adrian Walls[/eluser]
Hi,

I have recently upgraded the version of CI in one of my sites from v1.5.2 to v1.7.1 following the upgrade instructions at http://ellislab.com/codeigniter/user-gui...ading.html. Unfortunately it appears that this has introduced some errors into my site which I hope someone here can help me with. I have been through all the forums and can't find a solution.

Basically I have some sensitive details (bank account details) stored in a database table. These would have been added under the 1.5.2 version of CI using the encrypt lib. However when I try to retrieve these now in my upgraded version 1.7.1 using the
Code:
$this->encrypt->decode()
it is returning back a string such as *©+@eKK£4‡.>øU}a~pò$3°"J#c÷â.

I have gone over my upgrade to check and double check my upgrade steps but I can't find any issues.

Any help or pointers in the right direction would be greatly appreciated.

Cheers,
Wallzy
#2

[eluser]Michael Wales[/eluser]
Did the following setting within your application's config.php change?
Code:
$config['encryption_key'] = "";
#3

[eluser]Adrian Walls[/eluser]
No it's the same key.
#4

[eluser]Adrian Walls[/eluser]
Guys,

Been doing more investigation on this and have discovered that if I replace my system/libraries/Encrypt.php file packaged as part of CI 1.7.1 with that from CI 1.5.4 the encoding/decoding starts working again. It's the upgrade to Encrypt.php in CI 1.6.0 that breaks it. I see from the CI changelog that there were some changes and bug fixes to Encrypt.php in 1.6.0.

I'm assuming if this was causing issues across the board then others would have complained, but this is broken for us on three separate environments.

1. Live (Linux) server running PHP4.4.2, mcrypt v2.4
2. Live (Linux) server running PHP5.2.5, mcrypt v2.5.8
3. Dev (Windows) server running PHP5.2.6, mcrypt v2.5.7

In turn, data encoded with a post CI 1.5.4 version of the Encrypt.php file is not decodable once I revert the version of that file to 1.5.4. I wouldn't normally expect this to be the case anyway as there could be mismatches with other files across CI versions, but it may be relevant.

Cheers,
Wallzy
#5

[eluser]Michael Wales[/eluser]
Two choices:
1. 1.5.2 has inherent security vulnerabilities that are documented well around the net but none of them were within the Encrypt library. Upgrade to 1.7.1 and continue using the 1.5.2 Encrypt library.

2. Reverse engineer the changes in the two libraries between versions and update the keys in your database to validate against 1.7.1.
#6

[eluser]Michael Wales[/eluser]
Bah - I'm slow today. It's a two-way encryption, decrypt() with 1.5.2 dump to a temporary table, bring in 1.7.1 encrypt() and go-live again.
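
The decrypt-then-re-encrypt migration suggested in post #6, as an added example that is not part of the thread and not CodeIgniter code. The old and new codecs are passed in as callables; `migrate_encrypted`, the stand-in codecs and the sample rows are hypothetical and constructed for illustration, and the point shown is that each value is validated and round-tripped before it replaces the stored one.

```php
<?php
// Added example: re-encrypt stored values from a legacy codec to the current one.
// The codecs are passed as callables; the stand-ins further down are
// constructed for the demo and are NOT CodeIgniter's Encrypt library.

function migrate_encrypted(array $rows, callable $oldDecode, callable $newEncode,
                           callable $newDecode, callable $isValid)
{
    $migrated = array();
    $failed   = array();
    foreach ($rows as $id => $ciphertext) {
        $plain = $oldDecode($ciphertext);
        // A decode with the wrong library or key can return garbage instead of
        // an error (as in post #1), so validate the plaintext before trusting it.
        if (!is_string($plain) || !$isValid($plain)) {
            $failed[$id] = 'legacy decode produced invalid plaintext';
            continue;
        }
        $fresh = $newEncode($plain);
        // Round-trip check before the old value is overwritten.
        if ($newDecode($fresh) !== $plain) {
            $failed[$id] = 'new codec failed round trip';
            continue;
        }
        // The column in the thread is varchar(255); never store a truncated value.
        if (strlen($fresh) > 255) {
            $failed[$id] = 'ciphertext exceeds column width';
            continue;
        }
        $migrated[$id] = $fresh;
    }
    return array('migrated' => $migrated, 'failed' => $failed);
}

// Constructed stand-in codecs and sample rows (hypothetical, demo only).
$oldEncode = function ($p) { return base64_encode(strrev($p)); };
$oldDecode = function ($c) { return strrev((string) base64_decode($c)); };
$newEncode = function ($p) { return bin2hex($p); };
$newDecode = function ($c) { return (string) hex2bin($c); };
$isAccountNo = function ($p) { return preg_match('/^[0-9]{6,20}$/', $p) === 1; };

$rows = array(
    1 => $oldEncode('12345678'),
    2 => $oldEncode('00998877'),
    3 => bin2hex('55554444'), // constructed: row not written by the legacy codec
);
$result = migrate_encrypted($rows, $oldDecode, $newEncode, $newDecode, $isAccountNo);
print_r($result['failed']);
echo count($result['migrated']), "\n";
```

Rows listed under `failed` keep their original ciphertext, so they can be investigated separately instead of being overwritten with re-encrypted garbage.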
#7

[eluser]Adrian Walls[/eluser]
Thanks for the quick reply.

I assume there are no issues with running the version of Encrypt in CI 1.5.4 with CI 1.7.1???

Also interested to hear if anyone else has had similar problems with encrypt.

Wallzy
#8

[eluser]Adrian Walls[/eluser]
[quote author="Michael Wales" date="1247002268"]Bah - I'm slow today. It's a two-way encryption, decrypt() with 1.5.2 dump to a temporary table, bring in 1.7.1 encrypt() and go-live again.[/quote]

Thanks Michael. To get working again I have just used the 1.5.x encrypt lib. I'll get a look at your solution above when time permits over the next day or two. My main priority was to get it working again.

Just out of curiosity, should the encrypt lib in 1.6.x where I found this problem was introduced not have been backward compatible with the 1.5.x lib? Does that mean that everyone who was using the 1.5.x lib and then upgraded to a version of CI > 1.6.x would have experienced the same problem or do you suspect it is more an issue with the way I have implemented this?

Wallzy
#9

[eluser]Michael Wales[/eluser]
Without seeing your code it's hard to say whether it was a problem in your code or something that was introduced by CodeIgniter. You are the first I have heard with this issue but honestly, the Encryption library isn't that widely used anyways (primarily in a transparent way, encrypting the session cookie).
#10

[eluser]Adrian Walls[/eluser]
We are using it at its most basic:

Code:
$this->load->library('encrypt');

$accountNo = $this->encrypt->encode($this->input->post('account_number'));

$accountNo = $this->encrypt->decode($accountNo);

The result of the encode is written to a table in the database (varchar(255)), and when it is required again the encrypted value is decoded and passed to the view to be displayed. Could be some other CI setting somewhere but the call to encode/decode is as simple as that.

Possibly it could be a CI issue.



