I have the following code which worked fine on PHP 5.5.9.
function index()
{
echo $this->encryptText_3des('TEST','JHHKJH9879');
}
function encryptText_3des($plainText, $key) {
$key = hash("md5", $key, TRUE);
for ($x=0;$x<8;$x++) {
$key = $key.substr($key, $x, 1);
}
$padded = $this->pkcs5_pad($plainText,
mcrypt_get_block_size(MCRYPT_3DES, MCRYPT_MODE_CBC));
$encrypted = base64_encode(mcrypt_encrypt(MCRYPT_3DES, $key, $padded, MCRYPT_MODE_CBC));
return $encrypted;
}
function pkcs5_pad ($text, $blocksize)
{
$pad = $blocksize - (strlen($text) % $blocksize);
return $text . str_repeat(chr($pad), $pad);
}
The encryption was happening fine.But in 5.6.9, the in the PHP doc of mcrypt_encrypt, they mention that
Invalid key and iv sizes are no longer accepted. mcrypt_encrypt() will now throw a warning and return FALSE if the inputs are invalid. Previously keys and IVs were padded with '\0' bytes to the next valid size.
How will I modify my current code with the fifth parameter without altering the encryption algorithm?
I tried
$iv_size = mcrypt_get_iv_size(MCRYPT_3DES, MCRYPT_MODE_CBC);
$iv = mcrypt_create_iv($iv_size, MCRYPT_RAND);
and given $iv as fifth parameter.
But it didn't work out. The encryption was different from the earlier one.
Don't emulate old PHP versions weak behaviour for initializing IV.
Use mcrypt_create_iv().
They removed the auto zero-byte iv for a reason.
Found the answer in case anyone need
$ivSize = 8;
$iv = str_repeat("\0", $ivSize);
$encrypted = base64_encode(mcrypt_encrypt(MCRYPT_3DES, $key, $padded, MCRYPT_MODE_CBC, $iv));
Pass a 5th parameter manually which the earlier version was doing on its own!
I would advise you against reinventing the wheel as your function has numerous cryptography engineering flaws.
- Don't use 3DES, use AES. The correct mcrypt constant for AES is
MCRYPT_RIJNDAEL_128, regardless of your desired key size. Mcrypt is pretty terrible.
- Don't use
md5() as a key derivation function. If you find yourself needing a KDF (e.g. because you're using a password instead of storing an encryption key), use hash_pbkdf2() with SHA-256.
- You are encrypting but not authenticating your ciphertext. Secret-key encryption without message authentication is NOT secure in any language! Encrypt-Then-MAC please.
If you're going to use mcrypt (our recommendations for secure data encryption in PHP are to use libsodium if you can; otherwise defuse/php-encryption; otherwise openssl), make sure you pass the correct constant to mcrypt_create_iv().
Bad:
$iv = mcrypt_create_iv(16, MCRYPT_RAND); // BAD EXAMPLE
Good:
$iv = mcrypt_create_iv(16, MCRYPT_DEV_URANDOM); // YES!
{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://img.manongdao.com/sparkler-677774__340.jpg', '推荐 贼婆χ 的文章《mcrypt_encrypt not working properly on PHP 5.6.9》','https://www.manongdao.com/article-781950.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}