Encryption needs are very common among all the projects.
Please follow the encryption rules to save every kind of critical data within your web application.
- All Passwords stored in the database must be encrypted.
- Querystring must be encrypted. Please use fake variables and values to make your querystring disguised and difficult to be guessed easily. for example if user id has to be passed for information in querystring the wrong way that is being used in most of the sites is
Its very easy to break this and anyone can put any number instead of ‘12? at the end of querystring to obtain the information that will be processed with this perameter.
To make this secure and unguessable, we can modify the querystring in the following menner
In the above example, we have used disguised querystring where most of the information is either fake or is encrypted. Only variable ‘x’ in the above example contains the correct information which is userid encoded.
The encryption used for this string to encode is called MCrypt encryption that is a standard encryption method used in php. you can download the attached encryption class file to use in your application. Example of using the encryption class is as follow:
$enc = new encrypt;
echo "Encoded Value: ".$enc->enc("12");
echo "Decoded Value: ".$enc->dec($enc->enc("12"));
In the above example, the string to be encrypted can be passed in the class object function called ‘enc’ and the decryption can be done through ‘dec’ function.
- Security Audit rules are also modified according to the encryption rules defined above.