CSC 325 Grinnell College Fall, 2008
Databases and Web Application Design

Laboratory Exercise on Encryption in PHP


This laboratory exercise provides some practice in using encryption within a database application.

Getting Started

This lab uses three HTML/PHP scripts as a base for exploration: encryption-start.php, encryption-action.php and decryption-action.php. These scripts are available in directory ~walker/public_html/courses/325.fa08/examples/

  1. Copy encryption-start.php, encryption-action.php and decryption-action.php from directory ~walker/public_html/courses/325.fa08/examples/ to a subdirectory of your public_html directory, and change the permissions of these files to allow them to be executed.

  2. Run encryption-start.php a few times to see how this sequence of scripts works, and review the encryption/decryption steps in the code.

Some Details

As the accompanying scripts suggest, encryption/decryption in PHP is reasonably straightforward. In addition to the data to be encrypted (called the plain text message), specifics depend upon:

Normally, a particular script or application will determine the encryption algorithm and mode, and these will be hard-coded within PHP programs. But how should we handle the encryption key and initialization vector?

Storing Keys and Initialization Vectors

Encryption keys and initialization vectors can be stored following two basic approaches. Each has both advantages and disadvantages:

Note: As noted in the class examples for encryption, the Linux operating system stores a separate salt for each username in a public password file. Thus, Linux follows the second approach above, although the password application utilizes one-way encryption only — Linux provides no mechanism for decrypting passwords to get plain text back.

Assumptions for this Lab

In the rest of this laboratory exercise, we use a separate key and initialization vector for each record:

More specifically, this lab will store encrypted data in a table sampleEncryptedData, defined as follows:

   create table sampleEncryptedData (
      recordID bigint(20) unsigned not null auto_increment,
      username varchar(25),  
      initVector tinyblob,   /* binary field up to 255 bytes */
      encMessage blob,       /* binary field up to 65,535 bytes */
      primary key (recordID)


Lab Activities

  1. Modify encryption-start.php, so that it has two sections:

  2. Modify encryption-action.php, so that it proceeds as follows:

  3. Modify decryption-action.php, so that it proceeds as follows:

Work to Turn In

This document is available on the World Wide Web as

created 2 November 2008
last revised 25 November 2008
Valid HTML 4.01! Valid CSS!
For more information, please contact Henry M. Walker at