CakePHP: the rapid development php framework: CakeBot

Log message #4184175

#	At	Username	Text
#	Apr 23rd 2019, 15:38	neon1024	..and that I should visit his sandbox for an example
#	Apr 23rd 2019, 15:38	dereuromark	Actually, no :)
#	Apr 23rd 2019, 15:38	josbeir	:)
#	Apr 23rd 2019, 15:38	neon1024	He’ll say he’s got a plugin
#	Apr 23rd 2019, 15:38	neon1024	@phantomwatson Hopefully you can learn it before implementing it into prod :P
#	Apr 23rd 2019, 15:38	josbeir	i have the feeling @dereuromark has something very interesting to add to the conversation
#	Apr 23rd 2019, 15:37	josbeir	:)
#	Apr 23rd 2019, 15:37	neon1024	Thanks! :P
#	Apr 23rd 2019, 15:37	neon1024	Yeah good idea, I’ll ask the user with their primary key is
#	Apr 23rd 2019, 15:36	josbeir	i'm no expert tho
#	Apr 23rd 2019, 15:36	josbeir	you should lookup your db row with some other identifier and do the comparison after fetching
#	Apr 23rd 2019, 15:36	slackebot	<neon1024>
#	Apr 23rd 2019, 15:35	phantomwatson	Huh. I also assumed that it would always be the same output for the same input.
#	Apr 23rd 2019, 15:35	neon1024	Guess I’ll rewatch this https://www.youtube.com/watch?v=RTZXgxYGOWAandlist=PL_aPVo2HeGF9Hf1dr6lI7f6jJ48zqcz_fandindex=8andt=0s
#	Apr 23rd 2019, 15:34	phantomwatson	Note `$iv = openssl_random_pseudo_bytes($ivSize);`
#	Apr 23rd 2019, 15:34	phantomwatson	Oh, I'm just now seeing ``` public static function encrypt($plain, $key) { $method = 'AES-256-CBC'; $ivSize = openssl_cipher_iv_length($method); $iv = openssl_random_pseudo_bytes($ivSize); return $iv . openssl_encrypt($plain, $method, $key, OPENSSL_RAW_DATA, $iv); } ```
#	Apr 23rd 2019, 15:34	josbeir	learned that to at some point :slightly_smiling_face:
#	Apr 23rd 2019, 15:34	neon1024	I don’t fancy reading and decrypting my whole database table
#	Apr 23rd 2019, 15:34	josbeir	yeah, i get that
#	Apr 23rd 2019, 15:33	neon1024	I certainly didn’t, but I did totally miss the fact that encryption does not produce consistant output
#	Apr 23rd 2019, 15:32	josbeir	people always confuse encryption with hashing
#	Apr 23rd 2019, 15:32	neon1024	@josbeir `ctype_xdigit($value)`
#	Apr 23rd 2019, 15:32	josbeir	yes
#	Apr 23rd 2019, 15:32	josbeir	or you could decrypt it and compare that
#	Apr 23rd 2019, 15:32	neon1024	:P
#	Apr 23rd 2019, 15:32	neon1024	So I’ve filled my database with gibberish! :,(
#	Apr 23rd 2019, 15:32	josbeir	but you should be able to check if the string is encrypted using a specific cypher method
#	Apr 23rd 2019, 15:31	josbeir	so you will not be able to compare it
#	Apr 23rd 2019, 15:31	josbeir	security::encrypt produces an encrpyted string wich will be always random stuff, it does not produce a hash
#	Apr 23rd 2019, 15:31	neon1024	Which could well be how I’ve ended up in this hole
#	Apr 23rd 2019, 15:31	neon1024	This feels intentional to me, which means the hole is in my understanding of encryption
#	Apr 23rd 2019, 15:31	neon1024	The same results occur when using a CONST
#	Apr 23rd 2019, 15:29	phantomwatson	I mean. Maybe not having different results in _the same test_, but it's still worth checking.
#	Apr 23rd 2019, 15:28	phantomwatson	If your test system is creating random configuration values for every test, that could explain it.
#	Apr 23rd 2019, 15:28	phantomwatson	Try doing it the other way. Use a variable as your second parameter instead of a method call.
#	Apr 23rd 2019, 15:27	phantomwatson	Even a hash function shouldn't produce different results every time.
#	Apr 23rd 2019, 15:27	neon1024	It uses Configure::read
#	Apr 23rd 2019, 15:26	phantomwatson	The obvious place to look is your parameters. Are you calling `Configure::read()` every time, or are you saving the output to a `$key` variable and reusing that variable?
#	Apr 23rd 2019, 15:26	neon1024	This means, in my limited understanding, that Security::encrypt is working more like a hash
#	Apr 23rd 2019, 15:25	neon1024	Yes, I’m using 3.7.6
#	Apr 23rd 2019, 15:25	neon1024	You can see here running the same test case file twice, gives different results