Hi,

I am trying to test the encryption class, and find that even with a static key, the result changes every single time the script is run.

Also if I paste back into the script an encrypted string then even if the key is changed the string is decrypted..... That cant be right surely, because every single person that runs your class would be able to just decrypt strings without knowing the key?

running this code will replicate the issue

<?php

use Lablnet\Encryption;

require 'vendor/autoload.php';

$encryption = new Encryption('openssl','test');

//Encrypt the message
$encrypt = $encryption->encrypt('some text');
echo strlen(utf8_decode($encrypt)).'<br>';

echo 'Encrypted text: '.$encrypt;
echo "<br\>";

//Decrypt the message
$decrypt = $encryption->decrypt('SWJuRkE1SmxUS0FrRHpacXc0OG9raXl0MUZITnl3T3ZzM2FjcnlYbWViQT0mJmQwMzg3ZjUxYzliNzdmOThmZTRiNjQ0M2E0ODFiMmQ1');
echo '<br> Decrypted/plain text: '.$decrypt;
$decrypt2 = $encryption->decrypt($encrypt);
echo '<br>Decrypted/plain text: '.$decrypt2;

Can you tell me what the encoded string resolves too? Even though the key that encrypted it was not the one in the script?

Posted

Jason Ellmers in phpclasses site form.

As title, it seems that the Encryption::__construct has the $key argument and it has the default key value.

I think it's not required because this key is up to the users to specify their key.

The $key always should be the required argument.

We don't have to set the default key because this will cause security problem.

Once someone know the default key from this repo, they will try to do some crack work.