Encrypting a Field that is used for searching

[icoso]

I have an issue that I've asked a lot of questions about on how to accomplish and not really getting anywhere or the question at hand is getting obscured.

1. How do I encrypt a field that I save in the database table, such as an SSN field, that I then use on the search screen to search for it. For example:

On my edit form I have a field named cust_SSN. I want to encrypt it and save it in the database (simple). There are MANY methods to do this and I am currently using the BEFORE SAVE to run a procedure that will encrypt the SSN field before it is saved. This part is done.

The PROBLEM: Searching for those records using the same cust_SSN field.

I need to be able to perform the form search USING the cust_SSN field. If I use my current and/or many other encryption routines to encrypt the data and save it in the database. I MUST always enter the FULL SSN when I search for the SSN. Because, for example, if I search for some subset of the SSN 123-45-6789 (last 4 = 6789), those last 4 numbers will NEVER be in the encrypted field in the same format with my current encryption routine. Someone suggested using base64_encode because they will always encrypt to be the same pattern. However, that doesn't seem to help because base64_Encode would then not be a good way to encrypt that field. It would be easily unencrypted, Right?

What Im trying to figure out is HOW do I use the search form, to enter an SSN (even the full SSN) encrypt it BEFORE I search for it and then have the results show the unencrypted data that is returned? So on the search results I would see all the records that contained 6789 as the last four of the SSN?

Kev1n suggested this: p

Declare a function nuOnSearchAction() in your form's Custom Code. Call a PHP Procedure in it to encrypt the search value and use nuJavascriptCallback to Refresh the Browse Screen. You will need the updated nuform.js:

I used the newest nuform.js and made sure that nuOnSearchAction was in it. I declared the nuOnSearchAction() function. I called the PHP function (that I created in the Procedures), and then looked at the nuRunPHPHidden & nuJavascriptCallback to see what they did. It didn't work.

function nuOnSearchAction() {
Sstring1=nuRunPHPHidden('encryptString($('#nuSearchField'))','0);
nuJavascriptCallback($string1);
result = false;
}

I know this function WILL NOT work as is. nuRunPHPHidden returns NOTHING. It is used to call the PHP Procedure that I created to encrypt the nuSearchfield. nuJavascriptCallback is a PHP function that calls a Javascript function or code.

1. Where does that Javascript have to exist? In the Custom Code of the form?

2. How do I pass the encrypted data string that nuRunPHPHidden('encryptString($('#nuSearchField'))','0); generated in the encryptString PHP procedure, to be used in the nuJavascriptCallback() function? If the nuRunPHPHidden returns NOTHING how do I get that data into the nuJavascriptCallback() function? Is this >>nuRunPHPHidden('encryptString($('#nuSearchField'))','0);<< even the proper way to grab what was entered in the search field and pass it to my PHP encryptString procedure?

3. OR do I call the nuJavascriptCallback() PHP function within my encryptString() PHP procedure? But then how does it CHANGE the search criteria on the screen before it searches the database?

Im not asking for help writing the code to encrypt the fields, Im asking for the overview on how these functions work and should be used to actually change the search criteria before the search occurs, then how to display the returned data in an unencrypted format in the record list? The definitions of the functions in the wiki's DO NOT provide for how to use them in real life.

For example, the nuRunPHPhidden example shows: "nuRunPHPHidden('INV', 1);" and states: "If placed on an Object's click event, it will run a Procedure on the server without anything visibly happening. " Procedure doesn't even link to what a procedure is. I had to guess at what that was. Then it says "If you want some JavaScript to run after the Procedure, you can add that within that Procedure with nuJavascriptCallback(). " Again how is this helpful in writing anything to affect a screen, a form, an object on the form, or in my case THE SEARCH criteria before it runs. Referring someone to the "Manual" or "Wiki" or the function itself does not help in any way because there is nothing there that provides real world examples on how to actually use it to do anything. Take a look at the PHP.net and how each function has a lot of examples in commentary, that's helpful.

Does this make sense at all or is NOBODY encrypting private data in their databases?

[icoso]

Is this how this functionality is accomplished? What am I missing? When I do the search, nothing happens. I get no results when I enter something in the search field.

This is my PHP Procedure:

Code: Select all

function encryptString($text)
{
    $secret = defined("ENCRYPT_SECRET") ? ENCRYPT_SECRET : "some_secret_encryption_string";
    $iv = openssl_random_pseudo_bytes(openssl_cipher_iv_length("aes-256-cbc"));
    return base64_encode($iv . openssl_encrypt($text, 'aes-256-cbc', $secret, 0, $iv));
}
    $js = "
        function encString() {
          $('#nuSearchField').val(encryptString($('#nuSearchField'))).change();
        }
        encString();
        nuHasNotBeenEdited(); 
    ";
nuJavascriptCallback($js);

This is my Custom Code:

Code: Select all

function nuOnSearchAction() {
   nuRunPHPHidden('EncStr', 1);
   result = false;
}

[kev1n]

I think your PHP code should look something like this:

Code: Select all

function encryptString($text)
{
    $secret = defined("ENCRYPT_SECRET") ? ENCRYPT_SECRET : "some_secret_encryption_string";
    $iv = openssl_random_pseudo_bytes(openssl_cipher_iv_length("aes-256-cbc"));
    return base64_encode($iv . openssl_encrypt($text, 'aes-256-cbc', $secret, 0, $iv));
}

$e = $encryptString($('#nuSearchField'));
$js = ' nuForm(nuGetProperty("form_id"),"" , "", $e, "0"); ';

nuJavascriptCallback($js);

[icoso]

Well that's new and doesn't follow anything that you've posted about this in any previous posts.

I changed my procedure to what you posted and it doesn't work!
============================================================================
I get :
Procedure EncStr
nucommon.php(1291) : eval()'d code syntax error, unexpected '(', expecting variable (T_Variable) or '{' or '$'

Traced from line 62: .../nuAPI.php nuRunPHPHidden
line 421: .../nucummon.php nuEval
============================================================================
I checked GitHub and downloaded the latest nucommon.php and nucommon.js both newer than my version, and that didn't help.

Why can't I get questions answered???? Why is this so difficult to try to get a straight answer? I ask a lot of questions so that I can get a clear picture of how things work.

I got the code from your example of the easy encryption posts and the zip file that yo uploaded to create that encrypted table example. I tried to follow what it did.

Do I replace the "form_id" with the actual form if of the search form? How do I get that?

Again, what is nuJavascriptCallback($js); going to do?

Is it going to change what I entered on the search screen and then run the actual search? Or is there something else Im going to have to chase and spend hours on trying to figure out what it does to go to accomplish that.

[kev1n]

Use https://phpcodechecker.com/ to check the PHP syntax.

replace $encryptString with encryptString

[icoso]

Use https://phpcodechecker.com/ to check the PHP syntax.

replace $encryptString with encryptString

Im really not trying to be obnoxious here, but this was your code example that Im using, It gets the same error: "PHP Syntax Check: Parse error: syntax error, unexpected '(', expecting variable (T_VARIABLE) or '{' or '$' in your code "

This is the line the error is coming from:

$e = encryptString($('#nuSearchField')); I removed the $ from in front of encryptString

If I replace $('#nuSearchField') with "Anyone" then it passes the code checker. Why? What is wrong with using that as the variable $('#nuSearchField') in encryptString()? Isnt that how one refers to #nuSearchField' as a string in a PHP function?

OR should it be something like what you suggested previously:

$('#nuSearchField').val(encryptString($('#nuSearchField'))).change();

As a test: I am using the table and code that you suggest in this post: https://forums.nubuilder.cloud/viewtopic.php?f=20&t=10482 about easy encryption, in which I asked some questions and never got answered. I have one record in the encrypt_data table using your cde and the password that I used was the word "Anyone". So When I open the search form it automatically displays the one record that currently exists in the table. And when I click on it it opens the edit form and there is the Password, and its "Anyone". To test the code above for the search, I replaced $('#nuSearchField') with "Anyone" so now that line in the code looks like: $e = encryptString("Anyone");

So based on what exists in the table. Clicking search should ignore what I've entered in the search criteria, right? and just use the string "Anyone" to encrypt and search for that encryption string, Right?

Well it doesn't return anything... Now what?

I checked the field in the table and the encrypted text for "Anyone" as its saved in the table is: "LacwieBNXglgYVl1Hk5UDEtkZ3pJUTliWnZVL0p2a2JuSStERkE9PQ=="
When I run this function using $e = encryptString("Anyone") the result of $e is "BTx8/nwC23pn0RiRf9gCyE1TZnpqZTZ3ZUI4VzYyMEc3SFo4MkE9PQ==" and it changes EVERY TIME I click search.

So this tells me that the function encryptString(); will never work and produce the same results as what is in the database. This search will never work.

MORE INFO:since using this: encryptString($('#nuSearchField')); causes an error, I tried it as: encryptString('#nuSearchField#'); That doesn't work either, it sends "#nuSearchField#" as the actual text.

According to the PHP in the After Save referencing a variable on the screen (an object) should be done like: encryptString("#enc_password#") . I then tried encryptString("#nuSearchField#"); That doesn't work either, it sends "#nuSearchField#" as the actual text. Im beginning to think I can't access the value of whats in the Search field....

Is there a possibility that JSON is not loaded at this point and that is why: $e = encryptString($('#nuSearchField')); This fails syntax?

[apmuthu]

Are you using the latest nuBuilder v4.5 git master? The BeforeSave function code was updated to allow changes to the form data before saving to the database. In a similar manner, the search value can be encrypted / encoded before being sent for processing. The session variable that makes the search value persist across pages (and ajax requests) would need to be changed in the client side itself before a transmission to the server - php or ajax.

[icoso]

Are you using the latest nuBuilder v4.5 git master? The BeforeSave function code was updated to allow changes to the form data before saving to the database. In a similar manner, the search value can be encrypted / encoded before being sent for processing. The session variable that makes the search value persist across pages (and ajax requests) would need to be changed in the client side itself before a transmission to the server - php or ajax.

Yes, I have updated nucommon.js, nucommon.php, nuform.js & nudata.php as per kev1n in the posts hes contributed. I just installed this system brand new and started using it on 2/5/2021. I have used the BeforeSave to encryt the data on the edit form and save it to the database. Thats NOT where Im hung up. I have explained pretty thoroughly in all my posts the problem with the search screen. I guess you guys call it the browse screen (before going into the edit screen.) The code kev1n suggested produces an error. I haven't heard back from him. I cant seem to pass data back tot he search field either before it actually runs the search. It always reverts back to what I entered on the screen rather than what I generated in the code.

Still at a complete loss and very frustrated by this system.

[icoso]

Still hoping someone can help me with this issue and it not take several days....

[miasoft]

Still hoping someone can help me with this issue and it not take several days....

My basic concept is that:
1) after user login (nuStart) create MEMORY table like:
id_memory = main_id
ssn_memory=main_ssn (decryted of course)
and fill in these two fields from maintbl.
2) join memory table with main table by id
3) run search by ssn_memory, but add-edit-delete fields by maintbl, correct memory table by embeds in BS for maintbl
4) delete memory table on logout

OR we needs use MySQL v8.xx with full transparent encryption functions