easy encryption

Questions related to customising nuBuilder Forte with JavaScript or PHP.
pbweb1969
Posts: 7
Joined: Sat Aug 08, 2020 12:13 pm

easy encryption


Does nuBuilder have a way built in to encrypt a field (for example a password), and unencrypt? As obviously keeping passwords (or other sensitive info) unencrypted in a database is a security no-no.

I'm a bit of a n00b regards PHP, but I have read it's got something to do with hashes.

Or is there any readily available code that will do this?

Thanks a lot to anyone that can help
Janusz
nuBuilder Team
Posts: 506
Joined: Fri Dec 28, 2018 1:41 pm
Location: Krakow, Poland
Has thanked: 8 times
Been thanked: 18 times

Re: easy encryption


Hi,
User passwords by default are hashed with md5 and are stored only as hashed - so admin for example will never see directly original user passwords.
If you like nuBuilder, please leave a review on SourceForge
pbweb1969
Posts: 7
Joined: Sat Aug 08, 2020 12:13 pm

Re: easy encryption


Janusz wrote: Hi,
User passwords by default are hashed with md5 and are stored only as hashed - so admin for example will never see directly original user passwords.

No, by username and passwords, I mean if I create a table and used a fieldname "password", when I check the table it's not encrypted the password field. I also require a "notes" field with medical data to be encrypted for GDPR purposes.
kev1n
nuBuilder Team
Posts: 4292
Joined: Sun Oct 14, 2018 6:43 pm
Has thanked: 71 times
Been thanked: 444 times

Re: easy encryption


[See next post]
Last edited by kev1n on Wed Aug 12, 2020 4:29 pm, edited 1 time in total.
kev1n
nuBuilder Team
Posts: 4292
Joined: Sun Oct 14, 2018 6:43 pm
Has thanked: 71 times
Been thanked: 444 times

Re: easy encryption


Please find attached a sample.

[Attachment removed. Please see next posts]

It uses the PHP AS (After Save) event to encrypt a password field with AES 256 encryption (using a secret password) and decrypts it when the form is loaded.
That means that the password is stored encrypted in the database.

Import the SQL File into your existing nuBuilder Database (using phpMyAdmin).
The dump contains a form, its objects and a table (encrypt_data). It will not overwrite/modify/delete any other data.

How to import the file:
1. Log into phpMyAdmin (in nuBuilder, go to the tab Builders and click on the "Database" button).
4. In phpMyAdmin, Click "Import" in the top menu
5. Under File to Import, click "Browse" and select the sql file (from the attachment)
6. Click "Go" at the bottom right to import the database file.
7. When the database has been imported successfully, you should see a message at the top of the page similar to: "Import has been successfully finished".
Last edited by kev1n on Thu Aug 13, 2020 5:22 pm, edited 1 time in total.
pbweb1969
Posts: 7
Joined: Sat Aug 08, 2020 12:13 pm

Re: easy encryption


Thanks a lot for your help (and sooo quick)

I've imported the SQL file, it has updated a table and form,
it was still saving unencrypted, so I looked at the aftersave customcode which was blank

so I typed it out from the example

Function encrypstring ($text)
{
$secret = defined(“encrypt_secret”) ? encrypt_secret : “something”;
$iv = openssl_random_pseudo_bytes(openssl_cipher_iv_length(“aes-256-cbc”));
Return base64_encode($iv . Openssl_encrypt($text, ‘aes-256-cbc’ , $secret, 0, $iv));
}
$qry = “update ‘encrypt_data’ set ‘enc_password’ = ? Where encrypt_data_id = ?”;
Nurunquery($qry, [encryptstring(“#enc_password#”) , “#RECORD_ID#”]);


It's coming up with the following error

After Save of Form encrypt_dataBE

/home/carecomp/public_html/nubuilder/nucommon.php(1258) : eval()'d code
syntax error, unexpected '‘encrypt_data’' (T_STRING)

Traced from...

(line:52) /home/carecomp/public_html/nubuilder/nuapi.php - nuUpdateDatabase

(line:403) /home/carecomp/public_html/nubuilder/nudata.php - nuEval

It may be a typo?

Shouldn't there also be a script in the browse part of the form used to unencrypt the data and put it in the form field? (when browsing data?)

Again, many thanks for your help
kev1n
nuBuilder Team
Posts: 4292
Joined: Sun Oct 14, 2018 6:43 pm
Has thanked: 71 times
Been thanked: 444 times

Re: easy encryption


Sorry, I must have uploaded a faulty file. Please execute this query to remove the form & objects and then use the new db dump from the attachment.

Code:

SET @form_id = '5f33e61a6136434';
SET @form_id_like = concat(@form_id,'%');

DELETE FROM zzzzsys_event WHERE sev_zzzzsys_object_id in 
(SELECT zzzzsys_object_id FROM zzzzsys_object where sob_all_zzzzsys_form_id = @form_id);

DELETE FROM zzzzsys_php WHERE 
zzzzsys_php_id like @form_id_like
OR sph_zzzzsys_form_id = @form_id
OR LEFT(zzzzsys_php_id,length(zzzzsys_php_id)-3)  
in (SELECT zzzzsys_object_id FROM `zzzzsys_object` WHERE sob_all_zzzzsys_form_id = @form_id);

DELETE FROM zzzzsys_browse WHERE sbr_zzzzsys_form_id = @form_id ;
DELETE FROM zzzzsys_select WHERE zzzzsys_select_id  like @form_id ;
DELETE FROM zzzzsys_select_clause WHERE ssc_zzzzsys_select_id like @form_id_like ;
DELETE FROM zzzzsys_tab WHERE syt_zzzzsys_form_id  = @form_id;
DELETE FROM zzzzsys_object WHERE sob_all_zzzzsys_form_id = @form_id OR sob_run_zzzzsys_form_id = @form_id;
DELETE FROM zzzzsys_form WHERE zzzzsys_form_id = @form_id ;

DROP TABLE encrypt_data;
gerese
Posts: 132
Joined: Sun Dec 16, 2018 6:13 pm
Location: România
Has thanked: 30 times
Been thanked: 4 times

Re: easy encryption


Works fine , good to know :)
nuBuilderForte .... BIG Like !!!
kev1n
nuBuilder Team
Posts: 4292
Joined: Sun Oct 14, 2018 6:43 pm
Has thanked: 71 times
Been thanked: 444 times

Re: easy encryption


gerese wrote: Works fine , good to know :)

The problem with this approach is that the key is also stored in the database. If someone was able to get access to the database and see encrypted passwords, they would also be able to browse the database and retrieve the key to decrypt them.
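
The concern raised in the post above, as an added example that is not from the thread or from nuBuilder: the field key is read from a hypothetical environment variable `NU_FIELD_KEY` instead of a database row, and AES-256-GCM is used in place of the thread's aes-256-cbc so that a modified ciphertext is rejected on decrypt. The function names are assumptions.

```php
<?php
// Added example, not nuBuilder code. NU_FIELD_KEY is a hypothetical
// environment variable holding a base64-encoded 32-byte key, set in the
// web server or PHP-FPM configuration rather than in the database.
function loadFieldKey(): string
{
    $b64 = getenv('NU_FIELD_KEY');
    $key = $b64 === false ? false : base64_decode($b64, true);
    if ($key === false || strlen($key) !== 32) {
        throw new RuntimeException('NU_FIELD_KEY must be a base64-encoded 32-byte key');
    }
    return $key;
}

function encryptField(string $plain, string $key): string
{
    $iv = random_bytes(12);                        // 96-bit nonce, new for every value
    $ct = openssl_encrypt($plain, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return base64_encode($iv . $tag . $ct);        // value stored in the column
}

function decryptField(string $stored, string $key): string
{
    $raw = base64_decode($stored, true);
    if ($raw === false || strlen($raw) < 28) {     // 12-byte nonce + 16-byte tag
        throw new RuntimeException('malformed ciphertext');
    }
    $iv  = substr($raw, 0, 12);
    $tag = substr($raw, 12, 16);
    $ct  = (string) substr($raw, 28);
    $plain = openssl_decrypt($ct, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($plain === false) {
        throw new RuntimeException('wrong key or modified ciphertext');
    }
    return $plain;
}

// Constructed demo: a throwaway key stands in for the deployed one.
putenv('NU_FIELD_KEY=' . base64_encode(random_bytes(32)));
$key    = loadFieldKey();
$stored = encryptField('constructed sample note', $key);
var_dump(decryptField($stored, $key) === 'constructed sample note');
```

A database dump then contains only the base64 ciphertext; the key lives in the web server's environment and has to be backed up and access-controlled separately.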
pbweb1969
Posts: 7
Joined: Sat Aug 08, 2020 12:13 pm

Re: easy encryption


fantastic!
Thanks a lot

will be making a regular monthly donation to this brilliant project