Reversing AES_ENCRYPT Difficulties - php

I am consistently receiving null whenever I try to reverse the cipher text that I store in a MySQL database through PHP.
The PHP code used to insert the data:
public function insertChildren($employeeID, $empData, $key, $childName, $childBirth, $childGender, $childSSN, $isStep, $isFoster, $isStudent, $isHandicap, $address) {
$conn = $this->connect('insurance');
$insertChildren = $conn->prepare('INSERT INTO dependent_children (emp_id, ssn, name, dob, gender, handicap, student, foster, step, address) VALUES (:emp_id, AES_ENCRYPT(:ssn, AES_ENCRYPT(:key, UNHEX(sha1(:empData)))), :name, :dob, :gender, :handicap, :student, :foster, :step, :address)');
$insertChildren->bindParam(":emp_id", $employeeID, PDO::PARAM_INT);
$insertChildren->bindParam(":name", $childName, PDO::PARAM_STR);
$insertChildren->bindParam(':dob', $childBirth, PDO::PARAM_STR);
$insertChildren->bindParam(':empData', $empData, PDO::PARAM_STR);
$insertChildren->bindParam(':gender', $childGender, PDO::PARAM_STR);
$insertChildren->bindParam(':key', $key);
$insertChildren->bindParam(':ssn', $childSSN, PDO::PARAM_LOB);
$insertChildren->bindParam(':handicap', $isHandicap, PDO::PARAM_STR);
$insertChildren->bindParam(':student', $isStudent, PDO::PARAM_STR);
$insertChildren->bindParam(':foster', $isFoster, PDO::PARAM_STR);
$insertChildren->bindParam(':step', $isStep, PDO::PARAM_STR);
$insertChildren->bindParam(':address', $address, PDO::PARAM_STR);
$insertChildren->execute();
}
The SQL query that I thought would reverse it:
SELECT CAST(AES_DECRYPT(ssn, AES_DECRYPT('/ same random hexadecimal key bound in the php statement / ', unhex(sha1('1234')))) AS CHAR(50)) from dependent_children
Please note 1234 is the value that should be bound to the empData field in the PHP. I thought the latter query would correctly decrypt the first, but such is the case. Instead, I receive null. I am sure it is something simple, but I have not been able to locate the error source. Thanks so much!

Related

Someone kindly help me here: SQLSTATE[HY093]: Invalid parameter number: number of bound variables does not match number of tokens

public function register($uname,$age,$sex,$image,$dpart,$joind,$job,$uposition,$phone,$umail,$upass,
$unumber,$address,$nssf,$bank,$passp,$home,$village,$nation,$permit)
{
try
{
$new_password = password_hash($upass, PASSWORD_DEFAULT);
$stmt = $this->conn->prepare("INSERT INTO users(user_name,birth,gender,image,job_title,curr_position,telephone,department,joining_date,user_email,user_pass,box_number,residence,nssf_number,bank_account,passport_number,home_district,village,nationality,work_permit)
VALUES(:uname,:age,:sex,:image,:dpart,:joind,:job,:uposition,:phone,:umail,:upass,:unumber,:nssf,:bank,:passp,:home,:village,:nation,:permit)");
$stmt->bindparam(":uname",$uname);
$stmt->bindparam(":age",$age);
$stmt->bindparam(":sex",$sex);
$stmt->bindparam(":image",$image);
$stmt->bindparam(":dpart",$dpart);
$stmt->bindparam(":joind",$joind);
$stmt->bindparam(":job",$job);
$stmt->bindparam(":uposition",$uposition);
$stmt->bindparam(":phone",$phone);
$stmt->bindparam(":umail",$umail);
$stmt->bindparam(":upass",$new_password);
$stmt->bindparam(":unumber",$unumber);
$stmt->bindparam(":address",$address);
$stmt->bindparam(":nssf",$nssf);
$stmt->bindparam(":bank",$bank);
$stmt->bindparam(":passp",$passp);
$stmt->bindparam(":home",$home);
$stmt->bindparam(":village",$village);
$stmt->bindparam(":nation",$nation);
$stmt->bindparam(":permit",$permit);
$stmt->execute();
return $stmt;
}
catch(PDOException $e)
{
echo $e->getMessage();
}
}

I'm posting this as a community wiki answer, since there shouldn't be any rep from this, nor do I want rep from it; given an answer that can't determine which one is missing.
It's the one for $stmt->bindparam(":address",$address); that is missing in the VALUES().
Also make sure that all variables do contain value.
PHP's error reporting will be of help:
http://php.net/manual/en/function.error-reporting.php
Side note: Using a code editor that automatically finds matching words when double-clicked and using the same naming convention would have helped you greatly.
One (free) of which that has option, is Notepad++.

Your sql statement is inconsistent: the table columns and the values
to insert don't correspond. For example, in a curr_position field
you are trying to insert a value of :joind, etc.
Also, in terms of number, the columns and the values to insert don't
coincide: 19 values to insert in 20 fields.
Recommendations:
My recommendation would be to always use column names for the marker names. Then you know exactly to which markers you are inserting the corresponding values.
NB: Markers: "...VALUES (:marker1, :marker2, ...);".
You should also define the type of input parameteres that you are binding. Example:
$stmt->bindparam(":age", $age, PDO::PARAM_INT);
Try to maintain some consistency between the function parameters and the field names, if it's possible and... makes sense.
My code proposal would look like this:
<?php
public function register(
$userName
, $birth
, $gender
, $image
, $jobTitle
, $currPosition
, $telephone
, $department
, $joiningDate
, $userEmail
, $userPass
, $boxNumber
, $residence
, $nssfNumber
, $bankAccount
, $passportNumber
, $homeDistrict
, $village
, $nationality
, $workPermit
) {
try {
$newUserPassword = password_hash($userPass, PASSWORD_DEFAULT);
$stmt = $this->conn->prepare('INSERT INTO users (
user_name,
birth,
gender,
image,
job_title,
curr_position,
telephone,
department,
joining_date,
user_email,
user_pass,
box_number,
residence,
nssf_number,
bank_account,
passport_number,
home_district,
village,
nationality,
work_permit
) VALUES (
:user_name,
:birth,
:gender,
:image,
:job_title,
:curr_position,
:telephone,
:department,
:joining_date,
:user_email,
:user_pass,
:box_number,
:residence,
:nssf_number,
:bank_account,
:passport_number,
:home_district,
:village,
:nationality,
:work_permit
)');
$stmt->bindparam(":user_name", $userName, PDO::PARAM_STR);
$stmt->bindparam(":birth", $birth, PDO::PARAM_INT);
$stmt->bindparam(":gender", $gender, PDO::PARAM_STR);
$stmt->bindparam(":image", $image, PDO::PARAM_STR);
$stmt->bindparam(":job_title", $jobTitle, PDO::PARAM_STR);
$stmt->bindparam(":curr_position", $currPosition, PDO::PARAM_STR);
$stmt->bindparam(":telephone", $telephone, PDO::PARAM_STR);
$stmt->bindparam(":department", $department, PDO::PARAM_STR);
$stmt->bindparam(":joining_date", $joiningDate, PDO::PARAM_STR);
$stmt->bindparam(":user_email", $userEmail, PDO::PARAM_STR);
$stmt->bindparam(":user_pass", $newUserPassword, PDO::PARAM_STR);
$stmt->bindparam(":box_number", $boxNumber, PDO::PARAM_INT);
$stmt->bindparam(":residence", $residence, PDO::PARAM_STR);
$stmt->bindparam(":nssf_number", $nssfNumber, PDO::PARAM_INT);
$stmt->bindparam(":bank_account", $bankAccount, PDO::PARAM_STR);
$stmt->bindparam(":passport_number", $passportNumber, PDO::PARAM_STR);
$stmt->bindparam(":home_district", $homeDistrict, PDO::PARAM_STR);
$stmt->bindparam(":village", $village, PDO::PARAM_STR);
$stmt->bindparam(":nationality", $nationality, PDO::PARAM_STR);
$stmt->bindparam(":work_permit", $workPermit, PDO::PARAM_STR);
$stmt->execute();
return $stmt;
} catch (PDOException $e) {
echo $e->getMessage();
}
}
Good luck!

Thank you all for your efforts and input i figured out the problem actually was this one:
$stmt->bindParam("userPass", $newUserPassword, PDO::PARAM_STR);
which had to be changed to this:
$stmt->bindParam("userPass", $userPass, PDO::PARAM_STR);
I was trying to use a parameter that i had not defined all because i di this:
$newUserPassword = password_hash($userPass, PASSWORD_DEFAULT);
So I thought of replacing it in the bindParameters....Hope it helps other!

Cant write data to database

I have spent hours of troubleshooting trying to find the error but I, for the life of me, can not find it.
I am trying to insert data into my mysql database and it will not work.
I get no error, and dont know how I would modify my code to get one.
This is my PHP code:
// write new users data into database
$query_new_user_insert = $this->db_connection->prepare('INSERT INTO users (user_name, user_first, user_last, user_icon, user_password_hash, user_email, user_activation_hash, user_registration_ip, user_registration_datetime) VALUES(:user_name, :user_first, :user_last, :user_icon, :user_password_hash, :user_email, :user_activation_hash, :user_registration_ip, now())');
$query_new_user_insert->bindValue(':user_name', $user_name, PDO::PARAM_STR);
$query_new_user_insert->bindValue(':user_first', $user_first, PDO::PARAM_STR);
$query_new_user_insert->bindValue(':user_last', $user_last, PDO::PARAM_STR);
$query_new_user_insert->bindValue(':user_icon', $user_icon, PDO::PARAM_STR);
$query_new_user_insert->bindValue(':user_password_hash', $user_password_hash, PDO::PARAM_STR);
$query_new_user_insert->bindValue(':user_email', $user_email, PDO::PARAM_STR);
$query_new_user_insert->bindValue(':user_activation_hash', $user_activation_hash, PDO::PARAM_STR);
$query_new_user_insert->bindValue(':user_registration_ip', $_SERVER['REMOTE_ADDR'], PDO::PARAM_STR);
$query_new_user_insert->execute();
When I executed the above code, getting this error:
array (size=3)
0 => string '00000' (length=5)
1 => null
2 => null
What's the error mean and how can I fix it?
I'm not sure what else you would need for code so if there is another portion you want, let me know.

I have figured out the problem. My sql database didn't have default values for the rows that weren't being submitted.

Add the following line of code
define("HASH_COST_FACTOR", "10");
To support the code
$hash_cost_factor = (defined('HASH_COST_FACTOR') ? HASH_COST_FACTOR : null);

filtered/sanitised form textarea causes MySQL insert to fail

I'm using the below prepared statement to submit data from a form via post
the user data has been filtered and sanitised. using PHP filter functions However the insert into MySQL fails on inserting the "Address" value which comes from a text area form input. I've tried various versions of the data and it seems that any input with newlines "\n\t\r" fails as well as their HTML encoded equivalents. I didn't think these were problamatic for MySQL? Am I missing the obvious?
Thanks
PS follows:
//DB_Connection
$SP1 = 'call account_register(:Title, :Name, :Surname, :Email, :Mobile, :Password, :Status, :LoginIP, :Token, :TokenExpiry, :Company, :BuildingNumber, :Address, :Street, :City, :County, :PostCode, :ReturnStatus)';
$Statement = $DBConnection->prepare($SP1);
#Bind parameters
$Statement->bindParam(':Title', $_UserData['Title'], PDO::PARAM_STR);
$Statement->bindParam(':Name', $_UserData['Name'], PDO::PARAM_STR);
$Statement->bindParam(':Surname', $_UserData['Surname'], PDO::PARAM_STR);
$Statement->bindParam(':Email', $_UserData['Email'], PDO::PARAM_STR);
$Statement->bindParam(':Mobile', $_UserData['Mobile'], PDO::PARAM_STR);
$Statement->bindParam(':Password', $_UserData['Password'], PDO::PARAM_LOB);
$Statement->bindParam(':Status', $_UserData['UserStatus'], PDO::PARAM_INT);
$Statement->bindParam(':LoginIP', $_UserData['LoginIP'], PDO::PARAM_STR);
$Statement->bindParam(':Token', $_UserData['ActivationToken'], PDO::PARAM_LOB);
$Statement->bindParam(':TokenExpiry', $_UserData['TokenExpiry'], PDO::PARAM_STR);
$Statement->bindParam(':Company', $_UserData['Company'], PDO::PARAM_STR);
$Statement->bindParam(':BuildingNumber', $_UserData['BuildingNumber'], PDO::PARAM_STR);
//$Statement->bindParam(':Address', $_UserData['Address'], PDO::PARAM_STR);
//$Address = 'line 1
line 2'; //This is the value of $_USERData after using FILTER_SANITIZE_SPECIAL_CHARS insert fails
//$Address = 'Line 1'; //after changing the value of the $_UserData to this the insert is successful
//$Address = 'line 1
line 2'; //After extracting from the $_UserData This fails
$Address = 'Line 1
line 2
line 3'; //This fails. I thought newlines were ok?
$Statement->bindParam(':Address', $Address, PDO::PARAM_STR);
$Statement->bindParam(':Street', $_UserData['Street'], PDO::PARAM_STR);
$Statement->bindParam(':City', $_UserData['City'], PDO::PARAM_STR);
$Statement->bindParam(':County', $_UserData['County'], PDO::PARAM_STR);
$Statement->bindParam(':PostCode', $_UserData['PostCode'], PDO::PARAM_STR);
$ReturnStatus = null; //Return variable for SP must be defined
$Statement->bindParam(':ReturnStatus', $ReturnStatus, PDO::PARAM_INT | PDO::PARAM_INPUT_OUTPUT, 1);
$Statement->execute();

Well finally got to the bottom of the problem. retyping the line calling the SP solved it.
I do copy and paste a lot so maybe some miscellaneous unprintable chars got in that line. That's the only thing I can think as my retype is exactly the same...

Is there a function with PDO mixing integer and string together?

Does anyone knows is there a function/statement that mix integer and string together at the end of bindParam PDO::PARAM_ ..here is an example:
$stmt = $dbc->prepare("INSERT INTO names (user_name, user_pass) VALUES (?, ?))";
$stmt->bindParam(1, $name, PDO::PARAM_STR);
$stmt->bindParam(2, $pass, PDO:: ????);
As you see its for the password. And as you know some people use a mixed password with numbers and alphabetics.

PDO prepared statement and bindValues from an array

I have the following block of code in a PDO statement:
$stmt = $db->prepare("INSERT INTO first_page_data (title, first_name, surname, phone, email, add1, add2, add3, add4, add5) VALUES(?,?,?,?,?,?,?,?,?,?)");
$stmt->bindValue(1, $_POST['title'], PDO::PARAM_STR);
$stmt->bindValue(2, $_POST['first_name'], PDO::PARAM_STR);
$stmt->bindValue(3, $_POST['surname'], PDO::PARAM_STR);
$stmt->bindValue(4, $_POST['phone'], PDO::PARAM_INT);
$stmt->bindValue(5, $_POST['email'], PDO::PARAM_STR);
$stmt->bindValue(6, $_POST['add1'], PDO::PARAM_STR);
$stmt->bindValue(7, $_POST['add2'], PDO::PARAM_STR);
$stmt->bindValue(8, $_POST['add3'], PDO::PARAM_STR);
$stmt->bindValue(9, $_POST['add4'], PDO::PARAM_STR);
$stmt->bindValue(10, $_POST['add5'], PDO::PARAM_STR);
$stmt->execute();
$_SESSION['buyer_email'] = $_POST['email'];
Can these parameters (title, first_name, etc) be put into the bindValues using an array and a for each loop? I can get the prepare statement working by just having an array containing the titles but cant seem to get the variable names inside the $_POST values. It would save quite a few lines of code, but I cant quite get there!
The following is the array im using in the prepared statement that I want to use in the bind value loop:
$first = array('title','first_name','surname','phone','email','add1','add2','add3','add4','add5');

Just simply loop over $first and call bindValue for each one.
foreach($first as $key=>$val){
$stmt->bindValue($key+1, $_POST[$val], PDO::PARAM_STR);
}

Or you can use it like this:
$stmt = $db->prepare("INSERT INTO first_page_data (title, first_name, surname, phone, email, add1, add2, add3, add4, add5) VALUES(?,?,?,?,?,?,?,?,?,?)");
$stmt->execute($array);
The array would be like:
$array = array($_POST['title'],$_POST['first_name']);
or if you have the correct order already just
$array = $_POST;

Categories