encrypt / decrpt all form fields?

peaAYCHpee

I'm not working on the actual code yet, i'm just not sure if what i want to do is possible, but here goes.
I'm creating a form with user registration input fields.
Name email, password, mobile number, etc etc.

Currently it's standard practice to use 'type=password' for only the password field to make the password field show up as dots and be encrypted.

So i need to know if type=password just hides the display of the text type or is it a part of the encryption of the password itself?
Lines of code where the mysql command encrypts the data are coming to mind, but i'm not familiar enough yet to know for certain.

Later on in the site development it will pull the encrypted name, or email, or whatever and decrypt it for display on html pages or whatever else i'll use it for.

The idea is very tight security in case the database is compromised.
my understanding is that if a database with user registration information is compromised, the password field will be secure, but the other data, being plain text, will be vulnerable to malicious eyes.

Last question, is there an easier way to achieve this goal? i've googled and haven't found anything. it doesn't seem to be anything that anyones ever done before, or if it has, i'm not googling properly to find it.

NogDog

type='password' does not do any encryption of the post data, it only affects the display in the browser.

If you want to protect the form data while being transferred from browser to server, you should get an SSL certificate and enforce a https connection to the form-handler on the server.

If you want to encrypt any data in the database, MySQL provided a number of encryption functions you can use. Passwords are typically "hashed" rather than encrypted, with the idea that hashes are intended to be "one-way encryption" (not supposed to be decrypted, though anything can ultimately be decrypted with enough processing power and time). If you do encrypt any fields, then you need to consider where/how you store the encryption/decryption key(s).

peaAYCHpee

i do run the server with a self signed certificate right now, so the data is aes256 bit encrypted.
So i could actually just make another ssl key and encrypt/decrypt with those keys, the same way i do for the port 443 traffic itself?

dagon

self signed certificates generally create security alerts in browsers, which tends to scare people of, therefore they are not worth their cost.

peaAYCHpee

dagon;10956948 wrote:
self signed certificates generally create security alerts in browsers, which tends to scare people of, therefore they are not worth their cost.

That i know as well, but thank you for that insight anyway.
i'm only creating this website for training and building purposes.
once it's complete to my satisfaction, i'll move on with ca certs

bradgrafelman

Also note that the "key" NogDog referred to above used in encrypting/decrypting the data on the server-side of things (e.g. in the database) has nothing to do with SSL or certificates.

peaAYCHpee

yeah, i'm figuring that out. I'm kinda biting off more than i can chew i think, because i am pretty new to php and servers. I'm running my own apache server on an ubuntu box. I mean, i have a good grasp on how to do the basics with php and ssl certs and things. But i remain determined to accomplish this. soon i'll finish my registration page and i'm eager to put it up for critique.
thanks for the reply 🙂