Encrypting and decrypting strings is a common requirement in PHP applications, especially when dealing with sensitive data like passwords or personal information. Encryption is the process of converting plaintext data into a secure format, while decryption is the process of converting the encrypted data back to its original form. In this tutorial, you will learn how to encrypt and decrypt a PHP string using various methods.
Using PHP openssl_encrypt() and openssl_decrypt() Functions
PHP provides the openssl_encrypt() and openssl_decrypt() functions to handle encryption and decryption. These functions use the OpenSSL library, which is a widely-used and secure cryptography library.
Encryption with openssl_encrypt(): Here’s an example of how to encrypt a string using openssl_encrypt():
$data = "Sensitive information";
$encryptionMethod = "AES-256-CBC";
$secretKey = "MySecretKey"; // Replace with your secret key
$iv = random_bytes(16); // Generate a random IV (Initialization Vector)
$encryptedData = openssl_encrypt($data, $encryptionMethod, $secretKey, 0, $iv, $tag);In this example:
$datais the plaintext string that you want to encrypt.$encryptionMethodspecifies the encryption algorithm and mode, commonly using AES-256-CBC.- Replace
$secretKeywith your secret key and ensure it remains secure. - Keep
$ivsecure as it is a random initialization vector.
Decryption with openssl_decrypt(): To decrypt the encrypted data, use openssl_decrypt()
$decryptedData = openssl_decrypt($encryptedData, $encryptionMethod, $secretKey, 0, $iv, $tag);
echo $decryptedData;In this example, $encryptedData is the encrypted string. The $encryptionMethod and $secretKey must match the values used for encryption. $iv is the same initialization vector used during encryption.
Note: Keep the secret key and initialization vector secure. They are critical for both encryption and decryption. Be cautious when storing or transmitting the secret key and IV.
Using password_hash() and password_verify()
For securely storing and verifying user passwords, PHP provides the password_hash() and password_verify() functions, which use bcrypt, a strong password hashing algorithm. Here’s an example of how to hash a string using password_hash():
$password = "SecurePassword";
// Hash the password using bcrypt
$hashedPassword = password_hash($password, PASSWORD_BCRYPT);
echo $hashedPassword;Verifying a password using password_verify():
$enteredPassword = "SecurePassword"; // The user's entered password
// Verify the entered password against the hashed password
if (password_verify($enteredPassword, $hashedPassword)) {
echo "Password is correct.";
} else {
echo "Password is incorrect.";
}In this example, password_verify() compares the entered password with the stored hashed password.
Using the Libsodium Library to Encrypt & Decrypt a String
If you prefer a more comprehensive cryptographic library, you can use Libsodium, a modern, easy-to-use software library for encryption, decryption, signatures, password hashing, and more. Libsodium is not included in the PHP core, so you’ll need to install it separately.
Here’s an example of how to use Libsodium for encryption and decryption:
// Load the Libsodium library
if (extension_loaded('sodium')) {
sodium_crypto_secretbox_keygen();
$message = "Secret message";
// Encrypt the message
$nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
$key = sodium_crypto_secretbox_keygen();
$ciphertext = sodium_crypto_secretbox($message, $nonce, $key);
// Decrypt the message
$decryptedMessage = sodium_crypto_secretbox_open($ciphertext, $nonce, $key);
echo $decryptedMessage;
} else {
echo "Libsodium is not installed.";
}