How To Encrypt and Decrypt a String In PHP

Encrypting and decrypting strings is a common requirement in PHP applications, especially when dealing with sensitive data like passwords or personal information. Encryption is the process of converting plaintext data into a secure format, while decryption is the process of converting the encrypted data back to its original form. In this tutorial, you will learn how to encrypt and decrypt a PHP string using various methods.

Using PHP openssl_encrypt() and openssl_decrypt() Functions

PHP provides the openssl_encrypt() and openssl_decrypt() functions to handle encryption and decryption. These functions use the OpenSSL library, which is a widely-used and secure cryptography library.

Encryption with openssl_encrypt(): Here’s an example of how to encrypt a string using openssl_encrypt():

$data = "Sensitive information";
$encryptionMethod = "AES-256-CBC";
$secretKey = "MySecretKey"; // Replace with your secret key
$iv = random_bytes(16); // Generate a random IV (Initialization Vector)

$encryptedData = openssl_encrypt($data, $encryptionMethod, $secretKey, 0, $iv, $tag);

In this example:

  • $data is the plaintext string that you want to encrypt.
  • $encryptionMethod specifies the encryption algorithm and mode, commonly using AES-256-CBC.
  • Replace $secretKey with your secret key and ensure it remains secure.
  • Keep $iv secure as it is a random initialization vector.

Decryption with openssl_decrypt(): To decrypt the encrypted data, use openssl_decrypt()

$decryptedData = openssl_decrypt($encryptedData, $encryptionMethod, $secretKey, 0, $iv, $tag);

echo $decryptedData;

In this example, $encryptedData is the encrypted string. The $encryptionMethod and $secretKey must match the values used for encryption. $iv is the same initialization vector used during encryption.

Note: Keep the secret key and initialization vector secure. They are critical for both encryption and decryption. Be cautious when storing or transmitting the secret key and IV.

Using password_hash() and password_verify()

For securely storing and verifying user passwords, PHP provides the password_hash() and password_verify() functions, which use bcrypt, a strong password hashing algorithm. Here’s an example of how to hash a string using password_hash():

$password = "SecurePassword";

// Hash the password using bcrypt
$hashedPassword = password_hash($password, PASSWORD_BCRYPT);

echo $hashedPassword;

Verifying a password using password_verify():

$enteredPassword = "SecurePassword"; // The user's entered password

// Verify the entered password against the hashed password
if (password_verify($enteredPassword, $hashedPassword)) {
    echo "Password is correct.";
} else {
    echo "Password is incorrect.";

In this example, password_verify() compares the entered password with the stored hashed password.

Using the Libsodium Library to Encrypt & Decrypt a String

If you prefer a more comprehensive cryptographic library, you can use Libsodium, a modern, easy-to-use software library for encryption, decryption, signatures, password hashing, and more. Libsodium is not included in the PHP core, so you’ll need to install it separately.

Here’s an example of how to use Libsodium for encryption and decryption:

// Load the Libsodium library
if (extension_loaded('sodium')) {

    $message = "Secret message";

    // Encrypt the message
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $key = sodium_crypto_secretbox_keygen();
    $ciphertext = sodium_crypto_secretbox($message, $nonce, $key);

    // Decrypt the message
    $decryptedMessage = sodium_crypto_secretbox_open($ciphertext, $nonce, $key);

    echo $decryptedMessage;
} else {
    echo "Libsodium is not installed.";

Leave a Reply

Your email address will not be published. Required fields are marked *

We use cookies to ensure that we give you the best experience on our website. Privacy Policy