Worth mentioning: if you anyhow delete or change your APP_KEY you will never be able to restore any encrypted data, since the same key is used to decrypt it. So be careful.
Great insight, Alex. This is critical. I understand changing the APP_KEY doesn't impact your password encryption and that it only affects those fields you have encrypted separately. APP_KEY rotation would be a great tutorial! Thanks, Laravel Daily. Really good stuff.
To avoid this, or in case you forgot to back it up anywhere, we can simply store it under .env.example; I think that's good enough for any developer who will take the project over.
Thank you, informative as always!
A quick note here: passwords are "hashed" and not "encrypted".
You cannot recover the plain password from its hash (hashing is a one-way operation) and it does not make use of any keys (so passwords will NOT be lost if you changed/lost your APP_KEY),
whereas encryption is a two-way operation (encrypt and decrypt using the same key), hence any encrypted piece of data will be lost if you changed/lost your APP_KEY.
I really learn everyday new things from you. Thank you for sharing your knowledge. Let us buy the membership.
To be able to log in and store an encrypted email address, you can add an email_hashed column, for example.
upd. And rewrite login routine )
Safer to use one-way hashing with bcrypt for passwords. Useful demo for other fields.
For older versions, I used get/setXAttribute accessors and mutators and the encrypt and decrypt helpers.
For the accessor/get, I would
return $value ? decrypt($value) : '';
so that an empty value would not break the decryption process.
For the mutator/set, I would use
$this->attributes['field_name'] = $value ? encrypt($value) : '';
so that an empty value would not break the decryption process. Also note that this is single equals, as it is assigning and seeing if the assigned value is non-falsy/not empty.
So I am working on a project in which some columns were encrypted in PHP with an encryption key. I am trying to move the web app to Laravel, but I keep getting a "payload is invalid" error when I try to fetch data from this column using Laravel. I am not sure if I am doing something wrong.
For GDPR security concerns, I did encrypt the e-mail field and I am using the username field for authentication purposes. So now in case of database leakage my database won't provide e-mails to hackers.
Good security measure. Of course, usernames are less convenient for the customers, they need to remember some additional username, but hey, you have to sacrifice something.
database leakage has nothing to do with GDPR
@alexaverkiyev9099 Just by solely looking at my users table, you cannot determine whose data you are looking at, and this is the magic. You can only know personal information within the Laravel app. And GDPR does consider personal emails, and firstname.lastname@company.com type e-mails, personal data. So in case of a data leakage incident, you would have to report it to the GDPR regulator authority within 72 hours.
Great vid. Hopefully you can create one on how to search encrypted fields.
Thanks sir, I really need this for my project... I'm on a deadline, big thanks sir...
Thank you! Very useful information.
Great Video! Learned a lot, thank you very much.
Congratulations on the video... but in my case I would like to have an encrypted field on which it would still be possible to perform a search later... any package that can do this? Thanks.
Not really. Generally, you choose to either encrypt, or search. Not both.
Fantastic! Fantastic! Fantastic! Thank you so much for that information...I love Laravel
Depending on the sensitivity of the data, you may want to spin up a separate decrypting service unavailable from the world, preferably on another physical machine and with quite strict rate limiting, so your main service can't leak the key. Of course, if you're using symmetric encryption you need to do both things externally; with asymmetric encryption you can keep the encryption in the main API.
This is amazing, it was really simple. Thanks
Great pull request and informative video about this... Can you make a video on how to make your application secure against various attacks? Maybe talk about the DevOps and application levels, and which best practices can be used.
I'm not an expert on this from the DevOps level.
Laravel in itself is secure enough with default features, but there may be a few "catches" to know; maybe I will shoot a video about them.
@LaravelDaily Absolutely it is not. When out of the box, remember to always strip {{}} {} tags from user input before adding anything to the database.
@xyzzyx348 Could you explain better? I did not understand that.
Due to the construction of Blade, you can easily inject JavaScript into the view and run it, just using {{}} tags in your input. Out of the box, you need to sanitize the input if you plan to use Laravel seriously.
I have an existing legacy database and I need to build a Laravel project using this database, but in the user table the passwords are encrypted with another type rather than bcrypt, so I want to know if there is a way to change checking the password with bcrypt to another type for login?
I think another side to this is: if you decide you need to use encryption on a particular field in your database then you should very carefully consider if you need to store that field at all.
Also, how to handle form validation with exists (or unique)?
Thanks teacher for sharing😘😘
Hello, how to encrypt data with Livewire? I try to encrypt the ID in Blade, but wire:click is not working. How can I solve this?
Nice and simple.
Just to clarify, a hidden field will ONLY be displayed when you specifically call it on the model.
So a JSON response doesn't display it, but a manually built API resource will?
Yes, I think so
I'd be interested to see how you'd encrypt URL parameters. The Laravel inbuilt Crypt class makes the string too long, which is inconvenient for URLs.
I have used the Crypt facade and get/set mutators to do this. Is this the same, or is it more secure to use casting?
It's the same.
Hi Dear, I need a tutorial on Livewire security and public property security, and please also mention preventing IDOR.
What IDE did you use? Plsss???!
Hello,
I have a question about encryption. Is there a better way to search on an encrypted database value (I have DataTables installed as a framework)? I'm currently getting all the data and searching in the collection. That is quite memory and time expensive. Maybe someone or LaravelDaily has a better solution for this problem. :-)
As I mentioned in this video, if the field is encrypted, there's NO way to search it. The only way is to do it like you do, to get all the data and use collection.
Great, thanks!
My "2 cents" question:
And what happens if the APP_KEY is lost or accidentally deleted? Or .env recompiled?
You're screwed then.
Nice feature
Hi Sir, may I ask how to configure SQL Server Always Encrypted in Laravel? What is the configuration for this? APPRECIATE THE ANSWER. THANK YOU!
I don't work with SQL Server, sorry
Thanks, but how can we decrypt data inside selectRaw?
thank you for this lesson 💕👍
Any suggestions for adding encryption to existing applications after data is already in the DB? I'm thinking that a migration file that just decrypts all of the current records for that field would be the way to go.
Yes I would do it with migration, too
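A migration of the kind discussed in this exchange, as an added example that is not from the video or the comments. It encrypts an existing plaintext column in the same format the `encrypted` cast reads (encryptString, no PHP serialisation), and the same migration re-encrypts rows after an APP_KEY change if the previous key is supplied. Assumptions: the column is already TEXT, the table and column names are constructed, and OLD_APP_KEY is a hypothetical env variable name, left unset when the data is still plaintext.

```php
<?php
// Added example, not from the video or the comments. Encrypts an existing plaintext
// column, or re-encrypts it under the current APP_KEY when OLD_APP_KEY (hypothetical
// env name) holds the previous key. Column "phone" on "users" is a constructed name.

use Illuminate\Contracts\Encryption\DecryptException;
use Illuminate\Database\Migrations\Migration;
use Illuminate\Encryption\Encrypter;
use Illuminate\Support\Facades\Crypt;
use Illuminate\Support\Facades\DB;

return new class extends Migration
{
    public function up(): void
    {
        $old = $this->oldEncrypter();
        DB::table('users')->orderBy('id')->chunkById(500, function ($rows) use ($old) {
            foreach ($rows as $row) {
                $stored = $row->phone;
                if ($stored === null || $stored === '') {
                    continue; // nothing to protect; keep empty values empty
                }
                if ($this->decrypts(Crypt::getFacadeRoot(), $stored)) {
                    continue; // already valid under the current key, so the migration can be re-run
                }
                // During rotation decryptString() throws if the row fits neither key:
                // aborting loudly is better than silently double-encrypting a row.
                $plain = $old ? $old->decryptString($stored) : $stored;
                DB::table('users')->where('id', $row->id)
                    ->update(['phone' => Crypt::encryptString($plain)]);
            }
        });
    }

    private function oldEncrypter(): ?Encrypter
    {
        $key = env('OLD_APP_KEY');
        if (! $key) {
            return null;
        }
        // .env stores the key as "base64:..."; the Encrypter wants the raw bytes
        $raw = strpos($key, 'base64:') === 0 ? base64_decode(substr($key, 7)) : $key;
        return new Encrypter($raw, config('app.cipher'));
    }

    private function decrypts(Encrypter $encrypter, string $payload): bool
    {
        try {
            $encrypter->decryptString($payload);
            return true;
        } catch (DecryptException $e) {
            return false; // "payload is invalid" or "MAC is invalid": not ours, or another key
        }
    }
};
```

No down() is defined on purpose: writing plaintext back into the table should be a separate, deliberate migration rather than a rollback side effect.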
I am wondering about the encryption of API response data and the decryption of data in the client application. Can anyone help me with this, and why API responses are not in a readable format? For example, if we explore the API in the network tab (e.g. on Facebook), most of the API responses are not in readable form.
Question: does this work with incrementing values like ID? just what if.
No, DB type should be TEXT
Hello, i have a question.
I want to encrypt my source code for my laravel project any recommendations?
Don't do it
Can you make a short video showing how to get recently viewed products to show for guests by session, please, for e-commerce.
Not sure what the problem is here. Every time on a visit you put the variable of the product ID into the session. And then when you need that variable you get it from the session. Not worth a video.
@LaravelDaily What is the right way? Because I tried it but it does not work.
Push()->session()
What is that syntax push()->session()? I've never seen it.
Please read the official docs: laravel.com/docs/8.x/session
In theory you should be able to encrypt the email, it's just that you'd have to change the querying (or the form request) to include the encryption of the email before comparison.
In theory. In practice, it doesn't work this way. It works with hashing passwords, but not encryption
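The email_hashed column suggested in an earlier comment ("To be able to log in and store an encrypted email address, you can add an email_hashed column" plus "rewrite login routine"), worked through as an added example that is not from the video or the comments; it also shows why the in-theory approach in this last exchange fails in practice. Assumed column names: email (TEXT, encrypted cast) and email_hash (CHAR(64), unique index).

```php
<?php
// Added example, not from the video or the comments. Crypt uses a fresh random IV on
// every call, so the same address encrypts differently each time and
// WHERE email = encrypt($input) never matches. A keyed HMAC of the normalised address
// is deterministic, so it can carry a unique index and be looked up, while the address
// itself stays encrypted. Columns email and email_hash are assumed names.

namespace App\Models;

use Illuminate\Foundation\Auth\User as Authenticatable;
use Illuminate\Support\Facades\Auth;

class User extends Authenticatable
{
    protected $casts = ['email' => 'encrypted'];
    protected $hidden = ['password', 'remember_token', 'email_hash'];

    // Blind index: same input gives the same output, but it cannot be reversed or
    // precomputed from a guess list without APP_KEY (a plain sha256 could be).
    public static function hashEmail(string $email): string
    {
        return hash_hmac('sha256', strtolower(trim($email)), config('app.key'));
    }

    protected static function booted(): void
    {
        // Recompute the index on every save; $user->email is already the decrypted
        // value here because of the cast, and the HMAC is cheap.
        static::saving(function (self $user) {
            $user->email_hash = $user->email === null ? null : self::hashEmail($user->email);
        });
    }

    // Login, shown as a static helper for brevity: look the user up by the index, then
    // let Laravel verify the bcrypt password hash. Every credential key except
    // "password" becomes a WHERE clause, so no custom user provider is needed.
    public static function attemptLogin(string $email, string $password): bool
    {
        return Auth::attempt([
            'email_hash' => self::hashEmail($email),
            'password'   => $password,
        ]);
    }
}

// For the exists/unique validation question above: validate on the index, not the
// ciphertext, e.g. in a FormRequest:
//
//     protected function prepareForValidation(): void
//     {
//         $this->merge(['email_hash' => User::hashEmail($this->input('email', ''))]);
//     }
//     // rules(): 'email_hash' => ['unique:users,email_hash']
```

Exact-match lookup is all this gives: partial or LIKE searches on the encrypted field remain impossible, as the video says.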
Great tutorial.
But what if I lost the app key? Is it recoverable?
Nope.
no
Thanks.
Is it searchable at the controller level? If I type a select query in the controller, is it going to work?!
No
Not sure about this. The issue comes when you accidentally regenerate the app key.
Hi sir, I want to ask about multi-tenancy on traits:
why is multi-tenancy not working on the User model, but on other models it works?
Can you help me?
If you use traits for multi-tenancy, maybe your user model doesn't use that trait? But generally, multi-tenancy for users is a specifically hard case and may need a custom solution. Hard to answer in a short comment, without a code example.
@LaravelDaily Thanks for this answer. By the way, do you have a Discord channel for discussion?
No I don't have that much time available to participate also on Discord.
@LaravelDaily I think a Discord community will help a lot.
@LaravelDaily Ohh, thank you.
Is it true that the password encryption is done with a different method? And is it possible to change the encryption algorithm or this mutator?
I think they all use bcrypt() by default. But it's configurable in config/app.php from what I remember. Read the docs: laravel.com/docs/8.x/encryption
Password encryption is different: there's no encryption of the password, it is its hash.
You cannot decrypt a password, only brute-force it.
Is there any way to search an encrypted field?
No
Great 👍
You are awesome
When I generate a new app key it doesn't work... Laravel should think about it too: when generating a new app key we should still be able to fetch the data... without any error... the #The_MAC_is_invalid exception should not come...
Please make a video on encrypted email and password login.
What about searching those fields?
It's not possible
But if hackers got access to the server, can they decrypt it?
If they get access to all the files, then yes
I think Laravel should consider encrypted email in their auth, because in some countries there are laws that require personal information to be encrypted, i.e. email, phone no., username, name, etc. Now I don't know at what level Laravel encrypts the data: is it on the PHP side or the database side? Because in my experience I am able to make an authentication with an encrypted email using the MySQL aes_encrypt and aes_decrypt functions.
You can suggest that idea via the official Laravel GitHub. But I don't think it would be supported, as it's a huge job to change the auth to support this, with performance issues as well.
Whatever happened to your teachable courses? Those haven’t been updated in a while.
I've released a new course about GraphQL just yesterday!
The older courses - I'm planning to update them when Laravel 9 comes out in January 2022.