I was trying to use the Paypal PHP SDK and I noticed a warning that says I should encrypt my API username and password for use in production environments. I do agree on this statement, but I'm wondering how I should go about doing that. I currently have no clue.
Here's what the warning says, just for the record:
Do not embed plaintext credentials in your application code. Doing so is insecure and against best practices. Your API credentials must be handled securely. Please consider encrypting them for use in any production environment, and ensure that only authorized individuals may view or modify them.
Thanks in advance.
First, set an encryption key:
$key = 'yourpasswordhere';
$string = ' confidential information here '; // note the spaces
Encrypt it on DB entry or from another file and only store the encrypted string in the file itself:
$encrypted = base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, md5($key), $string, MCRYPT_MODE_CBC, md5(md5($key))));
var_dump($encrypted); // "ey7zu5zBqJB0rGtIn5UB1xG03efyCp+KSNR4/GAv14w="
Decrypt it later:
$decrypted = rtrim(mcrypt_decrypt(MCRYPT_RIJNDAEL_256, md5($key), base64_decode($encrypted), MCRYPT_MODE_CBC, md5(md5($key))), "\0");
var_dump($decrypted); // " confidential information here "