Show/Hide Toolbars

Navigation: Using PHPRunner > Security

PHPrunner32x32     PHPRunner manual


Scroll Prev Next More


Encryption feature allows you to encrypt important data in the database such as credit card number or Social Security number. You need to select encryption method, enter encryption key and choose fields to be encrypted.

yellowbulbNote: Encryption feature is available only in the Enterprise Edition of PHPRunner. See Editions Comparison.


You can select database-based or code-based encryption method. Note that database-based encryption method is available only for MySQL, Oracle, PostgreSQL and MS SQL Server databases. Database-based method is recommended since some features will not work in case of code-based method: encrypted fields are not involved in the sorting and grouping, search suggest and search with all search operators other than Equal will not work etc. So make sure you encrypt really important data.

Database-based encryption

To use database-based encryption method in PostgreSQL module pgcrypto must be installed; in Oracle a user must be given the rights to the package SYS.DBMS_CRYPTO and Oracle version shall be 10 or higher; MySQL should be configured to support SSL.

Code-based encryption

To use PHP encryption, mcrypt extension needs to be enabled in php.ini (in PHP 5.3 and higher it is included in the distribution by default).

When using PHP encryption encrypted fields are not involved in sorting and grouping, search suggest and search with all search operators other than Equal will not work.

Encryption key

The encryption key length more than 10 characters is recommended. Use Generate button to generate a random key. You can encrypt only text fields. Since the encrypted value is much longer than source value (at least 2-3 times), you should choose fields with maximum length such as TEXT in MySQL or MEMO in MS Access.

yellowbulbNote: PHPRunner does not encrypt existing data. Encryption will be applied only to the add/edit operations.

yellowbulbNote: Once encrypted data are stored in the database you should not change the encryption type or key, also you can not cancel the encryption otherwise data will remain encrypted.

Example of how encrypted data are stored in the database and displayed in the application


Functions used for database-based encryption




MS SQL Server:

Encryption: EncryptByPassPhrase(), EncryptByKey()

Decryption: DecryptByPassPhrase(), DecryptByKey()


Encryption: DES_ENCRYPT(), AES_ENCRYPT()    



Encryption: pgp_sym_encrypt()

Decryption: pgp_sym_decrypt()

Functions used for code-based encryption:

PHPRunner uses DES or AES-128 encryption algorithm.

Encrypt existing values in the database

Before starting this procedure make a backup of the database. You may perform the encryption of existing values only once. Double encryption will cause problems and it is not possible to determine definitely whether the data was encrypted or not before the procedure.

To encrypt existing values in the database add following code to the List page: Before process event of your table:


Then run you List page that contains encrypted fields with ciphcoding=1 parameter, eg:


Once the data has been encrypted, it is necessary to delete the file ciphcoding.php in the output directory, remove the code from the List page: Before process event and re-upload application. We recommend to perform this procedure on the development machine or server without public access.

Decrypt custom query results

MySQL, AES encryption

$key variable should contain encryption key specified in PHPRunner on encryption screen.

//define encryption key

$sql = "SELECT cast(AES_DECRYPT(unhex(customer_name), '".$key."') as char) AS custname FROM customers_table WHERE id = 'CUST123'";    

$rs = CustomQuery($sql);

$data = db_fetch_array($rs);


echo $data["custname"];