fix(security): fix SQL injection in updatePaymetToPaid, OTP random_int, static IV encryption, storage mismatch

This commit is contained in:
Hamza-Ayed
2026-06-17 06:31:13 +03:00
parent 8c6dea5d96
commit 0ceb67ee56
7 changed files with 100 additions and 33 deletions


@@ -64,14 +64,25 @@ class EncryptionHelper
}
// ─── تشفير/فك تشفير Binary (صور، ملفات) ───────────────
// تُستخدم الـ GCM مع IV عشوائي (كما في encryptData)
public function encryptBinary(string $data): string
{
return openssl_encrypt($data, self::ALGO_CBC, $this->key, OPENSSL_RAW_DATA, $this->cbcIv);
$iv = random_bytes(self::IV_LEN_GCM);
$tag = '';
$encrypted = openssl_encrypt($data, self::ALGO_GCM, $this->key, OPENSSL_RAW_DATA, $iv, $tag, "", self::TAG_LEN);
return base64_encode($iv . $tag . $encrypted);
}
public function decryptBinary(string $data): string|false
{
return openssl_decrypt($data, self::ALGO_CBC, $this->key, OPENSSL_RAW_DATA, $this->cbcIv);
$raw = base64_decode($data, true);
if ($raw === false || strlen($raw) < self::IV_LEN_GCM + self::TAG_LEN) return false;
$iv = substr($raw, 0, self::IV_LEN_GCM);
$tag = substr($raw, self::IV_LEN_GCM, self::TAG_LEN);
$cipher = substr($raw, self::IV_LEN_GCM + self::TAG_LEN);
return openssl_decrypt($cipher, self::ALGO_GCM, $this->key, OPENSSL_RAW_DATA, $iv, $tag);
}
// --------- دوال الـ Padding للـ CBC ----------