DeepSource
Dashboard Resources Pricing Discover Directory Log in

Run your first analysis.

Find thousands of code security and quality issues in your codebase, before they end up in production.

Start now
PHP

PHP

Made by DeepSource
Use Analyzer

Audit required: Use of an insecure cipher PHP-A1007

Security
Critical
 a02 cwe-327 sans top 25 owasp top 10 cwe-331

Cipher algorithm used to encrypt data is not strong. Using weak cipher algorithm such as RC2, RC4, DES, MD5, etc. for encrypting sensitive data can be vulnerable to several attacks.

In past it has led to the following vulnerabilities:

It is recommended to use robust and secure cipher such as AES to encrypt data.

Bad practice

// sensitive: vulnerable to several attacks (refer: https://en.wikipedia.org/wiki/RC4#Security)
$encryptedData = openssl_encrypt($data, "rc4", $key, $options = OPENSSL_RAW_DATA, $iv);

Recommended

$encryptedData = openssl_encrypt($data, "aes256", $key, $options = OPENSSL_RAW_DATA, $iv);

References