php – Custom security for accessing the server's APIs to the mobile app

I am not the best in security, but I need a custom way to securely store personally identifiable information such as name, address, and so on. Can I have comments on this custom code? From my point of view it looks good, but security is not my strong point, so I do not trust myself.

The data is transmitted from my application via HTTPS in the header, with a custom authorization code consisting of the unique ID of the user, the FCM ID, the name of the package and the date on which they obtained the authorization code.

This is sent to the server with each request and decrypted to make sure we have the right user. The server will not provide any details unless the epoch date matches (this one is stored in the database when creating the authentication).

Here is the encrypt/decrypt function:

function encrypt($string, $public_key = "public key", $action = "e") {
    $secret_key = "secret key";
    $encrypt_method = "AES-256-CBC";
    // AES key: hex SHA-256 digest of $public_key
    $key = hash('sha256', $public_key);
    // IV: first 16 characters of the hex SHA-256 digest of $secret_key
    $secret = substr(hash('sha256', $secret_key), 0, 16);
    $output = false;

    if ($action == "e") {
        $output = base64_encode(openssl_encrypt($string, $encrypt_method, $key, 0, $secret));
    } else if ($action == "d") {
        $output = openssl_decrypt(base64_decode($string), $encrypt_method, $key, 0, $secret);
        if (empty($output)) {
            // deny_access() is the application's own handler (not shown)
            deny_access();
        }
    }
    return $output;
}

The data stored in the database uses the same function but with different keys, so that the data is encrypted twice.
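
The function posted above derives its IV from a fixed string, so every message under a given key reuses the same IV, and CBC on its own carries no integrity check on the ciphertext. For comparison, the following is an added example (not the poster's code) of the same kind of helper using AES-256-GCM with a fresh random nonce per message and an authentication tag that is verified on decryption. The names `seal` and `open_sealed`, the key handling and the sample claim values are assumptions made for illustration.

```php
<?php
declare(strict_types=1);
// Added example, not the poster's code. Assumes PHP >= 7.1 with ext-openssl.
// seal()/open_sealed() are hypothetical names; $key must be 32 random bytes
// kept in server configuration, not a hash of a hard-coded string.
const GCM_CIPHER = 'aes-256-gcm';
const GCM_IV_LEN = 12;   // 96-bit nonce
const GCM_TAG_LEN = 16;  // 128-bit authentication tag

function seal(string $plaintext, string $key, string $aad = ''): string
{
    if (strlen($key) !== 32) {
        throw new InvalidArgumentException('key must be exactly 32 bytes');
    }
    $iv = random_bytes(GCM_IV_LEN);   // fresh nonce for every message
    $tag = '';
    $ct = openssl_encrypt($plaintext, GCM_CIPHER, $key, OPENSSL_RAW_DATA,
                          $iv, $tag, $aad, GCM_TAG_LEN);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return base64_encode($iv . $tag . $ct);   // one layer of base64
}

function open_sealed(string $token, string $key, string $aad = ''): ?string
{
    $raw = base64_decode($token, true);
    if ($raw === false || strlen($raw) < GCM_IV_LEN + GCM_TAG_LEN) {
        return null;   // malformed token
    }
    $iv  = substr($raw, 0, GCM_IV_LEN);
    $tag = substr($raw, GCM_IV_LEN, GCM_TAG_LEN);
    $ct  = (string) substr($raw, GCM_IV_LEN + GCM_TAG_LEN);
    $pt  = openssl_decrypt($ct, GCM_CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag, $aad);
    return $pt === false ? null : $pt;   // false means the tag did not verify
}

// Constructed sample values, for illustration only.
$key   = random_bytes(32);
$aad   = 'auth-header-v1';   // context label bound to the token, never encrypted
$claim = json_encode(['uid' => 'user-123', 'pkg' => 'com.example.app', 'iat' => 1700000000]);
$first  = seal($claim, $key, $aad);
$second = seal($claim, $key, $aad);
var_dump($first !== $second);                           // two tokens for one plaintext
var_dump(open_sealed($first, $key, $aad) === $claim);   // round trip
$raw = base64_decode($first);
$raw[strlen($raw) - 1] = chr(ord($raw[strlen($raw) - 1]) ^ 1);   // flip one bit
var_dump(open_sealed(base64_encode($raw), $key, $aad)); // tampered token
```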