Encryption operation mode and the padding scheme should be chosen appropriately to guarantee data confidentiality, integrity and authenticity:

The GCM (Galois Counter Mode) mode, which internally uses no padding scheme, is recommended, as it is designed to provide both data authenticity (integrity) and confidentiality. Other similar modes are CCM, CWC, EAX, IAPM and OCB.

The CBC (Cipher Block Chaining) mode by itself provides only data confidentiality. It is recommended to use it along with a Message Authentication Code or similar to achieve data authenticity (integrity) too, and thus to prevent padding oracle attacks.

The ECB (Electronic Codebook) mode doesn't provide serious message confidentiality: under a given key, any given plaintext block always gets encrypted to the same ciphertext block. This mode should not be used.

Noncompliant Code Example

$c01 = mcrypt_encrypt(MCRYPT_DES, $key, $plaintext, "ecb"); // Noncompliant: ECB doesn't provide serious message confidentiality
$c02 = mcrypt_encrypt(MCRYPT_DES_COMPAT, $key, $plaintext, "ecb"); // Noncompliant: ECB doesn't provide serious message confidentiality
$c03 = mcrypt_encrypt(MCRYPT_TRIPLEDES, $key, $plaintext, "ecb"); // Noncompliant: ECB doesn't provide serious message confidentiality
$c04 = mcrypt_encrypt(MCRYPT_3DES, $key, $plaintext, "ecb"); // Noncompliant: ECB doesn't provide serious message confidentiality
$c05 = mcrypt_encrypt(MCRYPT_BLOWFISH, $key, $plaintext, "ecb"); // Noncompliant: ECB doesn't provide serious message confidentiality
$c06 = mcrypt_encrypt(MCRYPT_RC2, $key, $plaintext, "ecb"); // Noncompliant: ECB doesn't provide serious message confidentiality
$c07 = mcrypt_encrypt(MCRYPT_RC4, $key, $plaintext, "ecb"); // Noncompliant: ECB doesn't provide serious message confidentiality

function encrypt1($data, $key) {
  $crypted='';
  openssl_public_encrypt($data, $crypted, $key, OPENSSL_NO_PADDING); // Noncompliant: RSA without OAEP padding scheme is not recommended
  return $crypted;
}

$c1 = openssl_encrypt($plaintext, "BF-ECB", $key, $options=OPENSSL_RAW_DATA, $iv); // Noncompliant: ECB doesn't provide serious message confidentiality
$c2 = openssl_encrypt($plaintext, "RC2-ECB", $key, $options=OPENSSL_RAW_DATA, $iv); // Noncompliant: ECB doesn't provide serious message confidentiality
$c3 = openssl_encrypt($plaintext, "bf-ecb", $key, $options=OPENSSL_RAW_DATA, $iv); // Noncompliant: ECB doesn't provide serious message confidentiality
$c4 = openssl_encrypt($plaintext, "des-ecb", $key, $options=OPENSSL_RAW_DATA, $iv); // Noncompliant: ECB doesn't provide serious message confidentiality
$c5 = openssl_encrypt($plaintext, "rc2-ecb", $key, $options=OPENSSL_RAW_DATA, $iv); // Noncompliant: ECB doesn't provide serious message confidentiality

Compliant Solution

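$c6 = openssl_encrypt($plaintext, "aes-256-gcm", $key, $options=OPENSSL_RAW_DATA, $iv, $tag); // Compliant: $tag receives the GCM authentication tag (required for AEAD modes) and must be kept with the ciphertext for decryption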


function encrypt2($data, $key) {
  $crypted='';
  openssl_public_encrypt($data, $crypted, $key, OPENSSL_PKCS1_OAEP_PADDING);  // Compliant
  return $crypted;
}
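The following is an added example, not part of the original rule text. It contrasts ECB's repeated-block leak with an AES-256-GCM round trip that rejects a modified ciphertext. The helper names gcm_seal() and gcm_open(), the nonce || tag || ciphertext layout, and the sample key, message and associated data are assumptions made for illustration.

```php
<?php
// Added example, not the rule's own code. gcm_seal()/gcm_open() are hypothetical helpers.
const GCM_CIPHER = 'aes-256-gcm';
const GCM_NONCE_LEN = 12; // 96-bit nonce, must never repeat under the same key
const GCM_TAG_LEN = 16;   // full 128-bit authentication tag

// Encrypt and authenticate; returns nonce || tag || ciphertext.
function gcm_seal(string $plaintext, string $key, string $aad = ''): string {
    $nonce = random_bytes(GCM_NONCE_LEN);
    $tag = '';
    $ct = openssl_encrypt($plaintext, GCM_CIPHER, $key, OPENSSL_RAW_DATA, $nonce, $tag, $aad, GCM_TAG_LEN);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return $nonce . $tag . $ct;
}

// Verify the tag, then decrypt; throws if ciphertext, tag, nonce or AAD was altered.
function gcm_open(string $blob, string $key, string $aad = ''): string {
    if (strlen($blob) < GCM_NONCE_LEN + GCM_TAG_LEN) {
        throw new RuntimeException('message too short');
    }
    $nonce = substr($blob, 0, GCM_NONCE_LEN);
    $tag = substr($blob, GCM_NONCE_LEN, GCM_TAG_LEN);
    $ct = substr($blob, GCM_NONCE_LEN + GCM_TAG_LEN);
    $pt = openssl_decrypt($ct, GCM_CIPHER, $key, OPENSSL_RAW_DATA, $nonce, $tag, $aad);
    if ($pt === false) {
        throw new RuntimeException('authentication failed');
    }
    return $pt;
}

$key = random_bytes(32);    // constructed 256-bit key
$msg = str_repeat('A', 32); // constructed input: two identical 16-byte blocks
// ECB maps equal plaintext blocks to equal ciphertext blocks.
$ecb = openssl_encrypt($msg, 'aes-256-ecb', $key, OPENSSL_RAW_DATA);
echo 'ECB blocks equal: ', var_export(substr($ecb, 0, 16) === substr($ecb, 16, 16), true), "\n";
// GCM round trip; the associated data is authenticated but not encrypted.
$blob = gcm_seal($msg, $key, 'record-42');
echo 'GCM round trip ok: ', var_export(gcm_open($blob, $key, 'record-42') === $msg, true), "\n";
// Flipping one ciphertext bit must make decryption fail.
$last = strlen($blob) - 1;
$blob[$last] = chr(ord($blob[$last]) ^ 1);
try {
    gcm_open($blob, $key, 'record-42');
    echo "tampered message accepted\n";
} catch (RuntimeException $e) {
    echo 'tampered message rejected: ', $e->getMessage(), "\n";
}
```

The receiver must always treat a false return from openssl_decrypt() as a hard failure and discard the message.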

See