PHP: An example of a form that will encrypt a query string (GET) (data hiding, not security)

I intend to use GET for my form, but would like to encrypt the values in the query string so that users cannot change them (not for security, but for hiding data).

I came across several websites that explained encryption, but it is not clear to me how to implement it as soon as the user clicks the submit button. Example: http://myscriptlibrary.wordpress.com/2010/04/14/how-to-encrypt-query-string-in-php/

Is there an example that could show this?

Thanks.

+5
4 answers

, . GET , , .

- base64_decode/encode , , - :

$link = "http://www.example.com/?item=".urlencode(base64_encode("user-data"));

$link http://www.example.com/?item=rklgEwkelnf%3D%3D, (base64ed) - :

// PHP has already URL-decoded $_GET; a second urldecode() would turn '+' into a space
foreach ($_GET as $loc => $item)
    $_GET[$loc] = base64_decode($item);

$_GET, .

+11

, , ...

. GET - , :

$parameter = "abc"; // The parameter which you'll pass as a GET parameter
$salt = "cV0puOlx";
$hashed = md5($salt.$parameter); // A hash that you'll pass as well
// Send the computed $hashed value (the undefined $hash would leave the parameter empty)
header("Location: http://www.yourdomain.com?param=$parameter&hash=$hashed");

, , , :

$parameter  = $_GET['param'];
$hash = $_GET['hash'];
$salt = "cV0puOlx";
$hashed = md5($salt.$parameter);
//now you check:
if ($hash === $hashed){
   //everything fine - continue processing
}
else{
  // ERROR - the user tried to tamper with your parameter
  // show error-message and bail-out
}
+7

. -base64_decode, , !

, $hashed.

+4

1-

2- , base64 MIME.

3- , (: , , GET ..)

4- base64 var.

5-

I implemented a class that does this work. (security and data hiding) Use the openssl method with aes-256 cbc mode to protect the crypt (do not forget the initialization vector)

class Encryption{

    /**
    * 
    * Returns the string encoded as MIME base64
    * ----------------------------------------------------
    * @param string
    * @return string
    *
    **/
    public static function safe_b64encode($string='') {
        $data = base64_encode($string);
        $data = str_replace(['+','/','='],['-','_',''],$data);
        return $data;
    }

    /**
    * 
    * Returns the decoded MIME base64 string
    * -------------------------------------------------
    * @param string
    * @return string
    *
    **/
    public static function safe_b64decode($string='') {
        $data = str_replace(['-','_'],['+','/'],$string);
        $mod4 = strlen($data) % 4;
        if ($mod4) {
            $data .= substr('====', $mod4);
        }
        return base64_decode($data);
    }

    /**
    *
    * Encrypts a string with the aes-256 encryption algorithm in cbc mode
    * Encryption uses a key defined in the file core.php
    * ------------------------------------------------------------------------------------------
    * @param string
    * @return string
    *
    **/
    public static function encode($value=false){ 
        if(!$value) return false;
        $iv_size = openssl_cipher_iv_length('aes-256-cbc');
        $iv = openssl_random_pseudo_bytes($iv_size);
        $crypttext = openssl_encrypt($value, 'aes-256-cbc', 'your security cipherSeed', OPENSSL_RAW_DATA, $iv);
        return self::safe_b64encode($iv.$crypttext); 
    }

    /**
    *
    * Decrypts a string
    * ---------------------------------
    * @param string
    * @return string
    *
    **/
    public static function decode($value=false){
        if(!$value) return false;
        $crypttext = self::safe_b64decode($value);
        $iv_size = openssl_cipher_iv_length('aes-256-cbc');
        $iv = substr($crypttext, 0, $iv_size);
        $crypttext = substr($crypttext, $iv_size);
        if(!$crypttext) return false;
        $decrypttext = openssl_decrypt($crypttext, 'aes-256-cbc', 'your security cipherSeed', OPENSSL_RAW_DATA, $iv);
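        // openssl_decrypt() already strips the padding and returns false on failure;
        // rtrim() would turn that false into '' and eat trailing whitespace of valid data
        return $decrypttext;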
    }
}

Example:

$pass_get = 'hello';
$base64_crypt = Encryption::encode($pass_get); // get base64 of crypt data

// Later, pass it in $_GET, for example

<a href="https://toto.com?v=<?php echo $base64_crypt;?>" >Other page</a>

// On another page, restore your var

$my_get_crypt_var = $_GET['v'];
Encryption::decode($my_get_crypt_var); // returns 'hello', or false if the string to be decrypted is invalid.
+1
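
The answers above either sign the parameter (the md5 hash check) or encrypt it (the AES-256-CBC class). The following is an added example, not code from any of the answers, that combines the two as encrypt-then-MAC so an altered value is rejected before it is decrypted. The names `qs_seal`, `qs_open`, `qs_keys` and the `QS_SECRET` value are hypothetical placeholders.

```php
<?php
// Added example. QS_SECRET is a constructed placeholder; load a real
// random secret from server-side configuration instead.
const QS_SECRET = 'constructed-demo-secret-change-me';

function b64url_encode(string $bin): string {
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

function b64url_decode(string $txt) {
    // Strict mode rejects characters outside the base64 alphabet.
    return base64_decode(strtr($txt, '-_', '+/'), true);
}

// Derive independent encryption and MAC keys from the one secret.
function qs_keys(): array {
    return [hash_hmac('sha256', 'enc', QS_SECRET, true),
            hash_hmac('sha256', 'mac', QS_SECRET, true)];
}

function qs_seal(string $value): string {
    [$encKey, $macKey] = qs_keys();
    $iv  = random_bytes(16); // AES block size
    $ct  = openssl_encrypt($value, 'aes-256-cbc', $encKey, OPENSSL_RAW_DATA, $iv);
    $tag = hash_hmac('sha256', $iv . $ct, $macKey, true);
    return b64url_encode($tag . $iv . $ct);
}

// Returns the original string, or false if the token was altered or malformed.
function qs_open(string $token) {
    [$encKey, $macKey] = qs_keys();
    $raw = b64url_decode($token);
    if ($raw === false || strlen($raw) < 32 + 16 + 16) return false;
    $tag = substr($raw, 0, 32);
    $iv  = substr($raw, 32, 16);
    $ct  = substr($raw, 48);
    // Check the MAC in constant time before touching the ciphertext.
    if (!hash_equals(hash_hmac('sha256', $iv . $ct, $macKey, true), $tag)) return false;
    return openssl_decrypt($ct, 'aes-256-cbc', $encKey, OPENSSL_RAW_DATA, $iv);
}

$token = qs_seal('item=42');                     // constructed sample value
$link  = 'http://www.example.com/?v=' . $token;  // already URL-safe
var_dump(qs_open($token));

$tampered = $token;                              // flip the first character
$tampered[0] = ($tampered[0] === 'A') ? 'B' : 'A';
var_dump(qs_open($tampered));
```

Unlike plain base64, the token cannot be decoded or edited by the user, and unlike the salted md5 check, the HMAC comparison is not exposed to length-extension or timing differences.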