Cryptography, sorta

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

Moderator: General Moderators

User avatar
AfroNinja
Forum Newbie
Posts: 5
Joined: Wed Oct 02, 2002 4:18 pm
Contact:

Cryptography, sorta

Post by AfroNinja »

I am currently working on a form to allow users to walk through a wizard and construct a custom URL along the lines of

http://your.domain.name/path/mailform.p ... ]&flg=[xxx]

This wizard is designed to be used by faculty and staff at an educational institution, and will be replacing all "mailto" tags on our website (for SPAM control). As such, it will be a resource frequently used by faculty and staff, hence the need for semi-simplicity.

The process by which this URL is to be constructed is (roughly) as follows:

1. The user visits a "construction wizard" page and enters their email addres without the @domain.name at the end.

2. The user selects a few options about what he wants to be available to anyone who uses this means to send him or her an email.

3. The user's preferences are parsed such that each option becomes a 1 or 0 option in a longer binary number (roughly 8 bits worth of preferences so far).

4. The email name is automagically converted into a series of letters and numbers that are not recognizable as the email address from which it originated.

5. A URL (as seen above, roughly) is then presented to the user, who can copy and paste it into their personal web page in place of the mailto tag.

6. When a user clicks on this link, they are presented with a form that is constructed based on preferences listed in the URL and the automagically encrypted email name. They can then use this form to send an email.

This is where I run into problems. I want to use a means of constructing this "encrypted" email name without using MD5 or Crypt. Both of them are fine, but don't meet my needs for this. I want something that is case-insensitive and can be relatively easily placed in a URL without being obvious and giving too much away.

What do you think?
User avatar
volka
DevNet Evangelist
Posts: 8391
Joined: Tue May 07, 2002 9:48 am
Location: Berlin, ger

Post by volka »

you might consider storing the real email adress and options server-side and redirect the mail-querries over this server.
Create a unique id for each user (or use the login name) and keep this along with the email-adress and options in a database.
jason
Site Admin
Posts: 1767
Joined: Thu Apr 18, 2002 3:14 pm
Location: Montreal, CA
Contact:

Post by jason »

I would suggest storing the emails in a DB, and assigning each email a unique key.

That way, the person could have a url like

http://www.example.com/email.php?opt=01101001&id=454

Where ID 454 is equal to example@example.com.

That would also mean you could eliminate the options being passed, giving the person something like this

http://www.example.com/email.php?id=454

Which is arguably even easier to use. Almost like an phone extension (you could use that if you wanted to give the faculty something easy to remember, your phone extension is your ID, thought that might not work...). A person could come to a main page, type in the person's email code (454), and be taken to the correct email form. No URL's to remember, just a number.
jason
Site Admin
Posts: 1767
Joined: Thu Apr 18, 2002 3:14 pm
Location: Montreal, CA
Contact:

Post by jason »

I swear, volka's post wasn't there when I answered, heh
User avatar
volka
DevNet Evangelist
Posts: 8391
Joined: Tue May 07, 2002 9:48 am
Location: Berlin, ger

Post by volka »

I was faster because I didn't write that much explanations.
I think the 1 or 2 minutes were worth their time ;)
jason
Site Admin
Posts: 1767
Joined: Thu Apr 18, 2002 3:14 pm
Location: Montreal, CA
Contact:

Post by jason »

I can't keep my answers short...if I keep my answers long, it makes it look like I am smarter than I really am.
User avatar
volka
DevNet Evangelist
Posts: 8391
Joined: Tue May 07, 2002 9:48 am
Location: Berlin, ger

Post by volka »

I'll keep this in mind for my next job application 8O

:wink:
User avatar
AfroNinja
Forum Newbie
Posts: 5
Joined: Wed Oct 02, 2002 4:18 pm
Contact:

Post by AfroNinja »

I had considered this, but I'm in a situation where storing stuff server-side isn't really the easiest solution to implement. What I'm after is a way to store the name in the actual URL. There are some limitations under which I am operating that make this the most feasable solution, as the server on which this is to reside is tightly-controlled. I have worked out a few simple subsitution cyphers, but I was in search of something more ... I don't know ... elegant.
User avatar
AfroNinja
Forum Newbie
Posts: 5
Joined: Wed Oct 02, 2002 4:18 pm
Contact:

Post by AfroNinja »

Okay .. I figgured it out. If you're interested in seeing it, here it is ... The functions either take the email address without the @domain.name part, or the coded output, depending on desired result.

This is not super-duper secure, and could be reverse-engineered pretty easily, but it's purdy and accomplishes the aim of hiding the email address from casual viewers and SPAMbots.

Code: Select all

<?php
if (!$crypto_is_defined)
{
$crypto_is_defined = 1;
// functions to encode and decode email addresses
// strings need to be validated before being passed to these routines

/*
-----------| USAGE |-----------
to encode a name:	 $input = nencode("name");
	 								 (returns "5616d6e6")
to decode a name:	 $output = ndecode("5616d6e6");
	 								 (returns "name")
*/

function nencode($namein)
{
$nametmp = strtolower($namein);														// convert to lower case
$nametmp = strrev($nametmp);															// reverse order of characters

for ($counter=0; $counter<strlen($nametmp); $counter += 2)
		{
		$str1 .= substr($nametmp,$counter,1);						 			// first half of string
		$str2 .= substr($nametmp,$counter+1,1);								// second half of string
		}

$nametmp = $str1.$str2;																		// concatenate into one string

$str1="";	 																								// clear temporary variables
$str2="";
$str3="";

for ($counter=0; $counter<strlen($nametmp); $counter++)
		{
		$str1=ord(substr($nametmp,$counter,1));						 		// decimal ASCII value of letter
		$str2=dechex($str1);																	// decimal value to hex
		$str3 .= strrev($str2);																// reverse hex digits
		}
		
return $str3;

}

function ndecode($nametmp)
{

for ($counter=0; $counter<strlen($nametmp); $counter += 2)
		{
		$str1=strrev(substr($nametmp,$counter,2));			 			// extract hex value and reverse
		$str2=hexdec($str1);																	// convert hex into decimal value
		$str3 .= chr($str2);																	// Add ASCII character to output string
		}

$nametmp = $str3;

$bias = 0.0000000001;																			// bias to make sure rounding is up
$cutoff = round((strlen($nametmp)+$bias)/2);							// determine 1/2 way point, rounding up
$str1 = substr($nametmp,0,$cutoff);												// first substring
$str2 = substr($nametmp,$cutoff,(strlen($str1)));					// second substring
$str3 = "";																								// clear variable to hold final string

for ($counter=0; $counter<$cutoff; $counter++)
		{
		$str3 .= substr($str1,$counter,1) . substr($str2,$counter,1);
						 																							// add alternating characters from each
																													// to final string, reconstructing
																													// pre-encrypted string
		}

return strrev($str3);		
}
}
?>
User avatar
volka
DevNet Evangelist
Posts: 8391
Joined: Tue May 07, 2002 9:48 am
Location: Berlin, ger

Post by volka »

security by obscurity ;)
jason
Site Admin
Posts: 1767
Joined: Thu Apr 18, 2002 3:14 pm
Location: Montreal, CA
Contact:

Post by jason »

Instead of forcing the round() function to round up, just use the ceil() function

http://www.php.net/ceil
User avatar
Takuma
Forum Regular
Posts: 931
Joined: Sun Aug 04, 2002 10:24 am
Location: UK
Contact:

Post by Takuma »

What's the difference they basically do the same stuff!
jason
Site Admin
Posts: 1767
Joined: Thu Apr 18, 2002 3:14 pm
Location: Montreal, CA
Contact:

Post by jason »

No, ceil() rounds up, while round() rounds to the nearest integer, which could be up or down.
User avatar
AfroNinja
Forum Newbie
Posts: 5
Joined: Wed Oct 02, 2002 4:18 pm
Contact:

Post by AfroNinja »

I've only be programming in PHP for a total of two weeks, and I'm still getting the hang of it. I was concerned about the need to round up, so I added the bias to the total before rounding, making sure that on any computer, it would round up. This was based on a post I read here --

:arrow: http://www.php.net/manual/en/function.round.php

The important thing, however, is that it works.
User avatar
hob_goblin
Forum Regular
Posts: 978
Joined: Sun Apr 28, 2002 9:53 pm
Contact:

Post by hob_goblin »

Just a tip, when you do the mail form, in the hidden input that you are storing the email address in, make sure to leave it ENCRYPTED. If you have the email address in plain source view there is a large chance it will get spidered.

You can then just unencrypt the email right before the mail() function is called.
Post Reply