Page 1 of 1

Encryption/Decryption

Posted: Tue Jul 24, 2007 10:03 am
by mikeeeeeeey
Hey guys,

I've been programming now for a long time by sticking god-knows-what into the URL which in some ways has helped (slimming down site sizes) but in other ways has not (prone to SQL injection, have to filter it all, etc etc etc).

How easy it is to encrypt and decrypt variables for use within the URL?

I've tried googling it but I can't really find anything that useful, or that's easy on the noggin.

Can anyone shed any light? It would be much appreciated.

Thanks guys!

Posted: Tue Jul 24, 2007 10:18 am
by Chalks
anything that you can decrypt, THEY can decrypt.

I would look into using hashes like sha1, sha256 and the like (stay away from md5). An hash is taking a string, turning it into something unrecognizable and being unable to turn it back. How is that useful? Here's an example:


register new user Kryptonite. password = superman
hash of superman = asdflkj23r23409hsfvnsodifnl32402943u09sj0f9sdf099 (or whatever)
stored in database user: Kryptonite, password: asdflkj23r23409hsfvnsodifnl32402943u09sj0f9sdf099

new user Kryptonite logs in with password = supreman (misspelled!)
hash of supreman = fkjdflkj32390dfvdfvdfsdf0d9vu09b9b9b9b0b90bf9uub (or whatever it is)
retrieve password for Kryptonite: asdflkj23r23409hsfvnsodifnl32402943u09sj0f9sdf099
does NOT match: fkjdflkj32390dfvdfvdfsdf0d9vu09b9b9b9b0b90bf9uub (hash of superman)

invalid password!

Posted: Tue Jul 24, 2007 10:20 am
by mikeeeeeeey
ahh si si.

like using the PASSWORD type in SQL?

sweeet! rather sexy indeed.

Posted: Tue Jul 24, 2007 10:21 am
by Begby
Encrypting variables for POST/GET is not going to be a good way to filter data, you will still be prone to SQL injection for any content that the end user submits.

For instance, if you have a text field where the user can enter whatever, you will need to encrypt it client side before it gets sent. That blows any secrets you might have about your encryption. Then when you decrypt it you will still need to filter it before you use it in any sql since you will have happily encrypted then decrypted any SQL injection attempt that the person may have typed. So no matter what you do you are still going to need to filter/check POST arguments.

For plain URL type arguments, like id=1, if you encrypt that into id=ggkda, you will still need to check the input to make sure that it is valid before/after you decrypt it because if they change that data it will still cause errors on the server side. There are ways to encode the entire set of URL parameters into one string I believe, then you would generate all the links server side and code a router to turn it back into parameters. I don't know if that buys you much security though.

Posted: Tue Jul 24, 2007 10:26 am
by mikeeeeeeey
nice one guys, thanks for both your help.

Posted: Tue Jul 24, 2007 10:29 am
by Begby
Chalks wrote: An hash is taking a string, turning it into something unrecognizable and being unable to turn it back.
That is incorrect, a hash is a one way algorithm. It is statistically impossible to reverse a hash and get the original message. Since you cannot decrypt a hash, this isn't what you want to use for encrypting your GET parameters.

However, a hash as pointed out, is the way you want to store passwords in a DB. If someone gets ahold of the data they still won't have the passwords as long as you practice proper encryption practices. They will actually need to get to your source as well in order to login as someone else.

Posted: Tue Jul 24, 2007 10:32 am
by Chalks
Begby wrote:
Chalks wrote: An hash is taking a string, turning it into something unrecognizable and being unable to turn it back.
That is incorrect, a hash is a one way algorithm.
Isn't that what I said "being UNABLE to turn it back"?

Begby wrote:It is statistically impossible to reverse a hash and get the original message. Since you cannot decrypt a hash, this isn't what you want to use for encrypting your GET parameters.
unless you're checking the parameters against something that was already stored... like a password (see my above example).







edit: You're welcome Mikeeeeeeey. :D

Posted: Tue Jul 24, 2007 10:41 am
by Begby
Isn't that what I said "being UNABLE to turn it back"?

HAHA, damn I need to get my eyes checked.

yes you did say that.

Posted: Tue Jul 24, 2007 10:45 am
by Chalks
;)