passing encrypted data in url

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

Post Reply
hessodreamy
Forum Commoner
Posts: 58
Joined: Wed Apr 20, 2005 8:11 am

passing encrypted data in url

Post by hessodreamy »

I know it sounds simple but I'm trying to pass encrypted data in a url, which i can later decrypt . I've been sniffing around the various encryption functions but it seems to me that the output would be a string that wouldn't legally fit into a url. Can anyone suggest a function to use?
User avatar
Oren
DevNet Resident
Posts: 1640
Joined: Fri Apr 07, 2006 5:13 am
Location: Israel

Post by Oren »

urlencode and urldecode should do the trick :wink:
hessodreamy
Forum Commoner
Posts: 58
Joined: Wed Apr 20, 2005 8:11 am

Post by hessodreamy »

Doh! pretty obvious, really. :D
Cheers!
User avatar
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

Be careful, though. URLs get truncated after a certain length (please don't make them 2kb long).
User avatar
shiflett
Forum Contributor
Posts: 124
Joined: Sun Feb 06, 2005 11:22 am

Post by shiflett »

Be careful - URL encoding is not encryption.
User avatar
tecktalkcm0391
DevNet Resident
Posts: 1030
Joined: Fri May 26, 2006 9:25 am
Location: Florida

Post by tecktalkcm0391 »

Here is what you can do:

Code: Select all

<?php
// ---
// Code for First Page
// ---


//  Variable to be encrypted and sent:
$text = "Hello";

// Encryption
// You can replace 8660281B6051D071D94B5B230549F9DC851566DC 
// with any key you want just make sure to change it on the second page's key
$gpg = new gnupg();
$gpg -> addencryptkey("8660281B6051D071D94B5B230549F9DC851566DC");
$encypted_text = $gpg -> encrypt("$text");

// Encode for sending.
$send_string = 'encryptedtext=' . urlencode($encrypted_text) . '';

// Now just make it so it sends the codes
?>

Code: Select all

<?php
// ---
// Code for Second Page
// ---


//  Variable to be decrypted from send:
$recieved_text= $_GET['variable'];


//Decode URL
$recieved_text = urldecode($recieved_text);


//Decryption
// Make sure the  8660281B6051D071D94B5B230549F9DC851566DC 
// matched the key on the first page // Leave test the same, or you can change it to anything.
$gpg = new gnupg();
$gpg -> adddecryptkey("8660281B6051D071D94B5B230549F9DC851566DC","test");
$text = $gpg -> decrypt($recieved_text);


// Decoded variable
$text = $text;

?>

Hope this works.
User avatar
quocbao
Forum Commoner
Posts: 59
Joined: Sat Feb 04, 2006 2:03 am
Location: HCM,Vietnam
Contact:

Post by quocbao »

Try my class : secureURL

This class will auto encrypt all params in your urls :D .
hessodreamy
Forum Commoner
Posts: 58
Joined: Wed Apr 20, 2005 8:11 am

Post by hessodreamy »

I'm currently using a class (and have used other methods) based on the mcrypt function.
It all works very well but seems... messy.
The encrypted output is all kinds of crazy characters. As I'm putting the encrypted data in the url I'm using urlencode. So the query string is pretty long and looks messy.
I understand that encryption using only alphanumeric characters is less secure, but is there a method which gives alphanumerics?
I mean, I've seen lots of encoded stuff passed in urls in my time, but nothing that looked as messy as what I had.

background...
Apart from generally striving to understand encryption methods, the problem I'm currently working on is simply encrypting an email address to be used in a link from an email. I get it into my head that some people will object to their personal info being passed, so i'm just trying to obfucate that. In short, in this case maximum security isn't a massive priority, though I would like to understand things in case it was a priority.
hessodreamy
Forum Commoner
Posts: 58
Joined: Wed Apr 20, 2005 8:11 am

Post by hessodreamy »

oh, by the way, I've tried all the different algorithms supported by mcrypt, and they all seem messy.
Post Reply