I'm trying to find out if there is a way to obfuscate the PHP output (html stuff).
basically, I have a few hidden inputs and they have some PHP outputs in them...
Example:
<input type="hidden" name="myinput" value="<?php echo $variable; ?>" />
is there any way to obfuscate its value in the users browser but still readable server side so I can pass the input value between pages?
any suggestion and help would be appreciated.
EDIT:
I did it like this:
$string = "my string to be be encrypted goes here";
$secret_key = "This is my secret key";
// Create the initialization vector for added security.
$iv = mcrypt_create_iv(mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB), MCRYPT_RAND);
// Encrypt $string
$encrypted_string = mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $secret_key, $string, MCRYPT_MODE_CBC, $iv);
// Decrypt $string
$decrypted_string = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $secret_key, $encrypted_string, MCRYPT_MODE_CBC, $iv);
echo "Original string : " . $string . "<br />\n";
echo "Encrypted string : " . $encrypted_string . "<br />\n";
echo "Decrypted string : " . $decrypted_string . "<br />\n";
Instead of returning the values as part of the form field; do not send them data at all! Save the data to a database table and link to the current user. Link the data with the user via any number of methods (User id, cookie, session, etc). when the form is submitted retrieve the secret and execute your business logic.
Side note: If you want the data to be secure you want to encrypt it, not hash, not encode; encrypt.
Related
I have these code for encrypt and decrypt.
It works good for text (for example: "This is a text"), which is withnout diacritics (that means without : ěščřžýáíéúů).
But I need encrypt and decrypt text with this special letters (with : ěščřžýáíéúů).
Can somebody help me, please?
Thank so much for every answer and help.
Have a nice day. M.
define ("ENCRYPTION_KEY", "QaY7e4d1c");
$string= "This is a text"; // -> this work alright
//$string= "áýžřčšě"; I NEED THIS TEXT ENCRYPT AND DECRTYPT
echo $encrypted = encrypt($string, ENCRYPTION_KEY);
echo "<br />";
echo $decrypted = decrypt($encrypted, ENCRYPTION_KEY);
function encrypt ($pure_string,$encryption_key)
{
$iv_size = mcrypt_get_iv_size(MCRYPT_BLOWFISH,MCRYPT_MODE_ECB);
$iv = mcrypt_create_iv($iv_size,MCRYPT_RAND);
$encrypted_string = mcrypt_encrypt(MCRYPT_BLOWFISH,$encryption_key,utf8_encode($pure_string),MCRYPT_MODE_ECB,$iv);
return $encrypted_string;
}
function decrypt ($encrypted_string,$encryption_key)
{
$iv_size = mcrypt_get_iv_size(MCRYPT_BLOWFISH,MCRYPT_MODE_ECB);
$iv = mcrypt_create_iv($iv_size,MCRYPT_RAND);
$decrypted_string = mcrypt_decrypt(MCRYPT_BLOWFISH,$encryption_key,$encrypted_string,MCRYPT_MODE_ECB ,$iv);
return $decrypted_string;
}
You're calling utf8_encode in your encryption function, but not calling utf8_decode when you decrypt, so your functions as they stand don't complement each other.
I'd recommend removing the call to utf8_encode entirely. mcrypt_encrypt doesn't care what encoding your string uses, so whatever you pass in will be what you get back out. Your script works fine for me if I remove it:
$encrypted_string = mcrypt_encrypt(MCRYPT_BLOWFISH, $encryption_key, $pure_string, MCRYPT_MODE_ECB, $iv);
I'd also suggest reading this: https://paragonie.com/blog/2015/05/if-you-re-typing-word-mcrypt-into-your-code-you-re-doing-it-wrong
Until now i have been using hidden fields in forms to pass data to the actions php. However i realise this is a massive security risk to the application and would like to be educated of the best method to currently passing form data from hidden fields in php?
<input type="hidden" value="sensitive_info">
Alex
I think sessions are probably what you're looking for.
See http://www.w3schools.com/php/php_sessions.asp for a nice easy guide to using them.
You need session_start(); at the very top of your php script, and then you can store information like so:
$_SESSION["stuff"] = "sensitive info";
Then simply access it on the next page with:
$stuff = $_SESSION["stuff"];
Simple :)
P.S. Make sure session_start(); is at the top of every php script that uses the session variables.
If you're unable to use sessions for some reason, you can always encrypt the ID. This is probably not ultra secure, but will prevent all but the most determined from mucking with things.
<?php
define("KEY", "Something much more random than this");
function encrypt($key, $plaintext)
{
$iv_size = openssl_cipher_iv_length('AES-256-CBC');
$iv = openssl_random_pseudo_bytes($iv_size);
$ciphertext = openssl_encrypt($plaintext, 'AES-256-CBC', $key, OPENSSL_RAW_DATA, $iv);
return base64_encode($iv . $ciphertext);
}
function decrypt($key, $ciphertext)
{
$iv_size = openssl_cipher_iv_length('AES-256-CBC');
$ciphertext = base64_decode($ciphertext);
$iv = substr($ciphertext, 0, $iv_size);
return openssl_decrypt(substr($ciphertext, $iv_size), 'AES-256-CBC', $key, OPENSSL_RAW_DATA, $iv);
}
$encrypted_id = encrypt(KEY, $database_id);
?>
<input name="foo" type="hidden" value="<?php echo $encrypted_id?>"/>
I just want to pass some query string variables with URL like below. But in this way anyone can see the passing variables. I can use base64_encode() and base64_decode() methods but these are also not secure. Because anyone can reverse it. Please help me if anyone have the best solution.
header('Location: http://www.example.com?id='.$id);
or
header('Location: http://www.example.com?name='.$name);
I think this is the best and secure solution for this..
<?php
/*
* PHP mcrypt - Basic encryption and decryption of a string
*/
$string = "Some text to be encrypted";
$secret_key = "This is my secret key";
// Create the initialization vector for added security.
$iv = mcrypt_create_iv(mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB), MCRYPT_RAND);
// Encrypt $string
$encrypted_string = mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $secret_key, $string, MCRYPT_MODE_CBC, $iv);
// Decrypt $string
$decrypted_string = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $secret_key, $encrypted_string, MCRYPT_MODE_CBC, $iv);
echo "Original string : " . $string . "<br />\n";
echo "Encrypted string : " . $encrypted_string . "<br />\n";
echo "Decrypted string : " . $decrypted_string . "<br />\n";
?>
Output will be like below:
Original string : Some text to be encrypted
Encrypted string : –LÁ`b]!üƒN{Iç&|«kÿÅLèëÉ°Xp
Decrypted string : Some text to be encrypted
I've found a pair of encryption and decryption functions that look like they obey all the rules of data security that I'm desperate to fully understand but probably won't be able to without a doctorate in this stuff.
They work great when I'm encrypting and decrypting something on the same page with the same IV.
But when I try saving the results to an SQL database and then pulling them back out again and decrypting, it doesn't work.
$key = "secretsecret";
$iv = mcrypt_create_iv(mcrypt_get_iv_size(MCRYPT_RIJNDAEL_128, MCRYPT_MODE_CBC), MCRYPT_DEV_RANDOM);
function encrypt($key, $text, $iv) {
return trim(base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_128, $key, $text, MCRYPT_MODE_CBC, $iv)));
}
function decrypt($key, $text, $iv) {
return trim(mcrypt_decrypt(MCRYPT_RIJNDAEL_128, $key, base64_decode($text), MCRYPT_MODE_CBC,$iv));
}
$text = "the text to encrypt";
echo "Plain Text: " . $text . "<br><br>";
$encrypted = encrypt($key, $text, $iv);
echo "Encrypted Text: " . $encrypted . "<br><br>";
echo "Decrypted Text: ". decrypt($key, $encrypted, $iv) . "<br><br>"; //this works fine
//save encrypted text to SQL
mysql_query("UPDATE table SET test='".addslashes($encrypted)."' WHERE id='1'");
Then if on another page view I pull the text back out and try to:
echo "Decrypted Text: ". decrypt($key, $textFromSQL, $iv) . "<br><br>";
I get gibberish. What do I need to do to get the text decrypted properly with a different IV?
You need to use the same Initialization Vector (IV) in the decryption as you do in the enryption. This means you need to store the IV in the database.
The IV doesn't need to be secret, unlike the key.
Something like this:
mysql_query("UPDATE table SET test='".addslashes($encrypted)."', IV='".addslashes($IV)."' WHERE id='1'");
Then when you decrypt the data use the stored IV.
I am using php decrypion to check that: an email address replying to a request is the same email address which was sent the request.
This is the code but at the bottom it simpy fails.
The url is simply:
blah.com/page?keyemail=fSHEk8KC17siklGHsj0HJA==
The code below also shows some tests i did to make sure the encrypt/decrypt were working ok... I echo'd down the code to see what was going on
$key="XiTo74UI09wwe4YeUmuvbL0E";
$iv = mcrypt_create_iv (mcrypt_get_block_size (MCRYPT_TripleDES, MCRYPT_MODE_CBC), MCRYPT_DEV_RANDOM);
// Encrypting
function encrypt($string, $key) {
$enc = "";
global $iv;
$enc=mcrypt_cbc (MCRYPT_TripleDES, $key, $string, MCRYPT_ENCRYPT, $iv);
return base64_encode($enc);
}
// Decrypting
function decrypt($string, $key) {
$dec = "";
$string = trim(base64_decode($string));
global $iv;
$dec = mcrypt_cbc (MCRYPT_TripleDES, $key, $string, MCRYPT_DECRYPT, $iv);
return $dec;
}
// test example
$email = 'me#me.com';
echo "email is $email<br /><br />";
$email_key = encrypt($email, $key);
echo "key is $email_key<br /><br />";
$email_key2 = decrypt($email_key, $key);
echo "decrypted is $email_key2<br /><br />";
// END test example, all is ok
// this is the code that fails
$to_de = $_GET[keyemail];
echo "keyemail again is $to_de<br /><br />";
$email_key3 = decrypt($to_de, $key);
echo $email_key3;
What is being returned when I echo $email_key3 is encoded somehow - it should be me#me.com
I'm probably missing something obvious but it's lost me!
You can't generate a new IV on each page - you must either store the IV from the encryption step in a file or database - or append it to the encrypted string. Generating a new IV on the next page will not allow you to decrypt the string.
Also, if possible I would pass a hash of an the email (plus a salt) - not an encrypted form.
I've noticed that the encryption method you're using is adding a random salt. That means that encrypting the same string with the same key does not result in the same output.
Try using a non randomized KDF.
Try the answer of this topic: https://stackoverflow.com/a/1289114/1745542