I hope this will be a relatively quick question.
If i send a byte array via the URL and retrieve it from a $_GET request in PHP server side scripts will the url be capable of transmitting the byte array? Is a URL capable of being long enough for this purpose? or do i need another way to transmit the byte array?
example of what im attempting: http://www.website.com/scrypt.php?image="bytearray"
better yet is there a best practices for transmitting this data from say an Android app to php?
As long as it doesn't exceed the limit for a URL or contain reserved characters that would be interpreted by the CGI...you're all set. Go for it.
Related
I have access to a server that runs a PHP script to parse data sent from an app to which I have no access. The data is sent through HTTP GET, and it is not sensitive data. The problem is sometimes a user inserts "illegal" characters like "#", and that totally breaks the PHP get parsing. For example: if the server receives "input.php?name=John#Doe&email=test#gmail.com", all that is parsed is name="John". The rest is lost.
My plan is to "filter out" bad characters from the input data BEFORE the GET array is parsed. I tried using $_SERVER['QUERY_STRING'] and $_SERVER['REQUEST_URI'], but got nowhere.
My question is: is it possible to use PHP to filter characters from the "raw" string data received by the server?
Thanks
I'm currently working with data I'd like to temporarily store in my database as encrypted data. I'm not worried about the database getting hacked into, I just want to ensure the people that had entered the data that it is not reachable by any other than themselves. (and me of course)
The data is not meant to be stored permanently in the database since I'm exporting it to a third party application using their API, but since they have a rate limit I need to store the data in our database until the limit is over and I can upload it. (Assuming the rate limit occurs)
The process:
The request I receive from the form is in an array, so to begin with I serialize() the array to get a long string which I will unserialize() later.
Then I want to use a method that lets me convert the string into numbers and back again without losing information.
The reason I want to turn the data into numbers is because I use the HashIds library, which only encodes numbers. To my knowledge it's an extra layer of security I'm happy to add.
Read more on HashIds here: http://hashids.org/
What I have tried:
I tried converting the string into hex numbers, and then the hex numbers into decimals. Unfortunately the number was too large, and i haven't had any luck using biginteger with it.
base64_encode() which is not going to turn the data into numbers, but then base_converting them is. But I couldn't figure out the base converting in php since apparently it's rather odd.
Conclusion:
How can I convert the data I'm receiving from a form request into a short encoded string which can be converted back into the data without too much hassle? I don't quite know all the options PHP offers yet.
UPDATE:
To conclude this thread, I ended up using OpenSSL to encrypt my serialized array. Only problem I ran into was if the request contained a file I wouldn't be able to serialize it and save the object to the database. I do still need a way around this, since the third party application expects the file to be a multipart/formdata object i can't just save the filepath to the database and upload that. But I guess I will have to figure out that one later.
That link http://hashids.org/ provides a pretty clear example. Lets assume that your integer is 15.
$hashids = new Hashids\Hashids('some random string for a salt. Make sure you use the same salt if you want to be able to decode');
$encoded = $hashids->encode(15);
print_r(['hashedId' => $encoded]);
$decoded = $hashids->decode($hashed);
print_r(['decoded' => $decoded]);
So the value of $decoded should equal 15
Update
Sorry - the hashids bit of your question threw me and as such, I misunderstood what you were asking. I will update my answer:
You should really be using https://secure.php.net/openssl_encrypt and https://secure.php.net/manual/en/function.openssl-decrypt.php
Is it safe to query string coming through GET, as long as
it itself isn't sensitive data
I filter_input the GET string
I mysqli_real_escape_string the string
not relevant but I trim it too
I don't want any security issues.
There's very little difference between GET and POST as regards security. The main differences are:
GET parameters will be visible in the location bar of the browser, unless you send a redirect
The maximum size of GET parameters is very small, around 512 characters in PHP. POST parameters can be much larger.
As long as you aren't sending any sensitive data through a GET request there is nothing to worry about.
Im currently using base64_encode for some $_GET params that i don't want regular user to mess with.
I was wondering that base64 is not looking too strong or is it ?
I also don't want to make some sort of mega encoding it's not so much of important information, but i would not like that user with average knowledge would mess with params in get.
Should i keep using base64 ? Currently it produces MQ== if value is 1 so it's quite easy to take it out from URL and decode and then insert your own.
Base-64 encoding doesn’t protect the data in any way. It’s a simply base conversion like using hexadecimal instead of decimal for integers.
If you just want to verify data integrity, you can use a salted hash (with a secret salt) that you store along with the data. See for example the hashed message authentication code (HMAC).
base64_encode() is not a security measure! It was designed to make sending of binary blobs possible through mediums that typically transfer ASCII only.
Use a session, or properly encrypt your variables.
I would recommend just using a session, and storing it out of the default /tmp for good measure with...
ini_set('session.save_path', '/sessions');
If you want some real encryption/decryption take a look at the Mcrypt features of PHP. http://www.php.net/manual/en/mcrypt.examples.php
But then you may want to use POST instead of GET because of the URL specifications which are limited in character usage and URL length.
Depends on what you want do do with it.
If you just want to obfuscate it (especially when you're generating those URLs in Javascript or so), you could apply ROT13 to the URL and swap a few additional characters to make decoding it a little bit more difficult.
However, if the security of your application depends on it, you could apply a static-key symmetric encrytion on the data server-side and decode it when you receive a request or so. I think that there are frameworks or so for that.
I'm not much of a PHP expert. I'm encoding a URL with base64_encode.
I get quite a long encoded string with a lot of weird characters exactly as I want it to be.
Is there a way to trim this long line of characters to let's say 10 or 15 chars, so I can decode it later again?
I know there is trim() but that does not exactly what I want. I want a long encoded string to be rather short and later I want to decode it again.
Any ideas?
It's not possible to "shorten" any string without losing some data.
If you want to physically shorten an encoded string (with the end result being only part of that string), apply substr() but not on the encoded version: You need to decode it first, then re-encode the shortened version.
Another option is to compress a string. This may shorten it somewhat: Look into gzcompress(). Your mileage may vary, though: the compression rate will depend on what kind of data you have. With small input strings, the result can even be larger than the original.
If you want to reuse a variable in a multi-page process, and don't want to transport it through a link or a form, consider generating a short random key, and storing the data in the user's session:
$_SESSION[$randomKey] = "lllloooooooooooong data here";
You could pass on the random key, and always access the "long" data using $_SESSION[$randomKey]. You need to have a session initialized for this.