I have two questions: is it possible to encrypt a GET parameter the same way passwords are? If not, what's the best method to do it? I have a simple parameter, articleID=1, and I want to encrypt the number so that the user is not able to see it or hack it, so it should look something like this: articleID=jt8asd9HG43u52Jh1jk94X

All 6 Replies

If you are using SSL (such as via https instead of plain old http) then this should not be necessary as it will be encrypted before it leaves your system. That said, you could configure your client-side web page to do that - probably using JavaScript.

So should I buy an SSL certificate to do this, or should I do it with code? Also, isn't there a PHP way of doing this?

SSL will do a number of things for you, including encrypting any plain text data moving between client and server.

If you simply want to obscure (or have a referential pointer to) data, you can do this very easily - but it's not security (most call it security through obscurity; aka doomed to fail).

As far as the GET/POST parameters are concerned, they will always be plain text to the client. If they need to be encrypted at run time, they have to be parsed on the page in their encrypted state, and your receiving script will have to know how to decrypt the data. Making a Caesar cipher (http://practicalcryptography.com/ciphers/caesar-cipher/) is not all that complicated, but it's also easy to crack. If you want true encryption, you will have to read up on PHP's encryption/decryption methods and how to implement them. For what you are using them for, however, it seems a bit overkill - but to each their own...

I have this code, but it tells me that it can't find that ID when I'm getting the item ID:

function link_encrypt($link) {
    $hash_format = "$2y$10$";
    $salt_lenght = 22;

    $salt = generate_salt($salt_lenght);
    $format_and_salt = $hash_format . $salt_lenght;
    $hash = crypt($link, "e5h8g7ghe58g7e5hg8e57he58h7j10jxd");
    return $hash;
}

function generate_salt($lenght) {
    $unique_random_string = md5(uniqid(mt_rand(), true));
    $base64_string = base64_encode($unique_random_string);
    $modified_base64_string = str_replace('+', '.', $base64_string);
    $salt = substr($modified_base64_string, 0, $lenght);
    return $salt;
}

function link_check($link, $existing_hash) {
    $hash = crypt($link, $existing_hash);
    if($hash === $existing_hash) {
        return true;
    } else {
        return false;
    }
}


articles.php
$get_article_id = link_encrypt($_GET['articleID']);

ryantroop is correct (as far as my limited knowledge goes) when he mentions that SSL is the way to go. Regardless of whether you use POST or GET, data is transmitted in plain text unless encrypted with an SSL.

The code you have above is very pointless, because the client web browser has already passed this information across to the PHP server in plaintext. All you are doing here is encrypting the data and checking it against a hash.

This is what you would do if you were storing passwords; however, because you are likely to need the unencrypted value of articleID, it is an exercise that doesn't offer any extra security.

As far as the PHP code you pasted goes, I imagine it is failing because your link_check function has flaws in it. In order to validate a hash against a given variable, you need to hash and salt it in the same way. However, you are hashing the link with the hash already generated: $hash = crypt($link, $existing_hash); whereas you need to hash it against an existing salt: $hash = crypt($link, $existing_salt); before comparing it against the original hashed value.

I should also point out that the value returned by generate_salt() isn't actually used in the link_encrypt() function.
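
Added example, not part of the thread: the replies note that articles.php needs the original articleID back, which a one-way crypt() hash cannot give. The sketch below makes a reversible, tamper-evident token with PHP's bundled sodium extension (PHP 7.2+); the function names and the per-run demo key are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers, not the asker's code. Authenticated encryption means
// the server can decrypt the token and will reject any token that was altered.

function article_token_encode(int $articleId, string $key): string
{
    // Fresh random nonce per token; it is not secret and travels with the token.
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box = sodium_crypto_secretbox((string) $articleId, $nonce, $key);
    return sodium_bin2base64($nonce . $box, SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
}

function article_token_decode(string $token, string $key): ?int
{
    try {
        $raw = sodium_base642bin($token, SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
    } catch (SodiumException $e) {
        return null; // not valid URL-safe base64
    }
    $overhead = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if (strlen($raw) <= $overhead) {
        return null; // too short to hold nonce + MAC + at least one digit
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($box, $nonce, $key);
    if ($plain === false || !ctype_digit($plain)) {
        return null; // modified token, wrong key, or non-numeric payload
    }
    return (int) $plain;
}

// Demo key generated per run (constructed for this example). A real site loads
// one fixed 32-byte key from server-side configuration so old links keep working.
$key = sodium_crypto_secretbox_keygen();

$token = article_token_encode(1, $key);
echo "articles.php?articleID={$token}\n";
var_dump(article_token_decode($token, $key));

// Changing a single character of the token makes decoding fail.
$tampered = $token;
$tampered[10] = ($tampered[10] === 'A') ? 'B' : 'A';
var_dump(article_token_decode($tampered, $key));
```

An opaque token only hides the ID and detects tampering; articles.php still has to check that the requester is allowed to read that article.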

@ryantroop I'm using this for opening a new page for reading news.
