
With regards to "Best way to use PHP to encrypt and decrypt passwords?"

I encountered problems passing encrypted strings to another page.

In my case, I would like to send out a registration link to the user such as

www.xyz.com/reg.php?x=xxxxxxxxxxx

in which xxxxxxx contains the email address and the user's full name information in an encrypted serialized array as a string.

However, when the user clicks the link, the decrypted string is different from the original string before encryption.

Sometimes the information is partially decrypted and the rest is garbage.

Can anyone explain why this is happening?

Thanks in advance.

Community
Melvin
  • Instead of all of the information, you should pass a token along that maps back to the information in your database. – Corbin May 18 '12 at 08:06

3 Answers


You are using URL-unsafe characters, like + (from base64). You need to urlencode() / urldecode() your parameter.

jimpic
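The round trip jimpic describes, as an added example (not code from the question or from jimpic's answer): a serialized array is encrypted with an authenticated cipher, base64-encoded, and placed in a query string once without and once with rawurlencode(), and both are run through the same query-string decoding that populates $_GET. The key is constructed for the demo; a real application would load a persistent secret from configuration.

```php
<?php
// Added example: why base64 ciphertext breaks in a query string and how
// rawurlencode() fixes it. The key below is constructed for the demo only.
declare(strict_types=1);

const CIPHER  = 'aes-256-gcm';  // authenticated: corrupted input fails closed instead of yielding garbage
const TAG_LEN = 16;

// Serialize and encrypt; returns raw bytes laid out as IV || tag || ciphertext.
function sealBlob(array $data, string $key): string {
    $iv  = random_bytes(openssl_cipher_iv_length(CIPHER));
    $tag = '';
    $ct  = openssl_encrypt(serialize($data), CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return $iv . $tag . $ct;
}

// Decrypt and unserialize; null on any truncation, corruption or tampering.
function openBlob(string $blob, string $key): ?array {
    $ivLen = openssl_cipher_iv_length(CIPHER);
    if (strlen($blob) < $ivLen + TAG_LEN) {
        return null;
    }
    $iv  = substr($blob, 0, $ivLen);
    $tag = substr($blob, $ivLen, TAG_LEN);
    $ct  = substr($blob, $ivLen + TAG_LEN);
    $pt  = openssl_decrypt($ct, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($pt === false) {
        return null;                        // GCM tag mismatch
    }
    $data = unserialize($pt, ['allowed_classes' => false]);
    return is_array($data) ? $data : null;
}

// What reg.php finds in $_GET['x']: parse_str() applies the same decoding
// PHP uses for the query string, including turning '+' into a space.
function receivedParam(string $url): string {
    parse_str((string) parse_url($url, PHP_URL_QUERY), $query);
    return $query['x'] ?? '';
}

$key  = random_bytes(32);
$data = ['email' => 'alice@example.com', 'name' => 'Alice Example'];

// Pick a blob whose base64 form actually contains '+', so the failure is visible.
do {
    $blob = sealBlob($data, $key);
    $b64  = base64_encode($blob);
} while (strpos($b64, '+') === false);

// Naive link: '+' arrives as a space, so base64_decode() no longer sees the
// bytes that were sent and the authenticated decryption rejects the result.
$naiveUrl = 'https://www.xyz.com/reg.php?x=' . $b64;
$naive = openBlob((string) base64_decode(receivedParam($naiveUrl), true), $key);
var_dump($naive);       // mangled input is rejected rather than partially decrypted

// Correct link: percent-encode the base64 so every character survives the trip.
$safeUrl = 'https://www.xyz.com/reg.php?x=' . rawurlencode($b64);
$safe = openBlob((string) base64_decode(receivedParam($safeUrl), true), $key);
var_dump($safe);        // the original array
```

Two points worth noting. First, the "partially decrypted, rest is garbage" symptom in the question is what an unauthenticated mode such as CBC produces when a few bytes of the ciphertext are altered in transit; an AEAD mode like AES-GCM detects the alteration and returns false, which is the behaviour you want on a public-facing link. Second, percent-encoding is one fix; the other common one is a URL-safe base64 alphabet (strtr the '+' and '/' to '-' and '_' and drop the '=' padding), which avoids the problem without a decoding step on the receiving page.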

Personal information should not be passed in the URL at all; there are hash functions and other methods that are more secure. The scenario you described is wrong; try seeking security standards on the correct way of passing URL parameters.

Also, there are a lot of vulnerabilities connected with passing URL parameters, like parameter pollution.

badc0re
  • Right now I want to send a link which auto-populates the email address and recipient's name textboxes on the user's side. After that, the user just clicks register and send. My first idea was that I insert those email address and full name into the database and assign a token which maps, just as you said. However, I was trying the lazy method and I wasn't aware that passing the email address (even though encrypted) is not the correct practice. Anyway, thanks for your advice – Melvin May 18 '12 at 08:13
  • But you said: "in which xxxxxxx contains email address and user's full name information in an encrypted serialized array as string." – badc0re May 18 '12 at 08:14
  • I did. Once I serialized the array, I encrypt it. However, as jimpic said, I didn't use urlencode and may have unsafe characters in the encrypted string, which causes problems. This may explain why maybe 1 out of 20 encrypted strings can be decrypted and the rest fail. – Melvin May 18 '12 at 08:18

I think you should create a field in the database like act_key. When you generate a URL like (www.xyz.com/reg.php?x=xxxxxxxxxxx), you can generate a random string with numerics and also store this in the act_key field. Okay?

When the user clicks on the activation link, first you check and match this act_key. If it matches or is found, then you get the email id or other details and process the next step.

Cake PHP
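The token approach from Corbin's comment and this answer, as an added example (not code from the answer or from any project): the link carries only a random act_key, the email and name stay in the database, and reg.php looks the record up by the key. It uses an in-memory SQLite database so it runs stand-alone; the table and column names (pending_registration, act_key_hash) and the one-day lifetime are assumptions for the demo.

```php
<?php
// Added example: a registration link that carries only a random token.
// Table and column names are assumed for the demo; storage is in-memory SQLite.
declare(strict_types=1);

const TOKEN_TTL_SECONDS = 86400;   // assumed: link valid for one day

function setupSchema(PDO $db): void {
    $db->exec('CREATE TABLE pending_registration (
        id           INTEGER PRIMARY KEY,
        email        TEXT    NOT NULL,
        full_name    TEXT    NOT NULL,
        act_key_hash TEXT    NOT NULL UNIQUE,
        expires_at   INTEGER NOT NULL,
        used_at      INTEGER
    )');
}

// Store the pending record and return the URL to e-mail. Only a hash of the
// token is kept, so a leaked table dump does not yield working links.
function createActivationLink(PDO $db, string $email, string $fullName, string $baseUrl): string {
    $token = bin2hex(random_bytes(32));            // 256 bits from the CSPRNG; hex is URL-safe as-is
    $stmt  = $db->prepare('INSERT INTO pending_registration (email, full_name, act_key_hash, expires_at)
                           VALUES (:email, :name, :hash, :exp)');
    $stmt->execute([
        ':email' => $email,
        ':name'  => $fullName,
        ':hash'  => hash('sha256', $token),
        ':exp'   => time() + TOKEN_TTL_SECONDS,
    ]);
    return $baseUrl . '?x=' . $token;
}

// reg.php side: find the record by the token's hash, enforce expiry and single
// use, and return the details used to pre-fill the form. Null for any bad token.
function redeemActivationToken(PDO $db, string $token): ?array {
    if (!preg_match('/^[0-9a-f]{64}$/', $token)) {
        return null;                               // reject malformed input before touching the DB
    }
    $db->beginTransaction();
    $stmt = $db->prepare('SELECT id, email, full_name, expires_at, used_at
                          FROM pending_registration WHERE act_key_hash = :hash');
    $stmt->execute([':hash' => hash('sha256', $token)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || $row['used_at'] !== null || (int) $row['expires_at'] < time()) {
        $db->rollBack();
        return null;
    }
    $upd = $db->prepare('UPDATE pending_registration SET used_at = :now
                         WHERE id = :id AND used_at IS NULL');
    $upd->execute([':now' => time(), ':id' => $row['id']]);
    if ($upd->rowCount() !== 1) {                  // lost a race with a concurrent redeem
        $db->rollBack();
        return null;
    }
    $db->commit();
    return ['email' => $row['email'], 'full_name' => $row['full_name']];
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
setupSchema($db);

$url = createActivationLink($db, 'alice@example.com', 'Alice Example', 'https://www.xyz.com/reg.php');
parse_str((string) parse_url($url, PHP_URL_QUERY), $query);

var_dump(redeemActivationToken($db, $query['x']));         // first use: the stored email and name
var_dump(redeemActivationToken($db, $query['x']));         // second use: rejected, token already consumed
var_dump(redeemActivationToken($db, str_repeat('0', 64))); // unknown token: rejected
```

Because the link only identifies a row, nothing personal is exposed if the URL is logged by a proxy, shared, or left in browser history, and revoking a link is a database update rather than a key rotation. The token is looked up through its SHA-256 hash, so no timing-sensitive string comparison happens in PHP, and the regular-expression check keeps malformed input out of the query entirely.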