I am using the following technique to encrypt/decrypt a password:

$key = 'abcd';
$password = 'password';

// md5($key) yields a 32-character key and md5(md5($key)) a 32-character IV,
// matching the 32-byte key and block size of MCRYPT_RIJNDAEL_256 in CBC mode
$encrypted_password = base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, md5($key), $password, MCRYPT_MODE_CBC, md5(md5($key))));

// reverse the steps; rtrim() strips the zero-byte padding mcrypt adds
$decrypted_password = rtrim(mcrypt_decrypt(MCRYPT_RIJNDAEL_256, md5($key), base64_decode($encrypted_password), MCRYPT_MODE_CBC, md5(md5($key))), "\0");

The above code is working for me on the same page.

But when I pass this encrypted password in the URL to another webpage, something like:

example.com/authenticate.php?pass=CuESFcvXHnQkZaY79WUL3U2aY9TROkjZFETk9Ur+iFY=

Then it is not decrypted back to its original form using the same key, and I get garbage data as the result.

I think it is something like a URL encoding/decoding problem?

Is there any way to solve this?

Thanks

Owais Iqbal
  • Why are you passing passwords in the URL to begin with? Can't you use sessions or opaque tokens? – deceze Jul 12 '12 at 14:22
  • This seems like an overkill. Any reason why you are not hashing the password instead? You should not even need a reversible algorithm for passwords. In fact, you should avoid trying to come up with your own password encrypting/hashing scheme... – Mahn Jul 12 '12 at 14:23
  • because my mobile project is separate and my web application is a separate project, so that's why I am using this thing to log in to the website from my mobile site.. and any other alternative solution to log in to the web project from the mobile site.. – Owais Iqbal Jul 12 '12 at 14:25
  • But you do the password handling server side, it should not matter where you access the site. – Mahn Jul 12 '12 at 14:27
  • The *appropriate* way would be an OAuth or OpenID-like token-based login system, if simple cookies/sessions don't cut it. Of course, that's a lot more complex too... – deceze Jul 12 '12 at 14:27

2 Answers

+ in the URL represents a space. If you want to pass arbitrary data in the URL, especially data that may contain special characters, urlencode it before putting it in the URL.

deceze

Your guess is right:

you should urlencode the pass parameter before attaching it to the querystring.

urlencode($encrypted_password);

then urldecode before decrypting

urldecode($encrypted_password);

Happy coding!

mattimatti
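The following script, an added example and not code from the question or either answer, reproduces the "+" problem both answers describe and the urlencode() fix; the ciphertext is a constructed byte string standing in for the mcrypt output, so no mcrypt call is needed.

```php
<?php
// Illustrates why a raw base64 token breaks in a query string and why
// urlencode() repairs it. The "ciphertext" below is constructed sample data;
// no encryption is performed in this script.

// Returns the value PHP would place in $_GET['pass'] for a query string built
// with the token either raw or urlencode()'d. parse_str() applies the same
// decoding rules PHP uses for $_GET, including turning '+' into a space.
function receivedPass(string $token, bool $encode): string {
    $query = 'pass=' . ($encode ? urlencode($token) : $token);
    parse_str($query, $params);
    return $params['pass'] ?? '';
}

// Decodes a received token back to bytes. Non-strict base64_decode() silently
// drops characters outside the base64 alphabet (such as the injected space),
// which is why the unencoded case yields shifted garbage instead of an error.
function recoverBytes(string $received): string {
    return base64_decode($received);
}

// Constructed sample, chosen so that its base64 form contains '+' characters.
$ciphertext = "\xfb\xff\xbf\x00\x01";
$token = base64_encode($ciphertext);

foreach ([false, true] as $encode) {
    $received = receivedPass($token, $encode);
    $bytes = recoverBytes($received);
    printf("urlencode=%-3s sent=%s received=%s intact=%s\n",
        $encode ? 'yes' : 'no',
        $token,
        $received,
        $bytes === $ciphertext ? 'yes' : 'no');
}
```

PHP has already decoded the query string by the time it fills $_GET, so calling urldecode() on $_GET['pass'] a second time would turn the '+' characters of the token back into spaces.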