-1

I have something that I want to encrypt and pass via GET in the URL. The value that I want to encrypt is something like '019230132_15/10/2012' (a number with an underline followed by a date in Brazilian format). When I encrypt this value I get something like 'cMZns2q7U2vgD9t+zufUeKextc/WyuFB4WyVMQ=', but passing this via GET in the URL is giving me problems because the browser thinks that the '/' in the middle of the value is a directory separator. My encryption algorithm is something like:

```php
base64_encode(
    mcrypt_encrypt(
        MCRYPT_RIJNDAEL_256,
        md5(self::ENCRYPT_SALT),
        $value,
        MCRYPT_MODE_CBC,
        md5(md5(self::ENCRYPT_SALT))
    )
);
```

I don't even wanna know why this is happening, I just want some way that I can encrypt and decrypt a value. It doesn't have to be the securest way that has ever existed, because the information that I am giving is not worth the trouble of hacking it.

EDIT1: Using the PHP function urlencode is not working. I get an error 404 because urlencode transforms '/' into '%2F'. I think it is worth mentioning that I use mod_rewrite on my Apache.

EDIT2: Managed to make urlencode work by using it twice, like urlencode(urlencode($value)), and decoding twice as well to get the original value.

Murilo
  • 1
    1) AES 256 needs a **256 bit key**. `md5(self::ENCRYPT_SALT)` only provides you with 128 bits - you just crippled your security. 2) IVs should be completely random and not be re-used. `md5(md5(self::ENCRYPT_SALT))` is neither random nor unique (unless you are varying the key per encryption - in which case see point 1 again). I don't care if you don't care, I don't want anyone else seeing this and thinking what you did is correct. – Leigh Nov 30 '12 at 19:21
  • @Leigh I actually got this algorithm here on Stack Overflow, you can see it here: http://stackoverflow.com/questions/1289061/best-way-to-use-php-to-encrypt-and-decrypt – Murilo Nov 30 '12 at 19:30
  • 1
    @Leigh has a good point, and it looks like his assumption of people seeing and using insecure code is true, as the above comment proves. =o\ – kittycat Nov 30 '12 at 19:31
  • Well I also need to correct myself: `md5($value, true)` with the final parameter set to `true` would only be giving 128 bits. What md5 does do, though, is limit your key to a hex charset, which is still bad. – Leigh Nov 30 '12 at 19:32

1 Answer

2

If you are creating the value in PHP (i.e., passing the link from PHP to the browser in something like an `a` tag), use PHP's urlencode first.

However, if you are using JavaScript, use JavaScript's escape functions, particularly encodeURIComponent.

cegfault
  • Actually managed to work, using the function again like urlencode(urlencode($value)) and decoding twice as well to get the original value – Murilo Dec 04 '12 at 13:58
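
An added example, not part of the original question, answer or comments: instead of double `urlencode`, the token can use the URL-safe base64 alphabet so it never contains `/` or `+`, combined with a full 32-byte key and a fresh random nonce per message as the comments under the question ask for. It swaps mcrypt/CBC for AES-256-GCM through the openssl extension (PHP 7.1+ assumed); the function names are illustrative.

```php
<?php
// Added example; function names are illustrative, not from the original post.

function base64url_encode(string $bin): string
{
    // '+' -> '-', '/' -> '_', no '=' padding: nothing left for urlencode(),
    // mod_rewrite or the browser to reinterpret.
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

function base64url_decode(string $text)
{
    if (!preg_match('/^[A-Za-z0-9_-]+$/', $text)) {
        return false;                                // reject foreign characters
    }
    $padded = $text . str_repeat('=', (4 - strlen($text) % 4) % 4);
    return base64_decode(strtr($padded, '-_', '+/'), true);
}

function encrypt_for_url(string $plain, string $key): string
{
    $nonce = random_bytes(12);                       // fresh for every message
    $ct = openssl_encrypt($plain, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $nonce, $tag);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return base64url_encode($nonce . $tag . $ct);    // 12 + 16 + n bytes
}

function decrypt_from_url(string $token, string $key): ?string
{
    $raw = base64url_decode($token);
    if ($raw === false || strlen($raw) <= 28) {
        return null;                                 // malformed or truncated
    }
    $pt = openssl_decrypt(substr($raw, 28), 'aes-256-gcm', $key,
        OPENSSL_RAW_DATA, substr($raw, 0, 12), substr($raw, 12, 16));
    return $pt === false ? null : $pt;               // null when the tag check fails
}

// Demo with constructed values: a throwaway key and the sample value from the question.
$key   = random_bytes(32);                           // real key: generate once, store outside the code
$token = encrypt_for_url('019230132_15/10/2012', $key);
echo $token, "\n";
var_dump(decrypt_from_url($token, $key));
$tampered = $token;
$tampered[20] = ($token[20] === 'A') ? 'B' : 'A';    // change one character of the token
var_dump(decrypt_from_url($tampered, $key));
```

Because the GCM tag is verified on decryption, a token that was edited in the address bar comes back as `null` instead of as garbage plaintext.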