I have a problem with my XOR encryption activation link. The XOR encryption activation link code works; it encrypts the last ID from the user. But when I test it via the mail, it produces a curious encryption: "30303030".

Example ID: 3445. When it is encrypted we have this: 54515c50

But if I click on the activation link in the e-mail I have "30303030" and not 54515c50.

I don't know how this encryption "30303030" gets created. I tested with another ID and I have the "30303030" encryption again.

I don't have any idea how to solve this.

Here is my code:

```php
<?php

// XOR "encryption": XOR each byte of $text with the key, repeating the key as needed
function x0rcrypt($text, $key) {
    if (strlen($key) == 0) {
        return '';
    }
    $result = '';
    $i = 0;
    while ($i < strlen($text)) {
        for ($j = 0; $j < strlen($key); $j++) {
            if ($i >= strlen($text)) {
                break;
            }
            // Text XOR Key
            $result .= $text[$i] ^ $key[$j];
            $i++;
        }
    }
    return $result;
}

// Hex to bin (built into PHP since 5.4, so only define it when it is missing)
if (!function_exists('hex2bin')) {
    function hex2bin($string) {
        return pack('H*', $string);
    }
}

// Encryption, returns hex
function x0rencrypt($text, $key) {
    return bin2hex(x0rcrypt($text, $key));
}

// Decode, takes hex
function x0rdecrypt($text, $schluessel) {
    return x0rcrypt(hex2bin($text), $schluessel);
}

// Example code:
$text = 'Blah Blubb';
$key = 'geheimesganzlangesultrakompliziertesPasswort';

// Encryption
#$text_encrypted = x0rencrypt($text, $key);
// Decode
#$text_decrypted = x0rdecrypt($text_encrypted, $key);

?>
```

And here is my activation link for the mail:

```php
$activlink = "<a href=\"http://" . $_SERVER['SERVER_NAME'] . "/release/"
    . rex_getUrl('82', '0', array('mode' => x0rencrypt($db->last_insert_id, $key)), '&amp;')
    . "\">Activation your Account</a>";
```
Dave-88
  • One problem I see with how you are doing this is that there is only one key and it is stored right in the code, so if anyone gets a hold of this key, they will be able to create many users very fast without having to verify them. Instead, I would just add another table to your DB with a **randomly generated** verification key (and make the user id unique) and then hash it using [password_hash](http://www.php.net/password_hash) for good measure. – Mike Aug 09 '13 at 21:18
  • Also, please do not add your signature to the end of your question – Mike Aug 09 '13 at 21:19
  • Hey Mike, can you give me example code? Only to understand your answer. – Dave-88 Aug 09 '13 at 21:24
  • For example, make another table with columns `user_id`, `verification_code`. When a user signs up, [generate the random string](http://stackoverflow.com/questions/4356289/) and store it in the database along with the user id. Then in the email, put that string. When the user clicks on the link, verify that an entry containing that random string exists in the DB. – Mike Aug 09 '13 at 21:33
  • You have shown us the encryption routine, which you have tested. So the problem probably exists in another part of your code. Note that your "encryption" is just four `0` characters in ASCII. – Maarten Bodewes Aug 10 '13 at 11:23
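
The scheme Mike describes in the comments (a random verification code per user, stored hashed with `password_hash` and checked when the link is clicked), as an added example that is not code from the question or from any commenter. The table, column and function names, the `uid`/`code` parameters and the in-memory SQLite database are assumptions; it needs PHP 7 or later with the PDO SQLite driver.

```php
<?php
// Added example: names are hypothetical, and an in-memory SQLite database
// stands in for the real one so the script runs on its own.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE verification (
    user_id INTEGER PRIMARY KEY,
    verification_hash TEXT NOT NULL
)');

// Create a random code for a new user, store only its hash, return the code.
function issueVerificationCode(PDO $db, int $userId): string {
    $code = bin2hex(random_bytes(16)); // 128 bits from the CSPRNG, hex encoded
    $stmt = $db->prepare(              // INSERT OR REPLACE is SQLite syntax
        'INSERT OR REPLACE INTO verification (user_id, verification_hash) VALUES (?, ?)'
    );
    $stmt->execute([$userId, password_hash($code, PASSWORD_DEFAULT)]);
    return $code;
}

// Check the values taken from the clicked link; each code is accepted once.
function verifyCode(PDO $db, $userId, $code): bool {
    $id = filter_var($userId, FILTER_VALIDATE_INT);
    if ($id === false || !is_string($code)) {
        return false;                  // malformed link parameters
    }
    $stmt = $db->prepare('SELECT verification_hash FROM verification WHERE user_id = ?');
    $stmt->execute([$id]);
    $hash = $stmt->fetchColumn();      // false when no code is pending for this user
    if ($hash === false || !password_verify($code, $hash)) {
        return false;
    }
    // Remove the row so the same link cannot activate the account twice.
    $db->prepare('DELETE FROM verification WHERE user_id = ?')->execute([$id]);
    return true;
}

$userId = 3445;                        // constructed sample ID
$code   = issueVerificationCode($db, $userId);
// Query string for the e-mail link; host and path are left to the application.
$query  = http_build_query(['uid' => $userId, 'code' => $code]);
echo "?{$query}\n";

parse_str($query, $params);            // what the activation page receives
var_dump(verifyCode($db, $params['uid'], str_repeat('0', 32))); // a guessed code
var_dump(verifyCode($db, $params['uid'], $params['code']));     // the code from the link
var_dump(verifyCode($db, $params['uid'], $params['code']));     // the same link clicked again
```

Because the link carries a value that exists only in the database row, knowing the source code or a user ID is not enough to build a valid activation link.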
