-1

I'm working on an application and I'm stuck here.

I'm making a product delete page, where the id is passed in the URL so that I can search the database and select the particular record. Since passing the id naked is not a good idea, I'm encrypting the id in a hash and then passing it. But since the hash has some spaces in between, when I try to use it in my application, extra space characters are added in the hash to fill in the spaces.

Here's my encrypt function:

```php
function getHash($recordid)
{
    global $db;
    $key_value = "12466X@@";   // 8-byte DES key
    $plain_text = $recordid;
    // Returns raw binary ciphertext, not printable text
    $encrypted_text = mcrypt_ecb(MCRYPT_DES, $key_value, $plain_text, MCRYPT_ENCRYPT);
    return $encrypted_text;
}
```

Here's the output I get for $plain_text = 1 when I do not pass it in the URL and simply print it.

ÑÛo‡Ó‰-7

But if I pass it via URL, it gets converted to this:

%D1%DBo%87%D3%89-7

Therefore surely I wouldn't get the correct results when I decrypt it. Is there any way I can get the original value after decrypting it (1 in this example), or could I entirely use a different decrypt, encrypt function so that I get rid of this problem?

Thank you.

Ankur
  • Sorry, but shouldn't this action require authorization? Security by obscurity is rarely a good approach. – raina77ow Feb 19 '14 at 17:52
  • This would surely require authorization. The user needs to be logged in and I have a function which checks whether the product with the particular id is mapped in the user's account. But I also want to add another security layer by decrypting the id. – Ankur Feb 19 '14 at 17:53
  • You may use urlencode($encrypted_text) so it will convert to a forwardable encoding without breaking the actual value, then urldecode($encrypted_text) to get back your hash on the page :) [Test it here](http://meyerweb.com/eric/tools/dencoder/) – Ankit Pise Feb 19 '14 at 17:55
  • I think you're confused, a hash is one way. Encryption involves decryption. Your function name implies a hash will happen, but you encrypt the record id? Maybe you could clarify your code a bit, in fact, [take a look at this](http://stackoverflow.com/questions/4948322/fundamental-difference-between-hashing-and-encryption-algorithms). – Alex L Feb 19 '14 at 17:56

1 Answer

0

Since these are all 8-bit characters, when they get encoded, they're converted to their %XX hex representation. The web server does the reverse for you when it's in the query part of the URL, so you should be OK. Still, it's safer to base64-encode the encrypted string before making a URL of it, and base64-decode it when you get it back, so you need to deal with ASCII characters only.

Guntram Blohm
  • Could you possibly give an example? Or any links? – Ankur Feb 19 '14 at 17:54
  • See http://php.net/manual/en/function.base64-encode.php and http://php.net/manual/en/function.base64-decode.php. The result of base64_encode is always a "nice-looking" ASCII string. – Guntram Blohm Feb 19 '14 at 17:57
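
An added example (not part of the original answer or its comments) of the base64 approach suggested above. It uses the URL-safe base64 alphabet, because standard base64 can emit `+`, `/` and `=`, and a `+` in a query string is decoded as a space. The function names are hypothetical and the second sample value is constructed for illustration.

```php
<?php
// Added example; function names are hypothetical, not from the original post.

// Encode raw bytes with the URL-safe base64 alphabet (RFC 4648 section 5), no padding.
function base64url_encode(string $bytes): string
{
    return rtrim(strtr(base64_encode($bytes), '+/', '-_'), '=');
}

// Decode a base64url token; returns null for anything malformed.
function base64url_decode(string $token): ?string
{
    // Only the URL-safe alphabet is accepted; a length of 4n+1 can never be valid.
    if (!preg_match('/^[A-Za-z0-9_-]+$/', $token) || strlen($token) % 4 === 1) {
        return null;
    }
    $b64 = strtr($token, '-_', '+/');
    $b64 .= str_repeat('=', (4 - strlen($b64) % 4) % 4); // restore padding
    $bytes = base64_decode($b64, true);                  // strict mode
    return $bytes === false ? null : $bytes;
}

$samples = [
    'bytes from the question' => "\xD1\xDBo\x87\xD3\x89-7", // %D1%DBo%87%D3%89-7
    'constructed sample'      => "\xFB\xEF\xBE\xFF\xFF",     // base64 has '+' and '/'
];

foreach ($samples as $label => $raw) {
    $plain = base64_encode($raw);
    $safe  = base64url_encode($raw);

    // urldecode() mirrors the decoding PHP has already applied to $_GET values:
    // '+' becomes a space, so an unescaped standard-base64 token can arrive changed.
    $plainArrived = urldecode($plain);
    $safeArrived  = urldecode($safe);

    echo $label, "\n";
    printf("  base64    %-14s arrives unchanged: %s\n", $plain, var_export($plainArrived === $plain, true));
    printf("  base64url %-14s arrives unchanged: %s\n", $safe, var_export($safeArrived === $safe, true));
    printf("  decoded bytes match original: %s\n", var_export(base64url_decode($safeArrived) === $raw, true));
}
```

The receiving page would call `base64url_decode($_GET['id'])` and treat a `null` result as an invalid request before attempting decryption.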