
I encrypted the password and am now trying to show it in the URL, but in the URL I always get the actual password, which is: kimd

I guess I am not passing $encrypted_string in the URL. Please check my PHP script and let me know how I can pass $encrypted_string in the URL.

And whenever I call my form I get everything, details like: actual password, encrypted password and decrypted password.

For example:

Original upass : kimd

Encrypted upass : 5¾VªÜly.TÀîÈ¥MÜQüÑLøø‹y\ñU

Decrypted upass : kimd

legals.php:

<?php
.......................
// Create the initialization vector; its size is requested for the mode that is
// actually used below (CBC), not ECB.
$iv = mcrypt_create_iv(mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_CBC), MCRYPT_RAND);

// Encrypt $upass (the result is raw binary, not printable text)
$encrypted_string = mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $secret_key, $upass, MCRYPT_MODE_CBC, $iv);

// Decrypt with the same key and IV
$decrypted_string = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $secret_key, $encrypted_string, MCRYPT_MODE_CBC, $iv);
................................
?>

I just want to show the encrypted password in the URL, not the actual password. I have two fields in the legals table, namely uname and upass.

Where am I making a mistake? Please let me know.

Sun

3 Answers

Firstly, it's not good practice to send a password through GET parameters. It should always be sent through POST parameters:

 <form method="POST" id="contact_form" action="legals.php">

and you can retrieve them as:

$uname = $_POST['uname'];
$upass = $_POST['upass'];

But still, if you want to encrypt it in the URL only, use base64_encode() or md5() in your .php file.

Vivek Pratap Singh
  • I tried with md5() as well but did not get a solution. Can you show me where I have to make changes as per your idea? – Sun Aug 13 '14 at 06:02
  • Can you share your HTML code snippet? And why are you using GET parameters? Why not POST? – Vivek Pratap Singh Aug 13 '14 at 06:02
  • I posted my HTML script, please check above, and I have to use only GET parameters; that's the requirement, I don't know why. – Sun Aug 13 '14 at 06:12
  • Cool. Accordingly, I have updated my answer. Try this in your HTML and retrieve it in your PHP as mentioned in my answer, and everything will be perfect. :) – Vivek Pratap Singh Aug 13 '14 at 06:12
  • Bro, the problem is still there, I'm getting the actual password. I guess I am not passing $encrypted_string in the URL, please check my PHP script and let me know how I can pass $encrypted_string in the URL – Sun Aug 13 '14 at 06:15

I'm by no means a guru, but from the code you have posted, it appears your query "SELECT * FROM legals WHERE upass = '$upass'" is pulling the non-encrypted password from your database. Although you have echoed encrypted and decrypted strings, I don't see where you are using the encrypted string in any other way.

Ron Salmon

Here is your answer, assuming you can get $ukey and $secret_key!

<?php
// Note: the mcrypt extension was deprecated in PHP 7.1 and removed in PHP 7.2.
// Create the initialization vector, sized for the mode actually used (CBC).
$iv = mcrypt_create_iv(mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_CBC), MCRYPT_RAND);

// Encrypt $ukey (raw binary output; it must be encoded before it goes into HTML or a URL)
$encrypted_string = mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $secret_key, $ukey, MCRYPT_MODE_CBC, $iv);

// Decrypt with the same key and IV
$decrypted_string = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $secret_key, $encrypted_string, MCRYPT_MODE_CBC, $iv);
?>

<div align="center">
       <form method="get" id="contact_form" action="legal.php">
                 <p>Enter First Name</p>
                 <input type="text" name="fname" value="" />
                 <p>Enter Last Name</p>
                 <input type="text" name="lname" value="" />
                 <input type="hidden" name="uname" value="kim" /> <!-- uname could be dynamic here -->
                 <!-- base64 keeps the binary ciphertext intact in the attribute and in the query string -->
                 <input type="hidden" name="upass" value="<?php echo htmlspecialchars(base64_encode($encrypted_string)); ?>" /><br/>
                 <input type="submit" id="submit_btn" value="Submit" />
       </form>
</div>

On legal.php page:

$uname = isset($_GET['uname']) ? $_GET['uname'] : '';
// Undo the base64 encoding applied when the form was rendered; strict mode rejects malformed input
$upass = isset($_GET['upass']) ? (string) base64_decode($_GET['upass'], true) : '';
$con = mysqli_connect(" ", " ", " ", " ");

// Bind $upass as a parameter instead of interpolating it into the SQL string
$stmt = mysqli_prepare($con, "SELECT * FROM `legals` WHERE `upass` = ?");
mysqli_stmt_bind_param($stmt, "s", $upass);
mysqli_stmt_execute($stmt);
$row = mysqli_fetch_array(mysqli_stmt_get_result($stmt));

if (!$row) { echo "Username/Key Error"; }
mysqli_close($con);
Shaunak Shukla
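One way to do what answers 1 and 3 describe, as an added example that is not part of the question or any answer: the ciphertext bytes are base64url-encoded before they go into the hidden field, the IV travels with them so the receiving page can decrypt, and the lookup on legal.php uses a prepared statement. It uses openssl AES-256-CBC in place of mcrypt (a swapped-in cipher, since mcrypt is gone from current PHP) and assumes a 32-byte $secret_key shared by both pages plus the legals table from the question.

```php
<?php
// Added example, not code from the question or any answer: carry a
// ciphertext through a hidden field and a GET parameter without losing
// bytes. openssl AES-256-CBC stands in for the mcrypt calls on this page
// (mcrypt was removed in PHP 7.2); $secret_key is assumed to be 32 random
// bytes shared by both pages, and the legals table is assumed to exist.

// URL-safe base64 so the token survives the URL and an HTML attribute.
function b64url_encode(string $bytes): string {
    return rtrim(strtr(base64_encode($bytes), '+/', '-_'), '=');
}
function b64url_decode(string $text): ?string {
    $raw = base64_decode(strtr($text, '-_', '+/'), true);   // strict: reject junk
    return $raw === false ? null : $raw;
}

// Form page: fresh random IV per message, sent in front of the ciphertext
// so the receiving page can decrypt (an IV that is never transmitted is lost).
function encrypt_for_url(string $plaintext, string $secret_key): string {
    $iv = random_bytes(openssl_cipher_iv_length('aes-256-cbc'));
    $ct = openssl_encrypt($plaintext, 'aes-256-cbc', $secret_key, OPENSSL_RAW_DATA, $iv);
    return b64url_encode($iv . $ct);
}

// legal.php: split the IV off again, decrypt, return null on any defect.
// CBC alone does not detect tampering or replay of the token; it only
// keeps the value out of plain sight in logs and the address bar.
function decrypt_from_url(string $token, string $secret_key): ?string {
    $raw = b64url_decode($token);
    $ivlen = openssl_cipher_iv_length('aes-256-cbc');
    if ($raw === null || strlen($raw) <= $ivlen) {
        return null;                                   // malformed token
    }
    $pt = openssl_decrypt(substr($raw, $ivlen), 'aes-256-cbc', $secret_key,
                          OPENSSL_RAW_DATA, substr($raw, 0, $ivlen));
    return $pt === false ? null : $pt;
}

// Prepared statement: $upass is bound, never spliced into the SQL text.
function find_user(mysqli $con, string $upass): ?array {
    $stmt = $con->prepare('SELECT * FROM `legals` WHERE `upass` = ?');
    $stmt->bind_param('s', $upass);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    return $row ?: null;
}
```

On the form page the hidden input's value is htmlspecialchars(encrypt_for_url($upass, $secret_key)); on legal.php, decrypt_from_url($_GET['upass'] ?? '', $secret_key) returns the original value (or null for a malformed token) to hand to find_user().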