45

I have a PHP script that does basic encryption of a string through the method below:

<?php
$key = 'secretkey';
$string = $_GET['str'];

if ($_GET['method'] == "decrypt")
{
    $output = rtrim(mcrypt_decrypt(MCRYPT_RIJNDAEL_256, md5($key), base64_decode($string), MCRYPT_MODE_CBC, md5(md5($key))), "\0");
}

if ($_GET['method'] == "encrypt")
{
    $output= base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, md5($key), $string, MCRYPT_MODE_CBC, md5(md5($key))));
}

echo $output;
?>

An example of a URL to encrypt a string would look like this:

Encrypt.php?method=encrypt&str=the quick fox

Which would return this as the encrypted string:

LCuT/ieVa6cl3/4VtzE+jd9QPT3kvHYYJFqG6tY3P0Q=

Now to decrypt the string all you have to do is change the "method" query to "decrypt", like so:

Encrypt.php?method=decrypt&str=LCuT/ieVa6cl3/4VtzE+jd9QPT3kvHYYJFqG6tY3P0Q=

The only problem is that when that encrypted string is decrypted it returns this:

¬ƒ§rYV}̳5Äš·nßì(ñïX8Þ;b

I have narrowed down the problem to the plus sign that is in the encrypted string. PHP's GET method seems to translate a plus sign into a blank space. I have searched this bug and found out that it has already been filed here. I have tried different methods listed on that page and others with no success. The closest I got is by using this:

$fixedstring = str_replace(" ", "+", $string);

and then using $fixedstring in the encryption methods, the problem is, upon decryption, all blank spaces are converted to plus signs. Any ideas?

I know using POST would make more sense but I am using GET for specific reasons. I will spare the details.

user
  • 16,429
  • 28
  • 80
  • 97

6 Answers6

54

If you'll read the entirety of that bug report you'll see a reference to RFC 2396. Which states that + is reserved. PHP is correct in translating an unencoded + sign to a space.

You could use urlencode() the ciphertext when returning it to the user. Thus, when the user submits the ciphertext for decryption, you can urldecode() it. PHP will do this automatically for you if it comes in via the GET string as well.

Bottom line: The + must be submitted to PHP as the encoded value: %2B

hobodave
  • 28,925
  • 4
  • 72
  • 77
  • I know that's a simple answer but I'm sending via GET for a certain reason. – user Apr 20 '10 at 00:53
  • 3
    This is the correct answer to your problem. If you want to use a literal plus sign anywhere in a URL, regardless of the server-side language used, it MUST be encoded, such as by replacing it with "%2B". This is because plus signs in URLs are used as a stand in for space characters, and any server-side scripts will interpret them correctly as space characters. – thomasrutter Apr 20 '10 at 02:51
  • ah whoops I see this answer has been edited. Oh well, it's correct now. +1 – thomasrutter Apr 20 '10 at 02:52
  • WRONG. RFC 2396 was made obsolete by RFC 3986 in 2005, which states that query strings in uri's are composed of pchars, and pchars include all unreserved characters as well as the "sub delimiters" of which the "+" character is included. https://www.rfc-editor.org/rfc/rfc3986.txt see section 2.2 reserved characters section 3.3 path section 3.4 query – Noishe Oct 01 '18 at 17:58
15

I realize that this is an old question, but I was looking for a solution to a similar problem with + signs in a GET string. I stumble upon this page and thought I would share the solution I came up with.

<?php
$key = 'secretkey';
$string = $_GET['str'];

if ($_GET['method'] == "decrypt")
{
    $string = urlencode($string);
    $string = str_replace("+", "%2B",$string);
    $string = urldecode($string);
    $output = rtrim(mcrypt_decrypt(MCRYPT_RIJNDAEL_256, md5($key), base64_decode($string), MCRYPT_MODE_CBC, md5(md5($key))), "\0");
}

if ($_GET['method'] == "encrypt")
{
    $output= base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, md5($key), $string, MCRYPT_MODE_CBC, md5(md5($key))));
}

echo $output;
?>
Andrew
  • 395
  • 6
  • 18
  • 1
    Thanks! Seeing the code laid out helped me. I needed to preserve the plus character in the query variable for use in a script that passed the query variable in a header for an API request. Simply encoding, replacing + with %2B, and then decoding the variable does just that. – Raam Dev Feb 09 '14 at 21:54
10

none of the above answers worked for me, I fixed the "+" sign problem using 

rawurldecode()

and

 rawurlencode()
Alex Angelico
  • 3,710
  • 8
  • 31
  • 49
5

You should be using urlencode() before putting the encrypted string on the query string, which will "escape" any special characters (including +) and then call urldecode() before decrypting it, to revert them back to their original form.

Chad Birch
  • 73,098
  • 23
  • 151
  • 149
3

We ran into the same problem trying to pass a URL to a PHP script with a string variable containing the "+" symbol. We were able to make it work with;

encodeURIComponent([string])

EG:

var modelString = "SEACAT+PROFILER";
modelString = encodeURIComponent(modelString);
//"SEACAT%2BPROFILER"

The %2B passes the correct value to the PHP GET as @hobodave said, and we get back the right data set.

Hope this helps someone else who ran into something like this, and needed a slightly different take on the examples above.

delliottg
  • 3,950
  • 3
  • 38
  • 52
1

In my case the problem was that $_GET parameters were not decoding correctly when being used for a MYSQL query. So if you just need to pass the $_GET content to a mysql query then simply encode it (no need to decode anything) like this:

<a href='processor.php?name=".urlencode($str)."'>".$str."</a></td>
Robert Sinclair
  • 4,550
  • 2
  • 44
  • 46