
I want to send some information in a URL, but how can I encrypt this in a safe way?

This is my URL, for example: http://www.domain.com/process/?var=1&variable=2

If a user knows the URL he can change the variables, and that's not the intention.

I must encrypt it, and decrypt it on the server, I think. But what is a good and safe way to do this?

Edit with more info

What I want to achieve is that my phone app (iOS in this case) communicates with my web app (which is the main one) by using an API. The URL could look like this: http://www.website.com/api/my_secret_key/get/users; it will respond with JSON. Also, values need to be set by the app, for example: http://www.website.com/api/my_secret_key/set/user/score/100

However, with the above URL adjusting values is easy BUT unwanted. How can this be done using a safe method?

Asked by da1lbi3 (edited by mazhar islam)
    If what you're sending is in anyway sensitive then passing it into the URL is an absolute last resort. Is `POST`ing the data out of the question? – Ankh Jun 03 '15 at 07:44
  • 1
    You could use `cURL` to send a `POST` request - http://curl.haxx.se/ – Juxhin Jun 03 '15 at 07:51
  • possible duplicate of [How to Encrypt the URL](http://stackoverflow.com/questions/9542610/how-to-encrypt-the-url) – mazhar islam Jun 03 '15 at 08:01
  • 1
    @juxhin Please see my edited post, When using Curl using that type of url for setting is safe and endusers can not adjust the POST value ? – da1lbi3 Jun 03 '15 at 08:28
  • Is `my_secret_key` user-specific (in which case it should be a secret and shouldn't go in the URL), or a magic key you supply to your app (in which case your security mode is based around trusting the client, which doesn't work at all)? – bobince Jun 03 '15 at 09:03
  • This was already answered here: http://stackoverflow.com/a/30166085/2224584 The use-case here is for cookies, but you can use it to obfuscate URLs too. – Scott Arciszewski Jun 03 '15 at 16:39

1 Answer (score: -2)

Warning: Insecure cryptography code follows. A better answer and solution already exists on StackOverflow.

<?php
/* The answer's mcrypt-based class. libmcrypt is deprecated since PHP 7.1 and removed
   in 7.2; ECB mode and the unauthenticated output are the flaws discussed in the comments. */
class encryption{
        private $config;

        public function __construct( $options=array() ){
            $this->config=array_merge(
                array(
                    'cipher'    =>  MCRYPT_RIJNDAEL_256,
                    'mode'      =>  MCRYPT_MODE_ECB,
                    'key'       =>  FALSE,
                    'iv'        =>  FALSE,
                    'size'      =>  FALSE,
                    'base64'    =>  TRUE,
                    'salt'      =>  FALSE
                ),
                $options
            );
        }
        /* Generates a fresh random IV on every call. ECB ignores the IV, which is the only
           reason encrypt() and decrypt() still round-trip with different IVs. */
        private function getivs( $config ){
            $config->size=mcrypt_get_iv_size( $config->cipher, $config->mode );
            $config->iv=mcrypt_create_iv( $config->size, MCRYPT_RAND );
        }
        /* Encrypts $data with the configured key and returns it base64-encoded by default. */
        public function encrypt( $data=NULL ){
            $config=(object)$this->config;
            $this->getivs( $config );
            $data=trim( $data );
            $module = mcrypt_module_open( $config->cipher, '', $config->mode, '' );
            mcrypt_generic_init( $module, $config->key, $config->iv );

            $output = $config->base64 ? base64_encode( mcrypt_generic( $module, $data ) ) : mcrypt_generic( $module, $data );

            mcrypt_generic_deinit( $module );
            mcrypt_module_close( $module );
            return $output;
        }
        /* Decrypts $data and strips the zero-byte padding mcrypt adds; there is no
           integrity check, so a tampered input decrypts to garbage rather than failing. */
        public function decrypt( $data=NULL ){
            $config=(object)$this->config;
            $this->getivs( $config );
            mb_detect_order( 'auto' );
            $encoding=mb_detect_encoding( $data );
            if( !$data or is_null( $data ) or empty( $data ) or !$encoding or $data=='' or base64_decode( $data )=='' ) return FALSE;

            $module = mcrypt_module_open( $config->cipher, '', $config->mode, '' );
            mcrypt_generic_init( $module, $config->key, $config->iv );

            $output = $config->base64 ? rtrim( mdecrypt_generic( $module, base64_decode( $data ) ),"\0" ) : rtrim( mdecrypt_generic( $module, $data ),"\0" );

            mcrypt_generic_deinit( $module );
            mcrypt_module_close( $module );
            return urldecode( $output );
        }
}//end class

/* Prepare data for transmission */
$enc=new encryption(array('key'=>'s0m3v3ryr4nd0mt3xt'));
$payload=$enc->encrypt('var1=value1&var2=value2&var3=value3');

/* base64 output contains '+', '/' and '=', so it must be URL-encoded before going into the query string */
$url='http://www.domain.com/process/?payload='.urlencode($payload);

/* to decrypt ($_GET is already URL-decoded by PHP) */
$payload=$_GET['payload'];
$decrypted=$enc->decrypt( $payload );

/* process querystring - explode, split whatever.. */
Answered by Professor Abronsius (edited by Scott Arciszewski)
  • Don't understand why so much `code` related to `iv` where the mode in the constructor is `MCRYPT_MODE_ECB`. – mazhar islam Jun 03 '15 at 08:21
  • Not sure why this was marked down - he asked for encryption / decryption of querystring parameters and that's what it does. – Professor Abronsius Jun 03 '15 at 08:51
  • I didn't downvote your answer, but I think the OP needs one party (Phone App) to encrypt the url and another party (Server) to decrypt it. OP edited the answer. – mazhar islam Jun 03 '15 at 08:56
  • the info about phone app wasn't in the question when I answered and I've yet to develop psychic abilities - but no bother.... – Professor Abronsius Jun 03 '15 at 08:57
  • This also suffers from pretty much all the problems mentioned in “If you're typing the letters A-E-S into your code, you're doing it wrong”. Avoid. (The thing with `mb_detect_encoding` is a brand new piece of bizarre, though. Congratulations!) – bobince Jun 03 '15 at 09:00
  • Please, please PLEASE do not encourage [unauthenticated encryption](https://paragonie.com/blog/2015/05/using-encryption-and-authentication-correctly). – Scott Arciszewski Jun 03 '15 at 16:38
  • The code contained in this SO answer is also a picture perfect example of [why you shouldn't use libmcrypt](https://paragonie.com/blog/2015/05/if-you-re-typing-word-mcrypt-into-your-code-you-re-doing-it-wrong). – Scott Arciszewski Jun 03 '15 at 16:51
  • well - I have learned a lot from these comments and must therefore thank the other contributors – Professor Abronsius Jun 04 '15 at 08:36
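The hardened counterpart to the answer's class, as an added example that is not part of the original question or answer: the query payload is encrypted and authenticated with libsodium's secretbox, so a token that has been edited in the URL is rejected outright instead of decrypting to garbage the server then acts on (the point of the unauthenticated-encryption and libmcrypt comments above). It assumes PHP 7.2+ with the sodium extension and a 32-byte key that stays on the server side; `seal_payload`, `open_payload` and the sample query are the example's own, and, as bobince's comment notes, a key shipped inside the phone app only stops casual URL editing, not a user who extracts the key from the app.

```php
<?php
// Encrypt and authenticate the query string; returns a URL-safe token.
function seal_payload(string $query, string $key): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);  // fresh per message
    $box   = sodium_crypto_secretbox($query, $nonce, $key);     // XSalsa20-Poly1305
    // The nonce travels with the ciphertext; base64url needs no urlencode() in a URL.
    return sodium_bin2base64($nonce . $box, SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
}

// Verify and decrypt; returns the parameters, or null if the token is tampered with or malformed.
function open_payload(string $token, string $key): ?array
{
    try {
        $raw = sodium_base642bin($token, SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
    } catch (SodiumException $e) {
        return null;                                            // not valid base64url
    }
    if (strlen($raw) < SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES) {
        return null;                                            // too short to hold nonce + tag
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $query = sodium_crypto_secretbox_open($box, $nonce, $key);  // false when the tag does not verify
    if ($query === false) {
        return null;
    }
    parse_str($query, $params);
    return $params;
}

// Demo with a constructed key; a real deployment loads it from server-side config.
$key   = sodium_crypto_secretbox_keygen();                      // 32 random bytes
$token = seal_payload('user=42&score=100', $key);
$url   = 'http://www.domain.com/process/?payload=' . $token;

// Server side: pull the token back out of the URL and open it.
parse_str((string) parse_url($url, PHP_URL_QUERY), $q);
if (open_payload($q['payload'], $key) !== ['user' => '42', 'score' => '100']) {
    throw new RuntimeException('round trip failed');
}

// Change one character inside the ciphertext part (the nonce occupies the first 32 chars).
$tampered = substr_replace($token, $token[40] === 'A' ? 'B' : 'A', 40, 1);
if (open_payload($tampered, $key) !== null) {
    throw new RuntimeException('tampering went undetected');
}
echo "round trip ok, tampered token rejected\n";
```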