8

I have a Laravel 5 web application for a business directory.

When I encrypt a value like

$cryptval = Crypt::encrypt(1);

result  =  eyJpdiI6IndhaFZFNlhIRDlURzdXanJVMEhBM0E9PSIsInZhbHVlIjoidWF3VzRFZDhyRHltUlwveDdyV0VVWnc9PSIsIm1hYyI6IjE5YjA2YWIyN2Q0MTBlYjdhNDJiNDE5ZjY2OGQ2MDA2NzQ3ZTA4ODc4NzY0ZTIwMjBiMzQxN2RjNmM5ZDg3ZjYifQ==

it gives a long string, about 250 in length.

Is there any way to limit the length of this string in laravel?

My client needs to add the URL with the encrypted value in a mail function, e.g.:

www.example.com/varify/eyJpdiI6IndhaFZFNlhIRDlURzdXanJVMEhBM0E9PSIsInZhbHVlIjoidWF3VzRFZDhyRHltUlwveDdyV0VVWnc9PSIsIm1hYyI6IjE5YjA2YWIyN2Q0MTBlYjdhNDJiNDE5ZjY2OGQ2MDA2NzQ3ZTA4ODc4NzY0ZTIwMjBiMzQxN2RjNmM5ZDg3ZjYifQ==

But the mail function only allows some length of URL :(

Vikash Pathak
Jishad P
  • The ```encrypt``` method only accepts a ```$value``` parameter, so there's no way to explicitly control the length of the hash. Why do you need it to be shorter? – Amo Oct 19 '15 at 09:38
  • What do you need crypting for? – fico7489 Oct 19 '15 at 09:38
  • Is encryption really what you need here? Perhaps you should be using some kind of token system instead? (hint: encrypted strings are not something you normally put into a URL) – Simba Oct 19 '15 at 12:07
  • Possible duplicate of [Hiding true database object ID in url's](http://stackoverflow.com/questions/32795998/hiding-true-database-object-id-in-urls) – Scott Arciszewski Oct 19 '15 at 17:06

3 Answers

1

One solution is to store the hashed values in a table, and then reference the hash by the auto-incrementing ID of the hash value.

| id | hash             | timestamp | random_key |
|----|------------------|-----------|------------|
| 1  | some-hash        | 125346164 | 21415      |
| 2  | some-other-hash  | 123513515 | 25151      |

So now, instead of using:

www.example.com/verify/some-hash

You can use:

www.example.com/verify/1

The id should really be obfuscated, and not used just as an integer - which is where the timestamp and random_key can help.

```php
$id = 1;
$timestamp = 125346164;
$randomKey = 21415;

$key = base64_encode($timestamp . $randomKey . $id);

echo 'http://www.domain.com/verify/' . $key;

// http://www.domain.com/verify/MTI1MzQ2MTY0MjE0MTUx
```

All that being said, my recommendation would be to try to work around the limitation put in place by the e-mail delivery platform, as URLs can support an address length of around 2000 characters. The example you gave only had a length of 32 and falls well within the lengths acceptable by any modern browser.

Edit: Just generate a uuid using a package like this rather than trying to create your own random id. This will produce a string such as d3d29d70-1d25-11e3-8591-034165a3a613.

Amo
  • 1
    This would make it extremely easy for someone to guess thus making the hash redundant. – Ian Brindley Oct 19 '15 at 10:45
  • Agreed it's not perfect in the example's format. It needs obfuscating further to be useful which could be done by appending a timestamp to the ```id```. Will update the example. – Amo Oct 19 '15 at 10:52
  • Base64-encoding a number as obfuscation would be to a programmer like ... I don't know. Write cleartext? Everyone knows about base64-encoding, the resulting character set and the == gives it away big-time. – sisve Oct 19 '15 at 10:54
  • The question I'm answering isn't really about obfuscating, it's about shortening a string. My answer achieves that. We've no context as to the importance of the hash (the OP's original example is simply hashing a value of ```1```). Laravel's encrypt is also doing a base64_encode on the encrypted value. I simply added some obfuscation as Ian's point of guessing the ```id``` is perfectly valid. – Amo Oct 19 '15 at 10:56
  • Totally agree with you @Amo, it does seem like the OP may be a little out of his/her depth with all being considered... OP, Google it :) – Ian Brindley Oct 19 '15 at 11:00
  • 1
    Don't use a hash (they're brute forceable), don't encrypt. Use a separate unique value. https://paragonie.com/blog/2015/09/comprehensive-guide-url-parameter-encryption-in-php – Scott Arciszewski Oct 20 '15 at 15:58
  • Again, the question was about shortening a string, not about security. Perhaps my answer should reflect something simpler (albeit not much shorter) such as a UUID. – Amo Oct 20 '15 at 16:51
  • "the question was about shortening a string, not about security". Yes, and the only way to shorten the ciphertext is to remove the security to the point that you might as well not encrypt in the first place. If you want a short, unique, pseudorandom identifier, just add a column to your table. – Scott Arciszewski Oct 20 '15 at 18:28
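
The approach the comments above converge on (a separate random value stored in its own column), as an added example that is not part of the original answers or comments. It assumes PHP 7+; `b64url`, `issueToken`, `redeemToken` and the in-memory `$table` standing in for a database table are hypothetical names, and the timestamp is constructed.

```php
<?php
declare(strict_types=1);

// The key from the answer is only an encoding: anyone can reverse it.
$key = base64_encode('125346164' . '21415' . '1');
echo base64_decode($key), PHP_EOL;   // timestamp, random key and id in the clear

/** URL-safe base64 without padding. */
function b64url(string $bytes): string
{
    return rtrim(strtr(base64_encode($bytes), '+/', '-_'), '=');
}

/**
 * Issue a random token for $userId. Only its SHA-256 digest is stored,
 * so a leaked table does not contain usable links.
 * $table is a stand-in for a database table (hypothetical schema).
 */
function issueToken(array &$table, int $userId, int $now, int $ttl = 86400): string
{
    $token = b64url(random_bytes(16));   // 128 bits from the CSPRNG, 22 characters
    $table[hash('sha256', $token)] = ['user_id' => $userId, 'expires' => $now + $ttl];
    return $token;
}

/** Return the user id for a valid token and consume it, or null. */
function redeemToken(array &$table, string $token, int $now): ?int
{
    $digest = hash('sha256', $token);
    if (!isset($table[$digest])) {
        return null;                     // unknown token, or already used
    }
    $row = $table[$digest];
    unset($table[$digest]);              // single use, even when expired
    return $row['expires'] >= $now ? $row['user_id'] : null;
}

$table = [];
$now   = 1445245080;                     // constructed timestamp
$token = issueToken($table, 1, $now);
echo 'https://www.example.com/verify/' . $token, PHP_EOL;

var_dump(strlen($token));                                       // token length
var_dump(redeemToken($table, $token, $now + 60));               // first use
var_dump(redeemToken($table, $token, $now + 120));              // replay of the same link
var_dump(redeemToken($table, b64url(random_bytes(16)), $now));  // a guessed token
```

The token carries no information about the row it points to, so its length is set by the number of random bytes rather than by the size of a ciphertext envelope.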
1

I just faced the same problem. I simply added a column 'hash' in my database table. Then I filled it with an md5(encrypt($model->id)).

The md5 value is much shorter, and because it also uses Laravel's crypt, it can't be guessed.

vesperknight
  • This doesn't make any sense. Yeah, it's shorter, but you can't decrypt it; you're just hashing it, and there are functions for hashing. You don't need to encrypt it then hash it; this is just plain redundant if not wrong. – Steve Moretz Jul 25 '23 at 09:52
1

I think you don't need to store anything in the database; that is hard work. In my case I use base64_encode in Blade and base64_decode in the controller to show the real value to the method and continue the process.