
I'm trying to find out if there is a way to obfuscate the PHP output (html stuff).

Basically, I have a few hidden inputs and they have some PHP outputs in them...

Example:

```html
<input type="hidden" name="myinput" value="<?php echo $variable; ?>" />
```

Is there any way to obfuscate its value in the user's browser but still keep it readable server side so I can pass the input value between pages?

Any suggestions and help would be appreciated.

EDIT: I did it like this:

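```php
<?php
// Note: ext/mcrypt was deprecated in PHP 7.1 and removed in PHP 7.2.
$string = "my string to be be encrypted goes here";
$secret_key = "This is my secret key";

// mcrypt only accepts 16-, 24- or 32-byte keys, so derive a 32-byte key from the passphrase.
$key = hash('sha256', $secret_key, true);

// Create the initialization vector for added security.
// The IV size is queried for the mode actually used (CBC) and filled from a strong random source.
$iv = mcrypt_create_iv(mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_CBC), MCRYPT_DEV_URANDOM);

// Encrypt $string
$encrypted_string = mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, $string, MCRYPT_MODE_CBC, $iv);

// Decrypt $string (mcrypt pads the last block with NUL bytes, so strip them)
$decrypted_string = rtrim(mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, $encrypted_string, MCRYPT_MODE_CBC, $iv), "\0");

echo "Original string : " . $string . "<br />\n";
// The ciphertext is raw binary; base64-encode it before printing it into HTML.
echo "Encrypted string : " . base64_encode($encrypted_string) . "<br />\n";
echo "Decrypted string : " . $decrypted_string . "<br />\n";
```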
rooz
  • 2
    Why not encrypt the value on one page and decrypt on the other page? – Daan Apr 06 '16 at 07:53
  • @Daan, I did look into that and the only thing I came across was `md5()` which would make it impossible to `decrypt` it once it's been `encrypted`! Any suggestions? – rooz Apr 06 '16 at 07:55
  • 2
    `md5()` is a hashing function. Hashing isn't encryption. – Daan Apr 06 '16 at 07:59
  • You can use base64 encoding with any other cipher (md5 is a one-way algorithm). But why not use PHP sessions if both scripts are on the same machine? – DevilaN Apr 06 '16 at 08:01
  • @Daan, got ya... I think I've sorted it now with your suggestion. sweet. – rooz Apr 06 '16 at 08:02
  • @rooz Check [this question](https://stackoverflow.com/questions/10916284/how-to-encrypt-decrypt-data-in-php) for info on doing actual encryption in PHP – jDo Apr 06 '16 at 08:04
  • @jDo, cheers. I edited my question. – rooz Apr 06 '16 at 08:07
  • @RyanVincent, I don't think I need a class. Check out the code posted in my question. – rooz Apr 06 '16 at 08:10
  • Was just a comment that it works and is very effective. Wasn't saying you need a class :) – Ryan Vincent Apr 06 '16 at 08:12
  • @RyanVincent, okay mate. Thank you. – rooz Apr 06 '16 at 08:13
  • If you aren't wanting people to know the actual value, or tamper with it, why not store it in the session? – gabe3886 Apr 06 '16 at 08:19
  • @gabe3886, I am storing what I can in the `$_SESSION[''];`. However, what I'm trying to do is out of the scope of sessions, thus using hidden inputs. Anyway, with a bit of decryption and encryption, it works like a charm. – rooz Apr 06 '16 at 08:22
  • I have the impression that you are asking how to use a shoe to drive a nail because that's out of the scope of hammers... You cannot use sessions to e.g. share values between different computers or browsers, but regular forms can't either. – Álvaro González May 03 '16 at 07:41

1 Answer

1

Instead of returning the values as part of the form field, do not send them the data at all! Save the data to a database table and link it to the current user. Link the data with the user via any number of methods (user id, cookie, session, etc.). When the form is submitted, retrieve the secret and execute your business logic.

Side note: If you want the data to be secure you want to encrypt it, not hash, not encode; encrypt.

David J Eddy
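Where a value does have to travel through a hidden input, the "encrypt, not hash, not encode" point can be met with authenticated encryption, so the browser can neither read nor alter the value. The following is an added example, not code from the question or the answer; it assumes PHP 7.1+ with ext-openssl, and `seal_field()`, `open_field()` and the sample values are hypothetical names constructed for illustration.

```php
<?php
// Added example. Assumes PHP >= 7.1 with ext-openssl and a 32-byte key that never leaves the server.

/** Encrypt and authenticate a value for use in a hidden input. */
function seal_field(string $plaintext, string $key, string $fieldName): string
{
    $iv  = random_bytes(12);   // fresh 96-bit nonce for every sealed value
    $tag = '';
    // The field name is passed as associated data, binding the value to that input.
    $ct = openssl_encrypt($plaintext, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag, $fieldName);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return base64_encode($iv . $tag . $ct);
}

/** Return the original value, or null if the submitted string was altered or is malformed. */
function open_field(string $sealed, string $key, string $fieldName): ?string
{
    $raw = base64_decode($sealed, true);
    if ($raw === false || strlen($raw) < 28) {   // 12-byte nonce + 16-byte tag
        return null;
    }
    $iv  = substr($raw, 0, 12);
    $tag = substr($raw, 12, 16);
    $ct  = (string) substr($raw, 28);
    $pt  = openssl_decrypt($ct, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag, $fieldName);
    return $pt === false ? null : $pt;
}

// Constructed demo values. A real application loads one fixed key from server-side configuration.
$key    = random_bytes(32);
$sealed = seal_field('order-4711', $key, 'myinput');
echo '<input type="hidden" name="myinput" value="' . htmlspecialchars($sealed, ENT_QUOTES) . '" />', "\n";

// Round trip with the untouched value.
var_dump(open_field($sealed, $key, 'myinput'));

// One character of the submitted value changed (lands in the authentication tag).
$tampered = $sealed;
$tampered[20] = $tampered[20] === 'A' ? 'B' : 'A';
var_dump(open_field($tampered, $key, 'myinput'));

// Same sealed value submitted under a different field name.
var_dump(open_field($sealed, $key, 'otherinput'));
```

A sealed value can still be replayed unchanged by whoever received it; adding the session or user id to the associated data ties it to one user.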