Sometimes in my forms I find myself using hidden inputs that contain some values that the client does not need to know about. (In effect, even if he knows them it is not a big problem; however, I'd prefer that he doesn't ... and that's why I don't need very secure and complicated encryption stuff.)

Based on some answers here (especially this), I built the following class:

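```php
class Crypto
{
    const ENCRYPT_METHODE = "AES-256-CBC";
    // Used directly as the AES key: 32 ASCII characters = 32 bytes
    const SECRET_HASH     = "25c6c7ff35b9979b151f2136cd13b0ff";

    // Returns the IV kept in the session, creating it on first use.
    // Requires session_start(); every value encrypted in this session shares this one IV.
    private static function GetIV()
    {
        if (empty($_SESSION['crypto']['iv'])) {
            // openssl equivalents of the original mcrypt calls (mcrypt was removed in PHP 7.2)
            $iv_size                  = openssl_cipher_iv_length(self::ENCRYPT_METHODE);
            $_SESSION['crypto']['iv'] = random_bytes($iv_size);
        }
        return $_SESSION['crypto']['iv'];
    }

    // options = 0: the result is base64 text, which may contain '+', '/' and '='
    public static function Encrypt($value)
    {
        return openssl_encrypt($value,
            self::ENCRYPT_METHODE,
            self::SECRET_HASH,
            0,
            self::GetIV());
    }

    // Expects the base64 text produced by Encrypt(); returns false on failure
    public static function Decrypt($value)
    {
        return openssl_decrypt($value,
            self::ENCRYPT_METHODE,
            self::SECRET_HASH,
            0,
            self::GetIV());
    }
}
```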

... until now Crypto works well with hidden inputs, but sometimes it generates strings that need to be encoded before putting them in a URL.

So, how can I improve this class to do what I need?
Or is there another, better way to encrypt<=>decrypt strings?


EDIT
Instead of trying to generate a valid URL string value (directly with openssl_decrypt), it looks like adding urlencode / urldecode to the methods will work just fine, and this is what the Crypto methods will look like:

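```php
class Crypto{

     // ...

    public static function Encrypt($value){
        $encrypted = openssl_encrypt($value,
                               self::ENCRYPT_METHODE,
                               self::SECRET_HASH,
                               0,
                               self::GetIV());

        // Percent-encode the base64 characters '+', '/' and '=' for use in a URL
        return urlencode($encrypted);
    }

    public static function Decrypt($value){
        // Note: PHP has already URL-decoded values read from $_GET, so decoding
        // such a value again here turns '+' into a space and decryption fails
        $value = urldecode($value);
        return openssl_decrypt($value,
                               self::ENCRYPT_METHODE,
                               self::SECRET_HASH,
                               0,
                               self::GetIV());
    }
}
```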

I think that this way it will work fine everywhere, thanks to this answer.

Az.Youness
  • Can you show us how you're putting these values onto a URL? – Tom Feb 16 '17 at 10:46
  • @thebluefox that's how http://website.com/noof.php?xvalue=enctyptedString !! – Az.Youness Feb 16 '17 at 10:49
  • I'm trying to see how you're using the methods in your class in your HTML. I know what a URL looks like. – Tom Feb 16 '17 at 10:50
  • If you just want to hide the value from "generic" users that don't have that much knowledge, simply use `base64_encode()`. If you need stronger encryption, you are on a very good way. Watch out for deprecated functions and outdated versions of openssl. When trying tutorials about encryption/openssl, find them from 2016/2017, older stuff may use bad practice. – Daniel W. Feb 16 '17 at 12:14
  • DanFromGermany thanks, `base64_encode` looks like enough to do what I need, and I found another way to make it work for URLs: http://php.net/manual/en/function.base64-encode.php#103849 – Az.Youness Feb 16 '17 at 14:05

1 Answer

You could use url_encode() to make sure every char can be passed in a URL, and urldecode() to get the chars back.

Ad5001
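
Added example (not part of the question or the answer above, and not the asker's class): a variant for values that travel through hidden inputs or URLs, using the same AES-256-CBC cipher but with a fresh IV per message carried inside the token, URL-safe base64 so no `urlencode()` step is needed, and an HMAC so a token edited by the client is rejected instead of decrypted. This goes beyond the original class by adding the integrity check. The class name `UrlSafeCrypto`, the two separate keys and the sample value are assumptions made for the illustration.

```php
<?php
// Added example. Class name, keys and sample value are constructed for illustration.
final class UrlSafeCrypto
{
    private const CIPHER  = 'aes-256-cbc';
    private const IV_LEN  = 16; // AES block size
    private const MAC_LEN = 32; // raw HMAC-SHA256 length

    // base64url: '+' and '/' become '-' and '_', padding is dropped.
    private static function b64urlEncode(string $bin): string
    {
        return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
    }

    private static function b64urlDecode(string $txt)
    {
        $txt = strtr($txt, '-_', '+/');
        return base64_decode($txt . str_repeat('=', (4 - strlen($txt) % 4) % 4), true);
    }

    public static function encrypt(string $plain, string $encKey, string $macKey): string
    {
        $iv  = random_bytes(self::IV_LEN); // fresh IV for every message
        $ct  = openssl_encrypt($plain, self::CIPHER, $encKey, OPENSSL_RAW_DATA, $iv);
        $mac = hash_hmac('sha256', $iv . $ct, $macKey, true); // encrypt-then-MAC
        return self::b64urlEncode($iv . $ct . $mac);
    }

    // Returns the plaintext, or false if the token is malformed or was modified.
    public static function decrypt(string $token, string $encKey, string $macKey)
    {
        $raw = self::b64urlDecode($token);
        if ($raw === false || strlen($raw) < self::IV_LEN * 2 + self::MAC_LEN) {
            return false;
        }
        $body = substr($raw, 0, -self::MAC_LEN);
        $mac  = substr($raw, -self::MAC_LEN);
        if (!hash_equals(hash_hmac('sha256', $body, $macKey, true), $mac)) {
            return false;
        }
        $iv = substr($body, 0, self::IV_LEN);
        return openssl_decrypt(substr($body, self::IV_LEN), self::CIPHER, $encKey, OPENSSL_RAW_DATA, $iv);
    }
}

$encKey = random_bytes(32); // demo keys; real ones live in server-side config
$macKey = random_bytes(32);
$token  = UrlSafeCrypto::encrypt('order_id=1842', $encKey, $macKey);
var_dump($token, UrlSafeCrypto::decrypt($token, $encKey, $macKey));
var_dump(UrlSafeCrypto::decrypt(($token[0] === 'A' ? 'B' : 'A') . substr($token, 1), $encKey, $macKey)); // altered token
```

Because the IV is part of the token, decryption does not depend on session state, so a link still decrypts after the session that created it has ended.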