Encrypt a query string parameter from PHP to IIS

Question

I am calling an iFrame from my PHP application with a query string:

<iframe src="https://www.example.com?account=12345"></iframe>

I need to encrypt the account parameter so that anyone viewing the source can not edit it and see private data. Something Like:

<iframe src="https://www.example.com?account=%5gbf&$yhbgvb7943"></iframe>

The www.example.com is on an IIS server (the devs are willing to work with me to decrypt their end).

What is the best way to perform this? I was thinking using open_ssl. Or would that be overkill?

Thanks

See this, simple way to encrypt and decrypt string, https://stackoverflow.com/questions/1289061/best-way-to-use-php-to-encrypt-and-decrypt-passwords — Labradorcode, Nov 15 '19 at 13:40
As always you need to have a security model that describes what attacks you are trying to prevent. Simply putting an encrypted string in your source code may not help, as an attacker may be able to simply copy the encrypted string and use it for their purposes. — President James K. Polk, Nov 15 '19 at 16:58

score 0 · Accepted Answer · answered Nov 15 '19 at 13:51

openssl is an industry standard and definitely recommended over rolling your own. PHP implements methods for calling it. Quick example:

$your_data = "foobar";
$your_key = "secret password";

$cipher = "aes-256-cbc";
$iv = openssl_random_pseudo_bytes(openssl_cipher_iv_length($cipher));

echo "plain: $your_data" . PHP_EOL;

$encrypted = openssl_encrypt($your_data, $cipher, $your_key, 0, $iv);
echo "encrypted: $encrypted" . PHP_EOL;

$decrypted = openssl_decrypt($encrypted, $cipher, $your_key, 0, $iv);
echo "decrypted: $decrypted" . PHP_EOL;

plain: foobar
encrypted: Rm7hAkVmqbUSS+GJLkck2Q==
decrypted: foobar

nb: Be sure to pass the IV along with the data to the other party, and check that it's urlEncoded.

Encrypt a query string parameter from PHP to IIS

1 Answers1