5

I have a regular request, for example:

http://myserver.com/index.php?var1=85842.23&var2=212.235&name=Teddie&valid=1

I would like those $_GET parameters to be encrypted to something like (not real, just an example :)):

http://myserver.com/index.php?eParam=ks883d48223v2czozoz227272j2nn2dn2d2du3dh4hn4f4f4f4h3383xh8383s38s3j83sj8s3j92h2s89hs387h2s87hs287h2s87h2ui2c3iuhc287z9m2389f

Of course, I need a built-in key on each side that will be able to decrypt that info. Is there any function that may render that possible? I am not concerned about the client side, as it will be a running application, not a webpage or anything that would be easily reverse-engineered.

Thanks!

Ted

2 Answers

9

Just use SSL (i.e. HTTPS instead of plain HTTP). Then everything except the DNS lookup for the domain, and the fact that a connection is made to the IP address that domain resolves to, will be encrypted.

Quentin
  • Through POST that would have been great but I think I have to go GET here. – Ted Aug 03 '11 at 22:47
  • It doesn't matter if it is POST or GET (well it does, but not in the context of this question). The HTTP request is encrypted, so the query string will not be transmitted in the clear. – Quentin Aug 03 '11 at 22:48
  • This answer might work in your situation, but ignores the fact that you might also want to protect the data from being written into plaintext log files. – sqlHippo Aug 03 '11 at 22:40
  • Don't log query strings if you can't trust the server. – Quentin Aug 03 '11 at 22:49
  • @Quentin: I agree, but he may not have control of that. I'd opt for SSL+POST, too. – sqlHippo Aug 03 '11 at 23:20
1

Actually you can do that... You can have an encrypt/decrypt function including a time expiry for the given parameter. I have a script that does that for my network systems. And you have to build that on your own, I can't go public with my security scripts... But here's the idea:

  1. Find or build an encryption/decryption function
  2. Add date & time checks for the function so that the encrypted string will expire
  3. Use that function to encrypt the outgoing string
  4. After encryption, if you're using PHP, urlencode() the encrypted string to make sure that all the special characters survive after the other end receives it.
  5. At the other end, perform a urldecode(), then decrypt it, then pass the value.
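
The five steps above, as an added example that is not the answerer's unpublished script: it assumes libsodium's authenticated `sodium_crypto_secretbox` as the encryption function, so a forged or expired token decrypts to `null`. The names `encrypt_params`, `decrypt_params` and `TOKEN_TTL`, the 300-second lifetime and the demo key are hypothetical.

```php
<?php
declare(strict_types=1);
// Added example; needs PHP >= 7.3 with the bundled sodium extension.
const TOKEN_TTL = 300; // assumed lifetime in seconds (hypothetical value)

function encrypt_params(array $params, string $key, ?int $now = null): string
{
    // Step 2: the expiry travels inside the authenticated ciphertext.
    $payload = json_encode(['exp' => ($now ?? time()) + TOKEN_TTL, 'p' => $params], JSON_THROW_ON_ERROR);
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES); // fresh per token
    $box = sodium_crypto_secretbox($payload, $nonce, $key);    // step 3
    return rawurlencode(base64_encode($nonce . $box));         // step 4
}

function decrypt_params(string $token, string $key, ?int $now = null): ?array
{
    $raw = base64_decode($token, true); // strict: rejects non-base64 input
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $min) {
        return null;
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $payload = sodium_crypto_secretbox_open($box, $nonce, $key); // false if forged
    if ($payload === false) {
        return null;
    }
    $data = json_decode($payload, true);
    if (!is_array($data) || !isset($data['exp'], $data['p']) || $data['exp'] < ($now ?? time())) {
        return null; // malformed or expired
    }
    return $data['p'];
}

// Constructed demo: key and values are sample data, not from a real system.
$key = sodium_crypto_secretbox_keygen();
$query = 'eParam=' . encrypt_params(
    ['var1' => '85842.23', 'var2' => '212.235', 'name' => 'Teddie', 'valid' => '1'], $key);

// Step 5: parse_str(), like $_GET, URL-decodes once. Calling urldecode() again
// would turn any '+' in the base64 text into a space and break decryption.
parse_str($query, $get);
var_dump(decrypt_params($get['eParam'], $key));                         // fresh token
var_dump(decrypt_params($get['eParam'], $key, time() + TOKEN_TTL + 1)); // past expiry
$bad = $get['eParam'];
$bad[30] = $bad[30] === 'A' ? 'B' : 'A';                                // one altered character
var_dump(decrypt_params($bad, $key));
```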