View Full Version : encrypting and decrypting url string



phpcodelearner
02-19-2010, 09:43 PM
Hi,
All I want to do is encrypt part of my URL.

I want to do this because I have a private messaging system that I have made. I made a page to view their message in detailed view. So I decided to pass through a URL parameter, but the problem with this is that the URL is this,
e.g.
http://localhost/mywigan/user/private_messages/details.php?id=5

So a user can edit the id number and change it to view other people's private messages (not very private now).

So I did some research and found out about the function
mcrypt
and this is what I did:




<?php
$key = 'This encrypting key';
$encrypted_data = mcrypt_ecb (MCRYPT_3DES, $key, $row_messages['id'], MCRYPT_ENCRYPT); //encrypt using triple DES
$id = urlencode(base64_encode($encrypted_data));


?>



And the link to view the message in detail I did:



<td><a href="details.php?id=<?php echo $id = urlencode(base64_encode($encrypted_data)); ?>">detail</a></td>




And yes, this encrypts the end, so now I get

something like this:
http://localhost/mywigan/user/private_messages/details.php?id=LWkimdP836s%3D

Now I need to decode the encryption and I don't know how to do this. I have tried this:



$id = $_REQUEST["id"];
$url_id = base64_decode(urldecode($id));
$decrypted_data = mcrypt_decrypt(MCRYPT_BLOWFISH, $key, $url_id, MCRYPT_MODE_CBC, $iv);



But I get these errors:



Notice: Undefined variable: key in C:\wamp\www\mywigan\user\private_messages\details.php on line 112

Notice: Undefined variable: iv in C:\wamp\www\mywigan\user\private_messages\details.php on line 112

Warning: mcrypt_decrypt() [function.mcrypt-decrypt]: The IV parameter must be as long as the blocksize in C:\wamp\www\mywigan\user\private_messages\details.php on line 112

Catchable fatal error: mcrypt_decrypt() [function.mcrypt-decrypt]: Mcrypt initialisation failed in C:\wamp\www\mywigan\user\private_messages\details.php on line 112



How can I decode the encryption?

Or is there a better way to make my details page, or a better way to pass a parameter through?

Thanks for your time and help!

MattF
02-19-2010, 09:58 PM
Check the logged in user id against the id from $_GET. If they don't match, the user is trying to view messages belonging to someone else. i.e:



if ($user_id != intval($_GET['id']))
{
exit('Invalid request.');
}


$user_id is an example. Replace that with what is relevant to your specific code.

MattF
02-19-2010, 10:04 PM
In fact, there's no point passing the user id via get at all. Just use the user id of the logged in user in your script.

phpcodelearner
02-19-2010, 10:53 PM
Thanks mate.

I did this in the end:




<?php

$user_id = $_SESSION['MM_Username'];
if ($user_id != $row_message['to'])
{
exit('you can not view other peoples PRIVATE MESSAGES!');
}


?>



One last question: if I wanted to decrypt that id, how would I do it?

If you don't know, it does not matter; my problem is solved.

Thanks a lot mate :thumbsup:

MattF
02-19-2010, 11:31 PM
One last question: if I wanted to decrypt that id, how would I do it?

$iv and $key aren't set, as your log messages point out.
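
The check MattF describes (take the user from the session and compare it with the owner of the message) can be made part of the query itself, so the id in the URL does not need to be hidden. This is an added example, not code from anyone in the thread; the table and column names, the usernames and the sample rows are constructed, and an in-memory SQLite database stands in for the real one.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. Table/column names and the
// sample rows are constructed; SQLite in memory stands in for the real DB.

/**
 * Return the message only if it is addressed to $username.
 * The ownership test is part of the query, so an id that belongs to
 * someone else looks exactly like an id that does not exist.
 */
function fetchOwnMessage(PDO $db, string $username, $rawId): ?array
{
    // Accept only a plain positive integer; "6abc", "" and arrays are rejected.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    $stmt = $db->prepare(
        'SELECT id, sender, body FROM messages WHERE id = :id AND recipient = :me'
    );
    $stmt->execute([':id' => $id, ':me' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample data: message 5 is for alice, message 6 is for carol.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE messages (id INTEGER PRIMARY KEY, sender TEXT, recipient TEXT, body TEXT)');
$db->exec("INSERT INTO messages VALUES (5, 'bob', 'alice', 'hi alice'), (6, 'bob', 'carol', 'hi carol')");

// In details.php the user comes from the session, never from the URL.
$loggedIn = 'alice'; // stands in for $_SESSION['MM_Username']

foreach ([5, 6, '6abc', 999] as $requested) { // stands in for $_GET['id']
    $msg = fetchOwnMessage($db, $loggedIn, $requested);
    echo str_pad((string) $requested, 8), $msg === null ? 'not found' : $msg['body'], PHP_EOL;
}
```

Only the first request prints a message body; the other three are all reported as not found, whether the id belongs to another user, is malformed, or does not exist.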


