Solved

Is it possible to md5 encrypt in php and decrypt in javascript?

Posted on 2011-10-31
Last Modified: 2012-05-12
I am creating a site where there is a currency amount that I don't want the users to be able to see in the source code. So my thinking is to encrypt it with md5 with php so I know they can't see it since they can't see php code. Then on the page where it's ok they see it I can decrypt it with javascript.

The reason for doing it this way is that the variable is taken from a php variable then placed in a javascript function. If I could place the md5 in the function then I know they can't see it. Then when they go to the next page where the js function processes that request I decrypt it from that md5 hash and then the function can do what it needs with it.

Can I do this and how?
Question by:cbielich
19 Comments
 
LVL 1

Author Comment

by:cbielich
ID: 37059847
If md5 is not the most secure way to do this, I am open to other ways. I just need to make sure that on the initial page they can't see the actual variable, pass it through javascript encrypted and then before the javascript function processes it I decrypt it. Hope that makes sense :)
0
 
LVL 84

Accepted Solution

by:
Dave Baldwin earned 2000 total points
ID: 37059865
You can't do that.  MD5 is not encryption in that sense.  It is a one-way cryptographic hash function that is intended to identify a file but not be decrypted.  http://en.wikipedia.org/wiki/MD5

This page http://javascript.about.com/library/blencrypt.htm describes a javascript encryption function.
0
 
LVL 1

Author Comment

by:cbielich
ID: 37059873
Why is it I can do that in php then?
0
 
LVL 84

Expert Comment

by:Dave Baldwin
ID: 37059879
You can not decrypt MD5 in any language.
0
 
LVL 1

Author Comment

by:cbielich
ID: 37059897
Never mind, you're right. I md5 passwords then save that to a db. Then the next time they login I take that password they type in and md5 it and match it to the record in the db.

Is there any way I can do this in js so I can hide the amount?
0
 
LVL 84

Expert Comment

by:Dave Baldwin
ID: 37059943
That's how I use MD5 also.  The simplest way for your problem is to use a little AJAX to get the value from a PHP page After the page is loaded.  That way it is not in the source code that a normal user could see.  However, I have to tell you that anything you put on the screen or send to the browser, I can capture so you can't do anything that will totally obscure it.
0
 
LVL 1

Author Comment

by:cbielich
ID: 37059948
Yeah, but as long as I make it as hard as possible, that would be better than nothing :) Can I get some example AJAX code for this? :)
0
 
LVL 31

Expert Comment

by:Frosty555
ID: 37059950
In general the mentality you should adopt security-wise should be that anything you wish to hide from the user should never arrive on their page, in any way (encrypted or not).

You should do all of your processing / authenticating on the PHP side, and send the user only the data that they are allowed to see -  in plain text without obfuscating it.

If you need to dynamically fetch data from the server to display on the user's screen to make the interface more pleasant, you can use AJAX queries for that.
0
 
LVL 84

Expert Comment

by:Dave Baldwin
ID: 37059962
Look here: http://www.w3schools.com/ajax/ajax_xmlhttprequest_create.asp  There are a couple of steps to this and for your needs, you must create a global variable that can contain the value that is received.  Note also that sometimes in javascript, I have had to multiply a value by 1 so that javascript would know to treat it as a number.  I say that because anything you 'GET' from the server will originally be text and that can throw things off sometimes.
0
 
LVL 84

Expert Comment

by:Dave Baldwin
ID: 37059967
@Frosty555 has a good idea there.  You could use the AJAX to send a value to the server and just get back the results.  ??
0
 
LVL 34

Expert Comment

by:Slick812
ID: 37060676
Greetings cbielich. In your question you say "currency amount that I dont want the users to be able to se in the source code". Even if you have an encryption method, the code (javascript) will be available to everyone that goes to that page. Ajax usually does not offer any way to "Hide" information because of the same reasons, the browser will have the code for all to see. I would think you need a user "Log In System" where one needs to have a user name and password to log in, and then you can give them the "Plain Text" non encrypted information that others not logged in can not see.
0
 
LVL 1

Author Comment

by:cbielich
ID: 37060859
This is the way my code is working so you can get a better idea.

index.php

I call a javascript function which passes a variable from php so...

$variablefromphp = 'test';

thisfunction(id,$variablefromphp);

this.js

Then in this.js file I retrieve that function and variable

thisfunction(id,test);

The users will never see this.js so I am not worried there. But I am trying to figure out how to pass the 'test' variable into the function from the index.php side.
0
 
LVL 5

Expert Comment

by:liveaspankaj
ID: 37061299
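It is not advisable to pass md5 to the script.
If you still want to do it, you can do this. In your index.php file you can write:

// json_encode() with the HEX flags emits a safely escaped JavaScript string literal
echo "<script>var test = " . json_encode($variablefromphp, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT) . ";</script>";


And then in thisfunction do not pass test. Just use:

 thisfunction(id);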




0
 
LVL 111

Expert Comment

by:Ray Paseur
ID: 37062453
It might be good to take a step back from the technical details and tell us the business reasons that would determine whether you wanted to hide or expose some information.  For example, why do you not want the user to see the currency amount?  What triggers the privilege to see the currency amount?  If we know those things we may be able to suggest a good design pattern.  Thanks, ~Ray
0
 
LVL 34

Expert Comment

by:Slick812
ID: 37064172
I maybe can see some of what you say you want or need, and I was thinking of more secure encryption, which you do not need for this (as far as I can tell). You seem to just want to scramble the currency amount or $variablefromphp so it is not in an easy to understand form of text. I did this simple encryption, but had problems with javascript using the full byte range (0 - 255) as PHP written javascript variable, so I had to add a text base encode. I was going to use the HEX, but since I already have my own base 64 in PHP and javascript, I just used that instead.

Below is code for a test page I did, that "Hides" a string in javascript, and the javascript function Reveal(hidden, randAry1) to change it back to a string.
<?php

function Base64_enc($Plain){
$chr64 = 'JcgH/vWyPfT3dAreEhMVsbRwKlIZp1tkQmiUaoGz95nO7Lq0SuCY82jBF6DxN4+X';
$chop = strlen($Plain)%3;
if($chop>0)$chop=3-$chop;
for($i=0;$i<$chop;++$i)$Plain.=chr(0);
$out1='';
for($i=0;$i<strlen($Plain);$i+=3){$wd=ord($Plain[$i])+(ord($Plain[$i+1])<<8)+(ord($Plain[$i+2])<<16);
	for($v=0;$v<4;++$v){$mod1=$wd%64;
		$out1 .=$chr64[$mod1];
		$wd=($wd-$mod1)/64;}}
for($i=0;$i<$chop;++$i)$out1[strlen($out1)-($i+1)]='=';
return $out1;
}

function ezHide($Plain, $randAry1) {
$len = strlen($Plain);
$Encrypted = '';
$inc = 7;
for ($i = 0; $i < $len; ++$i){// 0 to 4
	$en = ord($Plain[$i]);
	$en ^= $randAry1[$i & 3];
	$en = ($en + $randAry1[$inc & 3]) % 256;
	++$inc;
	$en ^= $randAry1[$inc & 3];
	++$inc;
	$Encrypted .= chr($en);
	}
$Encrypted = Base64_enc($Encrypted);
return $Encrypted;
}


$currency_amount = '56.89'; // Not sure what you may actually have as your currency amount
// I will do this as a string for currency amount
// For best results I will use random numbers generated in PHP
$randAry = array(mt_rand(0,255), mt_rand(0,255), mt_rand(0,255), mt_rand(0,255));

$hidden = ezHide($currency_amount, $randAry);
//$hidden = str_replace('"', '\"', $hidden);
?>
<html><head><title>JavaScript Hide, Reveal</title>
<script type="text/javascript">
var amt = "<?php echo $hidden; ?>";
var randAry = [<?php echo $randAry[0]; ?>, <?php echo $randAry[1]; ?>, <?php echo $randAry[2]; ?>, <?php echo $randAry[3]; ?>];

function Base64_dec(EnStr){var i, len = EnStr.length, chr64 = "JcgH/vWyPfT3dAreEhMVsbRwKlIZp1tkQmiUaoGz95nO7Lq0SuCY82jBF6DxN4+X";
if(len%4 !=0){alert('ERROR: incorrect length for Base64');return "";}
var out1="",chop=0,n1,n2,wd,re;
for(i=1;i<3;++i)if(EnStr.charAt(EnStr.length-i)=='=')++chop;
EnStr=EnStr.replace(/=/g,"R");
for (i=0; i<len; i+=4){wd = chr64.indexOf(EnStr.charAt(i));
	if(wd<0)break;
	wd+= chr64.indexOf(EnStr.charAt(i+1))*64;
	if(wd<0)break;
	wd+= chr64.indexOf(EnStr.charAt(i+2))*4096;
	if(wd<0)break;
	wd+= chr64.indexOf(EnStr.charAt(i+3))*262144;
	if(wd<0)break;
	n1=wd&255;
	n2=(wd>>8)&255;
	wd=wd>>16;
	out1+=String.fromCharCode(n1)+String.fromCharCode(n2)+String.fromCharCode(wd);
	}
if(wd<0){alert('ERROR: Incorrect characters for Base64');return "";}
if(chop>0)out1=out1.substr(0,out1.length-chop);
return out1;
}


function Reveal(hidden, randAry1) {
hidden = Base64_dec(hidden);
// Walk the key in the same order as ezHide() so strings of any length decode
var inc = 7;
var en = 0, outStr = "";
for(var i=0; i < hidden.length; ++i) {
	en = hidden.charCodeAt(i);
	en ^= randAry1[(inc + 1) & 3]; // undo the second XOR
	en = ((en + 256) - randAry1[inc & 3]) % 256; // undo the addition
	inc += 2;
	en ^= randAry1[i & 3]; // undo the first XOR
	outStr += String.fromCharCode(en);
	}
return outStr;
}

// below is the code that does the javascript decrypt
amt = Reveal(amt, randAry);
</script></head>

<body bgcolor="#e3f7ff"><h2>JavaScript Hide, Reveal</h2>
<p>
your currency amount is $<script type="text/javascript">document.write(amt);</script>
</p>
</body></html>


0
 
LVL 1

Author Comment

by:cbielich
ID: 37064358
It's a Penny Auction site. On the homepage are the auctions. Each auction is capped at a price which is "hidden" from the users so they do not know when the cap amount will be reached. In order for my .js file to process the front end javascript, that file needs to know what the "cap amount" being "Currency" is.

So the homepage displays the javascript through php which is where I can pass that variable from php to js so that my other js file can process that variable.

Make sense?
0
 
LVL 5

Expert Comment

by:liveaspankaj
ID: 37064482
OK.

Did you try what I mentioned?
0
 
LVL 31

Expert Comment

by:Frosty555
ID: 37064505
In that case, you probably want to have the javascript side query your server via AJAX and get the current list price of the auction items - the PHP should return either the current amount, or the "cap" and a flag indicating that the max amount has been reached.

Clicking the "bid" button will issue another AJAX query to a PHP page on the server. That PHP should return either a "success" flag, and the new auction price, or a "failure" flag with a reason (e.g. the price is at the capped amount), and the current auction price.

To try and optimize things, you may want to have the Javascript make a single query to the server to obtain all prices for all auction items on the screen at the time.
0
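The design Frosty555 describes above, as an added example that is not part of the original thread: the cap lives only in server-side state, and every response carries just the current price and a flag. It is written in JavaScript so both halves run together under Node; the "server" functions stand in for the PHP endpoints, and all names (`auctions`, `publicView`, `listPrices`, `placeBid`, `renderRow`) and the sample auction are constructed for illustration.

```javascript
// "Server" half: stands in for the PHP endpoints. The cap never leaves this map.
// Constructed sample data; amounts are integer cents to avoid float drift.
const auctions = new Map([
  [101, { price: 4998, cap: 5000, step: 1, closed: false }],
]);

// The only shape a client ever receives: no `cap` field.
function publicView(id) {
  const a = auctions.get(id);
  if (!a) return null;
  return { id, price: a.price, closed: a.closed };
}

// One query for every auction on screen; unknown ids are dropped.
function listPrices(ids) {
  return ids.map(publicView).filter(Boolean);
}

// Bid endpoint: authentication and the cap check happen only here.
function placeBid(id, userId) {
  const a = auctions.get(id);
  if (!a) return { ok: false, reason: "unknown auction" };
  if (!userId) return { ok: false, reason: "not logged in" };
  if (a.closed) return { ok: false, reason: "auction closed", ...publicView(id) };
  a.price += a.step;
  if (a.price >= a.cap) a.closed = true; // cap reached: only the flag changes
  return { ok: true, ...publicView(id) };
}

// "Client" half: renders what the server returned and holds no secret.
function renderRow(view) {
  const dollars = (view.price / 100).toFixed(2);
  return `#${view.id} $${dollars}${view.closed ? " (ended)" : ""}`;
}

// Initial page load: read-only, so it does not change auction state.
console.log(listPrices([101]).map(renderRow));
```

Because the browser only ever sees `price` and `closed`, there is nothing on the page to encrypt, hash or obfuscate.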
 
LVL 111

Expert Comment

by:Ray Paseur
ID: 37069020
@Frosty555: IMHO That is exactly the right design pattern.  There will never be any exposure of server-side data that does not belong in the hands of the clients and so there will never be any need for encryption or encoding of the data.  Easy!
0
