
What am I doing wrong with these hash marks?

When I use this:

$voter_email="bruce@brucegust.com";
$key = "qP9wXOx+Dk0iVCmUQDEkLCf5";
$str= $voter_email.''.$key;
$digest = sha1($str, true);
$the_digest =  base64_encode($digest);
$road_digest=htmlentities($the_digest);

The subsequent string is Cd7cT2coaEI1R++ddSx/XX4sBHs=

Problem is, when I embed that into a URL, and grab it using a "GET," I lose the "++".

What am I doing wrong?

In other words, the URL will look like http://www.myserver.php?chk=Cd7cT2coaEI1R++ddSx/XX4sBHs=


But when I go to grab it using a $_GET['chk'], it gives me Cd7cT2coaEI1RddSx/XX4sBHs=


What am I doing wrong?
0
Asked by: brucegust
sonawanekiran Commented:
Use the PHP functions urlencode and urldecode.

http://php.net/manual/en/function.urlencode.php
0
 
brucegust (Author) Commented:
I'm trying to figure it out, but I'm coming up short. How do I use what it is you're suggesting?

I just tried the urlencode and wound up with a big mess.
0
 
Dave Baldwin (Fixer of Problems) Commented:
That should have worked.  Show us your 'big mess'.  As shown in the PHP docs, you only encode the query string, not the entire URL.  The '+' signs should have been replaced with '%2B'.  More info here: http://en.wikipedia.org/wiki/Percent-encoding
0
Ray Paseur Commented:
Plus signs in a URL should be decoded into blanks in the $_GET array element.  But that aside, it looks like your $key variable contains plus signs.  Double encoding has munged the data, perhaps?

I believe that base64_encode() may be all the encoding you need for binary-safe transport.  The additional call to htmlentities() may be superfluous.

See if this code snippet provides any useful ideas for your transport of encrypted data.
<?php // RAY_encrypt_decrypt.php
error_reporting(E_ALL);

// MAN PAGE: http://us.php.net/manual/en/ref.mcrypt.php

class Encryption
{
    protected $key;
    protected $eot;
    protected $ivs;
    protected $iv;

    public function __construct($key='quay', $eot='___EOT')
    {
        // SET KEY, DELIMITER, INITIALIZATION VECTOR - MUST BE KNOWN TO BOTH PARTS OF THE ALGORITHM
        $this->key = $key;
        $this->eot = $eot;
        $this->ivs = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_128, MCRYPT_MODE_ECB);
        $this->iv  = mcrypt_create_iv($this->ivs);
    }

    public function encrypt($text)
    {
        // APPEND END OF TEXT DELIMITER
        $text .= $this->eot;

        // ENCRYPT THE DATA
        $data = mcrypt_encrypt(MCRYPT_RIJNDAEL_128, $this->key, $text, MCRYPT_MODE_ECB, $this->iv);

        // MAKE IT base64() STRING SAFE FOR STORAGE AND TRANSMISSION
        return base64_encode($data);
    }

    public function decrypt($text)
    {
        // DECODE THE DATA INTO THE BINARY ENCRYPTED STRING
        $text = base64_decode($text);

        // DECRYPT THE STRING
        $data = mcrypt_decrypt(MCRYPT_RIJNDAEL_128, $this->key, $text, MCRYPT_MODE_ECB, $this->iv);

        // REMOVE END OF TEXT DELIMITER
        $data = explode($this->eot, $data);
        return $data[0];
    }
}

// INSTANTIATE THE CLASS
$c = new Encryption();

// INITIALIZE VARS FOR LATER USE IN THE HTML FORM
$encoded = '';
$decoded = '';

// ESCAPE A VALUE BEFORE ECHOING IT BACK INTO HTML
function h($s)
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// IF ANYTHING WAS POSTED SHOW THE DATA
if (!empty($_POST["clearstring"]))
{
    $encoded = $c->encrypt($_POST["clearstring"]);
    echo "<br/>" . h($_POST["clearstring"]) . " YIELDS ENCODED ";
    var_dump($encoded);
}

if (!empty($_POST["cryptstring"]))
{
    $decoded = $c->decrypt($_POST["cryptstring"]);
    echo "<br/>" . h($_POST["cryptstring"]) . " YIELDS DECODED ";
    var_dump(h($decoded));
}

// ESCAPE THE VALUES THAT GO INTO THE FORM'S HTML ATTRIBUTES
$decoded_html = h($decoded);
$encoded_html = h($encoded);

$form = <<<FORM
<form method="post">
<input name="clearstring" value="$decoded_html" />
<input type="submit" value="ENCRYPT" />
<br/>
<input name="cryptstring" value="$encoded_html" />
<input type="submit" value="DECRYPT" />
</form>
FORM;

echo $form;


HTH, ~Ray
0
 
Dave Baldwin (Fixer of Problems) Commented:
base64_encode() won't be adequate because it includes the '+' and '/' characters which must be URLencoded.  http://en.wikipedia.org/wiki/Base64  And 'htmlentities()' could possibly put '&' in the query string which are supposed to designate the start of a name/value pair so you don't really want that.

I was wondering why you don't just take the hex output of sha() because it is perfectly safe consisting of 0-9 and a-f and doesn't need any more encoding.
0
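An added example, not code from any poster in this thread, that puts the options discussed above side by side: the unencoded digest, the URL-encoded digest, the hex form, and URL-safe base64, each decoded the way PHP fills $_GET. The digest is the string quoted in the question; the host example.test, the script name check.php and the helper function names are assumptions.

```php
<?php
// Added example, not code from the thread. The digest is the string quoted in
// the question; example.test, check.php and the helper names are assumptions.
$digest = 'Cd7cT2coaEI1R++ddSx/XX4sBHs=';   // base64 of a raw SHA-1 digest
$base   = 'http://example.test/check.php?';

// Decode a query string the way PHP does when it fills $_GET:
// percent-escapes are decoded and a literal '+' becomes a space.
function received_chk($query)
{
    parse_str($query, $get);
    return $get['chk'];
}

// URL-safe base64 (RFC 4648, section 5): '+' -> '-', '/' -> '_', padding dropped.
function base64url($raw)
{
    return rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
}

$raw = base64_decode($digest);   // the 20 raw digest bytes

$queries = [
    'unencoded'  => 'chk=' . $digest,                      // what the question did
    'urlencoded' => http_build_query(['chk' => $digest]),  // '+' -> %2B, '/' -> %2F, '=' -> %3D
    'hex'        => 'chk=' . bin2hex($raw),                // same form as sha1($str) without the raw flag
    'base64url'  => 'chk=' . base64url($raw),
];

foreach ($queries as $label => $query) {
    echo str_pad($label, 11), $base, $query, "\n";
    echo str_pad('', 11), 'server sees: ', var_export(received_chk($query), true), "\n";
}

// Receiving side: compare the decoded value with the expected digest in constant time.
foreach (['unencoded', 'urlencoded'] as $label) {
    $ok = hash_equals($digest, received_chk($queries[$label]));
    echo $label, ' matches expected digest: ', var_export($ok, true), "\n";
}

// htmlspecialchars() is for writing the finished URL into HTML, after URL-encoding,
// never as a substitute for it.
echo '<a href="', htmlspecialchars($base . $queries['urlencoded'], ENT_QUOTES), '">link</a>', "\n";
```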
 
Ray Paseur Commented:
I do not find any problem with using base64_encode() to create a URL string.  Please see:
http://www.laprbass.com/RAY_encrypt_decrypt_GET.php?clearstring=&cryptstring=XEnjL5CT6s%2BYgJgtiFsHqPg6wFS6JQ9gQT94nGoqfic%3D

This is just the same encrypt/decrypt script posted above, but with the POST method changed to the GET method so that the data is passed in the URL.  I tried a few different strings and did not encounter any character encoding issues.  The data seems to survive the round trip unscathed.
0
 
Dave Baldwin (Fixer of Problems) Commented:
But the string is URLencoded, Ray, that was the point.
0
 
Ray Paseur Commented:
Dave: Yes, I think the browser or the server or something else handled the encoding for me.  It's not part of my script; that's 100% of the instructions in the earlier code snippet.
0
 
Dave Baldwin (Fixer of Problems) Commented:
Normally, an HTML form submission in the browser will do that for you.  But that means it can still be part of the problem if the author is constructing his own query string for something like curl() or another PHP function that accesses a file by HTTP.
0
 
Ray Paseur Commented:
Yes, I think that makes sense.  If it goes into the URL, it should be URLencoded().  But I don't think htmlentities() would be in play here.  Maybe when echoing output to the client browser...
0
 
Dave Baldwin (Fixer of Problems) Commented:
You're right, htmlentities()  could cause problems if it added a '&' to the query string because that is a separator for name/value pairs.
0
 
brucegust (Author) Commented:
Thanks, guys!
0
