Solved

What am I doing wrong with these hash marks?

Posted on 2012-04-04
Last Modified: 2012-04-20
When I use this:

$voter_email="bruce@brucegust.com";
$key = "qP9wXOx+Dk0iVCmUQDEkLCf5";
$str= $voter_email.''.$key;
$digest = sha1($str, true);
$the_digest =  base64_encode($digest);
$road_digest=htmlentities($the_digest);

The subsequent string is Cd7cT2coaEI1R++ddSx/XX4sBHs=

Problem is, when I embed that into a URL, and grab it using a "GET," I lose the "++".

What am I doing wrong?

In other words, the URL will look like http://www.myserver.php?chk=Cd7cT2coaEI1R++ddSx/XX4sBHs=


But when I go to grab it using a $_GET['chk'], it gives me Cd7cT2coaEI1RddSx/XX4sBHs=


What am I doing wrong?
0
Question by:brucegust
12 Comments
 
LVL 17

Assisted Solution

by:sonawanekiran
sonawanekiran earned 125 total points
Use the PHP functions urlencode and urldecode.

http://php.net/manual/en/function.urlencode.php
0
 

Author Comment

by:brucegust
I'm trying to figure it out, but I'm coming up short. How do I use what it is you're suggesting?

I just tried the urlencode and wound up with a big mess.
0
 
LVL 82

Assisted Solution

by:Dave Baldwin
Dave Baldwin earned 125 total points
That should have worked.  Show us your 'big mess'.  As shown in the PHP docs, you only encode the query string, not the entire URL.  The '+' signs should have been replaced with '%2B'.  More info here: http://en.wikipedia.org/wiki/Percent-encoding
0
 
LVL 108

Assisted Solution

by:Ray Paseur
Ray Paseur earned 250 total points
Plus signs in a URL should be decoded into blanks in the $_GET array element.  But that aside, it looks like your $key variable contains plus signs.  Double encoding has munged the data, perhaps?

I believe that base64_encode() may be all the encoding you need for binary-safe transport.  The additional call to htmlentities() may be superfluous.

See if this code snippet provides any useful ideas for your transport of encrypted data.
<?php // RAY_encrypt_decrypt.php
error_reporting(E_ALL);

// MAN PAGE: http://us.php.net/manual/en/ref.mcrypt.php

class Encryption
{
    protected $key;
    protected $eot;
    protected $ivs;
    protected $iv;

    public function __construct($key='quay', $eot='___EOT')
    {
        // SET KEY, DELIMITER, INITIALIZATION VECTOR - MUST BE KNOWN TO BOTH PARTS OF THE ALGORITHM
        $this->key = $key;
        $this->eot = $eot;
        $this->ivs = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_128, MCRYPT_MODE_ECB);
        $this->iv  = mcrypt_create_iv($this->ivs);
    }

    public function encrypt($text)
    {
        // APPEND END OF TEXT DELIMITER
        $text .= $this->eot;

        // ENCRYPT THE DATA
        $data = mcrypt_encrypt(MCRYPT_RIJNDAEL_128, $this->key, $text, MCRYPT_MODE_ECB, $this->iv);

        // MAKE IT base64() STRING SAFE FOR STORAGE AND TRANSMISSION
        return base64_encode($data);
    }

    public function decrypt($text)
    {
        // DECODE THE DATA INTO THE BINARY ENCRYPTED STRING
        $text = base64_decode($text);

        // DECRYPT THE STRING
        $data = mcrypt_decrypt(MCRYPT_RIJNDAEL_128, $this->key, $text, MCRYPT_MODE_ECB, $this->iv);

        // REMOVE END OF TEXT DELIMITER
        $data = explode($this->eot, $data);
        return $data[0];
    }
}

// INSTANTIATE THE CLASS
$c = new Encryption();

// INITIALIZE VARS FOR LATER USE IN THE HTML FORM
$encoded = '';
$decoded = '';

// IF ANYTHING WAS POSTED SHOW THE DATA
if (!empty($_POST["clearstring"]))
{
    $encoded = $c->encrypt($_POST["clearstring"]);
    echo "<br/>{$_POST["clearstring"]} YIELDS ENCODED ";
    var_dump($encoded);
}

if (!empty($_POST["cryptstring"]))
{
    $decoded = $c->decrypt($_POST["cryptstring"]);
    echo "<br/>{$_POST["cryptstring"]} YIELDS DECODED ";
    var_dump($decoded);
}

$form = <<<FORM
<form method="post">
<input name="clearstring" value="$decoded" />
<input type="submit" value="ENCRYPT" />
<br/>
<input name="cryptstring" value="$encoded" />
<input type="submit" value="DECRYPT" />
</form>
FORM;

echo $form;


HTH, ~Ray
0
 
LVL 82

Expert Comment

by:Dave Baldwin
base64_encode() won't be adequate because it includes the '+' and '/' characters, which must be URLencoded.  http://en.wikipedia.org/wiki/Base64  And 'htmlentities()' could possibly put '&' in the query string, which is supposed to designate the start of a name/value pair, so you don't really want that.

I was wondering why you don't just take the hex output of sha() because it is perfectly safe, consisting of 0-9 and a-f, and doesn't need any more encoding.
0
 
LVL 108

Expert Comment

by:Ray Paseur
I do not find any problem with using base64_encode() to create a URL string.  Please see:
http://www.laprbass.com/RAY_encrypt_decrypt_GET.php?clearstring=&cryptstring=XEnjL5CT6s%2BYgJgtiFsHqPg6wFS6JQ9gQT94nGoqfic%3D

This is just the same encrypt/decrypt script posted above, but with the POST method changed to the GET method so that the data is passed in the URL.  I tried a few different strings and did not encounter any character encoding issues.  The data seems to survive the round trip unscathed.
0
 
LVL 82

Expert Comment

by:Dave Baldwin
But the string is URLencoded, Ray, that was the point.
0
 
LVL 108

Expert Comment

by:Ray Paseur
Dave: Yes, I think the browser or the server or something else handled the encoding for me.  It's not part of my script; that's 100% of the instructions in the earlier code snippet.
0
 
LVL 82

Expert Comment

by:Dave Baldwin
Normally, an HTML form submission in the browser will do that for you.  But that means it can still be part of the problem if the author is constructing his own query string for something like curl() or another PHP function that accesses a file by HTTP.
0
 
LVL 108

Accepted Solution

by:
Ray Paseur earned 250 total points
Yes, I think that makes sense.  If it goes into the URL, it should be URLencoded().  But I don't think htmlentities() would be in play here.  Maybe when echoing output to the client browser...
0
 
LVL 82

Expert Comment

by:Dave Baldwin
You're right, htmlentities()  could cause problems if it added a '&' to the query string because that is a separator for name/value pairs.
0
 

Author Closing Comment

by:brucegust
Thanks, guys!
0
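
The behaviour discussed in this thread, as an added example that is not part of the original posts: it parses query strings the way PHP fills $_GET and compares a raw base64 value, a percent-encoded value, and a URL-safe base64 token. The function names make_check, verify_check, parse_query and demo are hypothetical; the e-mail, key and digest string are the ones quoted in the question, and hash_equals() assumes PHP 5.6 or later.

```php
<?php
// Added example, not code from the thread. Function names are hypothetical.

// Sender: digest of e-mail + shared key as in the question, but written with
// the URL-safe base64 alphabet ('-' and '_' for '+' and '/', padding dropped).
function make_check($email, $key)
{
    $b64 = base64_encode(sha1($email . $key, true));
    return rtrim(strtr($b64, '+/', '-_'), '=');
}

// Receiver: recompute the token and compare it in constant time.
function verify_check($email, $key, $received)
{
    return is_string($received) && hash_equals(make_check($email, $key), $received);
}

// Decode a query string with the same rules PHP applies to $_GET.
function parse_query($query)
{
    parse_str($query, $params);
    return $params;
}

function demo()
{
    $email = 'bruce@brucegust.com';
    $key   = 'qP9wXOx+Dk0iVCmUQDEkLCf5';
    $std   = 'Cd7cT2coaEI1R++ddSx/XX4sBHs=';  // digest string quoted in the question

    // 1. Raw base64 pasted into the URL: each '+' is decoded as a space.
    $raw = parse_query('chk=' . $std);
    // 2. Only the value is percent-encoded, so '+' travels as %2B.
    $enc = parse_query('chk=' . rawurlencode($std));
    // 3. URL-safe token sent with the e-mail, then verified by the receiver.
    $got = parse_query(http_build_query(array('email' => $email, 'chk' => make_check($email, $key))));

    return array(
        'raw_survives'      => $raw['chk'] === $std,
        'raw_plus_to_space' => $raw['chk'] === str_replace('+', ' ', $std),
        'encoded_survives'  => $enc['chk'] === $std,
        'token_verifies'    => verify_check($got['email'], $key, $got['chk']),
        'tampered_verifies' => verify_check($got['email'], $key, $got['chk'] . 'x'),
    );
}

var_export(demo());
```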
