Posted By

olemedia on 06/03/11


Tagged

data encrypting


Versions (?)

Encrypting sensitive data


 / Published in: PHP
 

URL: https://www.owasp.org/index.php/How_to_protect_sensitive_data_in_URL%27s

  1. //The concept is very similar to hashing the value, but now instead we will use a symmetric key to encrypt and decrypt the data.
  2.  
  3. $key = “This encrypting key should be long and complex.”;
  4. $encrypted_data = mcrypt_ecb (MCRYPT_3DES, $key,12345, MCRYPT_ENCRYPT); //encrypt using triple DES
  5. $id = urlencode(base64_encode($encrypted_data));
  6.  
  7. //The id will be base64 encoded and then urlencoded into Doj2VqhSe4k%3D so we will have the url as
  8.  
  9. //http://www.example.com/view_profile?id=Doj2VqhSe4k%3D
  10.  
  11. //(For perl programmer, you can use Digest::MD5 and Crypt::CBC to archive the same output)
  12.  
  13. //To decrypt the information we received we will do the following:
  14.  
  15. $id = $_REQUEST["id"]);
  16. $url_id = base64_decode(urldecode($id));
  17.  
  18. $decrypted_data = mcrypt_decrypt(MCRYPT_BLOWFISH,$key,$url_id, MCRYPT_MODE_CBC, $iv);
  19.  
  20. //The idea here is to url decode the input id value and follow by base64_decode it and then use back the same algorithm to get the actual data, which is 12345 in this case.
  21.  
  22. //This same idea can be used on session id to make sure the session id is not tampered with. One caveat to take note is encrypting and decrypting all data send and receive will possibly consume lot of cpu power, so make sure your system is properly size up.

Report this snippet  

You need to login to post a comment.