Mcrypt and "hidden" form-input

Discussion in 'PHP' started by Typr451, Jul 19, 2010.

    Typr451, New Member
    Apr 11, 2009
    I'm working on a quiz, and in the process of writing the questions I take a value from my database saying whether the question is right or wrong. Then I send it as a hidden input so I don't need to access the database again after submitting. The problem is anyone with FireBug can see those values.

    I found this:


    <?php
    // Designate string to be encrypted
    $string = "Applied Cryptography, by Bruce Schneier, is a wonderful cryptography reference.";

    // Encryption/decryption key
    // Note: Rijndael-128 accepts 16, 24 or 32 byte keys; this one is 31 bytes.
    // PHP < 5.6 silently null-pads it, PHP >= 5.6 warns and mcrypt_encrypt() returns false.
    $key = "Four score and twenty years ago";

    // Encryption Algorithm
    $cipher_alg = MCRYPT_RIJNDAEL_128;

    // Create the initialization vector for added security.
    // (The original line was cut off after the first argument; completed here with the
    // CBC mode used below and /dev/urandom as the randomness source.)
    $iv = mcrypt_create_iv(mcrypt_get_iv_size($cipher_alg, MCRYPT_MODE_CBC), MCRYPT_DEV_URANDOM);

    // Output original string
    print "Original string: $string <p>";

    // Encrypt $string (CBC mode; mcrypt zero-pads the plaintext to the block size)
    $encrypted_string = mcrypt_encrypt($cipher_alg, $key, $string, MCRYPT_MODE_CBC, $iv);

    // Convert to hexadecimal and output to browser
    print "Encrypted string: " . bin2hex($encrypted_string) . "<p>";

    // Decrypt with the SAME key and the SAME IV; trailing "\0" bytes are the zero padding
    $decrypted_string = rtrim(mcrypt_decrypt($cipher_alg, $key, $encrypted_string, MCRYPT_MODE_CBC, $iv), "\0");

    print "Decrypted string: $decrypted_string";


    It's from an article about mcrypt; the code works with encrypting and decrypting on my server. I figured I'd save a string as key at the top of my PHP page so the same could be used to encrypt the hidden result value, then decrypt it as I'm calculating the result. I've got my submit code under an isset() if-statement before I print the quiz.

    However, it did not work. When I echoed the "decrypted" string (just like in that example) after submitting, it just showed strange symbols, and when I checked with FireBug the hidden input also showed similar symbols. I figured the value was too long or that form input didn't like binary data, so I applied the bin2hex function before sending them as hidden and it looked better in FireBug. The problem then was getting the data back; using pack/unpack didn't work either.

    Anyone know if the IV part, or variable, is random and I have to pass it along to decrypt right? Either way, I tried simply not having it in, like it says you can on PHP.net (it's supposed to use some default of zeroes), but it threw out some errors about a blank IV etc.

    Was this supposed to work? What did I do wrong? I've since given up and just contact the database again, but it's not hard going back to this, and I'm curious what went wrong. Also, is there a better solution to prevent anyone seeing those answers with FireBug? Thanks!
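The two things that went wrong above, a random IV that was not sent along with the ciphertext and raw binary placed in an HTML attribute, are fixed in this added example (not code from the thread or its author). It also adds the check the hidden-input design really needs: an HMAC, so an edited or swapped value is rejected on submit instead of being decrypted into garbage or an attacker-chosen "correct". It uses openssl_* rather than mcrypt, since ext/mcrypt was removed in PHP 7.2; QUIZ_SECRET, sealValue() and openValue() are names assumed for the example.

```php
<?php
// Assumed server-side secret (at least 32 random bytes in practice, loaded from config)
const QUIZ_SECRET = 'example-secret-replace-with-32-random-bytes!';

// Derive separate encryption and MAC keys from the one secret
function quizKeys(string $secret): array {
    return [hash_hmac('sha256', 'enc', $secret, true), hash_hmac('sha256', 'mac', $secret, true)];
}

// Seal a value for a hidden input: random IV || AES-CBC ciphertext || HMAC, base64-encoded
function sealValue(string $plaintext, string $secret): string {
    [$encKey, $macKey] = quizKeys($secret);
    $iv = random_bytes(16);                       // fresh IV per value; travels with the ciphertext
    $ct = openssl_encrypt($plaintext, 'aes-256-cbc', $encKey, OPENSSL_RAW_DATA, $iv);
    if ($ct === false) { throw new RuntimeException('encryption failed'); }
    $mac = hash_hmac('sha256', $iv . $ct, $macKey, true);   // encrypt-then-MAC over IV and ciphertext
    return base64_encode($iv . $ct . $mac);       // base64 is safe inside an HTML attribute
}

// Open a submitted value; returns null for anything tampered, forged or malformed
function openValue(string $token, string $secret): ?string {
    $raw = base64_decode($token, true);
    if ($raw === false || strlen($raw) < 16 + 16 + 32) { return null; }
    [$encKey, $macKey] = quizKeys($secret);
    $iv  = substr($raw, 0, 16);
    $mac = substr($raw, -32);
    $ct  = substr($raw, 16, -32);
    $expected = hash_hmac('sha256', $iv . $ct, $macKey, true);
    if (!hash_equals($expected, $mac)) { return null; }    // verify BEFORE decrypting
    $pt = openssl_decrypt($ct, 'aes-256-cbc', $encKey, OPENSSL_RAW_DATA, $iv);
    return $pt === false ? null : $pt;
}

// Rendering the question: the question id is inside the sealed value, so a token for
// one question cannot be submitted as the answer state of another
$token = sealValue('q7:correct', QUIZ_SECRET);
echo '<input type="hidden" name="r7" value="' . htmlspecialchars($token, ENT_QUOTES) . '">' . "\n";

// Handling the submit: the genuine token opens, a value edited in the browser does not
$forged = $token;
$forged[40] = ($forged[40] === 'A') ? 'B' : 'A';          // flip one character of the token
if (openValue($token, QUIZ_SECRET) !== 'q7:correct' || openValue($forged, QUIZ_SECRET) !== null) {
    exit("self-check failed\n");
}
echo "genuine token opened, edited token rejected\n";
```

The server must still compare the opened value against the question actually being answered; sealing only guarantees the value is one it issued and has not been altered.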

