Go4Expert, PHP forum: Mcrypt and "hidden" form-input (http://www.go4expert.com/forums/mcrypt-hidden-form-input-t22757/)

Typr451 19Jul2010 17:31

Mcrypt and "hidden" form-input
 
I'm working on a quiz, and in the process of writing the questions I take a value from my database that says whether the question is right or wrong. Then I send it as a hidden input so I don't need to access the database again after submitting. The problem is that anyone with FireBug can see those values.

I found this:

<?php
// Note: the mcrypt extension this uses was deprecated in PHP 7.1 and
// removed from core in PHP 7.2; it only runs on older PHP builds.

// Designate string to be encrypted
$string = "Applied Cryptography, by Bruce Schneier, is
a wonderful cryptography reference.";

// Encryption/decryption key. The original passphrase is 31 bytes, which is
// not a valid Rijndael key length (16, 24 or 32); PHP 5.6+ mcrypt rejects
// it, so hash it down to exactly 32 bytes.
$key = hash('sha256', "Four score and twenty years ago", true);

// Encryption Algorithm
$cipher_alg = MCRYPT_RIJNDAEL_128;

// Create the initialization vector. Ask for the IV size of the mode that is
// actually used (CBC, not ECB) and draw it from /dev/urandom, not MCRYPT_RAND.
$iv = mcrypt_create_iv(mcrypt_get_iv_size($cipher_alg,
MCRYPT_MODE_CBC), MCRYPT_DEV_URANDOM);

// Output original string
print "Original string: $string <p>";

// Encrypt $string
$encrypted_string = mcrypt_encrypt($cipher_alg, $key,
$string, MCRYPT_MODE_CBC, $iv);

// Convert to hexadecimal and output to browser
print "Encrypted string: ".bin2hex($encrypted_string)."<p>";

// Decrypt with the same key AND the same IV. mcrypt zero-pads the plaintext
// to a multiple of the block size, so strip the trailing NUL bytes.
$decrypted_string = rtrim(mcrypt_decrypt($cipher_alg, $key,
$encrypted_string, MCRYPT_MODE_CBC, $iv), "\0");

print "Decrypted string: $decrypted_string";

?>

It's from an article about mcrypt; the code works, encrypting and decrypting on my server. I figured I'd save a string as the key at the top of my PHP page so the same one could be used to encrypt the hidden result value and then decrypt it as I'm calculating the result. I've got my submit code under an isset if-statement before I print the quiz.

However, it did not work: when I echoed the "decrypted" string (just like in that example) after submitting, it just showed strange symbols, and when I checked with FireBug the hidden input also showed similar symbols. I figured the value was too long or that form input didn't like binary data, so I applied the bin2hex function before sending them as hidden and it looked better in FireBug. The problem then was getting the data back; using pack/unpack didn't work either.

Does anyone know if the IV part, or variable, is random and I have to pass it along to decrypt right? Either way, I tried simply not having it in, like PHP.net says you can (it's supposed to use some default of zeroes), but it threw out some errors about a blank IV etc.

Was this supposed to work? What did I do wrong? I've since given up and just contact the database again, but it's not hard going back to this, and I'm curious what went wrong. Also, is there a better solution to prevent anyone seeing those answers with FireBug? Thanks!
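
Added example, not code from the thread or from the poster's quiz. It shows the two things the question turns on: the IV (nonce) is random per encryption and has to travel with the ciphertext, so it is packed into the hidden-field token itself; and a hidden field the browser can edit must be tamper-evident, so the token is authenticated as well as encrypted (AES-256-GCM via OpenSSL, since mcrypt was deprecated in PHP 7.1 and removed in 7.2). The function names seal()/unseal(), the field name r17, the value "q17:correct" and the demo key are all assumptions made up for the example; a real deployment loads a random 32-byte key from configuration outside the web root.

```php
<?php
// Added example (not from the original post). Hides a per-question value in a
// hidden form field and detects any change made to it in the browser.
// Hypothetical: $serverKey is a 32-byte secret from config; 'q17:correct'
// is a constructed value standing in for the database flag.

const CIPHER = 'aes-256-gcm';   // requires PHP 7.1+ with OpenSSL
const TAG_LEN = 16;

// Build the hidden-field token as hex( nonce || ciphertext || tag ).
// The nonce is fresh for every call and is carried inside the token,
// so the submit handler never has to keep a copy of it.
function seal(string $plaintext, string $key): string
{
    if (strlen($key) !== 32) {
        throw new InvalidArgumentException('key must be 32 bytes');
    }
    $nonce = random_bytes(openssl_cipher_iv_length(CIPHER));
    $tag = '';
    $ct = openssl_encrypt($plaintext, CIPHER, $key, OPENSSL_RAW_DATA, $nonce, $tag, '', TAG_LEN);
    if ($ct === false) {
        throw new RuntimeException('encryption failed: ' . openssl_error_string());
    }
    // hex so the value survives an HTML attribute and the POST body unchanged
    return bin2hex($nonce . $ct . $tag);
}

// Reverse of seal(). Returns the plaintext, or null when the token is
// malformed or was modified (the GCM tag no longer verifies).
function unseal(string $token, string $key): ?string
{
    $nonceLen = openssl_cipher_iv_length(CIPHER);
    if (strlen($key) !== 32 || !ctype_xdigit($token) || strlen($token) % 2 !== 0) {
        return null;
    }
    $raw = hex2bin($token);
    if (strlen($raw) < $nonceLen + TAG_LEN) {
        return null;
    }
    $nonce = substr($raw, 0, $nonceLen);
    $tag   = substr($raw, -TAG_LEN);
    $ct    = substr($raw, $nonceLen, -TAG_LEN);
    $pt = openssl_decrypt($ct, CIPHER, $key, OPENSSL_RAW_DATA, $nonce, $tag);
    return $pt === false ? null : $pt;
}

// Demo. The key is derived from a fixed string only so this file runs
// stand-alone; in the quiz it must be random_bytes(32) stored in config.
$serverKey = hash('sha256', 'demo-only-key-material', true);

$token = seal('q17:correct', $serverKey);
echo '<input type="hidden" name="r17" value="' . htmlspecialchars($token, ENT_QUOTES) . '">', PHP_EOL;
var_dump(unseal($token, $serverKey));

// Flip one hex digit of the ciphertext, as someone with FireBug could:
// the tag check fails and unseal() returns null instead of garbage.
$tampered = $token;
$pos = 2 * openssl_cipher_iv_length(CIPHER);   // first hex digit after the nonce
$tampered[$pos] = ($tampered[$pos] === '0') ? '1' : '0';
var_dump(unseal($tampered, $serverKey));
```

On submit, treat a null from unseal() as an invalid submission rather than as a wrong answer. Two caveats worth knowing: a token is only bound to the question by what you put in the plaintext (hence "q17:" in the value, which the handler should check against the submitted question id), and if the only goal is to avoid a second database query, storing the per-question flags in $_SESSION when the quiz is rendered avoids sending anything to the browser at all.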

