Mcrypt and "hidden" form-input
I'm working on a quiz, and in the process of writing the questions I take a value from my database that says whether the question is right or wrong. Then I send it as a hidden input so I don't need to access the database again after submitting. The problem is anyone with FireBug can see those values.
I found this:
// Designate string to be encrypted
$string = "Applied Cryptography, by Bruce Schneier, is
a wonderful cryptography reference.";
// Encryption/decryption key
$key = "Four score and twenty years ago";
// Encryption Algorithm
$cipher_alg = MCRYPT_RIJNDAEL_128;
// Create the initialization vector for added security.
// IV length depends on cipher and mode; fill it from the OS random source.
$iv = mcrypt_create_iv(mcrypt_get_iv_size($cipher_alg, MCRYPT_MODE_CBC), MCRYPT_DEV_URANDOM);
// Output original string
print "Original string: $string <p>";
// Encrypt $string
$encrypted_string = mcrypt_encrypt($cipher_alg, $key,
$string, MCRYPT_MODE_CBC, $iv);
// Convert to hexadecimal and output to browser
print "Encrypted string: ".bin2hex($encrypted_string)."<p>";
$decrypted_string = mcrypt_decrypt($cipher_alg, $key,
$encrypted_string, MCRYPT_MODE_CBC, $iv);
print "Decrypted string: $decrypted_string";
It's from an article about mcrypt; the code works with encrypting and decrypting on my server. I figured I'd save a string as the key at the top of my PHP page so the same one could be used to encrypt the hidden result value and then decrypt it as I'm calculating the result. I've got my submit code under an isset() if-statement before I print the quiz.
However, it did not work: when I echoed the "decrypted" string (just like in that example) after submitting, it just showed strange symbols, and when I checked with FireBug the hidden input also showed similar symbols. I figured the value was too long or that form input didn't like binary data, so I used the bin2hex function before sending them as hidden and it looked better in FireBug. The problem then was getting the data back; using pack/unpack didn't work either.
Does anyone know if the IV part, or variable, is random and I have to pass it along to decrypt right? Either way, I tried simply not having it in, like it says you can on PHP.net (it's supposed to use some default of zeroes), but it threw out some errors about a blank IV etc.
Was this supposed to work? What did I do wrong? I've since given up and just contact the database again, but it's not hard going back to this, and I'm curious what went wrong. Also, is there a better solution to prevent anyone seeing those answers with FireBug? Thanks!
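For reference, here is an added example (not the poster's code, and not from the mcrypt article) of what the round trip through a hidden input needs: a fresh random IV carried along with the ciphertext, base64 instead of raw bytes in the form value, and an HMAC so a client cannot edit the value. It assumes PHP 7.1+ with the openssl extension; the key string and the question value are placeholders.

```php
<?php
// Added example: seal a per-question result into a hidden input and open it on submit.
// The secret key must live in server-side config, never in the page. Placeholder below.
const CIPHER  = 'aes-256-cbc';
const MAC_LEN = 32; // bytes of HMAC-SHA256 appended to the blob

function derive_key(string $secret): string
{
    // Fixed-length key for the cipher regardless of how long the configured secret is.
    return hash('sha256', $secret, true);
}

// Produce the hidden-input value: base64( IV || ciphertext || HMAC ).
function seal_for_hidden_input(string $plaintext, string $secret): string
{
    $key = derive_key($secret);
    $iv  = random_bytes(openssl_cipher_iv_length(CIPHER)); // random per value, NOT zeroes
    $ct  = openssl_encrypt($plaintext, CIPHER, $key, OPENSSL_RAW_DATA, $iv);
    $blob = $iv . $ct;                       // the IV is not secret; it must travel with the data
    $mac  = hash_hmac('sha256', $blob, $key, true); // CBC alone does not detect tampering
    return base64_encode($blob . $mac);      // text-safe for an HTML attribute
}

// Reverse it on submit; returns null if the field was altered or is malformed.
function open_from_hidden_input(string $field, string $secret): ?string
{
    $key   = derive_key($secret);
    $ivLen = openssl_cipher_iv_length(CIPHER);
    $raw   = base64_decode($field, true);
    if ($raw === false || strlen($raw) < $ivLen + MAC_LEN) {
        return null;
    }
    $mac  = substr($raw, -MAC_LEN);
    $blob = substr($raw, 0, -MAC_LEN);
    if (!hash_equals(hash_hmac('sha256', $blob, $key, true), $mac)) {
        return null;                         // constant-time compare; reject edited values
    }
    $plain = openssl_decrypt(substr($blob, $ivLen), CIPHER, $key, OPENSSL_RAW_DATA, substr($blob, 0, $ivLen));
    return $plain === false ? null : $plain;
}

// Constructed demo values (placeholders): render the field, then read it back.
$secret = 'PLACEHOLDER-secret-from-server-config';
$field  = seal_for_hidden_input('q7=correct', $secret);
echo '<input type="hidden" name="r7" value="' . htmlspecialchars($field, ENT_QUOTES) . '">', "\n";
var_dump(open_from_hidden_input($field, $secret));
var_dump(open_from_hidden_input('x' . $field, $secret));
```

The strange symbols in FireBug came from putting raw ciphertext bytes into an attribute, and the decrypt failure came from the IV not reaching the submit handler; both are avoided by the encoding above. Keeping the correctness flag in $_SESSION keyed by question id avoids the database round trip without putting anything in the form at all.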