I'm working on a quiz and in the process of writing the questions I take a value from my database if the question is right or wrong. Then I send it as hiiden-input so I don't need to access the database again after submitting. The problem is anyone with FireBug can see those values. I found this: <?php // Designate string to be encrypted $string = "Applied Cryptography, by Bruce Schneier, is a wonderful cryptography reference."; // Encryption/decryption key $key = "Four score and twenty years ago"; // Encryption Algorithm $cipher_alg = MCRYPT_RIJNDAEL_128; // Create the initialization vector for added security. $iv = mcrypt_create_iv(mcrypt_get_iv_size($cipher_alg, MCRYPT_MODE_ECB), MCRYPT_RAND); // Output original string print "Original string: $string <p>"; // Encrypt $string $encrypted_string = mcrypt_encrypt($cipher_alg, $key, $string, MCRYPT_MODE_CBC, $iv); // Convert to hexadecimal and output to browser print "Encrypted string: ".bin2hex($encrypted_string)."<p>"; $decrypted_string = mcrypt_decrypt($cipher_alg, $key, $encrypted_string, MCRYPT_MODE_CBC, $iv); print "Decrypted string: $decrypted_string"; ?> It's from an article about mcrypt, the code works with encrypting and decrypting on my server. I figured I'd save a string as key at the top of my PHP-page so the same could be used to encrypt the hidden result-value then decrypt it as I'm calculating the result. I've got my sumbit-code under a isset if-statement before I print the quiz. However it did not work, when I echo'ed the "decrypted" string (just like in that example) after submitting it just showed strange symbols, when I checked with FireBug the hidden-input also showed similar symbols. I figured the value was too long or that form-input didn't like binary-data so I did the bin2hex-function before sending them as hidden and it looked better in FireBug. The problem then was getting the data back, using the pack/unpack didn't work either. Anyone know if the IV part, or variable is random and I have to pass it along to decrypt right? Either way I tried simply not having it in, like it says in the you can on PHP-net (it's suppse to use some default of zeroes) , but it threw out some errors about blank IV etc. Was this suppose to work? What did I do wrong? I've since given up and just contact the database again but it's not hard going back to this, and I'm curious what went wrong. Also is there a better solution to prevent anyone seeing those answers with FireBug? Thanks!
