Mcrypt and "hidden" form-input

Discussion in 'PHP' started by Typr451, Jul 19, 2010.

  1. Typr451

    I'm working on a quiz and in the process of writing the questions I take a value from my database if the question is right or wrong. Then I send it as a hidden input so I don't need to access the database again after submitting. The problem is anyone with FireBug can see those values.

    I found this:


    // Designate string to be encrypted
    $string = "Applied Cryptography, by Bruce Schneier, is
    a wonderful cryptography reference.";

    // Encryption/decryption key
    // (PHP 5.6+ only accepts 16, 24 or 32 byte keys here; older versions pad with NUL bytes)
    $key = "Four score and twenty years ago";

    // Encryption Algorithm
    $cipher_alg = MCRYPT_RIJNDAEL_128;

    // Create the initialization vector for added security.
    // It is random on every call, so decryption needs this same $iv.
    $iv = mcrypt_create_iv(mcrypt_get_iv_size($cipher_alg, MCRYPT_MODE_CBC));

    // Output original string
    print "Original string: $string <p>";

    // Encrypt $string
    $encrypted_string = mcrypt_encrypt($cipher_alg, $key,
    $string, MCRYPT_MODE_CBC, $iv);

    // Convert to hexadecimal and output to browser
    print "Encrypted string: ".bin2hex($encrypted_string)."<p>";

    // Decrypt with the same key and the same IV
    $decrypted_string = mcrypt_decrypt($cipher_alg, $key,
    $encrypted_string, MCRYPT_MODE_CBC, $iv);

    print "Decrypted string: $decrypted_string";


    It's from an article about mcrypt, and the code works with encrypting and decrypting on my server. I figured I'd save a string as key at the top of my PHP page so the same could be used to encrypt the hidden result value, then decrypt it as I'm calculating the result. I've got my submit code under an isset if-statement before I print the quiz.

    However, it did not work. When I echo'ed the "decrypted" string (just like in that example) after submitting, it just showed strange symbols, and when I checked with FireBug the hidden input also showed similar symbols. I figured the value was too long or that form input didn't like binary data, so I ran the bin2hex function on the values before sending them as hidden and it looked better in FireBug. The problem then was getting the data back; using pack/unpack didn't work either.

    Does anyone know if the IV part, or variable, is random and I have to pass it along to decrypt, right? Either way I tried simply not having it in, like it says you can on PHP.net (it's supposed to use some default of zeroes), but it threw out some errors about blank IV etc.

    Was this supposed to work? What did I do wrong? I've since given up and just contact the database again, but it's not hard going back to this, and I'm curious what went wrong. Also, is there a better solution to prevent anyone seeing those answers with FireBug? Thanks!
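
The round trip the post describes (encrypt on render, carry the value in a hidden field, decrypt on submit), as an added example that is not part of the original post. It swaps mcrypt for PHP's OpenSSL extension with AES-256-GCM (PHP 7.1+); the function names `seal_field` and `open_field`, the `question:17` context label and the token layout are assumptions made for illustration.

```php
<?php
// Added example. seal_field/open_field and the token layout are hypothetical.

// Constructed for this demo. In practice: 32 random bytes loaded from
// server-side config, because render and submit must use the same key.
$key = random_bytes(32);

// Encrypts $plaintext and returns a form-safe token.
// $context (e.g. the question id) is authenticated but not encrypted.
function seal_field(string $plaintext, string $context, string $key): string
{
    $iv  = random_bytes(12);   // fresh random IV for every token
    $tag = '';
    $ct  = openssl_encrypt($plaintext, 'aes-256-gcm', $key,
                           OPENSSL_RAW_DATA, $iv, $tag, $context);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    // IV and tag are not secret; they travel with the ciphertext.
    // base64 keeps the binary data intact inside an HTML attribute.
    return base64_encode($iv . $tag . $ct);
}

// Returns the plaintext, or null if the token is malformed, was modified,
// or was sealed for a different context.
function open_field(string $token, string $context, string $key): ?string
{
    $raw = base64_decode($token, true);
    if ($raw === false || strlen($raw) <= 28) {   // 12-byte IV + 16-byte tag
        return null;
    }
    $pt = openssl_decrypt(substr($raw, 28), 'aes-256-gcm', $key, OPENSSL_RAW_DATA,
                          substr($raw, 0, 12), substr($raw, 12, 16), $context);
    return $pt === false ? null : $pt;
}

// Rendering the quiz: constructed sample value 'B' for question 17.
$token = seal_field('B', 'question:17', $key);
echo '<input type="hidden" name="q17" value="',
     htmlspecialchars($token, ENT_QUOTES), '">', "\n";

// Handling the submit: the intact token, the token replayed under another
// question, and a token with one character altered.
var_dump(open_field($token, 'question:17', $key));
var_dump(open_field($token, 'question:18', $key));
$tampered = $token;
$tampered[20] = ($tampered[20] === 'A') ? 'B' : 'A';
var_dump(open_field($tampered, 'question:17', $key));
```

Keeping the answer server-side (the database lookup the poster went back to, or the session) avoids sending it to the browser at all.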
