I encrypted a password and am now trying to show it in the URL, but in the URL I always get the actual password, which is: kimd
I guess I am not passing $encrypted_string in the URL. Please check my PHP script and let me know how I can pass $encrypted_string in the URL.
Whenever I call my form I get everything, details like the actual password, the encrypted password and the decrypted password.
For example:
Original upass : kimd
Encrypted upass : 5¾VªÜly.TÀîÈ¥MÜQüÑLøø‹y\\ñU
Decrypted upass : kimd
legals.php:
<?php
.......................
// Create the initialization vector; its size must match the cipher mode used below (CBC).
$iv = mcrypt_create_iv(mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_CBC), MCRYPT_RAND);
// Encrypt $string
$encrypted_string = mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $secret_key, $upass, MCRYPT_MODE_CBC, $iv);
// Decrypt $string
$decrypted_string = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $secret_key, $encrypted_string, MCRYPT_MODE_CBC, $iv);
................................
?>
I just want to show the encrypted password in the URL, not the actual password. I have two fields in the legals table, namely uname and upass.
Where am I making a mistake? Please let me know.
Firstly, it's not good practice to send a password through GET parameters. It should always be sent through POST parameters:
<form method="POST" id="contact_form" action="legals.php">
and you can retrieve them as:
$uname = $_POST['uname'];
$upass = $_POST['upass'];
But still, if you want to encrypt in URL only, use base64_encode() or md5() in your .php file.
I'm by no means a guru, but from the code you have posted, it appears your query "SELECT * FROM legals WHERE upass = '$upass'" is pulling the non-encrypted password from your database. Although you have echoed encrypted and decrypted strings, I don't see where you are using the encrypted string in any other way.
Here is your answer, assuming you can get $ukey and $secret_key!
<?php
// Create the initialization vector; its size must match the cipher mode used below (CBC).
$iv = mcrypt_create_iv(mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_CBC), MCRYPT_RAND);
// Encrypt $string
$encrypted_string = mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $secret_key, $ukey, MCRYPT_MODE_CBC, $iv);
// Decrypt $string
$decrypted_string = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $secret_key, $encrypted_string, MCRYPT_MODE_CBC, $iv);
?>
<div align="center">
<form method="get" id="contact_form" action="legal.php">
<p>Enter First Name</p>
<input type="text" name="fname" value="" />
<p>Enter Last Name</p>
<input type="text" name="lname" value="" />
<input type="hidden" name="uname" value="kim" /> <!-- uname could be dynamic here -->
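<!-- The ciphertext is raw binary, so base64-encode it before writing it into the page -->
<input type="hidden" name="upass" value="<?php echo base64_encode($encrypted_string); ?>" /><br/>
<input type="submit" id="submit_btn" value="Submit" />
</form>
</div>
On legal.php page:
$uname = isset($_GET['uname'])?$_GET['uname']:'';
// Undo the base64 encoding applied in the form
$upass = isset($_GET['upass'])?base64_decode($_GET['upass']):'';
$con = mysqli_connect(" "," "," "," ");
// Bind the request value as a parameter instead of interpolating it into the SQL string
$stmt = mysqli_prepare($con, "SELECT * FROM `legals` WHERE `upass` = ?");
mysqli_stmt_bind_param($stmt, "s", $upass);
mysqli_stmt_execute($stmt);
$result = mysqli_stmt_get_result($stmt);
$row = mysqli_fetch_array($result);
// else {echo "Username/Key Error";}
mysqli_close($con);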
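Added example, not part of any answer in this thread: the encrypt, pass in the URL, decrypt round trip the question attempts, written with PHP's OpenSSL extension because mcrypt was removed from PHP core in 7.2. The helper names (`b64url_encode`, `b64url_decode`, `seal_for_url`, `open_from_url`), the token layout and the demo key are assumptions of this example; the nonce travels inside the token so a later request can decrypt it, and the token is base64url-encoded so the raw bytes survive a query string.

```php
<?php
// Added example, not code from the thread. Requires ext/openssl (PHP 7.1+).

// URL-safe base64: raw cipher bytes cannot go into a query string as-is.
function b64url_encode(string $bin): string {
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

function b64url_decode(string $txt): ?string {
    $txt = strtr($txt, '-_', '+/');
    $txt .= str_repeat('=', (4 - strlen($txt) % 4) % 4);   // restore padding
    $bin = base64_decode($txt, true);
    return $bin === false ? null : $bin;
}

// Token layout (assumed for this example): 12-byte nonce || 16-byte GCM tag || ciphertext.
// The nonce travels inside the token, so a later request can decrypt it.
function seal_for_url(string $plain, string $key): string {
    $nonce = random_bytes(12);   // fresh random nonce per token
    $tag = '';
    $ct = openssl_encrypt($plain, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $nonce, $tag);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return b64url_encode($nonce . $tag . $ct);
}

// Returns the plaintext, or null when the token is malformed or was altered.
function open_from_url(string $token, string $key): ?string {
    $raw = b64url_decode($token);
    if ($raw === null || strlen($raw) < 28) {
        return null;
    }
    $plain = openssl_decrypt((string) substr($raw, 28), 'aes-256-gcm', $key,
        OPENSSL_RAW_DATA, substr($raw, 0, 12), substr($raw, 12, 16));
    return $plain === false ? null : $plain;
}

// Demo with constructed values; a real key is a stored 32-byte secret.
$key   = random_bytes(32);
$token = seal_for_url('kimd', $key);   // sample value from the question
echo 'legals.php?', http_build_query(['uname' => 'kim', 'upass' => $token]), "\n";
var_dump(open_from_url($token, $key));   // round trip back to the plaintext

// Changing one character of the token makes authentication fail.
$bad = $token;
$bad[20] = ($bad[20] === 'A') ? 'B' : 'A';
var_dump(open_from_url($bad, $key));
```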