
When using PHP to pass important data

When passing data to another PHP script using GET or POST, should I encrypt it with an MD5 with salt? Or is there a better way to do it?

What kind of data? MD5 isn't an encryption function, it's a hashing function--once you MD5 it there's no "unencrypt," you can't get the original data back.

If you're transmitting critical data (e.g. credit card, bank account, or social security numbers) you should use a secure SSL connection (i.e. HTTPS).

It depends on what you are trying to accomplish.

Generally, if you only want to verify that the data is coming from your app, pass the data along with a hash that verifies the data hasn't been tampered with.

If you are looking to literally encrypt data in the request, you should look into encryption and not hashing.

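// Secret known only to the server; both scripts must use the same value.
$salt = 'replace-with-a-long-random-secret';
$a = 2;
$b = 3;
// Hash of the secret plus the values being passed.
$hash = sha1($salt.$a.$b);

$link = "http://www.domain.tld/index.php?a=$a&b=$b&hash=$hash";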

Then:

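// Same server-side secret as in the script that built the link.
$salt = 'replace-with-a-long-random-secret';
$a = $_GET['a'];
$b = $_GET['b'];

$hash = sha1($salt.$a.$b);

// hash_equals() compares in constant time and avoids PHP's loose == comparison.
$given = $_GET['hash'] ?? '';
if (is_string($given) && hash_equals($hash, $given)) {
  // data ok
} else {
  // data has been tampered with
}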

If you are sending sensitive data (such as password, username or even email) you should send this data encrypted in some "strong" way. It can be sent in plain but over HTTPS for example.

If HTTPS is not an option you can always encrypt data with some free/open solutions like GnuPG.

By the way, MD5 is "one way" (but it can be cracked) so you can't un-MD5 easily.

I get the impression that the underlying motivation for this question is the misconception that PHP is less safe than other web-development languages. Other platforms like ASP/.NET may have pre-built methods for keeping things top secret, but those methods only work if they are used. The same goes for PHP. Taking your question as a concern for PHP's security (which is an assumption, and while I could be wrong for you, it is a popular assumption), I would respond: the best way to secure data transfers with PHP is to use the same practices and techniques used for ALL other platforms, such as SSL, strong passwords, confirming IP addresses, not leaving the keys under the mat (i.e. role-based cookies), and everything else suggested for this question.

Having said that, you obviously want to be secure and want to use PHP, so I'm not jumping down your throat. But I would highly recommend studying up on some basic web-security techniques so that you will know not only how to encrypt your data, but the tons of other things to watch out for as well.

If you do not want to use an HTTPS connection and are not passing sensitive data, I would recommend encrypting the data and possibly using a message authentication code in the process.

You may want to look at the Mcrypt manual.

While not specifically related to GET/POST data, I found an article entitled PHP encryption for the common man that discusses how to secure data in your PHP application.
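
The tamper check from the hashed-link answer and the message authentication code suggested in a later answer, combined as an added example that is not code from any of the posters. It swaps the salted `sha1` concatenation for PHP's `hash_hmac()` over a delimited query string and compares with `hash_equals()`; the key constant and the function names `sign_params`, `build_signed_link` and `verify_params` are hypothetical.

```php
<?php
// Constructed demo key (assumption); in practice load it from server-side configuration.
const SIGNING_KEY = 'constructed-demo-key-not-for-production';

// Canonicalise the parameters (sorted, URL-encoded, delimited by & and =),
// then compute an HMAC-SHA256 tag over the result.
function sign_params(array $params, string $key): string
{
    ksort($params);
    return hash_hmac('sha256', http_build_query($params), $key);
}

// Build a link that carries the parameters plus their tag.
function build_signed_link(string $base, array $params, string $key): string
{
    $params['hash'] = sign_params($params, $key);
    return $base . '?' . http_build_query($params);
}

// Verify a received parameter array (for example $_GET).
function verify_params(array $received, string $key): bool
{
    $tag = $received['hash'] ?? '';
    unset($received['hash']);
    if (!is_string($tag)) {
        return false; // ?hash[]=x arrives as an array, never a valid tag
    }
    return hash_equals(sign_params($received, $key), $tag);
}

$link = build_signed_link('http://www.domain.tld/index.php', ['a' => 2, 'b' => 3], SIGNING_KEY);
parse_str(parse_url($link, PHP_URL_QUERY), $query); // stands in for $_GET

var_dump(verify_params($query, SIGNING_KEY)); // link exactly as issued

$query['b'] = '4';                            // value changed in transit
var_dump(verify_params($query, SIGNING_KEY));

// Plain concatenation hashes a=2,b=3 and a=23,b='' to the same input string;
// the delimited query string keeps the two cases distinct.
var_dump(sha1('salt' . '2' . '3') === sha1('salt' . '23' . ''));
var_dump(sign_params(['a' => '2', 'b' => '3'], SIGNING_KEY)
    === sign_params(['a' => '23', 'b' => ''], SIGNING_KEY));
```

The tag only shows that the parameters were issued by a holder of the key; the values are still readable by anyone who sees the URL, so confidentiality still needs HTTPS or encryption as the answers above say.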

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.
