tags:

views:

1800

answers:

5
+4  Q: 

Two-way encryption in PHP

My application (obviously) uses a unique ID to distinguish records. This UID is passed in URLs (e.g. ./examplepage.php?UID=$example_int), among other things.

While I obviously have server-side validation in place to make sure clients don't access other clients' data, is there a two-way encryption method I can use in PHP to only pass encrypted UIDs (e.g. ./examplepage.php?EUID=$encrypted_int), to further reduce the chance of anyone thinking "hey, what happens if I increment this integer?"

TIA.

+1  A: 

Placing a hash next to the ID to ensure it's security, or padding the ID with extra data, or even converting the ID to hex would all work fairly well I think.

scragar  2009-09-07 22:16:52
Thanks, good call on converting to hex.
benjy  2009-09-07 22:20:14
Although it wouldn't protect from anyone "tech savvy" to try the next hex number. You are just changing bases, the "potential" problem remains.
rogeriopvl  2009-09-07 22:27:40
@benjy anyone who has the initiative to increment the UID, will immediately recognize a hex or padded int. You really should be doing what @caf suggested. Or just generating non-incrementing, non-predictable UIDs.
bucabay  2009-09-08 00:18:50
A: 

Knock yourself out with crypt:

http://us.php.net/manual/en/function.crypt.php

Amber  2009-09-07 22:17:06
Thanks for the hint, but it seems like crypt() is only one-way. Are there any two-way functions available?
benjy  2009-09-07 22:18:29
+2  A: 

While PHP supports many two way hashing algorithms I do not see it being useful in this example. What you need to do is:

  1. Load the row from storage by the provided id
  2. Check that the owner of the row is the authenticated user and if not throw an exception and inform the user not to do that again

But if your heart is set on hashing just pick one of the algorithms provided.

Miha Hribar  2009-09-07 22:19:08
Thanks for the suggestion. I actually am already doing that, but I just wanted one more way to dissuade users from messing with that value.
benjy  2009-09-07 22:20:52
Sure thing. I usually don't worry about things like that. There's little damage a user can do by messing with the ids if you have proper ACLs in place.
Miha Hribar  2009-09-07 22:42:07
+1  A: 

For two-way encryption check mcrypt, or if you prefer a pure implementation phpseclib.

rogeriopvl  2009-09-07 22:19:53
+7  A: 

You don't need two-way encryption - encryption is for maintaining secrecy, but what you're really looking for here is authenticity.

HMACs (essentially, keyed hashes) are one way of getting cryptographic authenticity. Accompany the UID with a HMAC of the UID (PHP has a HMAC implementation), using a key that only the server knows. At the start of each request, check the HMAC.

Basically, use the right tool for the right job.

caf  2009-09-07 22:24:19

related questions

IDE suggestions: Eclipse IDE vs. Zend Studio ( confused )
MySQL/Apache Error in PHP MySQL query
Lightweight IDE for Linux
What PHP framework would you choose for a new application and why?
Why is my ternary expression not working?
How can I get at the matches when using preg_replace in PHP?
Mechanisms for tracking DB schema changes
Wordpress theme development offline tools
Using object property as default for method property
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
How do you debug PHP scripts?
PHP Variables passed by value or by reference?
Best way to implement unit testing in PHP
Connect PHP to an AS/400
Best way to access Exchange using PHP?
PHP Session Security
How do I access a remote form in php?
What's the best way to generate a tag cloud from an array? (using h1 through h6 for sizing)
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP
How would you access Object properties from within an object method?
Flat File Databases in PHP
Best way to allow plugins for a PHP application
Latest information on PHP upcoming releases