I have a PHP script that does basic encryption of a string through the method below:
<?php
$key = 'secretkey';
$string = $_GET['str'];
if ($_GET['method'] == "decrypt")
{
    $output = rtrim(mcrypt_decrypt(MCRYPT_RIJNDAEL_256, md5($key), base64_decode($string), MCRYPT_MODE_CBC, md5(md5($key))), "\0");
}
if ($_GET['method'] == "encrypt")
{
    $output = base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, md5($key), $string, MCRYPT_MODE_CBC, md5(md5($key))));
}
echo $output;
?>
An example of a URL to encrypt a string would look like this:
Encrypt.php?method=encrypt&str=the quick fox
Which would return this as the encrypted string:
LCuT/ieVa6cl3/4VtzE+jd9QPT3kvHYYJFqG6tY3P0Q=
Now to decrypt the string all you have to do is change the "method" query to "decrypt", like so:
Encrypt.php?method=decrypt&str=LCuT/ieVa6cl3/4VtzE+jd9QPT3kvHYYJFqG6tY3P0Q=
The only problem is that when that encrypted string is decrypted it returns this:
¬ƒ§rYV}̳5Äš·nßì(ñïX8Þ;b
I have narrowed down the problem to the plus sign that is in the encrypted string. PHP's GET method seems to translate a plus sign into a blank space. I have searched for this bug and found out that it has already been filed here. I have tried different methods listed on that page and others with no success. The closest I got is by using this:
$fixedstring = str_replace(" ", "+", $string);
and then using $fixedstring in the encryption methods. The problem is that, upon decryption, all blank spaces are converted to plus signs. Any ideas?
I know using POST would make more sense but I am using GET for specific reasons. I will spare the details.
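The decoding behaviour described in the question, reproduced offline as an added example (not part of the original post): `parse_str()` applies the same URL-decoding PHP uses to populate `$_GET`, so it shows where the `+` is lost and two ways to carry the ciphertext through a GET parameter intact. The helper names `query_value`, `base64url_encode` and `base64url_decode` are hypothetical, and the only inputs are the two strings quoted in the question.

```php
<?php
// Added example; runs with the PHP CLI, no web server or mcrypt needed.
$plaintext  = 'the quick fox';                                 // from the question
$ciphertext = 'LCuT/ieVa6cl3/4VtzE+jd9QPT3kvHYYJFqG6tY3P0Q=';  // from the question

// Parse a query string the way PHP fills $_GET and return one parameter.
function query_value(string $query, string $name): ?string
{
    parse_str($query, $params);
    return $params[$name] ?? null;
}

// URL-safe base64: '+' -> '-', '/' -> '_', padding dropped.
function base64url_encode(string $bin): string
{
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

// Inverse of base64url_encode(); returns false on malformed input.
function base64url_decode(string $text)
{
    $padded = str_pad($text, strlen($text) + (4 - strlen($text) % 4) % 4, '=');
    return base64_decode(strtr($padded, '-_', '+/'), true);
}

// 1. Raw base64 pasted into the URL: in a query string '+' means space.
$raw = query_value('method=decrypt&str=' . $ciphertext, 'str');
echo 'raw value intact:        ', var_export($raw === $ciphertext, true), "\n";
echo 'raw value has a space:   ', var_export(strpos($raw, ' ') !== false, true), "\n";

// 2. Percent-encode the value when the link is built. The same call keeps
//    real spaces in the plaintext, so no str_replace() is needed afterwards.
$enc = query_value('method=decrypt&str=' . rawurlencode($ciphertext), 'str');
$pt  = query_value('method=encrypt&str=' . rawurlencode($plaintext), 'str');
echo 'rawurlencode ciphertext: ', var_export($enc === $ciphertext, true), "\n";
echo 'rawurlencode plaintext:  ', var_export($pt === $plaintext, true), "\n";

// 3. Alternative: emit the ciphertext in the URL-safe alphabet, which has
//    no characters that query-string decoding rewrites.
$bytes = base64_decode($ciphertext, true);
$token = base64url_encode($bytes);
$back  = query_value('method=decrypt&str=' . $token, 'str');
echo 'base64url token:         ', $token, "\n";
echo 'base64url round trip:    ', var_export(base64url_decode($back) === $bytes, true), "\n";
```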