How to encrypt data in a message using php
I have read several posts on how to encrypt data per HTML post using PHP. But I cannot figure out how this should be done.
I'll explain my simple example.
I have a dashboard where users can see their settings. Think of multiple installations, and each one applies to a different user. Some have one set that has five sets.
The thing is, I designed a button to download Excel information from their installation.
I made contactosDownload.php that $ _GET ['idInstalacion'] so on the main info panel the button looks like this:
<a href="contactosDownload.php?idInstalacion=
<? echo $idInstalacionPOST ?>"
class="btnDownload btn-success btn btn-info pull-left">
<i class="fa fa-download"></i> Descargar
</a>
It works fine and when the button is clicked contactosDowload gets idInstalacion and selects mysql and then Excel with setup information is reset. PHPExcel does the job perfectly.
Even though these users, who have three installations, can choose one of these installations, and the information is updated with Ajax. I have a jQuery update:
$('#InstaSelect').change(function(e) {
e.preventDefault();
.....
$('.btnDownload').attr("href", "contactosDownload.php?idInstalacion="+idInstalacion);
....
});
This works too.
Like all of you think of sending an id, it's not a very smart idea. Even if someone gets a link, they can start fetching data with:
http://www.aaaaa.com/contactosDownload.php?idInstalacion=1
http://www.aaaaa.com/contactosDownload.php?idInstalacion=2
etc.
What is the best choice for encrypting and decrypting information and keeping message information secure?
thank
EDIT:
I forgot to say that users are logged in with their username and password. And I store with var session all users when they are logged.
$user_browser = $_SERVER['HTTP_USER_AGENT']; // Get the user-agent string of the user.
$dbid = preg_replace("/[^0-9]+/", "", $dbid); // XSS protection as we might print this value
$_SESSION['user_id'] = $dbid;
$_SESSION['login_string'] = hash('sha512', $tContra.$user_browser);
$_SESSION['ultimoAcceso'] = date("Y-n-j H:i:s");
$_SESSION['tTipoUsuLogged'] = $tTipo;
$_SESSION['tRolUsuLogged'] = $tRolUsuario;
$_SESSION['tEmail'] = $tUseNam;
and each php has (includes 'validateSesion.php') which validates user and tiemout.
So now I submit this check on contactosDownload and if no user is authenticated, /index.php(login) appears.
First level obtained.
Now I need to encode the id in the post and check if the user has a SESSION form to download the installation.
How about encryp '/ decrypt id with:
function encryptor($action, $string) {
$output = false;
$encrypt_method = "AES-256-CBC";
//pls set your unique hashing key
$secret_key = 'long logn text secret';
$secret_iv = '1a2b3c4d5e';
// hash
$key = hash('sha256', $secret_key);
// iv - encrypt method AES-256-CBC expects 16 bytes - else you will get a warning
$iv = substr(hash('sha256', $secret_iv), 0, 16);
//do the encyption given text/string/number
if( $action == 'encrypt' ) {
$output = openssl_encrypt($string, $encrypt_method, $key, 0, $iv);
$output = base64_encode($output);
}
else if( $action == 'decrypt' ){
//decrypt the given text/string/number
$output = openssl_decrypt(base64_decode($string), $encrypt_method, $key, 0, $iv);
}
return $output;
}
source to share
First of all, make sure your URL is encoded so that it is not easy to read.
The second suggestion I would make is to use a honeypot .
Finally, if the data is particularly sensitive (like financial data), I would recommend moving away from the ID entirely and using a hash that can be matched to the ID behind the scenes.
source to share