PHP: Form example which will encrypt query string (GET) (data hiding rather than security)

Disclaimer: this page is a side-by-side Chinese/English translation of a popular StackOverflow question, licensed under CC BY-SA 4.0. If you use it you must likewise follow the CC BY-SA license, cite the original URL and author information, and attribute it to the original author (not me). StackOverflow original: http://stackoverflow.com/questions/12102670/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me): StackOverFlow

Date: 2020-08-25 02:49:23  Source: igfitidea


Tags: php, forms, encryption, html-parsing, query-string

Asked by SEU

I intend to use GET for my form but would like to encrypt the values in the query string so that users are not able to change it. (not for security, but for data hiding purposes)


I came across a couple of websites which explained encryption, but it is not clear to me how to implement it once the user presses the submit button. Ex: http://myscriptlibrary.wordpress.com/2010/04/14/how-to-encrypt-query-string-in-php/


Is there an example which could show this?


Thanks.


Answered by Glenn Dayton

From my understanding of the link that you provided, you want to encrypt the GET variables, or at least obfuscate them.


The best and easiest way that this could be done is using base64_decode/encode. For example, to encode the string you would do something like:


$link = "http://www.example.com/?item=".urlencode(base64_encode("user-data"));

$link would look something like http://www.example.com/?item=rklgEwkelnf%3D%3D, but to translate the seemingly garbled (base64ed) text into something usable you would use:


foreach($_GET as $loc=>$item)
    $_GET[$loc] = base64_decode(urldecode($item));

Then you can freely use the $_GET variable as you normally would.


Answered by alfasin

The following solution is easy enough to implement and is strong enough unless you deal with very sensitive data such as credit-card information or NASA algorithms...

When you send the parameter via GET, add a hash value along with it, for example:


$parameter = "abc"; //The parameter which you'll pass as a GET parameter
$salt = "cV0puOlx";
$hashed = md5($salt.$parameter);//A hash that you'll pass as well
// pass $hashed, the value computed above (the originally posted code used an undefined $hash here)
header("Location: http://www.yourdomain.com?param=".urlencode($parameter)."&hash=$hashed");

Then when you read the parameters, check that the hash is a valid one:


$parameter  = $_GET['param'];
$hash = $_GET['hash'];
$salt = "cV0puOlx";
$hashed = md5($salt.$parameter);
//now you check:
if ($hash === $hashed){
   //everything's fine - continue processing
}
else{
  // ERROR - the user tried to tamper with your parameter
  // show error-message and bail-out
}
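The same tamper check, written out as an added example that is not part of the original answer and goes a little beyond it: the signature is an HMAC-SHA256 over the whole canonical query string instead of md5($salt.$parameter), so every parameter is covered rather than one, and the comparison uses hash_equals() so it does not leak timing information. sign_query, verify_query and SIGNING_KEY are names chosen for this example; the key value is a constructed sample.

```php
<?php
// Added example: a signed query string (integrity, not confidentiality).
// The values stay readable in the URL; what the signature prevents is a user
// editing them in the address bar and having the change accepted.
// SIGNING_KEY is a constructed sample; a real application loads it from
// configuration, never from a page that is served to users.
const SIGNING_KEY = 'constructed-sample-key-replace-me';

/** Build "a=1&b=2&sig=..." where the signature covers every other pair. */
function sign_query(array $params, string $key = SIGNING_KEY): string
{
    unset($params['sig']);
    ksort($params);                               // canonical order: same params, same string
    $canonical = http_build_query($params);       // URL-encodes keys and values
    $sig = hash_hmac('sha256', $canonical, $key);
    return $canonical . '&sig=' . $sig;
}

/** Return the verified parameters, or null if the signature is missing or wrong. */
function verify_query(string $query, string $key = SIGNING_KEY): ?array
{
    parse_str($query, $params);
    if (!isset($params['sig']) || !is_string($params['sig'])) {
        return null;
    }
    $sig = $params['sig'];
    unset($params['sig']);
    ksort($params);                               // rebuild exactly what was signed
    $expected = hash_hmac('sha256', http_build_query($params), $key);
    return hash_equals($expected, $sig) ? $params : null;   // constant-time compare
}

// Producing page: build the link.
$query = sign_query(['item' => 42, 'view' => 'summary']);
echo "Link: /page.php?$query\n";

// Consuming page: the genuine query verifies; the same query after a user
// changed item=42 to item=43 in the address bar is rejected.
var_dump(verify_query($query));                                      // array with item and view
var_dump(verify_query(str_replace('item=42', 'item=43', $query)));   // NULL: tampered
```

On the consuming page you would call verify_query($_SERVER['QUERY_STRING']) and treat null as an error, the same way the answer above bails out when the hashes differ. Note that a signed query can still be replayed as-is by anyone who has the link; if that matters, include an expiry time or a per-user value among the signed parameters.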

Answered by HeavyHead

The accepted answer here doesn't provide any real protection. You can just take the encoded parameters and put them into an online base64_decode and it shows the values as if you have just passed them directly!


The other answer uses $hash as a pass-through value, but that value hasn't been defined, only $hashed.


Answered by Louis Schwartz

1- Crypt your var


2- Make sure to encode correctly with base64 MIME.


3- Do what you want (example : store in your database in order to decrypt later, pass into GET etc ...)


4- Safely base64-decode your var.


5- Decrypt your var


I implemented a class which does the job (security and data hiding). Use the openssl method with AES-256 in CBC mode for secure encryption (don't forget the initialization vector).


class Encryption{

    // URL-safe base64 (RFC 4648 section 5): '+' -> '-', '/' -> '_', padding dropped.
    public static function safe_b64encode($string='') {
        $data = base64_encode($string);
        $data = str_replace(['+','/','='],['-','_',''],$data);
        return $data;
    }

    public static function safe_b64decode($string='') {
        $data = str_replace(['-','_'],['+','/'],$string);
        $mod4 = strlen($data) % 4;
        if ($mod4) {
            $data .= substr('====', $mod4);   // restore the padding that encode() removed
        }
        return base64_decode($data, true);   // strict mode: false on invalid input
    }

    // The key string must be 32 bytes for aes-256-cbc; PHP silently null-pads a
    // shorter one, so the seed below works but a 32-byte random key is preferable.
    public static function encode($value=false){ 
        if($value === false || $value === '') return false;
        $iv_size = openssl_cipher_iv_length('aes-256-cbc');
        $iv = openssl_random_pseudo_bytes($iv_size);   // fresh random IV for every call
        $crypttext = openssl_encrypt($value, 'aes-256-cbc', 'your security cipherSeed', OPENSSL_RAW_DATA, $iv);
        return self::safe_b64encode($iv.$crypttext);   // IV is prepended so decode() can recover it
    }

    public static function decode($value=false){
        if($value === false || $value === '') return false;
        $crypttext = self::safe_b64decode($value);
        if($crypttext === false) return false;          // not valid base64
        $iv_size = openssl_cipher_iv_length('aes-256-cbc');
        $iv = substr($crypttext, 0, $iv_size);
        $crypttext = substr($crypttext, $iv_size);
        if(strlen($iv) !== $iv_size || $crypttext === '' || $crypttext === false) return false;
        $decrypttext = openssl_decrypt($crypttext, 'aes-256-cbc', 'your security cipherSeed', OPENSSL_RAW_DATA, $iv);
        // openssl_decrypt already strips the PKCS#7 padding; rtrim() would also eat
        // legitimate trailing whitespace, so the result is returned as-is.
        return $decrypttext === false ? false : $decrypttext;
    }
}

Example :


$pass_get = 'hello';
$base64_crypt = Encryption::encode($pass_get); // get base64 of crypt data

// Later pass into $_GET for example


<a href="https://toto.com?v=<?php echo $base64_crypt;?>" >Other page</a>

// In your other page, recover your var


$my_get_crypt_var = $_GET['v'];
Encryption::decode($my_get_crypt_var); // return 'hello' or false in case the string to be decrypted is invalid.

!!! This solution is not hashing, but ENCRYPTION! So it means that you can recover the content of your var. It can be used for non-sensitive data, but not for passwords, for example. !!!

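The class above gives confidentiality (the value is unreadable in the URL) but no integrity: AES-CBC on its own is malleable, so flipping a bit in the ciphertext flips the corresponding bit in the decrypted value without openssl_decrypt() noticing. The following added example, which is not part of the original answer and goes beyond it, keeps the same building blocks (AES-256-CBC, random IV, URL-safe base64) and adds an HMAC-SHA256 tag in encrypt-then-MAC form, checked with hash_equals() before anything is decrypted. seal_value, open_value, derive_keys and MASTER_KEY are names chosen for this example, and the key value is a constructed sample.

```php
<?php
// Added example: authenticated encryption of a query-string value.
// Layout of the token: base64url( IV || AES-256-CBC ciphertext || HMAC-SHA256 tag ).
// MASTER_KEY is a constructed sample; real code loads it from configuration.
const MASTER_KEY = 'constructed-sample-master-key-32b';

/** Derive separate encryption and MAC keys from one secret (hash_hkdf: PHP >= 7.1.2). */
function derive_keys(string $master): array
{
    return [
        hash_hkdf('sha256', $master, 32, 'query-enc'),
        hash_hkdf('sha256', $master, 32, 'query-mac'),
    ];
}

function b64url_encode(string $raw): string
{
    return rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
}

/** Returns the decoded bytes, or false when the input is not valid base64url. */
function b64url_decode(string $s)
{
    return base64_decode(strtr($s, '-_', '+/'), true);
}

function seal_value(string $plaintext, string $master = MASTER_KEY): string
{
    [$encKey, $macKey] = derive_keys($master);
    $iv = random_bytes(openssl_cipher_iv_length('aes-256-cbc'));  // 16 bytes, fresh per token
    $ct = openssl_encrypt($plaintext, 'aes-256-cbc', $encKey, OPENSSL_RAW_DATA, $iv);
    $tag = hash_hmac('sha256', $iv . $ct, $macKey, true);        // covers IV and ciphertext
    return b64url_encode($iv . $ct . $tag);
}

/** Returns the plaintext, or null if the token is malformed, forged, or modified. */
function open_value(string $token, string $master = MASTER_KEY): ?string
{
    [$encKey, $macKey] = derive_keys($master);
    $raw = b64url_decode($token);
    $ivLen = openssl_cipher_iv_length('aes-256-cbc');
    if ($raw === false || strlen($raw) < $ivLen + 16 + 32) {      // IV + one block + tag
        return null;
    }
    $tag = substr($raw, -32);
    $body = substr($raw, 0, -32);
    $expected = hash_hmac('sha256', $body, $macKey, true);
    if (!hash_equals($expected, $tag)) {
        return null;                                               // reject before decrypting
    }
    $iv = substr($body, 0, $ivLen);
    $ct = substr($body, $ivLen);
    $pt = openssl_decrypt($ct, 'aes-256-cbc', $encKey, OPENSSL_RAW_DATA, $iv);
    return $pt === false ? null : $pt;
}

// Producing page: the token is already URL-safe, so it can go straight into the query.
$token = seal_value('hello');
echo '<a href="/other.php?v=' . htmlspecialchars($token) . '">Other page</a>' . "\n";

// Consuming page: the genuine token decrypts; a token with one character
// changed (which plain CBC would happily decrypt to garbage) is rejected.
var_dump(open_value($token));                                 // string(5) "hello"
$tampered = substr($token, 0, -1) . ($token[-1] === 'A' ? 'B' : 'A');
var_dump(open_value($tampered));                              // NULL
```

On the receiving page, open_value($_GET['v'] ?? '') returning null is the signal that the value was not produced by your own code. The same caveat as the answer applies: this hides and protects the value in transit, it does not make the link unguessable or unreplayable, and it is still not a way to carry passwords around.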