Posted by Jochem Maas on 01/14/05 04:08
Brian Dunning wrote:
> Howdy all -
>
> I have RTFM and STFW and I still can't get encryption to work. What I
good man! (for trying that is) bummer it's not working yet...
> finally ended up with from the PHP documentation is long, unwieldy,
> confusing, and doesn't work. I give up. I threw my big mess away and
you could have lived with the 'long, unwieldy, confusing' part no doubt!
> would like to start from scratch.
does that mean you tried using the mcrypt extension? I guess it must do.
>
> Could anyone point me to a web page or other documentation that shows a
> SIMPLE example of encryption? I need two-way encryption & decryption,
this tutorial (2 parts) at webmonkey does quite a good job
of taking you thru it step by step:
http://webmonkey.wired.com/webmonkey/programming/php/tutorials/tutorial1.html
also there has just been a thread on this list which might help you (in
case you hadn't seen/read it)
subject: Data Encryption
started by: shaunthornburgh@hotmail.com
started on: 12-Jan-2005
AFAICT though proper encryption and SIMPLE just don't go hand in hand.
on the other hand encryption and 'brainfreeze' were made for each other
:-) if you ask me.
> not a one-way hash. I'll be using this to obfuscate get parameters.
do you just want to obfuscate or is it important that content is
actually secure?
I can imagine that the issue is compounded in your case by the fact that
the GET params are pushed over the wire (which may garble the encrypted
strings - can anyone confirm/deny that hypothesis?) in which case use of
url_encode()/url_decode() may need to be used to protect the integrity
of the strings.
---
If the parameters are taken from a fixed list of values - e.g.
column names for instance then maybe one-way encryption will work for
you. for instance say you have a sortby GET param, you could take the
column names of your table and hash them with md5sum() or sha1() and
stick them into the relevant urls - then if/when a url comes back to the
server the hash in the GET param could be checked against the hashes of
the column names until you find a match - if you find a match you know
which column was requested.
The example is contrived but hopefully you understand what I mean and
you can determine whether this is a possibility for you.
---
Lastly you may have to ask yourself if it's necessary/feasible to do GET
param encryption (in a bang for buck kind of way). Unfortunately I can
imagine that such a decision may have been made for you by some
non-technical manager (it wouldn't be the first time!).... in which case
arm yourself with a good argument and go batter him with it ;-)
>
> Any pointers appreciated. Thanks all,
>
> - Brian
>
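
The hash-lookup idea from the reply above, as an added PHP example that is not part of the original post. It goes one step beyond the plain md5/sha1 suggestion by using a keyed hash (`hash_hmac`), so a token cannot be recomputed from a guessed column name. The column list, key placeholder, `list.php` URL and function names are assumptions.

```php
<?php
// Added example. SORT_COLUMNS, TOKEN_KEY, token_for() and
// column_from_token() are hypothetical names, not from the thread.

// Fixed list of columns the listing may be sorted by (constructed sample).
const SORT_COLUMNS = ['name', 'created_at', 'price'];

// Server-side secret. Placeholder value: load a random key from config.
const TOKEN_KEY = 'replace-with-a-random-secret';

// Token that goes into the URL in place of the column name.
function token_for(string $column): string
{
    // Hex output is already URL-safe, so no extra encoding is needed.
    return hash_hmac('sha256', $column, TOKEN_KEY);
}

// Map an incoming token back to a column, or null when nothing matches.
function column_from_token(string $token): ?string
{
    foreach (SORT_COLUMNS as $column) {
        // hash_equals() compares in constant time.
        if (hash_equals(token_for($column), $token)) {
            return $column;
        }
    }
    return null;
}

// Building a link: the column name never appears in the URL.
$url = 'list.php?' . http_build_query(['sortby' => token_for('price')]);

// Handling the request (simulated here; normally read $_GET['sortby']).
parse_str((string) parse_url($url, PHP_URL_QUERY), $query);
$token  = $query['sortby'] ?? '';
$column = is_string($token) ? column_from_token($token) : null;

// Unknown or tampered token: fall back to a default, never use raw input.
if ($column === null) {
    $column = SORT_COLUMNS[0];
}

// $column now comes from the fixed list, so it is safe to place in a query.
echo "ORDER BY {$column}\n";
```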