I read some post how to encrypt data over post HTML with PHP. But I can't really figure out how it must be done.
I explain my easy example.
I have a dashboard where users can see their installations. Think about lots of installations and each one belongs to different users. Some has one installation some has five installation.
The fact is that i develop a button to download Excel info from their installation.
I've done a contactosDownload.php that $_GET['idInstalacion'] so on the main dashboard the button looks like:
<a href="contactosDownload.php?idInstalacion=
<? echo $idInstalacionPOST ?>"
class="btnDownload btn-success btn btn-info pull-left">
<i class="fa fa-download"></i> Descargar
</a>
It is working perfectly and when the button is pressed the contactosDowload gets idInstalacion and does a mysql select and then an Excel with the information of the instalation is downladed. PHPExcel does the job perfectly.
Even because this users that has three installations can select one of this installations and info is updated with Ajax I have a jquery update:
$('#InstaSelect').change(function(e) {
e.preventDefault();
.....
$('.btnDownload').attr("href", "contactosDownload.php?idInstalacion="+idInstalacion);
....
});
That is working as well.
Like all of you are thinking send the id is not really clever idea. Even because if someone get the link can start to retrieve data with:
http://www.aaaaa.com/contactosDownload.php?idInstalacion=1
http://www.aaaaa.com/contactosDownload.php?idInstalacion=2
and so one.
What is the best choice to uncrypt and decrypt the information and make secure the post info ?
Thanks
EDIT:
I forgot to tell that the users are authorized whith their user and password. And I store with var session all the user when they loggin.
$user_browser = $_SERVER['HTTP_USER_AGENT']; // Get the user-agent string of the user.
$dbid = preg_replace("/[^0-9]+/", "", $dbid); // XSS protection as we might print this value
$_SESSION['user_id'] = $dbid;
$_SESSION['login_string'] = hash('sha512', $tContra.$user_browser);
$_SESSION['ultimoAcceso'] = date("Y-n-j H:i:s");
$_SESSION['tTipoUsuLogged'] = $tTipo;
$_SESSION['tRolUsuLogged'] = $tRolUsuario;
$_SESSION['tEmail'] = $tUseNam;
and each php has (include 'validateSesion.php') that validates the user and tiemout.
So now I introduce this validation on the contactosDownload and if the user is not identified /index.php (login) appears.
First level got.
Now i have to encode the id on the post and check that the user form the SESSION has privileges to download the installation.
What about to encryp'/decrypt id with:
function encryptor($action, $string) {
$output = false;
$encrypt_method = "AES-256-CBC";
//pls set your unique hashing key
$secret_key = 'long logn text secret';
$secret_iv = '1a2b3c4d5e';
// hash
$key = hash('sha256', $secret_key);
// iv - encrypt method AES-256-CBC expects 16 bytes - else you will get a warning
$iv = substr(hash('sha256', $secret_iv), 0, 16);
//do the encyption given text/string/number
if( $action == 'encrypt' ) {
$output = openssl_encrypt($string, $encrypt_method, $key, 0, $iv);
$output = base64_encode($output);
}
else if( $action == 'decrypt' ){
//decrypt the given text/string/number
$output = openssl_decrypt(base64_decode($string), $encrypt_method, $key, 0, $iv);
}
return $output;
}
