I'm trying to encrypt a string in one PHP page and pass it to another page using $_POST[] and decrypt it again.

The encryption works fine but when I POST it to another page to decrypt it, it doesn't get decrypted at all and I get another encrypted string again!

This is the code on page 1 where I encrypt:

<?php
/*
 * PHP mcrypt - Basic encryption and decryption of a string
 */
$string = "[email protected]";
$secret_key = "This is my secret key";

// Create the initialization vector for added security.
$iv = mcrypt_create_iv(mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB), MCRYPT_RAND);

// Encrypt $string
$encrypted_string = mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $secret_key, $string, MCRYPT_MODE_CBC, $iv);

// Decrypt $string
$decrypted_string = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $secret_key, $encrypted_string, MCRYPT_MODE_CBC, $iv);

echo "Original string : " . $string . "<br />\n";
echo "Encrypted string : " . $encrypted_string . "<br />\n";
echo "Decrypted string : " . $decrypted_string . "<br />\n";
?>

<form action="2.php" method="post">
<input type="text" id="" name="input" value="<?php echo $encrypted_string; ?>"/>
<button type="submit" >submit</button>
</form>

And this is the code in page 2 where I'm trying to decrypt again:

<?php
    $input = $_POST['input'];

    $secret_key = "This is my secret key";

// Create the initialization vector for added security.
$iv = mcrypt_create_iv(mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB), MCRYPT_RAND);

// Encrypt $string
$encrypted_string = mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $secret_key, $input, MCRYPT_MODE_CBC, $iv);

// Decrypt $string
$decrypted_string = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $secret_key, $encrypted_string, MCRYPT_MODE_CBC, $iv);


echo $decrypted_string;
?>

Could someone please advise on this issue? Is what I'm trying to do even possible?

  • mcrypt_create_iv uses MCRYPT_MODE_ECB and mcrypt_encrypt, mcrypt_decrypt uses MCRYPT_MODE_CBC... Try using any one of them! Commented Apr 6, 2016 at 9:59
  • Note that you're storing unauthenticated ciphertext on the client, which makes your form vulnerable to chosen-ciphertext attacks. Please don't roll your own; check out defuse's library instead. (It's MIT licensed.) Commented Apr 6, 2016 at 19:21
  • @ScottArciszewski, I ended up going with BLOWFISH Commented Apr 7, 2016 at 9:14
  • Why blowfish instead of defuse? Blowfish isn't authenticated. Commented Apr 7, 2016 at 10:56
  • @ScottArciszewski, I don't really need to authenticate the value! I just needed a way to encrypt the $variable so the users can't see it in the browser as it is in a hidden html input and then decrypt it again on the next page. Commented Apr 7, 2016 at 11:11

1 Answer

Observe the following line:

$iv = mcrypt_create_iv(mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB), MCRYPT_RAND);

It generates a random IV every time you call it. So you need to use the same IV as you used to encrypt it. So I suggest you post the IV value too, or use a specific IV instead, such as:

$iv = "My Secret IV"; //On both pages

4 Comments

  • That worked like a charm and it decrypts the value in the second page, but I get this error on both pages: Warning: mcrypt_encrypt() [function.mcrypt-encrypt]: The IV parameter must be as long as the blocksize
  • Try sending the IV using POST instead of using your own IV.
  • I did try sending it as a POST but that doesn't work and I get an encrypted string again on the second page, but when I use my own "Secret IV", it works on the second page but I get that error on both pages 1 and 2.
  • Actually, Mangesh is right (in the comments), you are using two modes, try only one mcrypt mode.
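
An added example, not code from the question, the answer or any commenter: the round trip discussed above, with the IV carried alongside the ciphertext, the value base64-encoded so it survives the form, page 2 only decrypting, and the ciphertext authenticated as the comments on the question recommend. It swaps in AES-256-GCM from PHP's openssl extension because mcrypt was removed from PHP in 7.2; the function names `seal_for_form` and `open_from_form`, the key handling and the sample address are assumptions made for illustration.

```php
<?php
// Added example. Requires PHP >= 7.1 with the openssl extension.
const CIPHER  = 'aes-256-gcm';
const TAG_LEN = 16;

// Page 1: encrypt, then pack IV + tag + ciphertext into one form-safe string.
function seal_for_form(string $plaintext, string $key): string
{
    $iv  = random_bytes(openssl_cipher_iv_length(CIPHER)); // fresh IV per message
    $tag = '';
    $ct  = openssl_encrypt($plaintext, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag, '', TAG_LEN);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    // The IV is not secret, so it travels with the ciphertext. base64 keeps
    // the raw bytes intact inside an HTML attribute and a POST body.
    return base64_encode($iv . $tag . $ct);
}

// Page 2: decode, split, decrypt only. Returns null if the value was modified.
function open_from_form(string $field, string $key): ?string
{
    $raw   = base64_decode($field, true);
    $ivLen = openssl_cipher_iv_length(CIPHER);
    if ($raw === false || strlen($raw) < $ivLen + TAG_LEN) {
        return null;
    }
    $iv  = substr($raw, 0, $ivLen);
    $tag = substr($raw, $ivLen, TAG_LEN);
    $ct  = substr($raw, $ivLen + TAG_LEN);
    $pt  = openssl_decrypt($ct, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag);
    return $pt === false ? null : $pt;
}

// Constructed demo: in a real application both pages load the same 32-byte
// key from server-side configuration; it is never sent to the browser.
$key   = random_bytes(32);
$field = seal_for_form('user@example.com', $key); // constructed sample value

// Page 1 would emit: <input type="hidden" name="input" value="$field">
echo "Form value : $field\n";
echo "Decrypted  : " . open_from_form($field, $key) . "\n";

// Flip one bit, as a client editing the field could; the tag check fails.
$raw = base64_decode($field);
$raw[strlen($raw) - 1] = chr(ord($raw[strlen($raw) - 1]) ^ 1);
echo "Tampered   : " . var_export(open_from_form(base64_encode($raw), $key), true) . "\n";
```

Page 2 in the question fails for two separate reasons that this layout removes: it calls the encrypt function on the posted value before decrypting, and it generates a new random IV instead of reusing the one from page 1.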
