
Encrypted URL parameter working on local Windows system NOT on Host Unix system


JRS


Hello,

 

I have a local test system using Windows (PHP 4.3.7 - mcrypt >=2.4.x) and the host I am using is on a Unix (Linux) PHP 4.4.4 system (mcrypt >= 2.4x).

 

The website displays a list of users. Users can click on a name and details of the person are displayed to authorized users.

When a user clicks - details are sent via URL parameters.

 

http://mysite.com/test.php?var1=1&var2=2&var3=3

 

To prevent people from changing the variables and getting access to information about people they don't have access to - I decided to encrypt the parameters using mcrypt to the following format:

http://mysite.com/test.php?var=x&data=ENCRYPTEDSTRING

 

The data variable is an urlencoded mcrypt encrypted string.

 

Here is the problem: some of the listed names do not work on the unix system - decryption appears to fail and the parameters are corrupted when decrypted.

 

If I test the same names on the local Windows system - works fine without a problem. If I cut and paste a problem URL from Unix into the Windows system it works fine.

 

If I remove the encryption - both systems work fine. Also, the data being encrypted are var1=number; no fancy chars. Also the fact that only some URLs are failing - others are working fine on the UNIX system and all work on Windows - has me confused.

 

Any thoughts or ideas on how to solve it - would be much appreciated.

 

Thanks in advance

JS


Show me an example of the ones that don't work on UNIX.

 

Also, instead of being lazy (no offense) and encrypting the URLs (which won't really work, because if someone "shares" a link, they'll have access to it anyway), how about just checking whether or not they have access to it or not? =/


Hi DarkWater,

 

Thanks for your response....

 

I am checking access rights after I decrypt - I guess I just wanted to limit the number of parameters I pass or not disclose much info on the URL.

 

Here is a link that fails to decrypt properly on the Host site but works fine on my windows test site

 

http://www.website.com/test.php?var=5&var1=2&ed=GBwKdfU7mpKdX+F6+pILknjlns/EQkK2

with no encryption

http://www.website.com/test.php?var=5&var1=2&ed=2&var2=6&var3=32&var4=1 (works fine - no encryption)

 

This URL works fine on both sites: listed in the same table - generated using the same code

 

http://www.website.com/test.php?var=5&var1=2&ed=GiqCoFDo6BmZmMGjQhFsBHjlns/EQkK2

with no encryption

http://www.website.com/test.php?var=5&var1=2&ed=2&var2=1&var3=36&var4=1

 

The last parameter var4 used to be a random string but I hard-coded it to '1' - just to see if that was causing a problem.

Some links work and others don't: about 30% fail - the others are fine. That's what's got me confused.

 

Again thanks for looking at it - and any suggestion will be much appreciated.

Thanks

JRS


The reason for using URL parameters is that the list of people could be very large....say from 30 to 500 - I thought passing data to identify them via URL would be less of a drain on the system resources than storing data in sessions or in a database.

 

Besides I didn't think I would run into this strange problem with encryption/decryption for something so simple.

Thanks

JRS


No, there are no errors - the values that are returned on the Unix system when decrypted are gibberish.

If I take the same string and plug into my test windows system - decryption works correctly.

 

I'm also running urlencode on the encrypted string so there should be no illegal chars in the URL. Also, there are other URLs generated that work on the same table and same page.

 

If I turn off the encryption - everything works - so there is something going on with certain encrypted strings being passed via URL.

 

Not sure how to figure out what is causing the problem!

Thanks

JRS

PS: PHP is fun. ONLY WHEN STUFF WORKS!!!!
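
An added example, not code from any poster in this thread: it passes the two `ed` values posted above through PHP's query-string parser to show what a script receives when the base64 text sits in the link unescaped, after `urlencode()`, and as URL-safe base64. The failing value contains `+` and the working one does not; that this is what happens on the poster's host is an assumption, and the `b64url_*` helper names are hypothetical.

```php
<?php
// The two `ed` values exactly as they appear in the URLs posted in the thread.
$posted = [
    'fails on host' => 'GBwKdfU7mpKdX+F6+pILknjlns/EQkK2',
    'works on both' => 'GiqCoFDo6BmZmMGjQhFsBHjlns/EQkK2',
];

// URL-safe base64 (hypothetical helpers): '+' and '/' become '-' and '_', padding is dropped.
function b64url_encode(string $raw): string
{
    return rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
}

function b64url_decode(string $txt)
{
    $padded = str_pad($txt, strlen($txt) + (4 - strlen($txt) % 4) % 4, '=');
    return base64_decode(strtr($padded, '-_', '+/'), true); // false on invalid input
}

foreach ($posted as $label => $ed) {
    $cipher = base64_decode($ed, true); // raw ciphertext bytes (24 for both values)

    // Value placed in the link as-is: the parser turns every '+' into a space.
    parse_str('var=5&var1=2&ed=' . $ed, $raw);
    // Value passed through urlencode() first: '+' travels as %2B and survives.
    parse_str('var=5&var1=2&ed=' . urlencode($ed), $escaped);
    // Ciphertext carried as URL-safe base64: nothing in it needs escaping.
    parse_str('var=5&var1=2&ed=' . b64url_encode($cipher), $safe);

    printf("%s\n", $label);
    printf("  received unescaped : '%s'\n", $raw['ed']);
    printf("  unescaped intact   : %s\n", var_export($raw['ed'] === $ed, true));
    printf("  urlencode() intact : %s\n", var_export($escaped['ed'] === $ed, true));
    printf("  url-safe intact    : %s\n", var_export(b64url_decode($safe['ed']) === $cipher, true));
}
```

In non-strict mode `base64_decode()` skips the spaces instead of failing, so a damaged value still decodes, just to different bytes, which is consistent with gibberish and no error message.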
