JRS Posted June 19, 2008 Share Posted June 19, 2008 Hello, I have a local test system using Windows (PHP 4.3.7 - mcrypt >=2.4.x)and the host I am using is on Unix (Linux) PHP 4.4.4system (mcrypt >= 2.4x). The website displays a list of users. Users can click on a name and details of the person is displayed to authorized users. When a user clicks - details are sent via URL parameters. http://mysite.com/test.php?var1=1&var2=2&var3=3 To prevent people from changing the variables and getting access to information about people they don't have access to - I decided to encrypt the parameters using mcrypt to the following format: http://mysite.com/test.php?var=x&data=ENCRYPTEDSTRING The data variable is an urlencoded mcrypt encrypted string. Here is the problem: some of the listed names do not work on the unix system - decryption appears to fail and the parameters are corrupted when decrypted. If test the same names on local windows system - works fine without a problem. If cut and paste a problem URL in Unix into the Windows system it works fine. If I remove the encryption - both system work fine. Also, the data being encrypted are var1=number; no fancy chars. Also the fact only some URLs are failing - others are working fine on UNIX system and all work on Windows - has me confused. Any thoughts or ideas on how to solve it - would be much appreciated. Thanks in advance JS Quote Link to comment Share on other sites More sharing options...
JRS Posted June 19, 2008 Author Share Posted June 19, 2008 bump! Quote Link to comment Share on other sites More sharing options...
DarkWater Posted June 19, 2008 Share Posted June 19, 2008 Show me an example of the ones that don't work on UNIX. Also, instead of being lazy (no offense) and encrypting the URLs (which won't really work, because if someone "shares" a link, they'll have access to it anyway), how about just checking whether or not they have access to it or not? =/ Quote Link to comment Share on other sites More sharing options...
JRS Posted June 20, 2008 Author Share Posted June 20, 2008 Hi DarkWater, Thanks for your response.... I am checking access rights after I decrypt - I guess I just wanted to limit the number parameters I pass or not disclose much info on the URL. Here is a link that fails to decrypt properly on the Host site but works fine on my windows test site http://www.website.com/test.php?var=5&var1=2&ed=GBwKdfU7mpKdX+F6+pILknjlns/EQkK2 with no encryption http://www.website.com/test.php?var=5&var1=2&ed=2&var2=6&var3=32&var4=1 (works fine - no encryption) This URL works fine on both sites: listed in the same table - generated using the same code http://www.website.com/test.php?var=5&var1=2&ed=GiqCoFDo6BmZmMGjQhFsBHjlns/EQkK2 with no encryption http://www.website.com/test.php?var=5&var1=2&ed=2&var2=1&var3=36&var4=1 The last parameter var4 used to be random string but I hard coded it '1' - just to see if that was causing a problem. Since some links work and others don't about 30% fails - the others are fine. That's what's got me confused. Again thanks for looking at it - and any suggestion will be much appreciated. Thanks JRS Quote Link to comment Share on other sites More sharing options...
DarkWater Posted June 20, 2008 Share Posted June 20, 2008 Oh, okay, at least you check access rights. Although, I DO think it's a bit of overkill....and why are you passing so many vars in a URL? o_O Is there a better way to pass them (i.e: sessions, etc)? Quote Link to comment Share on other sites More sharing options...
JRS Posted June 20, 2008 Author Share Posted June 20, 2008 The reason for using URL parameter is due to the fact the list of people could be very large....say from 30 to 500 - I thought passing data to identify them via URL will have less drain on the system resources than storing data in sessions or in a database. Besides I didn't think I would run into this strange problem with encryption/decryption for something so simple. Thanks JRS Quote Link to comment Share on other sites More sharing options...
DarkWater Posted June 20, 2008 Share Posted June 20, 2008 Hmm....Does it error or something, or just not return the expected values? Quote Link to comment Share on other sites More sharing options...
JRS Posted June 20, 2008 Author Share Posted June 20, 2008 No there are no errors - the values that are returned on the unix system when decrypted are gibberish. If I take the same string and plug into my test windows system - decryption works correctly. I'm also running urlencode on the encrypted string so there should be no illegal chars in the URL. Also, there are other URL's generated that work on the same table and same page. If I turn off the encryption - everything works - so there is something going on with certain encrypted strings being passed via URL. Not sure how to figure what is causing the problem! Thanks JRS PS: PHP is fun. ONLY WHEN STUFF WORKS!!!! Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.