
Hi everyone first time poster here wOOt!

 

Question is about encryption in Visual Basic, then decrypted in PHP. Here are my encryption/decryption functions; they work fine.  The problem is when I pass the base64_encode(encryptedstring) to my web app via parameter string, the decryption works mostly well on several smaller strings, but longer strings only decrypt halfway!

 

PHP Decrypt:

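function php_DecryptValue($cypher,$key){
 // Our output text
 $outText = '';
 
 // Iterate through each character
 for($i=0;$i<strlen($cypher);) // Don't need to increment here; the inner loop advances $i
 {
     // Walk the key, stopping as soon as the ciphertext runs out
     for($j=0;$j<strlen($key) && $i<strlen($cypher);$j++,$i++)
     {
         // Square brackets: the {} string offset syntax was removed in PHP 8
         $outText .=  $key[$j] ^ $cypher[$i];
     }
 }
 
 return $outText;
}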

VB6/VBA Encrypt

Public Function php_EncryptValue(strText As String, strKey As String) As String
'strText length should match strkey length for maximum strength

    Dim i As Integer            'Loop counter
    Dim intKeyChar As Integer   'Character within the key that we'll use to encrypt
    Dim strTemp As String       'Store the encrypted string as it grows
    Dim strChar1 As String * 1  'The first character to XOR
    Dim strChar2 As String * 1  'The second character to XOR
    Dim s

    
    'Loop through each character in the text
    For i = 1 To Len(strText)
        'Get the next character from the text
        strChar1 = Mid(strText, i, 1)
        'Find the current "frame" within the key
        intKeyChar = ((i - 1) Mod Len(strKey)) + 1
        'Get the next character from the key
        strChar2 = Mid(strKey, intKeyChar, 1)
        'Convert the characters to ASCII, XOR them, and convert to a character again
        strTemp = strTemp & Chr(Asc(strChar1) Xor Asc(strChar2))
    Next i
    
    'Display the resultant encrypted string
    
    php_EncryptValue = strTemp

End Function

So these algorithms match up fine. I encrypt a string in VBA, then base64encode it, then urlencode it and pass it to my webapp like this:

 

http://www.MyWebApp.com/index.php?Hash=sdjafkjlsflsaklfjlasjdlfblahblahblah

 

If the string is 300 or so characters it works; when the string is 700-2000 I have issues, but I really feel like it's a PHP encoding issue and not with the encryption algorithms.  If I encrypt a string and base encode it in my VBA app and then paste that value into the decrypt PHP function I get the string I want.  But when I pass it via URL it goes straight to pot.  I have tried urlencode on the passed string, I've tried rawurlencode / rawurldecode on the string, I've tried just base64_encode/base64_decode, but nothing is working 100%.

 

Would some php guru kindly point out my mistake? PHP is not my primary language, and I really feel like this is an encoding issue that I'm not seeing clearly.

 

Thanks!

 

David

Can't Edit for some reason but for instance

 

echo php_DecryptValue(base64_decode("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"),"secetkey");

 

This decodes fine because it is the string directly from VBA copied out of the debug window then pasted into a test.php code page

echo php_DecryptValue(base64_decode("HQcSBwYdYQsaHQ5iMDseNjs8Myw1JCQsIGlpFjs8Myw1JCQsIAAFa3QfAA4BDBJifGlwc2NgehcEDQAWEWklMAs9LjcmJyAvMSc1YgcMFWJ0DDcnOj0PIzksYX90bnNyZXphFgxpEDc1JSgkPSwzZXhpDCc5KyQwJyEoMgYsMDc9OyQmdHRhZRIIDRERbm1iGCYiIyAgLix0dGFlBCgyIzAsLyN4aRUac2VhBjU9JBEgKDM2dHRhZWZ5cHF5fGxzZG5tYhAoNScRJyViaWlmcGR4cm9hZHByc2VhATsmMyY9JyA2OzsPIzksYX90bhUadAgSDXNlYQ8xJC5iaWlmZXhpNy8LIDUnOSAlYnR0YWVzZWE0ORYxIy0kJCwgICViaWlmZXhpDCMmImF%2FdG4HAxgaBGV4aRcjOCAlIyAsEDc1JSgkPSwzYmlpZgQVBRIHc2VhATslLSc3PRUnNSQILDImYX90bgcDGBoEZXhpESo7PS4QMTg0KyYsJWJpaWYEFQUSB3NlYRQxJzQnGigsJ3R0YWUVJyUnJjphBS0kYRE1J2EINSooLCAmYQE7JS0nMyxmbnQfJCwhLAAmMDskMSd4YX90bnlyYnlhESQsLyExO2EKIzBmbnQfJCwhLAAmMDskMSd7YX90bmZudB8kLCEsAisgMGF%2FdG4RIycoJSc6KGZudB8kLCEsGyskKi4mMWl8YnN%2BeXBlcWZudAUgNjEvJCd0dGFlc2VhDz06MicwGDQjOCAnKzE7BycxaXxic25tYhgoNScSLCQRICgzNidpfGJzZGxibnNmbnQINDY8ByQ2GCYmKzoABWJpaWZleGkANyAhDycgCBELHyw4YmlpZmV4aRcjOCAlIyAsADEnJiIrNT0oLToEJC82LDMxPCAxYmlpZgQVBRIHc2VhFDUlKCY1PSQDJzouIT0oNSs7JwwnOSskMCchKDIYKCMnOGl8YnNubWIaJi8PMSQjJyYPJCd0dGFlc2VhFwcICiMmKDUnBygvISAgLiwxLWF%2FdG4HAxgaBGV4aWEWPSoqJyA6ADQ1IC0jNiUkDTolKCwxaXxicw8ADgcMZm50aTYjPT8kMCAsOTZ0aXxic2dvZXRpFgoRGwRiACY0MDooLCc6PQgGdHRhc2V%2B"),"secretkey");
 

This decodes half way and fails half way through, same code but urlencoded and passed by URL

 

It has to be an encoding issue I just can't seem to fix it!

Furthermore, I think the encoding is causing the parameter string to be broken into multiple pieces, for instance:

 

Parameter=HQcSBwYdYQsaHQ5iMDseNjs8Myw1JCQsIGlpFjs8Myw1JCQsIAAFa3QfAA4BDBJifGlwc2NgehcEDQAWEWklMAs9LjcmJyAvMSc1YgcMFWJ0DDcnOj0PIzksYX90bnNyZXphFgxpEDc1JSgkPSwzZXhpDCc5KyQwJyEoMgYsMDc9OyQmdHRhZRIIDRERbm1iGCYiIyAgLix0dGFlBCgyIzAsLyN4aRUac2VhBjU9JBEgKDM2dHRhZWZ5cHF5fGxzZG5tYhAoNScRJyViaWlmcGR4cm9hZHByc2VhATsmMyY9JyA2OzsPIzksYX90bhUadAgSDXNlYQ8xJC5iaWlmZXhpNy8LIDUnOSAlYnR0YWVzZWE0ORYxIy0kJCwgICViaWlmZXhpDCMmImF%2FdG4HAxgaBGV4aRcjOCAlIyAsEDc1JSgkPSwzYmlpZgQVBRIHc2VhATslLSc3PRUnNSQILDImYX90bgcDGBoEZXhpESo7PS4QMTg0KyYsJWJpaWYEFQUSB3NlYRQxJzQnGigsJ3R0YWUVJyUnJjphBS0kYRE1J2EINSooLCAmYQE7JS0nMyxmbnQfJCwhLAAmMDskMSd4YX90bnlyYnlhESQsLyExO2EKIzBmbnQfJCwhLAAmMDskMSd7YX90bmZudB8kLCEsAisgMGF%2FdG4RIycoJSc6KGZudB8kLCEsGyskKi4mMWl8YnN%2BeXBlcWZudAUgNjEvJCd0dGFlc2VhDz06MicwGDQjOCAnKzE7BycxaXxic25tYhgoNScSLCQRICgzNidpfGJzZGxibnNmbnQINDY8ByQ2GCYmKzoABWJpaWZleGkANyAhDycgCBELHyw4YmlpZmV4aRcjOCAlIyAsADEnJiIrNT0oLToEJC82LDMxPCAxYmlpZgQVBRIHc2VhFDUlKCY1PSQDJzouIT0oNSs7JwwnOSskMCchKDIYKCMnOGl8YnNubWIaJi8PMSQjJyYPJCd0dGFlc2VhFwcICiMmKDUnBygvISAgLiwxLWF%2FdG4HAxgaBGV4aWEWPSoqJyA6ADQ1IC0jNiUkDTolKCwxaXxicw8ADgcMZm50aTYjPT8kMCAsOTZ0aXxic2dvZXRpFgoRGwRiACY0MDooLCc6PQgGdHRhc2V%2B

 

 

But when I echo the red parameter it returns:

 

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 eXBlcWZudAUgNjEvJCd0dGFlc2VhDz06MicwGDQjOCAnKzE7BycxaXxic25tYhgoNScSLCQRICgzNidpfGJzZGxibnNmbnQINDY8ByQ2GCYmKzoABWJpaWZleGkANyAhD

OK, I finally figured it out, but this is stupid.  So the urlencoded results are automatically urldecoded by the server.  Fine, no problem, but to get back the results I need I have to do this: (So confirmed encryption algs work fine, it's an encoding issue and this solves it.... BUT WHY !

 

$parameter = ff_getParam('ff_param_hash','');   //get the parameter but it will be urldecoded by default as this function wraps get

$ProperResults = base64_decode(rawurldecode(urlencode($sqlpackage)));

 

However even this isn't quite right, it returns the fully decrypted, fully unencoded string with the last character missing!!! ARGHH! So I fudge it by padding the whole string with a few extra spaces so it will drop those vs real data on the VB side

 

VBA CODE:

        strPackage = strPackage & "    "  'padding so no chars are stripped off on php side I added this once i realized the ProperResults was cutting off the last character!!

        strPackage = php_EncryptValue(strPackage, "secretkey")
        strPackage = base64_encode(strPackage)
        strPackage = URLEncode(strPackage)

 

)

for instance https://MyWebApp.com/indexp.php&?param="HeyYouWerentSupposedToBeAbleToReadThis"

 

needs to be https://MyWebApp.com/indexp.php&?param="Wfwdsdfakldsjf;kljasdlkjf;fweqjfeiowuprqiouewioqoireuwpwerieowjkflasfs"

 

It's not just about encryption, it's about obfuscation of the parameter in the URL from human eyes and modification. SSL won't do anything for a user changing the value and refreshing the browser.

For instance (and I have about 15 uses for this code), let's assume the VBA app wants to launch a userpage with a user already logged in. We encrypt the data:

 

UserID:4,BogusData

 

then explode it out later get the userid and auto login the user

 

If the url is Http://myweapp.com/index.php?param=UserID:4,BogusData

 

That's pretty useless since a user could just change it to 5, refresh, and bob's your uncle, he's logged in as the wrong user:

 

I could go on and on with examples of how I can use this to let an offline client communicate with my server app but hopefully this is enough.

 

this is just 1 example of the reason it needs encrypted from human eyes more importantly than simple SSL encrypting it in transit

Edited by Shinzan
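The concern above about a user editing the parameter, as an added example that is not from the thread: a token carrying an HMAC-SHA256 tag and an expiry, used here in place of the XOR routine. It makes edits detectable but does not hide the payload; `make_token()`, `read_token()`, the `|` and `.` separators and the key handling are all assumptions.

```php
<?php
// Added example, not code from the thread. Key and payload are constructed;
// make_token() and read_token() are hypothetical names.

function b64url(string $bin): string
{
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

function b64url_dec(string $txt)
{
    $b64 = strtr($txt, '-_', '+/');
    return base64_decode($b64 . str_repeat('=', (4 - strlen($b64) % 4) % 4), true);
}

function make_token(string $payload, string $key, int $ttl = 60): string
{
    $body = (time() + $ttl) . '|' . $payload;   // expiry limits replay of old links
    return b64url($body) . '.' . b64url(hash_hmac('sha256', $body, $key, true));
}

// Returns the payload, or null if the token was altered, malformed or expired.
function read_token(string $token, string $key): ?string
{
    $parts = explode('.', $token);
    if (count($parts) !== 2) {
        return null;
    }
    $body = b64url_dec($parts[0]);
    $tag  = b64url_dec($parts[1]);
    if ($body === false || $tag === false) {
        return null;
    }
    // Recompute the tag and compare in constant time before trusting any field.
    if (!hash_equals(hash_hmac('sha256', $body, $key, true), $tag)) {
        return null;
    }
    [$expires, $payload] = explode('|', $body, 2);
    return (int) $expires >= time() ? $payload : null;
}

$key   = random_bytes(32);   // demo only; a real key is provisioned to both sides
$token = make_token('UserID:4,BogusData', $key);
var_dump(read_token($token, $key));

// The edit described in the thread: change the user id but keep the old tag.
$oldTag = explode('.', $token)[1];
$forged = b64url((time() + 60) . '|UserID:5,BogusData') . '.' . $oldTag;
var_dump(read_token($forged, $key));
```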

1) Use POST rather than GET. It is hidden better (though still not invisible); the length limits are higher (you are sending a lot of data for a GET); it might avoid the "truncation"

 

 

$ProperResults = base64_decode(rawurldecode(urlencode($sqlpackage)));

 

2) urlencode()/urldecode() are different from rawurlencode()/rawurldecode(). Since you are having to urlencode it back and then rawurldecode it, there is an apparent mis-match between the VBA and PHP. There may also be some minor discrepancies in the interpretation of the specs between VBA and PHP.

 

You can get the un-urldecoded (that is, the raw) values from $_SERVER['QUERY_STRING'], I believe. Of course, you will have to split the string up yourself if there is more than one parameter.

 

If at all possible, I would use POST for this.
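A constructed reproduction of the encoding mismatch discussed in this thread, as an added example that is not from any poster: it shows what a second URL decode does to the `+` in a base64 value, why the `rawurldecode(urlencode(...))` wrapper puts it back, and a URL-safe base64 form that avoids the problem. The sample bytes and the `b64url_*` helper names are assumptions, and a second decode is only one way the `+` can be lost.

```php
<?php
// Added example, not code from the thread. $cipher is a constructed byte string
// whose base64 form contains '+' and '/', the characters URL handling rewrites.

// URL-safe base64 (RFC 4648 section 5): '-' and '_' replace '+' and '/', and the
// '=' padding is dropped, so repeated URL decoding cannot alter the value.
function b64url_encode(string $bin): string
{
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

function b64url_decode(string $txt): string
{
    // Refuse anything outside the alphabet instead of silently skipping it.
    if (!preg_match('/^[A-Za-z0-9_-]*$/', $txt)) {
        throw new InvalidArgumentException('not base64url');
    }
    $b64 = strtr($txt, '-_', '+/');
    $bin = base64_decode($b64 . str_repeat('=', (4 - strlen($b64) % 4) % 4), true);
    if ($bin === false) {
        throw new InvalidArgumentException('malformed base64url');
    }
    return $bin;
}

$cipher = "\xfb\xef\xbe\x01\x02\xff\xfe";
$wire   = urlencode(base64_encode($cipher)); // sender: value as placed in the URL
$once   = urldecode($wire);                  // PHP has already done this for $_GET
$twice  = urldecode($once);                  // a second decode turns '+' into ' '

// Non-strict base64_decode() skips characters outside its alphabet, so a
// damaged input yields wrong bytes rather than an error.
$cases = [
    'decoded once'           => $once,
    'decoded twice'          => $twice,
    'never decoded'          => $wire,
    'twice + thread wrapper' => rawurldecode(urlencode($twice)),
];
foreach ($cases as $label => $value) {
    $state = base64_decode($value) === $cipher ? 'intact' : 'corrupted';
    printf("%-24s %-30s %s\n", $label, $value, $state);
}

// The URL-safe form goes through the same double decode unchanged.
$safe  = b64url_encode($cipher);
$state = b64url_decode(urldecode(urldecode($safe))) === $cipher ? 'intact' : 'corrupted';
printf("%-24s %-30s %s\n", 'base64url, twice', $safe, $state);
```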
