Simple Encryption Routine VBA to PHP URL Encoding Problem

[Shinzan]

Hi everyone first time poster here wOOt!

 

Question is about encryption in Visual Basic then dercrypted on PHP Here are my encryption decryption functions they work fine.  The problem is when I pass the base64_encode(encryptedstring) to my web app via parameter string the decryption works mostly well on several smaller strings but longer strings only decrypt halfway!

 

PHP Decrypt:

function php_DecryptValue($cypher,$key){
 // Our output text
 $outText = '';
 
 // Iterate through each character
 for($i=0;$i<strlen($cypher) // Dont need to increment here
 {
     for($j=0;$j<strlen($key);$j++,$i++)
     {
         $outText .=  $key{$j} ^ $cypher{$i};
     }
 }
 
 return $outText;
}

VB6/VBA Encrypt

Public Function php_EncryptValue(strText As String, strKey As String) As String
'strText length should match strkey length for maximum strength

    Dim i As Integer            'Loop counter
    Dim intKeyChar As Integer   'Character within the key that we'll use to encrypt
    Dim strTemp As String       'Store the encrypted string as it grows
    Dim strChar1 As String * 1  'The first character to XOR
    Dim strChar2 As String * 1  'The second character to XOR
    Dim s

    
    'Loop through each character in the text
    For i = 1 To Len(strText)
        'Get the next character from the text
        strChar1 = Mid(strText, i, 1)
        'Find the current "frame" within the key
        intKeyChar = ((i - 1) Mod Len(strKey)) + 1
        'Get the next character from the key
        strChar2 = Mid(strKey, intKeyChar, 1)
        'Convert the charaters to ASCII, XOR them, and convert to a character again
        strTemp = strTemp & Chr(Asc(strChar1) Xor Asc(strChar2))
    Next i
    
    'Display the resultant encrypted string
    
    php_EncryptValue = strTemp

End Function

So theses algorithms match up fine I encrypt a string in VBA then base64encode it, then urlencode it and pass it to my webapp like this:

 

http://www.MyWebApp.com/index.php?Hash=sdjafkjlsflsaklfjlasjdlfblahblahblah

 

if the string is 300 or so characters it works, when the string is 700-2000 I have issues but I really feel like its a php encoding issue and not with the encryption algorithms.  If I encrypt a string and base encode it my vba app and then paste that value into the decrypt php function i get the string I want.  But when I pass it via URL it goes straight to pot.  I have tried urlencode on the passed string, I've tried rawurlencode / rawurldecode on the string I've tried just base64_encode/base64_decode but nothing is working 100% 

 

Would some php guru kindly point out my mistake? PHP is not my primary language, and I really feel like this is an encoding issue that I'm not seeing clearly.

 

Thanks!

 

David

[Shinzan]

Can't Edit for some reason but for instance

 

echo php_DecryptValue(base64_decode("HQcSBwYdYQsaHQ5iMDseNjs8Myw1JCQsIGlpFjs8Myw1JCQsIAAFa3QfAA4BDBJifGlwc2NgehcEDQAWEWklMAs9LjcmJyAvMSc1YgcMFWJ0DDcnOj0PIzksYX90bnNyZXphFgxpEDc1JSgkPSwzZXhpDCc5KyQwJyEoMgYsMDc9OyQmdHRhZRIIDRERbm1iGCYiIyAgLix0dGFlBCgyIzAsLyN4aRUac2VhBjU9JBEgKDM2dHRhZWZ5cHF5fGxzZG5tYhAoNScRJyViaWlmcGR4cm9hZHByc2VhATsmMyY9JyA2OzsPIzksYX90bhUadAgSDXNlYQ8xJC5iaWlmZXhpNy8LIDUnOSAlYnR0YWVzZWE0ORYxIy0kJCwgICViaWlmZXhpDCMmImF/dG4HAxgaBGV4aRcjOCAlIyAsEDc1JSgkPSwzYmlpZgQVBRIHc2VhATslLSc3PRUnNSQILDImYX90bgcDGBoEZXhpESo7PS4QMTg0KyYsJWJpaWYEFQUSB3NlYRQxJzQnGigsJ3R0YWUVJyUnJjphBS0kYRE1J2EINSooLCAmYQE7JS0nMyxmbnQfJCwhLAAmMDskMSd4YX90bnlyYnlhESQsLyExO2EKIzBmbnQfJCwhLAAmMDskMSd7YX90bmZudB8kLCEsAisgMGF/dG4RIycoJSc6KGZudB8kLCEsGyskKi4mMWl8YnN+eXBlcWZudAUgNjEvJCd0dGFlc2VhDz06MicwGDQjOCAnKzE7BycxaXxic25tYhgoNScSLCQRICgzNidpfGJzZGxibnNmbnQINDY8ByQ2GCYmKzoABWJpaWZleGkANyAhDycgCBELHyw4YmlpZmV4aRcjOCAlIyAsADEnJiIrNT0oLToEJC82LDMxPCAxYmlpZgQVBRIHc2VhFDUlKCY1PSQDJzouIT0oNSs7JwwnOSskMCchKDIYKCMnOGl8YnNubWIaJi8PMSQjJyYPJCd0dGFlc2VhFwcICiMmKDUnBygvISAgLiwxLWF/dG4HAxgaBGV4aWEWPSoqJyA6ADQ1IC0jNiUkDTolKCwxaXxicw8ADgcMZm50aTYjPT8kMCAsOTZ0aXxic2dvZXRpFgoRGwRiACY0MDooLCc6PQgGdHRhc2V+"),"secetkey");

 

This decodes fine because it is the string directly from VBA copied out fo the debug window then pasted into a test.php code page

echo php_DecryptValue(base64_decode("HQcSBwYdYQsaHQ5iMDseNjs8Myw1JCQsIGlpFjs8Myw1JCQsIAAFa3QfAA4BDBJifGlwc2NgehcEDQAWEWklMAs9LjcmJyAvMSc1YgcMFWJ0DDcnOj0PIzksYX90bnNyZXphFgxpEDc1JSgkPSwzZXhpDCc5KyQwJyEoMgYsMDc9OyQmdHRhZRIIDRERbm1iGCYiIyAgLix0dGFlBCgyIzAsLyN4aRUac2VhBjU9JBEgKDM2dHRhZWZ5cHF5fGxzZG5tYhAoNScRJyViaWlmcGR4cm9hZHByc2VhATsmMyY9JyA2OzsPIzksYX90bhUadAgSDXNlYQ8xJC5iaWlmZXhpNy8LIDUnOSAlYnR0YWVzZWE0ORYxIy0kJCwgICViaWlmZXhpDCMmImF%2FdG4HAxgaBGV4aRcjOCAlIyAsEDc1JSgkPSwzYmlpZgQVBRIHc2VhATslLSc3PRUnNSQILDImYX90bgcDGBoEZXhpESo7PS4QMTg0KyYsJWJpaWYEFQUSB3NlYRQxJzQnGigsJ3R0YWUVJyUnJjphBS0kYRE1J2EINSooLCAmYQE7JS0nMyxmbnQfJCwhLAAmMDskMSd4YX90bnlyYnlhESQsLyExO2EKIzBmbnQfJCwhLAAmMDskMSd7YX90bmZudB8kLCEsAisgMGF%2FdG4RIycoJSc6KGZudB8kLCEsGyskKi4mMWl8YnN%2BeXBlcWZudAUgNjEvJCd0dGFlc2VhDz06MicwGDQjOCAnKzE7BycxaXxic25tYhgoNScSLCQRICgzNidpfGJzZGxibnNmbnQINDY8ByQ2GCYmKzoABWJpaWZleGkANyAhDycgCBELHyw4YmlpZmV4aRcjOCAlIyAsADEnJiIrNT0oLToEJC82LDMxPCAxYmlpZgQVBRIHc2VhFDUlKCY1PSQDJzouIT0oNSs7JwwnOSskMCchKDIYKCMnOGl8YnNubWIaJi8PMSQjJyYPJCd0dGFlc2VhFwcICiMmKDUnBygvISAgLiwxLWF%2FdG4HAxgaBGV4aWEWPSoqJyA6ADQ1IC0jNiUkDTolKCwxaXxicw8ADgcMZm50aTYjPT8kMCAsOTZ0aXxic2dvZXRpFgoRGwRiACY0MDooLCc6PQgGdHRhc2V%2B"),"secretkey");
 

This decodes half way and fails half way through, same code but urlencoded and passed by URL

 

It has to be an encoding issue I just can't seem to fix it!

[Shinzan]

Further more i think the encoding is causing the parameter string to be broken into to multiple pieces for instance:

 

Parameter=HQcSBwYdYQsaHQ5iMDseNjs8Myw1JCQsIGlpFjs8Myw1JCQsIAAFa3QfAA4BDBJifGlwc2NgehcEDQAWEWklMAs9LjcmJyAvMSc1YgcMFWJ0DDcnOj0PIzksYX90bnNyZXphFgxpEDc1JSgkPSwzZXhpDCc5KyQwJyEoMgYsMDc9OyQmdHRhZRIIDRERbm1iGCYiIyAgLix0dGFlBCgyIzAsLyN4aRUac2VhBjU9JBEgKDM2dHRhZWZ5cHF5fGxzZG5tYhAoNScRJyViaWlmcGR4cm9hZHByc2VhATsmMyY9JyA2OzsPIzksYX90bhUadAgSDXNlYQ8xJC5iaWlmZXhpNy8LIDUnOSAlYnR0YWVzZWE0ORYxIy0kJCwgICViaWlmZXhpDCMmImF%2FdG4HAxgaBGV4aRcjOCAlIyAsEDc1JSgkPSwzYmlpZgQVBRIHc2VhATslLSc3PRUnNSQILDImYX90bgcDGBoEZXhpESo7PS4QMTg0KyYsJWJpaWYEFQUSB3NlYRQxJzQnGigsJ3R0YWUVJyUnJjphBS0kYRE1J2EINSooLCAmYQE7JS0nMyxmbnQfJCwhLAAmMDskMSd4YX90bnlyYnlhESQsLyExO2EKIzBmbnQfJCwhLAAmMDskMSd7YX90bmZudB8kLCEsAisgMGF%2FdG4RIycoJSc6KGZudB8kLCEsGyskKi4mMWl8YnN%2BeXBlcWZudAUgNjEvJCd0dGFlc2VhDz06MicwGDQjOCAnKzE7BycxaXxic25tYhgoNScSLCQRICgzNidpfGJzZGxibnNmbnQINDY8ByQ2GCYmKzoABWJpaWZleGkANyAhDycgCBELHyw4YmlpZmV4aRcjOCAlIyAsADEnJiIrNT0oLToEJC82LDMxPCAxYmlpZgQVBRIHc2VhFDUlKCY1PSQDJzouIT0oNSs7JwwnOSskMCchKDIYKCMnOGl8YnNubWIaJi8PMSQjJyYPJCd0dGFlc2VhFwcICiMmKDUnBygvISAgLiwxLWF%2FdG4HAxgaBGV4aWEWPSoqJyA6ADQ1IC0jNiUkDTolKCwxaXxicw8ADgcMZm50aTYjPT8kMCAsOTZ0aXxic2dvZXRpFgoRGwRiACY0MDooLCc6PQgGdHRhc2V%2B

 

 

But when i echo the red parameter it returns:

 

HQcSBwYdYQsaHQ5iMDseNjs8Myw1JCQsIGlpFjs8Myw1JCQsIAAFa3QfAA4BDBJifGlwc2NgehcEDQAWEWklMAs9LjcmJyAvMSc1YgcMFWJ0DDcnOj0PIzksYX90bnNyZXphFgxpEDc1JSgkPSwzZXhpDCc5KyQwJyEoMgYsMDc9OyQmdHRhZRIIDRERbm1iGCYiIyAgLix0dGFlBCgyIzAsLyN4aRUac2VhBjU9JBEgKDM2dHRhZWZ5cHF5fGxzZG5tYhAoNScRJyViaWlmcGR4cm9hZHByc2VhATsmMyY9JyA2OzsPIzksYX90bhUadAgSDXNlYQ8xJC5iaWlmZXhpNy8LIDUnOSAlYnR0YWVzZWE0ORYxIy0kJCwgICViaWlmZXhpDCMmImF/dG4HAxgaBGV4aRcjOCAlIyAsEDc1JSgkPSwzYmlpZgQVBRIHc2VhATslLSc3PRUnNSQILDImYX90bgcDGBoEZXhpESo7PS4QMTg0KyYsJWJpaWYEFQUSB3NlYRQxJzQnGigsJ3R0YWUVJyUnJjphBS0kYRE1J2EINSooLCAmYQE7JS0nMyxmbnQfJCwhLAAmMDskMSd4YX90bnlyYnlhESQsLyExO2EKIzBmbnQfJCwhLAAmMDskMSd7YX90bmZudB8kLCEsAisgMGF/dG4RIycoJSc6KGZudB8kLCEsGyskKi4mMWl8YnN eXBlcWZudAUgNjEvJCd0dGFlc2VhDz06MicwGDQjOCAnKzE7BycxaXxic25tYhgoNScSLCQRICgzNidpfGJzZGxibnNmbnQINDY8ByQ2GCYmKzoABWJpaWZleGkANyAhD

[Shinzan]

ok I finally figured it out but this is stupid.  So the urlencoded results are automatically urldecoded by the server.  Fine. no problem but to get back the results i need I have to do this: (So confirmed encryption algs work fine its an encoding issue and this solves it.... BUT WHY !

 

$parameter = ff_getParam('ff_param_hash','');   //get the parameter but it will be urldecoded by default as this function wraps get

$ProperResults = base64_decode(rawurldecode(urlencode($sqlpackage)));

 

However even this isn't quite right, it returns the fully decrypted, fully unencoded string with the last character missing!!! ARGHH! So I fudge it by padding the whole string with a few extra spaces so it will drop those vs real data on the VB side

 

VBA CODE:

        strPackage = strPackage & "    "  'padding so no chars are stripped off on php side I added this once i realized the ProperResults was cutting off the last character!!

        strPackage = php_EncryptValue(strPackage, "secretkey")
        strPackage = base64_encode(strPackage)
        strPackage = URLEncode(strPackage)

 

)

[Shinzan]

Is there a cleaner way, it works now and thats important, but I hate stupid hacks like this!

[trq]

I've got to ask why your doing all of this?

 

Get an ssl and be done with it.

[Shinzan]

I have ssl Thats not the issue, can you help me with the issue?

[Shinzan]

I need the parameter to be encrypted from human eyes not just site to site on the wepage URL itsself.

Edited April 11, 2013 by Shinzan

[Shinzan]

for instance https://MyWebApp.com/indexp.php&?param="HeyYouWerentSupposedToBeAbleToReadThis"

 

needs to be https://MyWebApp.com/indexp.php&?param="Wfwdsdfakldsjf;kljasdlkjf;fweqjfeiowuprqiouewioqoireuwpwerieowjkflasfs"

 

Its not just about encryption its about obfuscation of the parameter in the url from human eyes and modification  ssl wont do anything for a user changing the value and refreshing the browser

[Shinzan]

For instance (And I have about 15 uses for this code) Lets assume the VBA app wants to launch a userpage with a user already logged in, we encrypt the data:

 

UserID:4,BogusData

 

then explode it out later get the userid and auto login the user

 

If the url is Http://myweapp.com/index.php?param=UserID:4,BogusData

 

Thats pretty useless since a user could just change it to 5 refresh and bob's your uncle hes logged in as the wrong user:

 

I could go on and on with examples of how I can use this to let an offline client communicate with my server app but hopefully this is enough.

 

this is just 1 example of the reason it needs encrypted from human eyes more importantly than simple SSL encrypting it in transit

Edited April 11, 2013 by Shinzan

[DavidAM]

1) Use POST rather than GET. It is hidden better (though still not invisible); the length limits are higher (you are sending a lot of data for a GET); it might avoid the "truncation"

 

 

$ProperResults = base64_decode(rawurldecode(urlencode($sqlpackage)));

 

2) urlencode()/urldecode() are different from rawurlencode()/rawurlencode(). Since you are having to urlencode it back and then rawurldecode it, there is an apparent mis-match between the VBA and PHP. There may also be some minor discrepancies in the interpretation of the specs between VBA and PHP.

 

You can get the un-urldecoded (that is, the raw) values from $_SERVER['QUERY_STRING'], I believe. Of course, you will have to split the string up yourself if there is more than one parameter.

 

If at all possible, I would use POST for this.

[Shinzan]

$_SERVER['QUERY_STRING'],

 

I will go straight to that to get my unaltered parametter thank you!