Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

PHP - Plus sign with GET query

Tags:

php

get

I have a PHP script that does basic encryption of a string through the method below:

<?php $key = 'secretkey'; $string = $_GET['str'];  if ($_GET['method'] == "decrypt") {     $output = rtrim(mcrypt_decrypt(MCRYPT_RIJNDAEL_256, md5($key), base64_decode($string), MCRYPT_MODE_CBC, md5(md5($key))), "\0"); }  if ($_GET['method'] == "encrypt") {     $output= base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, md5($key), $string, MCRYPT_MODE_CBC, md5(md5($key)))); }  echo $output; ?> 

An example of a URL to encrypt a string would look like this:

Encrypt.php?method=encrypt&str=the quick fox

Which would return this as the encrypted string:

LCuT/ieVa6cl3/4VtzE+jd9QPT3kvHYYJFqG6tY3P0Q=

Now to decrypt the string all you have to do is change the "method" query to "decrypt", like so:

Encrypt.php?method=decrypt&str=LCuT/ieVa6cl3/4VtzE+jd9QPT3kvHYYJFqG6tY3P0Q=

The only problem is that when that encrypted string is decrypted it returns this:

¬ƒ§rYV}̳5Äš·nßì(ñïX8Þ;b

I have narrowed down the problem to the plus sign that is in the encrypted string. PHP's GET method seems to translate a plus sign into a blank space. I have searched this bug and found out that it has already been filed here. I have tried different methods listed on that page and others with no success. The closest I got is by using this:

$fixedstring = str_replace(" ", "+", $string); 

and then using $fixedstring in the encryption methods, the problem is, upon decryption, all blank spaces are converted to plus signs. Any ideas?

I know using POST would make more sense but I am using GET for specific reasons. I will spare the details.

like image 544
user Avatar asked Apr 20 '10 00:04

user


People also ask

How to GET Plus sign from url in PHP?

The closest I got is by using this: $fixedstring = str_replace(" ", "+", $string);

How do you pass a plus sign in query string?

Now, if you want a literal + to be present in the query string, you need to specify %2B instead. + sign in the query string is URL-decoded to a space. %2B in the query string is URL-decoded to a + sign.


2 Answers

If you'll read the entirety of that bug report you'll see a reference to RFC 2396. Which states that + is reserved. PHP is correct in translating an unencoded + sign to a space.

You could use urlencode() the ciphertext when returning it to the user. Thus, when the user submits the ciphertext for decryption, you can urldecode() it. PHP will do this automatically for you if it comes in via the GET string as well.

Bottom line: The + must be submitted to PHP as the encoded value: %2B

like image 199
hobodave Avatar answered Sep 19 '22 17:09

hobodave


I realize that this is an old question, but I was looking for a solution to a similar problem with + signs in a GET string. I stumble upon this page and thought I would share the solution I came up with.

<?php $key = 'secretkey'; $string = $_GET['str'];  if ($_GET['method'] == "decrypt") {     $string = urlencode($string);     $string = str_replace("+", "%2B",$string);     $string = urldecode($string);     $output = rtrim(mcrypt_decrypt(MCRYPT_RIJNDAEL_256, md5($key), base64_decode($string), MCRYPT_MODE_CBC, md5(md5($key))), "\0"); }  if ($_GET['method'] == "encrypt") {     $output= base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, md5($key), $string, MCRYPT_MODE_CBC, md5(md5($key)))); }  echo $output; ?> 
like image 41
Andrew Avatar answered Sep 20 '22 17:09

Andrew