通过URL参数发送一个mcrypt的加密字符串 - 德codeD文本是错位 [英] Sending an mcrypt-encrypted string via a URL parameter - decoded text is mangled

问题描述

我在玩弄一个简单的授权方案。我觉得这样做没有SSL或其他HTTP认证将是一个共享密钥加密的最简单方法。从PHP手册适应一个简单的例子，我想出了以下内容：

I'm messing with a simple authorization scheme. I think the easiest way to do it without SSL or other HTTP auth would be a shared key encryption. Adapting a simple example from the PHP manual, I came up with the following:

$text = "boggles the invisible monkey will rule the world";
$key = "This is a very secret key";

$iv_size = mcrypt_get_iv_size(MCRYPT_BLOWFISH, MCRYPT_MODE_ECB);
$iv = mcrypt_create_iv($iv_size, MCRYPT_RAND);

$enc = mcrypt_encrypt(MCRYPT_BLOWFISH, $key, $text, MCRYPT_MODE_ECB, $iv);

$iv = base64_encode($iv);
$enc = base64_encode($enc);

echo '<a href="temp2.php?iv='.$iv.'&text='.$enc.'">link</a><br />';

这是收到这个请求（temp2.​​php）的页面看起来是这样的：

The page that receives this request (temp2.php) looks like this:

$key = "This is a very secret key";

$iv = base64_decode($_GET["iv"]);
$enc = base64_decode($_GET["text"]);

$crypttext = mcrypt_decrypt(MCRYPT_BLOWFISH, $key, $enc, MCRYPT_MODE_ECB, $iv);

echo "$crypttext<br>";

这会非常接近，但它不会去code properly--呼应

This gets very close, but it doesn't decode properly-- it echoes

博格尔斯无形的猴子将统治T-;eôügJë

我不知道挂断是什么，我想urlen code / urlde code和ヶ辆，想着也许是性格是错位的请求，但没有什么区别。

I'm not sure what the hangup is, I tried urlencode/urldecode and htmlentities, thinking maybe a character was mangled in the request, but no difference.

有没有别的东西我丢失吗？也许填充？

Is there something else I'm missing? Perhaps padding?

感谢

推荐答案

碰巧你的加密文本最终会看起来像：

It happens that your encrypted text will end up looking something like:

Z5DlBqT8yEB4HKLkAlvfJoWaHgnNVLFh7jls6L85sLriedc82uFQxm+M62I41oB7

请参阅该加号吗？加上网址迹象都被转换为空间。

See that plus sign there? Plus signs in URLs get turned into spaces.

在手动转换的加号的空间和解密的结果，输出的是你亲眼目睹损坏垃圾。

When manually converting that plus sign to a space and decrypting the result, the output is the corrupted junk that you've witnessed.

您应该同时运行IV，并通过 加密后的文本rawurlen code （没有的 urlen code ）粘入链接之前。这将正确连接$ C C的加号，这将preserve它通过程序$。你并不需要（也不应该） urlde code 的另一边字符串 - PHP会为你这样做

You should run both the IV and the encrypted text through rawurlencode (not urlencode) before sticking it into the link. This will properly encode the plus sign, which will preserve it through the process. You don't need to (and should not) urldecode the string on the other side -- PHP will have done this for you.

这篇关于通过URL参数发送一个mcrypt的加密字符串 - 德codeD文本是错位的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！