I'm currently using this code to generate a hyperlink in an .xls file from an intranet server.

This .xls file is an order I submit by email to one of my suppliers.

/* WEBSERVER1 */
<?php
// Order details arrive as query-string parameters on the intranet server
$ORDER=$_GET['ORDER'];
$EZAB=$_GET['EZAB'];
$IP=$_GET['IP'];

$ARRAY = array(
    "ORDER" => $ORDER,
    "EZAB" => $EZAB,
    "IP" => $IP);

// serialize() output is not URL-safe, so it is base64-encoded for the query string.
// base64 is only an encoding: anyone holding the link can decode it, change the values and re-encode.
$SERIAL=serialize($ARRAY);
$q=base64_encode($SERIAL);
$URL="http://mywebsite/?q=".$q;   // the original was missing this semicolon
// Excel formula written into the cell; the supplier clicks it to confirm the order
$EXCELHYPERLINK='=hyperlink("'.$URL.'")';

I want my supplier to click on the link in the .xls file to confirm the order has been processed, instead of replying to the original email.

The intranet server not being accessible from the outside world, the link points to a webserver hosting the following code.

/* WEBSERVER2 */
<?php
$q=$_GET['q'];
$SERIAL=base64_decode($q);
// Nothing here verifies that the data is what WEBSERVER1 produced: the values can be freely edited
// in the link, and the PHP manual warns against calling unserialize() on untrusted input at all.
$ARRAY=unserialize($SERIAL);
// Do something...

I would rather not use a database.

Do you have any thoughts on how I can make the content of the "$KEY" not that easy to find out?

baptme
  • Have you tried Mcrypt? http://php.net/manual/en/book.mcrypt.php – dAm2K May 29 '12 at 15:44
  • `base_64` won't prettify, it's a (poor) form of encryption. – David Thomas May 29 '12 at 15:45
  • Do you really need to prettify the link url: or is it enough to set the link text simply to say something like "Click here to confirm!"... e.g. =HYPERLINK("http://www.google.co.uk","Click here to visit Google") – Mark Baker May 29 '12 at 15:48
  • Thanks @dAm2K, Mcrypt will do the trick. – baptme May 29 '12 at 15:52
  • Base64 is for encoding, not encrypting. – William Isted May 29 '12 at 15:55
  • @MarkBaker I'm already using a =HYPERLINK("http://...","click here to confirm"), I just don't want to give the opportunity to tweak the url. This system is currently Business to Supplier, but I want to use it for Business to Customer and the level of security is not acceptable for that. – baptme May 29 '12 at 15:59
  • Use a POST request so the key isn't exposed in the url? However, anyone with a clue would look at the page source to get the key there. – Marc B May 29 '12 at 16:32
  • @MarcB the link is in the .xls PHPExcel generated file. I'm pretty much limited to GET. – baptme May 29 '12 at 18:24
  • @DavidThomas Now I see what you mean when saying "base_64 won't prettify". I've been using standard characters before and it was perfectly fine. But now with a mcrypt before the base64_encode it's another story. Since +/= are the only problematic characters in base64, a simple str_replace will correct the issue. – baptme May 29 '12 at 18:37

1 Answer

mcrypt allows me to encrypt the data transmitted via GET. (thanks to @dAm2K)

The base64_encode is not enough to make the encrypted data URL friendly, as it includes the "+", "/" and "=" characters (thanks to @DavidThomas).

I used str_replace to replace those 3 characters and everything is working fine.

Here's the corrected code for the intranet server:

/* WEBSERVER1 */
<?php
$ORDER=$_GET['ORDER'];
$EZAB=$_GET['EZAB'];
$IP=$_GET['IP'];

$ARRAY = array(
    "ORDER" => $ORDER,
    "EZAB" => $EZAB,
    "IP" => $IP);

$SERIAL=serialize($ARRAY);
// mcrypt was deprecated in PHP 7.1 and removed from core in PHP 7.2; this runs on PHP 5.x.
// rijndael-256 uses a 32-byte block, so the IV must be 32 bytes: md5() in hex mode returns exactly 32 characters.
// Caveat: key and IV are fixed values shared by both scripts, so every link is encrypted with the same IV,
// and CBC output carries no integrity tag, so a modified ciphertext is not detected on the other side.
$M=mcrypt_module_open('rijndael-256','','cbc','');
$KEY=md5("gi7aesawde2zomspgo8guvivmer8oici");
$IV=md5("dob1depatodop7lipdaig7bebeaion9d");
mcrypt_generic_init($M,$KEY,$IV);
$ENCRYPTEDDATA=mcrypt_generic($M,$SERIAL);   // pads the plaintext with NUL bytes up to a block boundary
mcrypt_generic_deinit($M);
mcrypt_module_close($M);
$q=base64_encode($ENCRYPTEDDATA);
// make the token URL-safe: '+', '/' and '=' would otherwise be mangled inside a query string
$q=str_replace(array('+','/','='),array('-','_','.'),$q);

$URL="http://mywebsite/?q=".$q;
$EXCELHYPERLINK='=hyperlink("'.$URL.'")';

and for the webserver:

/* WEBSERVER2 */
<?php
$q=$_GET['q'];
// undo the URL-safe substitution before base64-decoding
$q=str_replace(array('-','_','.'),array('+','/','='),$q);
$ENCRYPTEDDATA=base64_decode($q);
$M=mcrypt_module_open('rijndael-256','','cbc','');
$KEY=md5("gi7aesawde2zomspgo8guvivmer8oici");   // must match WEBSERVER1
$IV=md5("dob1depatodop7lipdaig7bebeaion9d");
mcrypt_generic_init($M,$KEY,$IV);
$SERIAL=mdecrypt_generic($M,$ENCRYPTEDDATA);
mcrypt_generic_deinit($M);
mcrypt_module_close($M);
// strip the NUL padding added by mcrypt_generic() so unserialize() receives the exact original string
$SERIAL=rtrim($SERIAL,"\0");
// the decrypted bytes were never integrity-checked; the PHP manual warns against unserialize() on untrusted input
$ARRAY=unserialize($SERIAL);

// Do something...
baptme