
I have a function in PHP which decrypts as described in the title. This function decodes from base64 and decrypts correctly:

```php
function decrypt($base64encoded_ciphertext) {

    $key = 'a16byteslongkey!a16byteslongkey!';

    $plaintext = mcrypt_decrypt(MCRYPT_RIJNDAEL_128, $key, base64_decode($base64encoded_ciphertext), MCRYPT_MODE_CBC);
    $plaintext = trim($plaintext);

    // Replace all the bogus characters
    for($i=0; $i<32; $i++) $plaintext = str_replace(chr($i), "", $plaintext);

    return $plaintext;
}
```

But if I send this string as input: `Da/itClhHEVQH9BfL/gIug==`

it returns this: 100000065912248XNš!†Özé‰ÎªãaóÒ]`-ÐüõÁÔ…ayã›[¿gp—›s.ýý 3á«uÛ§hZ¼ú™R2.

instead of only 100000065912248

I have tried with an online tool and the encrypted string is correct.

the online tool

Thank you!

Matteo Gobbi
  • Why are you using `MCRYPT_MODE_CBC` if you're not using an IV? And why is there a `for` loop that blindly strips a whole bunch of characters? – NullUserException Jan 18 '13 at 23:42
  • Only CBC decrypts correctly; the others do not work. I have a `for` loop because at the end of a correct string there are chr(3) or chr(4)... – Matteo Gobbi Jan 18 '13 at 23:47
  • That's not the point. The point is you're using cryptography incorrectly. Don't just try to randomly modify settings and strip characters until it works. That's a dangerous thing to do. If there are chr(3) and chr(4) at the end of the string, that's because you've made a mistake when encrypting, decrypting, or both. This should **not** be needed. And if you're going to use CBC, use an IV. – NullUserException Jan 18 '13 at 23:50
  • And whoever wrote that tool is a noob himself. They don't seem to have a clue of what they're doing. – NullUserException Jan 18 '13 at 23:54
  • Why does the online tool work? And why does my function work with other strings? – Matteo Gobbi Jan 18 '13 at 23:56
  • Like I told you, the online tool is wrong. It's possible they've made the same mistake you did. The fact that you have to strip characters means that it **doesn't** work correctly. Encryption and decryption should be totally transparent. Where's the code you used to encrypt this? – NullUserException Jan 19 '13 at 00:00
  • Sorry, I have found the problem: a stupid error in the GET params. I encrypt the string without an IV and decrypt without an IV. Thanks – Matteo Gobbi Jan 19 '13 at 00:07
  • @NullUserException Well at least he's not using the official example: http://php.net/manual/en/function.mcrypt-encrypt.php – Maarten Bodewes Jan 19 '13 at 02:49

0 Answers
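An added example, not code from the question or its comments: one way to address the points raised in the thread (a per-message IV for CBC, padding handled by the library instead of `trim()` and `str_replace()`, and a token that survives a GET parameter). It assumes the `openssl` extension rather than mcrypt, adds an HMAC that the thread does not discuss, and all function names and keys are hypothetical.

```php
<?php
// Added example; function names and key handling are assumptions.
// AES-256-CBC, fresh IV per message, HMAC over IV+ciphertext, URL-safe base64.
function b64url_encode(string $bin): string {
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

function b64url_decode(string $txt): string {
    $txt = strtr($txt, '-_', '+/');
    $txt .= str_repeat('=', (4 - strlen($txt) % 4) % 4);   // restore '=' padding
    $bin = base64_decode($txt, true);                      // strict: reject stray characters
    if ($bin === false) {
        throw new InvalidArgumentException('not valid base64url');
    }
    return $bin;
}

function encrypt_token(string $plaintext, string $encKey, string $macKey): string {
    $iv = random_bytes(16);                                // never reuse or omit the IV
    $ct = openssl_encrypt($plaintext, 'aes-256-cbc', $encKey, OPENSSL_RAW_DATA, $iv);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    $mac = hash_hmac('sha256', $iv . $ct, $macKey, true);  // encrypt-then-MAC
    return b64url_encode($iv . $ct . $mac);
}

function decrypt_token(string $token, string $encKey, string $macKey): string {
    $raw = b64url_decode($token);
    // Layout: 16-byte IV, one or more 16-byte blocks, 32-byte MAC
    if (strlen($raw) < 64 || (strlen($raw) - 48) % 16 !== 0) {
        throw new InvalidArgumentException('token truncated or corrupted');
    }
    [$iv, $ct, $mac] = [substr($raw, 0, 16), substr($raw, 16, -32), substr($raw, -32)];
    if (!hash_equals(hash_hmac('sha256', $iv . $ct, $macKey, true), $mac)) {
        throw new RuntimeException('token failed authentication');
    }
    // OpenSSL checks and removes the PKCS#7 padding; nothing is stripped by hand
    $pt = openssl_decrypt($ct, 'aes-256-cbc', $encKey, OPENSSL_RAW_DATA, $iv);
    if ($pt === false) {
        throw new RuntimeException('decryption failed');
    }
    return $pt;
}

// Constructed sample keys and a round trip of the value from the question
[$encKey, $macKey] = [random_bytes(32), random_bytes(32)];
var_dump(decrypt_token(encrypt_token('100000065912248', $encKey, $macKey), $encKey, $macKey));
```

A token altered in transit, for example by URL decoding turning `+` into a space in standard base64, is rejected with an exception instead of producing trailing garbage.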