3

I want to send form data via url to another domain in encrypted form

<form action="http://localhost:85/abc/?<?php echo $_POST['name'] ?>" method="POST">
    First name:<br>
    <input type="text" name="name" placeholder="name"> 
    <input type="submit" value="Submit">
</form>

While searching for solution I found different way but none of them works for me. For e.g. I found if I use GET method in form then I can send data like this

<form action="http://localhost:85/abc/?<?php echo $_GET['name'] ?>" method="GET">

Its working But the problem with this solution is that it don't send data in encrypted form + I can't change my form method from POST to GET Because from is created by plugin called caldera forms. I only can change form action in it.

As per another solutions I tried to use action like this

<form action="http://localhost:85/abc/?<?php echo $_REQUEST['name'] ?>" method="POST">

But this also didn't work for me. Any suggestion what else I can try. Right now I am testing it in localhost by creating a small form not by plugin.

Rishabh
  • 610
  • 2
  • 11
  • 32
  • What did you try to 'encrypt' the name? And I really don't understand what you are trying to achieve... – Cagy79 Sep 07 '16 at 08:16
  • This is in my form action `http://localhost:85/abc/?`. So I just want to send name field with url. Like if name entered in form `Rishabh` Then redirect url will be like this `http://localhost:85/abc/?Rishabh (but name in encrypted)`. I have shown my search progress regarding this problem and apart from this I also tried to use hidden field but it also not helpful for me. Forget about encrypted, right now I am not even able to send data in non-encrypted form if I use `POST` method in my form. – Rishabh Sep 07 '16 at 08:22

4 Answers4

1

Revised answer:

if you encrypt your parameter, it is irrelevant if you pass it as a GET or POST parameter, although I would recommend to pass all security-relevant information via POST rather then sending it as part of your query string (which is the part after the question mark in your URL, i.e. Rishabh in http://localhost:85/abc/?Rishabh) because the query string will be visible in the browser history and webserver logs as discussed here.

Anyways, here are at least two options you have:

Option 1: use HTTPS/SSL

If you use an SSL-secured communication ("https://" rather that "http://"), all data, even the query string, will be encrypted and send to the server so there is no need to encrypt the parameter manually. There are still ways to intercept the data (Man-in-the-middle attacks or faked SSL-certificates) but it is a very secure way to transmit data. Requires an SSL certificate (can be self-signed or bought by a so-called "CA authority) on your server. If you are using Linux and Apache, here's an article explaining it, this one explains it for Windows and Apache.

Option 2: handle the encryption and decryption manually

Sender:

function doEncrypt($encrypt)
{
    $crypt_key= '%{is}§a/G00d+kEy.F0r#3ncRypT!0n';

    $iv= mcrypt_create_iv(mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB), MCRYPT_RAND);
    $crypted= mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $crypt_key, $encrypt, MCRYPT_MODE_ECB, $iv);
    $encode= base64_encode($crypted);       
    return $encode;
}
$name= 'Rishabh';
$encoded= doEncrypt($name);
?>
<form action="http://localhost:85/abc/?<?php echo $encoded; ?>" method="GET">

Receiver (located inside your abc directory):

function doDecrypt($decrypt)
{
    $crypt_key='%{is}§a/G00d+kEy.F0r#3ncRypT!0n';
    $decoded= base64_decode($decrypt);
    $iv= mcrypt_create_iv(mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB), MCRYPT_RAND);
    $decrypted = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $crypt_key, $decoded, MCRYPT_MODE_ECB, $iv);

    return str_replace("\\0", '', $decrypted);
}
$name= doDecrypt($_REQUEST['QUERY_STRING']);

Here's a working example with the above functions: phpFiddle.

And here's more info on transmitting form data via curl, encoding and decoding may be done using the mcrypt extension of PHP in a secure manner.

Another remark and explanation of your code:

<form action="http://localhost:85/abc/?<?php echo $_POST['name'] ?>" method="POST">

will output the variable name that has previously been posted as part of a form submit, the parameter will be send as part of the GET-/Query string of the form request, all other elements inside the form will be send as part of a form submit.

<form action="http://localhost:85/abc/?<?php echo $_GET['name'] ?>" method="GET">

will output the variable name that has been passed along as a GET-/query string parameter, again it will be part of the Query string of the form request. All other form elements will be send as part of the query string rather than as form submit.

<form action="http://localhost:85/abc/?<?php echo $_REQUEST['name'] ?>" method="POST">

will output a parameter name that has either been posted via form submit or as part of the query string, it will also be part of the query string of the form request. All other form elements will be send as part of the POST / form data, same as in example 1.

Community
  • 1
  • 1
SaschaM78
  • 4,376
  • 4
  • 33
  • 42
  • Thanks for the answer, Its seems interesting. I will test it soon and report you back. – Rishabh Sep 07 '16 at 12:36
  • Hi SaschaM78, I was testing your code and getting little confused about it. Can you tell me how I should put value inside encrypt method. Like in this line `$arrPost['payload']= yourEncodeMethod($yourValue);`In what format I should put value of form field to replace `$yourValue`? – Rishabh Sep 08 '16 at 04:46
  • Ok figured it out. – Rishabh Sep 08 '16 at 06:17
  • @Rishabh I updated my answer to give a usable example of what I was explaining to you and also added some comments about what you tried before, see if that makes sense to you. – SaschaM78 Sep 08 '16 at 09:43
  • Thanks for your detail explanation, Mean while I was also searching for solution and I found an encryption/decryption function as you shown in your answer. The difference in your and mine searched function is that you are using `MCRYPT_MODE_ECB` method and function that I found is using `MCRYPT_MODE_CBC`. I heard prev. that `ECB` is not secure so after I saw your answer I searched on google to know which is more secure `ECB` or `CBC`. So I found a good article that describes `ECB vs CBC` in detail. Here it is: https://adayinthelifeof.nl/2010/12/08/encryption-operating-modes-ecb-vs-cbc/ . – Rishabh Sep 09 '16 at 04:33
  • According to the article I mentioned in previous reply `ECB` is not secure and should not be use and as compare to `ECB` the more secure method is `CBC` that I am using right now. But up vote for your detail explanation. This is really appreciable, Thaks for this SaschaM78 :) – Rishabh Sep 09 '16 at 04:39
  • Thanks for mentioning the problem and for the upvote! You should now accept your own answer as accepted to mark the question as answered. And thanks for sharing! – SaschaM78 Sep 09 '16 at 06:36
0

Can't you trigger an event on javascript first to encrypt your data, or you could just submit to another php file, and from there you could encrypt and send.

Eldon Hipolito
  • 704
  • 1
  • 8
  • 24
  • I don't have good knowledge of JS But I will try to search regarding this. And your second solution You told just submit to another php file and there encrypt. Ok I can find a way to encrypt form data but but how can I send that encrypted data to another domain without performing any action? I dont want that the user have to click to redirect since he/she already click on submit form once. So any way to auto redirect after encrypt? – Rishabh Sep 07 '16 at 08:31
  • It's all on the backend side. – Eldon Hipolito Sep 07 '16 at 08:59
  • You could achieve it using the `header("Location:url?param=blabla")` if you could do GET, or you could refer to this link if you really need to POST. [POST on a PHP script](http://stackoverflow.com/questions/1217824/post-to-another-page-within-a-php-script) – Eldon Hipolito Sep 07 '16 at 09:03
0

You have to use php encrypt methods for encoding and decoding your data. By this way you can send data in an encrypted form and on the other side you have to decrypt data.

Have a look http://php.net/manual/en/function.mcrypt-encrypt.php

Tayyab Ahmed
  • 83
  • 3
0

I found a solution of my problem and sharing with everyone. This solution works in 4 steps as follow.

Step 1: For encryption and decryption, I am using following functions in my functions.php file.

function Encryptstr($password, $data)
{

    $salt = substr(md5(mt_rand(), true), 8);

    $key = md5($password . $salt, true);
    $iv  = md5($key . $password . $salt, true);

    $ct = mcrypt_encrypt(MCRYPT_RIJNDAEL_128, $key, $data, MCRYPT_MODE_CBC, $iv);

    return base64_encode('Salted__' . $salt . $ct);
}
function Decryptstr($password, $data)
{

    $data = base64_decode($data);
    $salt = substr($data, 8, 8);
    $ct   = substr($data, 16);

    $key = md5($password . $salt, true);
    $iv  = md5($key . $password . $salt, true);

    $pt = mcrypt_decrypt(MCRYPT_RIJNDAEL_128, $key, $ct, MCRYPT_MODE_CBC, $iv);

    return $pt;
}

I was told that encryption function can't be performed on action path of form directly So I am using another way for it. I am redirecting form to a page and on that page I am encrypting my form field.

Step 2:
First build a simple form like this and in action of form I have given path of page in which I will perform encryption

<form action="http://localhost:85/xyz/" method="POST">  //In action I am giving path to the page in which I will perform encryption     
    <input type="text" name="fname" placeholder="First Name">
    <input type="submit" value="Login">
</form>

Step 3: After form redirect to this page, I store data of my form field in a variable and encrypt it as follow

$name = $_POST['fname']; //fname is the name of the form control (Text Box)
// Performing encryption on it like this
$encrypt = Encryptstr('myPass123', $name); // Here "myPass123" is the key that will be use to encrypt and decrypt and "Encryptstr" Is function that I have put in functions.php as shown above.

After encrypt form data and storing it in a variable ($encrypt) I make another form whith hidden fields But in this form I am using GET method instead of POST.

<form action="http://localhost:85/abc/" method="GET">
    First name:<br>
    <input type="hidden" name="fname" value="<?php echo $encrypt; ?>">
    <input type="submit" value="Login">
</form>

In the value field of form's hidden field I used $encrypt varible in which I have stored the encrypted form of data earlier. I put it in value option so that we don't need to enter value again. And after clicking on Submit button form will send data to my mentioned page (Mentioned in action of form).

So this data will transmit via url something like this

http://localhost:85/abc/?fname=sdfhf3jh4jhdfjsdffsf

As you can see fname field is encrypted if I haven't put encryption then output will be like this

http://localhost:85/abc/?fname=Entered_value_by_user

Step 4: So in last step I just need to fetch data from url for that I used GET method like this. This is the page where encrypted data redirects

if(isset($_GET['fname']))    //Getting the value of fname field from url via GET method
{
    $entry = $_GET['fname'];  // Storing value in a variable
    //Decripting value using Decryptstr function where 'myPass123' is the key that we used to encrypt and same key needed to decrypt
    echo 'Result: '.Decryptstr('myPass123', $entry); 
}

Reference: http://heiswayi.github.io/php-encryption-decryption-and-password-hashing.html

Note: This method works very well But I don't know what is the level of security this method provides. I had two option for encryption first using ECB and second using CBC. So I searched on google to find out which is more secure to use. So I found a good article that describes ECB vs CBC In detail. And after reading article I found that cbc is more secure. Thats why I am using CBC.

Rishabh
  • 610
  • 2
  • 11
  • 32