
On localhost I'm trying to develop and test my REST API. I have this code that sends encrypted JSON to the REST API:

// The URL I wish to send the POST request to.
// NOTE(review): plain http:// — tolerable for a localhost test only; without TLS the
// request can be read and modified in transit.
$url = "http://localhost/api/2.php";
$headers = array(
  "Accept: application/json",
  "Content-Type: application/json",
);

// Key
// NOTE(review): key and IV are hard-coded in source and every caller of the API would
// need a copy of both, so they cannot be treated as secrets. The IV is constant, so
// equal plaintexts always produce equal ciphertexts. AES-CBC expects a 16-byte IV;
// this string is 32 characters long.
$encryption_key = "43274689933404c4bd47190b395f5e3a2c668fcca603c40ceb074c970047402d";
$iv = "274f5f54eff39aee1e4d2c614ccd99c9";
$method = "AES-256-CBC";

//The data to send via POST
$data = [
    'username'      => "RERERE",
    'password'      => "bbbb"
];

// Encrypted data
// NOTE(review): $data is an array, but openssl_encrypt() takes a string, so it has to be
// serialised (for example with json_encode) first. With options = 0 the return value is
// already base64 text, so base64_encode() encodes it a second time.
$encrypted = base64_encode(openssl_encrypt($data, $method, $encryption_key, 0, $iv));

//open connection
$ch = curl_init();
curl_setopt($ch,CURLOPT_URL, $url);
curl_setopt($ch,CURLOPT_POST, true);
// NOTE(review): $curl is never defined in this snippet (the handle is $ch), so the
// headers above are not applied to the request.
curl_setopt($curl, CURLOPT_HTTPHEADER, $headers);
// The body is the bare encrypted string, not a JSON document, although the
// Content-Type header declares application/json.
curl_setopt($ch,CURLOPT_POSTFIELDS, $encrypted);
// Make curl_exec() return the response body instead of printing it.
curl_setopt($ch,CURLOPT_RETURNTRANSFER, true);

//execute post
// NOTE(review): curl_exec() returns false on failure and nothing checks for that here.
$result = curl_exec($ch);
echo $result;

Now in the 2.php file I can't retrieve the content. I'm using something like the code below, but I get NULL:

// Key
// NOTE(review): the same hard-coded key and constant IV as in the sending script; anyone
// who can read either file can decrypt or forge requests.
$encryption_key = "43274689933404c4bd47190b395f5e3a2c668fcca603c40ceb074c970047402d";
$iv = "274f5f54eff39aee1e4d2c614ccd99c9";
$method = "AES-256-CBC";

// Read the raw request body. The second argument of file_get_contents() is
// use_include_path; it plays no role for php://input.
$json = file_get_contents('php://input',true);
// json_decode() returns null when the body is not valid JSON. The sending script posts a
// bare base64 string, which is presumably why NULL shows up here — confirm by dumping $json.
$array = json_decode($json);

// NOTE(review): the request body is untrusted, and AES-CBC carries no integrity check, so a
// successful decrypt does not show that the data came from a legitimate client.
// openssl_decrypt() returns false on failure; that case is not handled.
$decrypted = openssl_decrypt(base64_decode($array), $method, $encryption_key, 0, $iv);

// NOTE(review): decrypted request data is echoed without escaping.
echo $decrypted;

Can someone help me understand what is wrong, and whether this is the right way to do this?

Ivan
  • 2
    I don't see that you define your content as JSON anywhere, so trying to `json_decode` it makes no sense. Have you tried dumping the result of `file_get_contents('php://input',true)` to see what it really is? – El_Vanja Apr 06 '21 at 15:05
  • Also _from the manual_ `CURLOPT_POSTFIELDS The full data to post in a HTTP "POST" operation. This parameter can either be passed as a urlencoded string like 'para1=val1&para2=val2&...' or as an array with the field name as key and field data as value.` So just passing `$encrypted` won't help the situation either – RiggsFolly Apr 06 '21 at 15:10
  • Is this going to be an API that other people will be allowed to call? When you get it working?? – RiggsFolly Apr 06 '21 at 15:14
  • 2
    Don't roll your own encryption. Just use HTTPS. – Quentin Apr 06 '21 at 15:22
  • @Quentin This must be an API that other people will be allowed to call. – Ivan Apr 06 '21 at 15:27
  • 2
    @Ivan — Yes. Use HTTPS. Don't roll your own encryption. – Quentin Apr 06 '21 at 15:28
  • @El_Vanja dumping file_get_contents('php://input',true) gives me string(0) "" – Ivan Apr 06 '21 at 15:30
  • @Quentin How do I use HTTPS? – Ivan Apr 06 '21 at 15:31
  • 1
    Look at what is required to use this method !!!!!! If you let me use this, you have to tell me the `Encryption_key` and the `iv`. In other words, you have to give away the Crown Jewels. In short, about as secure as an ashtray on a motorcycle – RiggsFolly Apr 06 '21 at 15:31
  • 1
    @Ivan — Depends on your webserver. Since you are using PHP the answer is probably "Pick a hosting plan with it turned on by default". More complex answers are available but would need to be tailored to exactly how you plan to host and deploy your code. – Quentin Apr 06 '21 at 15:32

1 Answer


Finally I got the result this way:

The file that sends the request:

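// The URL to send the POST request to.
// NOTE(review): plain http:// is only tolerable for a localhost test. A deployed API
// should be served over https:// so that TLS provides confidentiality, integrity and
// server authentication; the field encryption below is not a substitute for it.
$url = "http://localhost/api/2.php";

$headers = [
    "Accept: application/json",
    "Content-Type: application/json",
];

$username = "aaaaaa";
$password = "bbbbbb";

// Key material.
// NOTE(review): demo values only. A key committed to source, and shared with every
// client that calls the API, is not a secret. The IV is constant, so equal plaintexts
// always encrypt to equal ciphertexts. AES-CBC uses a 16-byte IV; PHP warns and
// truncates this 32-character string. The key is hex text passed as-is rather than
// decoded with hex2bin(), so OpenSSL appears to use only its first 32 characters —
// confirm before relying on the full key. The values are left unchanged here because
// the receiving script must use exactly the same ones.
$encryption_key = "43274689933404c4bd47190b395f5e3a2c668fcca603c40ceb074c970047402d";
$iv = "274f5f54eff39aee1e4d2c614ccd99c9";
$method = "AES-256-CBC";

// With options = 0, openssl_encrypt() already returns base64 text.
$usernameCipher = openssl_encrypt($username, $method, $encryption_key, 0, $iv);
$passwordCipher = openssl_encrypt($password, $method, $encryption_key, 0, $iv);

// Stop instead of silently posting empty fields when encryption fails.
if ($usernameCipher === false || $passwordCipher === false) {
    echo 'Encryption failed';
    exit(1);
}

// The second base64 layer is redundant but kept, because the receiving script
// base64-decodes the value before handing it to openssl_decrypt().
$usernameEncrypted = base64_encode($usernameCipher);
$passwordEncrypted = base64_encode($passwordCipher);

// The data to send via POST, serialised as the JSON document the headers announce.
$fields = [
    'username'       => $usernameEncrypted,
    'password'       => $passwordEncrypted,
];
$fields = json_encode($fields);

// Open the connection and configure the request.
$ch = curl_init();
curl_setopt_array($ch, [
    CURLOPT_URL            => $url,
    CURLOPT_HTTPHEADER     => $headers,
    CURLOPT_POST           => true,
    CURLOPT_POSTFIELDS     => $fields,
    // Make curl_exec() return the response body instead of printing it.
    CURLOPT_RETURNTRANSFER => true,
]);

// Execute the POST.
$result = curl_exec($ch);

// A transfer error can only be reported after curl_exec() has run; checking
// curl_errno() before the call, as the original did, never fires.
if ($result === false) {
    echo 'Curl error: ' . curl_error($ch);
} else {
    echo $result;
}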

And the file that receives the request and echoes the result:

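// Key material shared with the sending script.
// NOTE(review): demo values only. A key hard-coded here, and handed to every client,
// is not a secret, and the constant IV makes equal plaintexts produce equal
// ciphertexts. AES-CBC uses a 16-byte IV; PHP warns and truncates this 32-character
// string. The values are left unchanged because the sender must use the same ones.
$encryption_key = "43274689933404c4bd47190b395f5e3a2c668fcca603c40ceb074c970047402d";
$iv = "274f5f54eff39aee1e4d2c614ccd99c9";
$method = "AES-256-CBC";

// The request body is untrusted: it may be empty, not JSON, or JSON of the wrong shape.
$datiInArray = json_decode(file_get_contents("php://input"), true);

$usernameCrypted = is_array($datiInArray) ? ($datiInArray["username"] ?? null) : null;
$passwordCrypted = is_array($datiInArray) ? ($datiInArray["password"] ?? null) : null;

if (!is_string($usernameCrypted) || !is_string($passwordCrypted)) {
    http_response_code(400);
    exit('Invalid request');
}

// The sender base64-encodes the (already base64) ciphertext once more, so one layer
// is removed here; strict mode rejects characters outside the base64 alphabet.
$usernameCipher = base64_decode($usernameCrypted, true);
$passwordCipher = base64_decode($passwordCrypted, true);

$username = $usernameCipher === false
    ? false
    : openssl_decrypt($usernameCipher, $method, $encryption_key, 0, $iv);
$password = $passwordCipher === false
    ? false
    : openssl_decrypt($passwordCipher, $method, $encryption_key, 0, $iv);

// One generic answer for every failure, so the response does not describe which step
// rejected the input. AES-CBC has no integrity check: a successful decrypt does not
// show the data is authentic. TLS, or an authenticated mode, is what provides that.
if ($username === false || $password === false) {
    http_response_code(400);
    exit('Invalid request');
}

// Here echo the result. The values come from the request, so they are escaped before
// being placed in HTML. Echoing a password back is for this demonstration only.
echo htmlspecialchars($username, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
    . "<br>"
    . htmlspecialchars($password, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');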
Ivan