How to show encrypted password in URL

Question

I encrypted password, and now trying to show in URL, but in URL i am always getting actual password which is real: kimd

I guess i am not passing $encrypted_string in url, please check my php script and let me know that How can i pass $encrypted_string in URL ?

and whenever i call my form getting everything, details like: actual password, encrypted password and decrypted password

For an example:

Original upass : kimd

Encrypted upass : 5¾VªÜly.TÀîÈ¥MÜQüÑLøø‹y\ñU

Decrypted upass : kimd

legals.php:-

<?php
.......................
// Create the initialization vector for added security.
$iv = mcrypt_create_iv(mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB), MCRYPT_RAND);

// Encrypt $string
$encrypted_string = mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $secret_key, $upass, MCRYPT_MODE_CBC, $iv);

// Decrypt $string
$decrypted_string = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $secret_key, $encrypted_string, MCRYPT_MODE_CBC, $iv);
................................
?>

I just want to show encrypted password in URL not actual password, i have two fields in legals table, namely :- uname and upass

where i am doing mistake ? please let me know ..

Answer 1

I'm by no means a guru, but from the code you have posted, it appears your query "SELECT * FROM legals WHERE upass = '$upass'" is pulling the non-encrypted password from your database. Although you have echoed encrypted and decrypted strings, I don't see where you are using the encrypted string in any other way.

Answer 2

Here is your answer, assuming you can get $ukey and $secret_key!

<?php 
// Create the initialization vector for added security.
$iv = mcrypt_create_iv(mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB), MCRYPT_RAND);

// Encrypt $string
$encrypted_string = mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $secret_key, $ukey, MCRYPT_MODE_CBC, $iv);

// Decrypt $string
$decrypted_string = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $secret_key, $encrypted_string, MCRYPT_MODE_CBC, $iv);
?>

<div align="center">
       <form method="get" id="contact_form" action="legal.php">
                 <p>Enter First Name</p>
                 <input type="text" name="fname" value="" />
                 <p>Enter Last Name</p>
                 <input type="text" name="lname" value="" />
                 <input type="hidden" name="uname" value="kim" /> <!-- uname could be dynamic here -->
                 <input type="hidden" name="upass" value="<?php echo $encrypted_string; ?>" /><br/>
                 <input type="submit" id="submit_btn" value="Submit" />
       </form>
</div>

On legal.php page:

$uname = isset($_GET['uname'])?$_GET['uname']:'';
$upass = isset($_GET['upass'])?$_GET['upass']:'';
$con = mysqli_connect(" "," "," "," ");

$result = mysqli_query($con,"SELECT * FROM `legals` WHERE `upass` = '$upass'");
$row = mysqli_fetch_array($result);

   // else {echo "Username/Key Error";}
mysqli_close($con);

Answer 3

Firstly, Its not good practice to send Password through GET parameters. Its Should always be send through POST parameters

 <form method="POST" id="contact_form" action="legals.php">

and you can retrieve them as:

$uname = $_POST['uname'];
$upass = $_POST['upass'];

But still if you want to encrypt in URL only use base64_encode() or md5() in your .php file.