  1. #1
    SitePoint Zealot

    Want function to encode/decode user information

    I have a site that uses javascript/AJAX on the client side to send information to my server. I'd like to create a javascript variable that contains the user's id and then be able to decode it on the server side so I can tell who the request is coming from.

    If I'm not looking for DOD-type security as it isn't a very sensitive function, is there a way to do this without storing a key in the database for each user ID?

    As an example, I want to take a user id (say '63') and convert it into something onerous (say 'f357fde7ab813c9f872c'), then on the client side be able to simply convert it back into '63'. I don't want to add another field to each user account to contain the hashed value if possible. Make sense?

  2. #2
    kyberfabrikken (SitePoint Wizard)
    Hash it with md5. You should consider storing the hash in your database, instead of clear text though. It's a security risk to store passwords in clear text, anywhere in your system.

    http://www.google.com/search?q=javascript%20md5
    md5

  3. #3
    Czaries (PHP/Rails Developer)
    Quote Originally Posted by whitemank View Post
    I have a site that uses javascript/AJAX on the client side to send information to my server. I'd like to create a javascript variable that contains the user's id and then be able to decode it on the server side so I can tell who the request is coming from.

    If I'm not looking for DOD-type security as it isn't a very sensitive function, is there a way to do this without storing a key in the database for each user ID?

    As an example, I want to take a user id (say '63') and convert it into something onerous (say 'f357fde7ab813c9f872c'), then on the client side be able to simply convert it back into '63'. I don't want to add another field to each user account to contain the hashed value if possible. Make sense?
    For this operation, it really would be much easier to add another column to the user table with the value of the hashed id or username+id combo or something. That way, you will never have to encode/decode and you can do a simple lookup.

    The problem with doing it the way you want is that it will tie the Javascript and PHP together, making them dependent on each other for the encoding/decoding to work the exact same way. It seems like a better solution to leave it on the PHP side because it's not dependent on the client browser.

  4. #4
    SitePoint Zealot
    I actually define the javascript variable in php on my server when it serves the page to the user.

    I guess what I really want is to store a key on my webserver that can be used to encode/decode the variable. Javascript won't do any hashing - it just uses the variable it is given. I am using this to encode a user id so that users can't pretend to be other users and access their account info. The problem is that I can't use session variables with AJAX since it is calling a script that doesn't know who is calling it.

    Is there a function that takes a unique key and then hashes/dehashes the input string according to the key?

  5. #5
    SitePoint Zealot
    Okay... I figured out how to do it. I found an example on php.net and turned it into a class. Here is what I came up with in case anyone else is interested.

    crypt.php:
    Code:
    <?php
    class crypt{
    	var $key;
    
    	function __construct(){
    		$this->key='your long and complex private key goes here';
    	}
    
    	function encrypt($value){
    	
    		/* Open module, and create IV */
    		$td = mcrypt_module_open('des', '', 'ecb', '');
    		$key = substr($this->key, 0, mcrypt_enc_get_key_size($td));
    		$iv_size = mcrypt_enc_get_iv_size($td);
    		$iv = mcrypt_create_iv($iv_size, MCRYPT_RAND);
    		
    		/* Initialize encryption handle */
    		if (mcrypt_generic_init($td, $key, $iv) != -1) {
    		
    			/* Encrypt data */
    			$c_t = mcrypt_generic($td, $value);
    			mcrypt_generic_deinit($td);
    			$c_t = urlencode($c_t);
    
    			/* Clean up */
    			mcrypt_module_close($td);
    			return $c_t;
    		}else{
    			return -1;
    		}
    
    	}
    	
    	function decrypt($value){
    	
    		/* Open module, and create IV */
    		$td = mcrypt_module_open('des', '', 'ecb', '');
    		$key = substr($this->key, 0, mcrypt_enc_get_key_size($td));
    		$iv_size = mcrypt_enc_get_iv_size($td);
    		$iv = mcrypt_create_iv($iv_size, MCRYPT_RAND);
    		
    		/* Initialize encryption handle */
    		if (mcrypt_generic_init($td, $key, $iv) != -1) {
    		
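    			/* Decode the URL-safe form, then decrypt (the handle is already initialized above) */
    			$c_t = urldecode($value);
    			$p_t = mdecrypt_generic($td, $c_t);
    			
    			/* Clean up */
    			mcrypt_generic_deinit($td);
    			mcrypt_module_close($td);
    			
    			/* The cipher pads the plaintext with NUL bytes up to the 8-byte block size; strip them */
    			return rtrim($p_t, "\0");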
    		}else{
    			return -1;
    		}
    	}
    }
    
    ?>
    Usage:

    test.txt:
    Code:
    <?php
    include("crypt.php");
    
    $crypt=new crypt();
    
    $encrypted=$crypt->encrypt("63");
    $decrypted=$crypt->decrypt($encrypted);
    
    echo "Encrypted: ".$encrypted."<br>";
    echo "Decrypted: ".$decrypted;
    ?>
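
Added example, not part of the thread: post #4 asks for a keyed function so that users cannot pretend to be other users, which is an integrity requirement, and encryption alone does not detect a modified token. The sketch below signs the id with HMAC-SHA256 under a server-side key and needs no extra database column; the id stays readable in the token. `SERVER_KEY`, `issue_token()`, `verify_token()` and the token layout are hypothetical, and the key shown is a constructed placeholder.

```php
<?php
// Added example, not code from the thread. In real use the key would be
// 32 bytes from random_bytes(), stored in configuration outside the web root.
const SERVER_KEY = 'constructed-placeholder-key-do-not-reuse';

// Build "id.expiry.mac", where mac = HMAC-SHA256(key, "id.expiry").
function issue_token(int $userId, int $ttl = 900, ?int $now = null): string
{
    $expiry  = ($now ?? time()) + $ttl;
    $payload = $userId . '.' . $expiry;
    return $payload . '.' . hash_hmac('sha256', $payload, SERVER_KEY);
}

// Return the user id if the token is authentic and unexpired, else null.
function verify_token(string $token, ?int $now = null): ?int
{
    // Strict shape check first: digits, digits, 64 lowercase hex characters.
    if (!preg_match('/\A(\d{1,10})\.(\d{1,10})\.([0-9a-f]{64})\z/', $token, $m)) {
        return null;
    }
    $expected = hash_hmac('sha256', $m[1] . '.' . $m[2], SERVER_KEY);
    // hash_equals() compares in constant time, so response timing does not
    // reveal how many leading characters of a guessed MAC were correct.
    if (!hash_equals($expected, $m[3])) {
        return null;
    }
    if ((int) $m[2] < ($now ?? time())) {
        return null; // token lifetime has passed
    }
    return (int) $m[1];
}

// Constructed demonstration with a fixed clock value.
$now   = 1700000000;
$token = issue_token(63, 900, $now);
var_dump(verify_token($token, $now));        // authentic and fresh

// Rewriting the id from 63 to 64 without the key invalidates the MAC.
$forged = '64' . substr($token, 2);
var_dump(verify_token($forged, $now));       // rejected

// The original token is also rejected after its 900-second lifetime.
var_dump(verify_token($token, $now + 901));  // rejected
```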

  6. #6
    kyberfabrikken (SitePoint Wizard)
    Quote Originally Posted by whitemank View Post
    The problem is that I can't use session variables with AJAX since it is calling a script that doesn't know who is calling it.
    Just send the session-id over the query-string, or copy the cookie-headers into the xhr.

    This should give you a starting point:
    http://www.google.com/search?q=php+s...request+cookie

