
Obfuscating Post Variables Between Javascript & Php

Ideally I would want to encrypt the variables so there is no way to figure them out, however given that the client will send the variable via javascript and that anything can be de

Solution 1:

If you want to stop people from sniffing your web traffic, use https instead of http.

If there's one thing you should learn, it's that encryption is hard. Really hard. If you try to do it yourself, you're not going to get it right, and will likely make some subtle mistake that could bite you later. It's best to leave encryption to the people who know what they're doing.

Solution 2:

I assume HTTPS is out of the question.

Have you thought about ROT? Stupid simple implementation at least:

var output = "";
for (var i = 0; i < input.length; i++)
{
    // shift each character code by SOME_NUMBER, wrapping at 255
    var code = ( input.charCodeAt(i) + SOME_NUMBER ) % 255;
    output += String.fromCharCode( code );
}

Then, in PHP

$chars = $_POST['chars'];
$output = "";
for($i = 0; $i < strlen($chars); $i++ )
{
    $char = ord($chars[$i]) - SOME_NUMBER;
    if($char < 0 )$char += 255;
    $output .= chr($char);
}

Solution 3:

If you want some strong, PKI encryption on Javascript, you should check jcryption.

Solution 4:

I suggest that AES encryption is a good option. You can find the JavaScript library here https://code.google.com/archive/p/crypto-js/ and the PHP one here https://packagist.org/packages/blocktrail/cryptojs-aes-php

Now on PHP side:

<?php
include "vendor/autoload.php";
use Blocktrail\CryptoJSAES\CryptoJSAES;

$passphrase = "secret";
$text = "example value";

$encrypted = CryptoJSAES::encrypt($text, $passphrase);
echo "Encrypted: ", $encrypted, PHP_EOL;

It outputs:

Encrypted: U2FsdGVkX1/JVv/nS7aExFZiatvG8Lha7MflNsfuLHo=

We take the encrypted code and decrypt it in JavaScript:

<!DOCTYPE html>
<html>
<head>
    <script src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.2/rollups/aes.js"></script>
</head>
<body>
    <script>
      const passphrase = "secret",
            encrypted = "U2FsdGVkX1/JVv/nS7aExFZiatvG8Lha7MflNsfuLHo=",
            decrypted = CryptoJS.AES.decrypt( encrypted, passphrase );
      console.log( decrypted.toString( CryptoJS.enc.Utf8 ) );
    </script>
</body>
</html>

After firing up this HTML in a browser you get in the JavaScript console:

example value

So you can, for example, encrypt sensitive data in PHP, obtain it in the client application with JavaScript, and decrypt it. You can also do it in the opposite direction. Just do not forget to obfuscate the JavaScript and make the secret look like some JavaScript.

Yet you understand that it's not really secure - with considerable effort one can figure out the encryption method, find the secret and uncover the data.
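An added example, not part of the original answer or of either library: the `U2FsdGVkX1...` value above is the OpenSSL-compatible `Salted__` envelope that CryptoJS passphrase mode emits, with key and IV derived from the passphrase by a single MD5-based pass and the body encrypted with unauthenticated AES-256-CBC. The Node.js sketch below reproduces that layout with the built-in `crypto` module; the function names (`evpKdf`, `parseEnvelope`, `encrypt`, `decrypt`) are hypothetical, and the page's ciphertext is only parsed for its structure.

```javascript
const crypto = require("crypto");

// OpenSSL-style EVP_BytesToKey with MD5, one iteration: 32-byte key + 16-byte IV.
function evpKdf(passphrase, salt) {
  let derived = Buffer.alloc(0), block = Buffer.alloc(0);
  while (derived.length < 48) {
    block = crypto.createHash("md5")
      .update(Buffer.concat([block, Buffer.from(passphrase, "utf8"), salt]))
      .digest();
    derived = Buffer.concat([derived, block]);
  }
  return { key: derived.subarray(0, 32), iv: derived.subarray(32, 48) };
}

// Split the envelope: "Salted__" || 8-byte salt || ciphertext.
function parseEnvelope(b64) {
  const raw = Buffer.from(b64, "base64");
  if (raw.subarray(0, 8).toString("latin1") !== "Salted__") {
    throw new Error("not an OpenSSL salted envelope");
  }
  return { salt: raw.subarray(8, 16), body: raw.subarray(16) };
}

function encrypt(text, passphrase) {
  const salt = crypto.randomBytes(8);
  const { key, iv } = evpKdf(passphrase, salt);
  const c = crypto.createCipheriv("aes-256-cbc", key, iv);
  const body = Buffer.concat([c.update(text, "utf8"), c.final()]);
  return Buffer.concat([Buffer.from("Salted__"), salt, body]).toString("base64");
}

function decrypt(b64, passphrase) {
  const { salt, body } = parseEnvelope(b64);
  const { key, iv } = evpKdf(passphrase, salt);
  const d = crypto.createDecipheriv("aes-256-cbc", key, iv);
  return Buffer.concat([d.update(body), d.final()]).toString("utf8");
}

// Value quoted in the answer above; only its layout is inspected here.
const fromPage = parseEnvelope("U2FsdGVkX1/JVv/nS7aExFZiatvG8Lha7MflNsfuLHo=");
console.log("salt bytes:", fromPage.salt.length, "ciphertext bytes:", fromPage.body.length);
// Constructed round trip using the answer's sample text and passphrase.
console.log(decrypt(encrypt("example value", "secret"), "secret"));
```

Nothing in the envelope is secret except the passphrase, and there is no MAC, so the scheme protects the data only from parties who never see the page's JavaScript.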
