1

I want to know how to encrypt the URL on Apache/PHP?

For example:

www.example.com/how-to-encrypt.html

to

www.example.com/DMQRzZWMDdGQtbndzBHNsawN0aXRsZQR0ZXN0AzcwMQR3b2UDMjQwMjEwNQ

This kind of URL is also seen on Yahoo, as in this link:

us.yahoo.com/_ylt=As6pPqj3t7OBn2LQbZCUU7abvZx4;_ylu=X3oDMTVocThw330824863

I want to know how to do this. Is it done through JavaScript, PHP or Apache?

rakeb.mazharul
Adel Agoudjil

3 Answers

1

You're probably looking for Apache mod_rewrite together with PHP. That URL isn't (and wasn't meant to be) encrypted, it's probably just a key that redirects to a database on Yahoo! servers. See this article.

Yuval
  • not an answer to the question. Regardless of the example the OP is giving, at the end of the day the OP needs to know how to encrypt a URL. – Chase Florell Mar 03 '12 at 01:52
  • 1
    "encrypt a URL" is a misnomer. Maybe the OP should specify whether they need the technology to generate software-driven URLs, to generate hash codes, or both. – Yuval Mar 03 '12 at 02:16
0

It's best to perform security operations at the database level. Here is how to perform MySQL database operations using PHP: PHP Database Operations with MySQL. Then, you have access to all of the database operations related to security, such as: Encryption and Compression Functions. Thus, you can generate the string in the database and pass a token in a URL parameter to the user. It is best to also pass another parameter, such as a username, into the URL to reduce security risk. Upon client response, you just grab the parameters from the URL and validate the user. Be sure to sanitize and validate input before performing the database operation. Sanitize and validate before assuming data is safe.

And for information, you should never use JavaScript to perform important security operations, at least not without seriously evaluating the risks and alternative options. (Any hacker will see your entire security logic in the JavaScript code.)

Notice that you can grab the _ylt & _ylu parameters from this URL:

  • us.yahoo.com/_ylt=As6pPqj3t7OBn2LQbZCUU7abvZx4;_ylu=X3oDMTVocThw330824863

Those parameters are what you will grab for your database operation. You could use these in a particular page like this:

  • us.yahoo.com/myPage/_ylt=As6pPqj3t7OBn2LQbZCUU7abvZx4;_ylu=X3oDMTVocThw330824863
Community
devinbost
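
The approach in the first two answers (an opaque key in the URL that the server looks up in a database, bound to a username) can be sketched as follows. This is an added example, not code from either answer; the `url_tokens` table, the function names and the `/t/` path prefix are assumptions, and it uses PDO with in-memory SQLite rather than MySQL so that it runs stand-alone.

```php
<?php
declare(strict_types=1);

// Assumed schema (not from the page): one row per issued token.
function createTables(PDO $db): void {
    $db->exec('CREATE TABLE url_tokens (
        token_hash TEXT PRIMARY KEY, username TEXT NOT NULL,
        target TEXT NOT NULL, expires_at INTEGER NOT NULL)');
}

// Issue an unguessable token for a real path; only its SHA-256 is stored,
// so a leaked table does not reveal usable tokens.
function issueToken(PDO $db, string $username, string $target, int $ttl = 3600): string {
    // 32 random bytes -> 43 URL-safe Base64 characters once padding is stripped.
    $token = rtrim(strtr(base64_encode(random_bytes(32)), '+/', '-_'), '=');
    $stmt = $db->prepare('INSERT INTO url_tokens VALUES (?, ?, ?, ?)');
    $stmt->execute([hash('sha256', $token), $username, $target, time() + $ttl]);
    return $token;
}

// Resolve a token taken from the request; returns the real path or null.
function resolveToken(PDO $db, string $username, string $token): ?string {
    if (!preg_match('/\A[A-Za-z0-9_-]{43}\z/', $token)) {
        return null; // reject malformed input before touching the database
    }
    $stmt = $db->prepare('SELECT target FROM url_tokens
        WHERE token_hash = ? AND username = ? AND expires_at > ?');
    $stmt->execute([hash('sha256', $token), $username, time()]);
    $target = $stmt->fetchColumn();
    return $target === false ? null : $target;
}

// Constructed demo data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
createTables($db);
$token = issueToken($db, 'alice', '/how-to-encrypt.html');
echo "https://www.example.com/t/$token\n";
var_dump(resolveToken($db, 'alice', $token));              // issued token, right user
var_dump(resolveToken($db, 'mallory', $token));            // same token, different user
var_dump(resolveToken($db, 'alice', str_repeat('A', 43))); // well-formed but never issued
```

The token carries no information about the target, so nothing in the URL needs to be decrypted; a mod_rewrite rule would only have to route the token segment to the script that calls `resolveToken`.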
-4

I'm not a PHP guy, but a quick Google Search brought me to this link.

```php
// Requires the mcrypt extension (deprecated in PHP 7.1, removed in PHP 7.2).
class Encryption {
    var $skey   = "SuPerEncKey2010"; // you can change it

    // Base64 with a URL-safe alphabet ('+' -> '-', '/' -> '_') and the '=' padding stripped.
    public  function safe_b64encode($string) {

        $data = base64_encode($string);
        $data = str_replace(array('+','/','='),array('-','_',''),$data);
        return $data;
    }

    // Restore the standard alphabet and the '=' padding before decoding.
    public function safe_b64decode($string) {
        $data = str_replace(array('-','_'),array('+','/'),$string);
        $mod4 = strlen($data) % 4;
        if ($mod4) {
            $data .= substr('====', $mod4);
        }
        return base64_decode($data);
    }

    public  function encode($value){

        if(!$value){return false;}
        $text = $value;
        // ECB mode does not use an IV, so the random value created here has no effect.
        $iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB);
        $iv = mcrypt_create_iv($iv_size, MCRYPT_RAND);
        $crypttext = mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $this->skey, $text, MCRYPT_MODE_ECB, $iv);
        return trim($this->safe_b64encode($crypttext));
    }

    public function decode($value){

        if(!$value){return false;}
        $crypttext = $this->safe_b64decode($value);
        $iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB);
        $iv = mcrypt_create_iv($iv_size, MCRYPT_RAND);
        $decrypttext = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $this->skey, $crypttext, MCRYPT_MODE_ECB, $iv);
        // trim() removes the zero padding added by mcrypt (and any whitespace at the ends of the text).
        return trim($decrypttext);
    }
}
```

and the usage

```php
$this->encrypt->encode('Your data');
$this->encrypt->decode('Your encrypted data');
```
Chase Florell
  • The encrypt *and* decrypt both create a random IV? How is that ever going to work? The string is not padded in advance (defaulting to zero padding, it seems), and ECB mode is used instead of CBC. That's an awful lot of things that are wrong with this answer. – Maarten Bodewes Mar 03 '12 at 23:32
  • Oh, forgot about directly using a string as a key. – Maarten Bodewes Mar 03 '12 at 23:34
  • @owlstead it all depends on the amount of cryptography needed. If the OP is securing banking info, sure this isn't the best way. If the OP is simply hiding a true URL, it'll work fine. Also, more of the point to the answer is that spending a little time searching will generate results before the need to ask a question on SO. – Chase Florell Mar 04 '12 at 03:44
  • I was dreading the response to the rather harsh comments I made, especially the one you are giving me now. The problems inherent in the source code are the reason why you *shouldn't* just google up an example that isn't part of a cryptographic framework. Almost all sample code out there is faulty regarding security. Personally, I don't think you should point to such a flawed implementation *ever* unless you are really sure that a very low security level is required by the asker. – Maarten Bodewes Mar 04 '12 at 13:09
  • You may be right. As I said, I'm not a php guy. When I did my search, I didn't test the code, I read the comments (all positive) and read through what I could. Seeing that it's using `RIJNDAEL_256` tells me more good than bad. I would of course not store the key IN the code, but the OP is simply asking how to take `how-to-encrypt.html` and turn it into something like `DMQRzZWMDdGQtbndzBHNsawN0aXRsZQR0ZXN0AzcwMQR3b2UDMjQwMjEwNQ`, and to me, this should work based on the above comments and my observations. I see in your profile that you're a security guy, I'll be happy to upvote your answer. – Chase Florell Mar 04 '12 at 15:32
  • 1
    I can't post because I don't know the use case yet. It depends completely on what the asker is trying to achieve. Encryption is commonly referred to while hashing is actually meant, and the security depends on the use case as well, e.g. a client/server scheme without integrity controls is likely susceptible to (padding) oracle attacks, lowering the security to 128 * #cipher text - nothing at all in other words. – Maarten Bodewes Mar 04 '12 at 16:52
  • "OpenSSL - this library has existed for as long as I can remember and the documentation is still full of holes", @MaartenBodewes, you are beauty! – rakeb.mazharul Jun 03 '15 at 07:58
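
As an added example (not part of the original answer or its comments), here is the same URL-segment idea with the problems raised in the comments addressed: a random 32-byte key instead of a string, a fresh nonce stored with the ciphertext, and an authentication tag checked on decode. It swaps mcrypt for libsodium's secretbox (XSalsa20-Poly1305, bundled with PHP 7.2+); `sealPath` and `openPath` are hypothetical names.

```php
<?php
declare(strict_types=1);

// URL-safe Base64 without padding, the same output alphabet as safe_b64encode().
const B64 = SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING;

// Encrypt and authenticate a path; the result is safe to use as a URL segment.
function sealPath(string $path, string $key): string {
    // Fresh random nonce per message. It is not secret and travels with the ciphertext,
    // so the decoding side uses the same value instead of generating a new one.
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box = sodium_crypto_secretbox($path, $nonce, $key);
    return sodium_bin2base64($nonce . $box, B64);
}

// Returns the original path, or null if the segment is malformed or was modified.
function openPath(string $segment, string $key): ?string {
    try {
        $raw = sodium_base642bin($segment, B64);
    } catch (SodiumException $e) {
        return null; // not valid URL-safe Base64
    }
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if (strlen($raw) < $min) {
        return null; // too short to hold a nonce and an authentication tag
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($box, $nonce, $key);
    return $plain === false ? null : $plain; // false means the tag did not verify
}

// Constructed demo. In a real deployment the key is generated once and loaded
// from configuration outside the web root, not created per request.
$key = sodium_crypto_secretbox_keygen();
$seg = sealPath('how-to-encrypt.html', $key);
echo "https://www.example.com/$seg\n";
var_dump(openPath($seg, $key));                  // untouched segment

$bad = $seg;
$bad[30] = ($seg[30] === 'A') ? 'B' : 'A';       // flip one character of the segment
var_dump(openPath($bad, $key));                  // modified segment
var_dump(openPath('not*base64', $key));          // malformed segment
```

Because decoding fails the same way for every modified segment, the server gives a client no padding-related signal to probe, which is the integrity concern raised in the comments.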