Create a php encoding and decoding method



In this article I’ll try to write a bit about how to properly create an encoding and decoding method that lets you pass information even in plain sight while keeping it reasonably secure. There are plenty of methods out there, and all are based more or less on the same ideas. There are also PHP functions like base64_encode / base64_decode that do exactly this, but they can’t really be relied on when passing information from one section to another, since anyone can decode a base64 string.

So what does everyone suggest we do? Use something that I (and others) call a “salt”: a completely random string that is used when encoding something, and which you also need to know in order to decode the same string. So if the encoded value is in plain sight, you can’t really decode it, since you don’t know how it was encoded or what salt was used.

Creating the encoding method

I’ve seen a lot of ways to do this and all of them are fine really, but I decided to use a combination of the following functions:

  • base64_encode / base64_decode (you will see further why I use it)
  • mcrypt functions to encrypt / decrypt the string

I’ll be using MCRYPT_RIJNDAEL_256 as the cipher and MCRYPT_MODE_ECB as the mode, along with a small IV size. Regarding the IV, I can’t really say much, but here’s a description from php.net:

Used for the initialization in CBC, CFB, OFB modes, and in some algorithms in STREAM mode. If you do not supply an IV, while it is needed for an algorithm, the function issues a warning and uses an IV with all its bytes set to “\0”.

Example of such an encoding method:

What you need to be careful about here is that you must pass a string to this method. So if you wish to encode an array, you probably want to call it something like:

I’ve also added a time value, so that, for example, this string would expire within 24 hours. You do need to think about security when doing things like this: if you want to use the encoded strings in plain sight, then you should have them expire after some time.

Creating the decoding method

The decoding method simply does things in reverse, again using just the two functions I’ve already used. So for example, if I want to decode a string, I would use something like:

You would need to call it like so:

And if you encoded something like an array, you can use the json_decode() function on the decoded string.

And from here you can play with your own code, do checks in case you use an expiry time on it, and so on. I had to use something similar when I was playing with a SignOn feature from two different locations: you can’t really pass sessions like that, so you would need to pass credentials / details directly via the browser.
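Since the mcrypt extension was removed in PHP 7.2, and ECB mode neither uses the IV nor detects tampering with the ciphertext, here is an added example (not the article’s own code) of the encode / decode scheme from the two sections above built on PHP’s bundled sodium extension: a secret key standing in for the article’s “salt”, an expiry timestamp wrapped with the JSON payload, an authenticated cipher, and base64 on the outside. It assumes PHP 7.2 or later; the key is generated inline only for the demo.

```php
<?php
// Added example, not from the original article. Assumes PHP >= 7.2 with the
// bundled sodium extension. The article's "salt" is a secret key here.
// Generate the key once and store it server-side (e.g. in an environment
// variable); this inline key is only for the demo.
$key = sodium_crypto_secretbox_keygen();

// Encode: wrap the array with an expiry timestamp, encrypt-and-authenticate,
// then base64 so the token is safe in a URL or hidden form field.
function encode_payload(array $data, string $key, int $ttl = 86400): string
{
    $envelope = json_encode(['data' => $data, 'exp' => time() + $ttl]);
    // A fresh random nonce per message; it is public and travels with the token.
    $nonce  = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $cipher = sodium_crypto_secretbox($envelope, $nonce, $key);
    return sodium_bin2base64($nonce . $cipher, SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
}

// Decode: return the array, or null if the token is malformed, tampered
// with, encrypted under another key, or past its expiry.
function decode_payload(string $token, string $key): ?array
{
    try {
        $raw = sodium_base642bin($token, SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
    } catch (SodiumException $e) {
        return null; // not valid base64
    }
    if (strlen($raw) <= SODIUM_CRYPTO_SECRETBOX_NONCEBYTES) {
        return null; // too short to hold a nonce and a ciphertext
    }
    $nonce  = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $cipher = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain  = sodium_crypto_secretbox_open($cipher, $nonce, $key);
    if ($plain === false) {
        return null; // authentication failed: modified token or wrong key
    }
    $envelope = json_decode($plain, true);
    if (!is_array($envelope) || !isset($envelope['exp']) || $envelope['exp'] < time()) {
        return null; // expired or malformed envelope
    }
    return $envelope['data'];
}

$token = encode_payload(['user' => 'alice', 'role' => 'editor'], $key);
var_dump(decode_payload($token, $key));            // the original array
// Flip one character of the token: authentication fails, so we get null.
$tampered = $token;
$tampered[5] = ($tampered[5] === 'A') ? 'B' : 'A';
var_dump(decode_payload($tampered, $key));         // NULL
```

Anything that fails authentication or has expired comes back as null, so the caller only ever sees payloads that were produced with the key and are still within their lifetime.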

One thing you need to keep in mind, though: while this seems pretty secure, a hacker will probably find ways to break a script or similar. In the end nothing is really secure. With this in mind, pass strictly the information you need in plain sight; the rest should be done on the server side where, presumably, no one has access.

That’s it for now, see you again in our next tutorial.
