How is the internal algorithm of PHP encryption and decryption implemented?

When I was learning about URL jump recently, I learned three super easy-to-use PHP encryption and decryption functions, which seem to be in discuz... The reason for using these encryption and decryption is because sometimes someone wants to crack your URL address after it is obtained. The content of the value must know your key. Without the key, it will take a while to know the content of your URL.

Package them into a file and call it fun.php

The code is as follows:

<?php 
function passport_encrypt($txt, $key) { 
srand((double)
microtime
() * 1000000); 
$encrypt_key = md5(rand(0, 32000)); 
$ctr = 0; 
$tmp = &#39;&#39;; 
for($i = 0;$i < strlen($txt); $i++) { 
$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr; 
$tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]); 
} 
return base64_encode(passport_key($tmp, $key)); 
} 
function passport_decrypt($txt, $key) { 
$txt = passport_key(base64_decode($txt), $key); 
$tmp = &#39;&#39;; 
for($i = 0;$i < strlen($txt); $i++) { 
$md5 = $txt[$i]; 
$tmp .= $txt[++$i] ^ $md5; 
} 
return $tmp; 
} 
function passport_key($txt, $encrypt_key) { 
$encrypt_key = md5($encrypt_key); 
$ctr = 0; 
$tmp = &#39;&#39;; 
for($i = 0; $i < strlen($txt); $i++) { 
$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr; 
$tmp .= $txt[$i] ^ $encrypt_key[$ctr++]; 
} 
return $tmp; 
} 
?>

The following are some examples to deepen the understanding of these three encryption and decryption functions. Understand the

code as follows:

//string.php 
<?php 
include
 “fun.php”; 
$txt = “This is a test”; 
$key = “testkey”; 
$encrypt = passport_encrypt($txt,$key); 
$decrypt = passport_decrypt($encrypt,$key); 
echo $txt.”<br><hr>”; 
echo $encrypt.”<br><hr>”; 
echo $decrypt.”<br><hr>”; 
?> 
//array.php 
<?php 
include “fun.php”; 
$array = array( 
"a" => "1", 
"b" => "2", 
"c" => "3", 
"d" => "4" 
); 
//serialize产生一个可存储的值,返回一个
字符串
,unserialize还原 
$txt = serialize($array); 
$key = “testkey”; 
$encrypt = passport_encrypt($txt,$key); 
$decrypt = passport_decrypt($encrypt,$key); 
$decryptArray = unserialize($decrypt); 
echo $txt.”<br><hr>”; 
echo $encrypt.”<br><hr>”; 
echo $decrypt.”<br><hr>”; 
echo $decryptArray.”<br><hr>”; 
?>

The key point is when you want to jump to another URL, but you must ensure that your session is correct Sometimes, you need to do something with the session. It seems that a company has a website and a forum, and there are registration and login in both places, but you don’t want the session to expire when the user jumps to the forum after logging in on the homepage, that is, Log in once and run the entire company

How to handle the user's session

Web pages are stateless. If you want to continue to use the session in a new web page, you need to change the session from Moving one place to another, some people may have thought that I can call it by passing the URL. PHP has a variable for processing sessions, called $_SESSION. So the session that needs to be registered is converted into an array. Well. Then, you can write like this:

The code is as follows:

//login.php 
<?php 
session_start(); 
include “fun.php”; 
$_SESSION[“userid”]; 
$_SESSION[“username”]; 
$_SESSION[“userpwd”]; 
header("Location: http://$domain/process.php?s=".urlencode(passport_encrypt(serialize($_SESSION),"sessionkey"))); 
?>

In the above example, serialize is first used to turn $_SESSION into storable data, and then the data is converted into storable data through passport_encrypt. The reason for adding urlencode to encryption is because when $_SESSION is encrypted, unexpected encoding may occur, so just in case (it turns out to be very effective)

Let’s deal with it first

The code is as follows:

//process.php 
<?php 
session_start(); 
include “fun.php”; 
$_SESSION=unserialize(passport_decrypt($_GET["s"],"sessionkey")); 
header("Location: http://$domain/index.php"); 
?>

First use $_GET["s"] to obtain the parameters of the URL, then use passport_decrypt to decrypt it, and then use unserialize to restore the data to the original data. At this step After processing, your web page can jump freely through the header.

This method also involves security issues. If your url address is obtained by others during the address transmission process, it would be really embarrassing. Although they may not be able to decipher the content in the url. , but people can also directly use this URL address to log in to some of your personal accounts, email accounts, and even bank accounts (of course, few people will write like this, I am an exception, haha). It sounds scary. But in fact, you can jump Transfer the page to cancel the session.

The following is the enhanced version of process.php

The code is as follows:

<?php 
session_start(); 
include_once"fun.php"; 
$_SESSION=unserialize(passport_decrypt($_GET["s"],"sessionkey")); 
if((time()-$_SESSION["TIME"])>30){ 
header("Location: http://$domain/ login.php"); 
unset($_SESSION["USERNAME"]); 
unset($_SESSION["PASSWORD"]); 
} 
else 
header("Location: http://$domain/ index.php"); 
?>

Before writing this file, you must log in Set there

$_SESSION["TIME"] = time();

The reason for setting this is mainly to get the time on both sides. If the jump time exceeds 30 seconds, you You can make it jump to the login.php login page. Customers with slow Internet speeds will be embarrassed, but this also prevents the problem if this URL is obtained by someone and the person does not log in within 30 seconds. Ah, log in again after timeout.

$_SESSION["USERNAME"] and $_SESSION["PASSWORD"] are the username and password that user needs to enter when logging in. The reason for canceling these two sessions is that if your URL is obtained by someone, although that person will jump to the login.php page within more than 30 seconds, those passed sessions are still valid, as long as the URL suffix is ​​login. php is changed to index.php. Then he can log in successfully.

The above is the detailed content of How is the internal algorithm of PHP encryption and decryption implemented?. For more information, please follow other related articles on the PHP Chinese website!