PHP encryption and decryption internal algorithm

Pack them into a file and call it fun.php

<?php 
function passport_encrypt($txt, $key) { 
srand((double)microtime() * 1000000); 
$encrypt_key = md5(rand(0, 32000)); 
$ctr = 0; 
$tmp = &#39;&#39;; 
for($i = 0;$i < strlen($txt); $i++) { 
$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr; 
$tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]); 
} 
return base64_encode(passport_key($tmp, $key)); 
} 

function passport_decrypt($txt, $key) { 
$txt = passport_key(base64_decode($txt), $key); 
$tmp = &#39;&#39;; 
for($i = 0;$i < strlen($txt); $i++) { 
$md5 = $txt[$i]; 
$tmp .= $txt[++$i] ^ $md5; 
} 
return $tmp; 
} 

function passport_key($txt, $encrypt_key) { 
$encrypt_key = md5($encrypt_key); 
$ctr = 0; 
$tmp = &#39;&#39;; 
for($i = 0; $i < strlen($txt); $i++) { 
$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr; 
$tmp .= $txt[$i] ^ $encrypt_key[$ctr++]; 
} 
return $tmp; 
} 
?>

The following are some examples to deepen your understanding of these three encryption and decryption functions

//string.php 
<?php 
include “fun.php”; 

$txt = “This is a test”; 
$key = “testkey”; 
$encrypt = passport_encrypt($txt,$key); 
$decrypt = passport_decrypt($encrypt,$key); 

echo $txt.”<br><hr>”; 
echo $encrypt.”<br><hr>”; 
echo $decrypt.”<br><hr>”; 
?> 

//array.php 
<?php 
include “fun.php”; 

$array = array( 
"a" => "1", 
"b" => "2", 
"c" => "3", 
"d" => "4" 
); 
//serialize产生一个可存储的值,返回一个字符串,unserialize还原 
$txt = serialize($array); 
$key = “testkey”; 
$encrypt = passport_encrypt($txt,$key); 
$decrypt = passport_decrypt($encrypt,$key); 
$decryptArray = unserialize($decrypt); 

echo $txt.”<br><hr>”; 
echo $encrypt.”<br><hr>”; 
echo $decrypt.”<br><hr>”; 
echo $decryptArray.”<br><hr>”; 
?>

The key point is when you want to jump to another URL, but To ensure that your session is correct, you need to process the session. It seems that a company has a website and a forum, with registration and login in both places, but it does not want users to jump to the forum after logging in on the homepage. When the session expires, that is, logging in once to run the entire company

How to handle the user's session?

Web pages are stateless. If you want to continue to use the session in a new web page, you need to change the session from one Move the place to another place. Some people may have thought that I can call it by passing the URL. PHP has a variable for processing sessions called $_SESSION. So convert the session that needs to be registered into an array. .Then, you can write like this:

//login.php 
<?php 
session_start(); 
include “fun.php”; 
$_SESSION[“userid”]; 
$_SESSION[“username”]; 
$_SESSION[“userpwd”]; 

header("Location: http://$domain/process.php?s=".urlencode(passport_encrypt(serialize($_SESSION),"sessionkey"))); 
?>

In the above example, serialize is first used to turn $_SESSION into storable data, and then the data is encrypted through passport_encrypt. The reason for adding urlencode is because when $_SESSION is encrypted, there may be Like an unexpected encoding, so just in case (it turns out to be very effective)

Let’s deal with it first

//process.php 
<?php 
session_start(); 
include “fun.php”; 
$_SESSION=unserialize(passport_decrypt($_GET["s"],"sessionkey")); 
header("Location: http://$domain/index.php"); 
?>

First use $_GET["s"] to get the parameters of the URL, then use passport_decrypt to decrypt it, and then use unserialize to The data is restored to the original data. After this step of processing, your web page can jump freely through the header.

This method also involves security issues. If your url address is obtained by others during the address transmission process, it would be really embarrassing. Although people may not be able to decipher the content in the url, they can also You can directly use this URL address to log in to some of your personal accounts, email accounts, and even bank accounts (of course, few people will write this, except me, haha). It sounds scary. But in fact, you can cancel on the jump page. session processing.

The following is the enhanced version of process.php

<?php 
session_start(); 
include_once "fun.php"; 
$_SESSION=unserialize(passport_decrypt($_GET["s"],"sessionkey")); 
if((time()-$_SESSION["TIME"])>30){ 
header("Location: http://$domain/ login.php"); 
unset($_SESSION["USERNAME"]); 
unset($_SESSION["PASSWORD"]); 
} 
else 
header("Location: http://$domain/ index.php"); 
?>

Before writing this file, you have to set it on the login side

$_SESSION["TIME"] = time();


The reason for setting this The main thing is to get the time on both sides. If the jump time exceeds 30 seconds, you can let it jump to the login.php login page. Customers with slow network speed will be embarrassed, but this also prevents if this URL is blocked. If the person does not log in within 30 seconds, then sorry, timeout and log in again.

$_SESSION["USERNAME"] and $_SESSION["PASSWORD"] are the user logins. The username and password that need to be entered are required. The reason for canceling these two sessions is because if your URL is obtained by someone, although that person will jump to the logon.php page within more than 30 seconds, the session that was passed It is still valid, just change the url suffix login.php to index.php. Then he will still log in successfully.

For more articles related to PHP encryption and decryption internal algorithms, please pay attention to the PHP Chinese website!