This article shows how to use PHP to encrypt the parameters carried in a URL before they are transmitted, to improve website security.
When submitting data with PHP through GET or POST, parameters are often passed in the URL, for example www.mdaima.com/get.php?id=1&page=5, where the id and the page number are the parameters. If they are transmitted in clear text, the parameters are directly exposed to the user. For more important data, I think it is not safe to transmit them like this. Would it be better if the parameters were changed to the following?
```
www.mdaima.com/get.php?VGsAYQ96VzkEaF08DTxTLQIyDmsBIQtnVj0Fe1ciAD0EN1M0X2MHMQYxDDcAOwI%2FXToBPVM5ADxfag%3D%3D
```
Let's strengthen it further by renaming get.php to get_mb.php and then using a pseudo-static rewrite rule to map get.html to get_mb.php. Even if a user tries to access get.php, they will not find the real PHP file, because the real file is not get.php but get_mb.php. The .htaccess rule is as follows:
```
# .htaccess pseudo-static rule (just add it to .htaccess)
RewriteRule ^get\.html$ get_mb.php?&%{QUERY_STRING}
```

The address then looks like this:

```
www.mdaima.com/get.html?VGsAYQ96VzkEaF08DTxTLQIyDmsBIQtnVj0Fe1ciAD0EN1M0X2MHMQYxDDcAOwI%2FXToBPVM5ADxfag%3D%3D
```
That already looks a lot better in comparison. So how are the parameters encrypted and decrypted? See the following functions (no need to read them closely; just take them and use them, and focus on how they are called):
```php
//--------------- Encryption functions below (just copy them over) -----------------
// XOR $txt with the MD5 hex digest of the key, repeating the digest as needed.
function keyED($txt,$encrypt_key){
    $encrypt_key = md5($encrypt_key);
    $ctr=0;
    $tmp = "";
    for($i=0;$i<strlen($txt);$i++)
    {
        if ($ctr==strlen($encrypt_key))
            $ctr=0;
        $tmp.= substr($txt,$i,1) ^ substr($encrypt_key,$ctr,1);
        $ctr++;
    }
    return $tmp;
}

// Interleave each character of a random MD5 string with the XORed text, then apply keyED().
function encrypt($txt,$key)
{
    $encrypt_key = md5(mt_rand(0,100));
    $ctr=0;
    $tmp = "";
    for ($i=0;$i<strlen($txt);$i++)
    {
        if ($ctr==strlen($encrypt_key))
            $ctr=0;
        $tmp.=substr($encrypt_key,$ctr,1) . (substr($txt,$i,1) ^ substr($encrypt_key,$ctr,1));
        $ctr++;
    }
    return keyED($tmp,$key);
}

// Reverse of encrypt(): undo keyED(), then XOR each character pair.
function decrypt($txt,$key){
    $txt = keyED($txt,$key);
    $tmp = "";
    for($i=0;$i<strlen($txt);$i++)
    {
        $md5 = substr($txt,$i,1);
        $i++;
        $tmp.= (substr($txt,$i,1) ^ $md5);
    }
    return $tmp;
}

function encrypt_url($url,$key){
    return rawurlencode(base64_encode(encrypt($url,$key)));
}

function decrypt_url($url,$key){
    return decrypt(base64_decode(rawurldecode($url)),$key);
}

// Decrypt the query string and split it into a name => value array.
function geturl($str,$key){
    $str = decrypt_url($str,$key);
    $url_array = explode('&',$str);
    $vars = array(); // always return an array, even for empty input
    if (is_array($url_array))
    {
        foreach ($url_array as $var)
        {
            $var_array = explode("=",$var);
            $vars[$var_array[0]] = isset($var_array[1]) ? $var_array[1] : '';
        }
    }
    return $vars;
}

$key_url_md_5 = 'mdaima.com-123-scc'; // Can be replaced with any other secret key of your choice
//--------------- End of encryption functions (just copy them over) -----------------
```
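The above are the key encryption and decryption functions. Now let's look at how to call them. As an example, we encrypt the id and page parameters in a form's action together with a timestamp. This way the link address is different every time, and the receiving page can enforce an expiry time on the link.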
```php
<form id="form1" name="form1" method="post" action="?<?=encrypt_url("id=1&page=5"."&time=".time(),$key_url_md_5)?>" enctype="multipart/form-data">
```
That is how to encrypt the parameters. Now let's see how to decrypt the received parameters:
```php
$url_info = geturl($_SERVER['QUERY_STRING'],$key_url_md_5); // receive all parameters
$page=$url_info['page']; // decrypted parameter
$id=$url_info['id'];
$time=$url_info['time']; // the timestamp: use it to check when the link was generated and whether it has expired (ignore it if not needed)
```
This gives us the decrypted $page and $id parameters. Give it a try, and feel free to contact me if you have any problems!
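The functions above XOR the text with a repeating MD5-derived key and carry no integrity check, so the receiving page cannot tell a modified string from a genuine one. The following is an added example, not code from the original article: it keeps the same idea (encrypted parameters plus a timestamp) but uses AES-256-GCM from PHP's OpenSSL extension, so modified or expired links are rejected. The function names, the 600-second lifetime and the randomly generated demo key are assumptions.

```php
<?php
// Added example, not the article's code. Names and the 600 s lifetime are assumptions.
function b64url_encode(string $bin): string {
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

// Encrypt the parameters plus an issue timestamp with AES-256-GCM.
function seal_params(array $params, string $key, ?int $now = null): string {
    $params['time'] = $now ?? time();
    $nonce = random_bytes(12);   // fresh 96-bit nonce for every token
    $ct = openssl_encrypt(http_build_query($params), 'aes-256-gcm', $key,
                          OPENSSL_RAW_DATA, $nonce, $tag);
    return b64url_encode($nonce . $tag . $ct);
}

// Returns the parameters, or null when the token is malformed, modified or too old.
function open_params(string $token, string $key, int $maxAge = 600, ?int $now = null): ?array {
    $raw = base64_decode(strtr($token, '-_', '+/'), true);
    if ($raw === false || strlen($raw) <= 28) {   // 12-byte nonce + 16-byte tag
        return null;
    }
    $plain = openssl_decrypt(substr($raw, 28), 'aes-256-gcm', $key, OPENSSL_RAW_DATA,
                             substr($raw, 0, 12), substr($raw, 12, 16));
    if ($plain === false) {                       // authentication tag mismatch
        return null;
    }
    parse_str($plain, $params);
    $age = ($now ?? time()) - (int)($params['time'] ?? 0);
    return ($age >= 0 && $age <= $maxAge) ? $params : null;
}

// Constructed demo. In production, load a fixed 32-byte key from configuration.
$key   = random_bytes(32);
$token = seal_params(['id' => 1, 'page' => 5], $key);
var_dump(open_params($token, $key));                      // genuine token

$bad = $token;
$bad[20] = ($bad[20] === 'A') ? 'B' : 'A';                // one character changed
var_dump(open_params($bad, $key));

var_dump(open_params($token, $key, 600, time() + 3600));  // checked one hour later
```

On the receiving page, pass the raw query string to open_params() and treat a null result as an invalid request rather than falling back to default values.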
Reprinted from: http://www.mdaima.com/jingyan/36.html