Reputation: 650
I want to send form data via url to another domain in encrypted form
<form action="http://localhost:85/abc/?<?php echo $_POST['name'] ?>" method="POST">
First name:<br>
<input type="text" name="name" placeholder="name">
<input type="submit" value="Submit">
</form>
While searching for a solution I found different ways, but none of them works for me. For example, I found that if I use the GET method in the form then I can send data like this:
<form action="http://localhost:85/abc/?<?php echo $_GET['name'] ?>" method="GET">
It's working, but the problem with this solution is that it doesn't send data in encrypted form, and I can't change my form method from POST to GET because the form is created by a plugin called Caldera Forms. I can only change the form action in it.
As per another solution, I tried to use an action like this:
<form action="http://localhost:85/abc/?<?php echo $_REQUEST['name'] ?>" method="POST">
But this also didn't work for me. Any suggestions on what else I can try? Right now I am testing it on localhost by creating a small form, not with the plugin.
Upvotes: 3
Views: 2325
Reputation: 650
I found a solution to my problem and am sharing it with everyone. This solution works in 4 steps, as follows.
Step 1:
For encryption and decryption, I am using the following functions in my functions.php file.
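// Requires the mcrypt extension (removed from PHP core in 7.2).
function Encryptstr($password, $data)
{
    // 8 salt bytes taken from the raw MD5 of a pseudo-random number
    $salt = substr(md5(mt_rand(), true), 8);
    // Key and IV are both derived from the password and salt with MD5
    $key = md5($password . $salt, true);
    $iv = md5($key . $password . $salt, true);
    $ct = mcrypt_encrypt(MCRYPT_RIJNDAEL_128, $key, $data, MCRYPT_MODE_CBC, $iv);
    // Output layout: "Salted__" header, 8-byte salt, ciphertext
    return base64_encode('Salted__' . $salt . $ct);
}
function Decryptstr($password, $data)
{
    $data = base64_decode($data);
    $salt = substr($data, 8, 8);
    $ct = substr($data, 16);
    $key = md5($password . $salt, true);
    $iv = md5($key . $password . $salt, true);
    // mcrypt zero-pads the last block, so the result may end in NUL bytes
    $pt = mcrypt_decrypt(MCRYPT_RIJNDAEL_128, $key, $ct, MCRYPT_MODE_CBC, $iv);
    return $pt;
}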
I was told that the encryption function can't be performed on the action path of the form directly, so I am using another way for it. I am redirecting the form to a page, and on that page I am encrypting my form field.
Step 2:
First build a simple form like this; in the action of the form I have given the path of the page on which I will perform the encryption.
<form action="http://localhost:85/xyz/" method="POST"> <!-- In action I am giving the path to the page on which I will perform encryption -->
<input type="text" name="fname" placeholder="First Name">
<input type="submit" value="Login">
</form>
Step 3: After the form redirects to this page, I store the data of my form field in a variable and encrypt it as follows:
$name = $_POST['fname']; // fname is the name of the form control (text box)
// Performing encryption on it like this
$encrypt = Encryptstr('myPass123', $name); // Here "myPass123" is the key that will be used to encrypt and decrypt, and "Encryptstr" is the function that I have put in functions.php as shown above.
After encrypting the form data and storing it in a variable ($encrypt), I make another form with hidden fields, but in this form I am using the GET method instead of POST.
<form action="http://localhost:85/abc/" method="GET">
First name:<br>
<input type="hidden" name="fname" value="<?php echo $encrypt; ?>">
<input type="submit" value="Login">
</form>
In the value field of the form's hidden field I used the $encrypt variable, in which I stored the encrypted form of the data earlier. I put it in the value option so that we don't need to enter the value again.
And after clicking the Submit button, the form will send the data to my mentioned page (mentioned in the action of the form).
So this data will be transmitted via the URL, something like this:
http://localhost:85/abc/?fname=sdfhf3jh4jhdfjsdffsf
As you can see, the fname field is encrypted. If I hadn't used encryption, the output would be like this:
http://localhost:85/abc/?fname=Entered_value_by_user
Step 4:
So in the last step I just need to fetch the data from the URL; for that I used the GET method like this. This is the page to which the encrypted data is redirected:
if (isset($_GET['fname'])) // Getting the value of the fname field from the URL via the GET method
{
    $entry = $_GET['fname']; // Storing the value in a variable
    // Decrypting the value using the Decryptstr function, where 'myPass123' is the key that we used to encrypt; the same key is needed to decrypt
    // Escape before output: the decrypted value is user input
    echo 'Result: ' . htmlspecialchars(Decryptstr('myPass123', $entry));
}
Reference: http://heiswayi.github.io/php-encryption-decryption-and-password-hashing.html
Note: This method works very well, but I don't know what level of security this method provides. I had two options for encryption: first using ECB and second using CBC. So I searched on Google to find out which is more secure to use, and I found a good article that describes ECB vs CBC in detail. After reading the article I found that CBC is more secure. That's why I am using CBC.
Upvotes: 0
Reputation: 4497
Revised answer:
If you encrypt your parameter, it is irrelevant whether you pass it as a GET or POST parameter, although I would recommend passing all security-relevant information via POST rather than sending it as part of your query string (which is the part after the question mark in your URL, i.e. Rishabh in http://localhost:85/abc/?Rishabh) because the query string will be visible in the browser history and webserver logs, as discussed here.
Anyways, here are at least two options you have:
If you use an SSL-secured communication ("https://" rather than "http://"), all data, even the query string, will be encrypted and sent to the server, so there is no need to encrypt the parameter manually. There are still ways to intercept the data (man-in-the-middle attacks or faked SSL certificates), but it is a very secure way to transmit data. It requires an SSL certificate (can be self-signed or bought from a so-called "CA authority") on your server. If you are using Linux and Apache, here's an article explaining it; this one explains it for Windows and Apache.
Sender:
<?php
// Requires the mcrypt extension (removed from PHP core in 7.2).
function doEncrypt($encrypt)
{
    $crypt_key = '%{is}§a/G00d+kEy.F0r#3ncRypT!0n';
    // ECB mode does not use an IV; mcrypt ignores the one passed here.
    $iv = mcrypt_create_iv(mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB), MCRYPT_RAND);
    $crypted = mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $crypt_key, $encrypt, MCRYPT_MODE_ECB, $iv);
    $encode = base64_encode($crypted);
    return $encode;
}
$name = 'Rishabh';
$encoded = doEncrypt($name);
?>
<form action="http://localhost:85/abc/?<?php echo $encoded; ?>" method="GET">
Receiver (located inside your abc directory):
function doDecrypt($decrypt)
{
    $crypt_key = '%{is}§a/G00d+kEy.F0r#3ncRypT!0n';
    $decoded = base64_decode($decrypt);
    // ECB mode does not use an IV; mcrypt ignores the one passed here.
    $iv = mcrypt_create_iv(mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB), MCRYPT_RAND);
    $decrypted = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $crypt_key, $decoded, MCRYPT_MODE_ECB, $iv);
    // Strip the NUL bytes mcrypt added as padding ("\0" is the NUL byte)
    return str_replace("\0", '', $decrypted);
}
// The raw query string is exposed in $_SERVER, not in $_REQUEST
$name = doDecrypt($_SERVER['QUERY_STRING']);
Here's a working example with the above functions: phpFiddle.
And here's more info on transmitting form data via curl; encoding and decoding may be done using the mcrypt extension of PHP in a secure manner.
Another remark and explanation of your code:
<form action="http://localhost:85/abc/?<?php echo $_POST['name'] ?>" method="POST">
will output the variable name that has previously been posted as part of a form submit. The parameter will be sent as part of the GET/query string of the form request; all other elements inside the form will be sent as part of a form submit.
<form action="http://localhost:85/abc/?<?php echo $_GET['name'] ?>" method="GET">
will output the variable name that has been passed along as a GET/query string parameter; again it will be part of the query string of the form request. All other form elements will be sent as part of the query string rather than as a form submit.
<form action="http://localhost:85/abc/?<?php echo $_REQUEST['name'] ?>" method="POST">
will output a parameter name that has either been posted via form submit or passed as part of the query string; it will also be part of the query string of the form request. All other form elements will be sent as part of the POST / form data, same as in example 1.
Upvotes: 1
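An added example, not code from either answer above: the Encryptstr/Decryptstr flow and the doEncrypt/doDecrypt pair both rely on the mcrypt extension (removed from PHP core in 7.2) and give the receiver no way to tell whether the value in the URL was modified. This sketch does the same field-to-URL round trip with AES-256-GCM from PHP's openssl extension (PHP 7.1 or later). The function names, the demo key and the use of the field name as associated data are assumptions made for the illustration.

```php
<?php
// Added example, not code from the answers. Assumption: both sites share a 32-byte
// random key kept outside the web root; this constant is a constructed placeholder.
const DEMO_KEY_HEX = '000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f';

// base64url keeps '+', '/' and '=' out of the query string.
function b64url_encode(string $bin): string
{
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

function b64url_decode(string $txt)
{
    $pad = (4 - strlen($txt) % 4) % 4;               // restore the stripped '='
    return base64_decode(strtr($txt, '-_', '+/') . str_repeat('=', $pad), true);
}

// Encrypt one form field. $field is bound as associated data, so a token
// issued for "fname" does not verify under another parameter name.
function seal_field(string $plain, string $field, string $key): string
{
    $nonce = random_bytes(12);                       // fresh 96-bit nonce per token
    $tag = '';
    $ct = openssl_encrypt($plain, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $nonce, $tag, $field);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return b64url_encode($nonce . $tag . $ct);
}

// Returns the plaintext, or null if the token is malformed or was modified.
function open_field(string $token, string $field, string $key): ?string
{
    $raw = b64url_decode($token);
    if ($raw === false || strlen($raw) < 28) {       // 12-byte nonce + 16-byte tag
        return null;
    }
    $pt = openssl_decrypt((string) substr($raw, 28), 'aes-256-gcm', $key, OPENSSL_RAW_DATA,
        substr($raw, 0, 12), substr($raw, 12, 16), $field);
    return $pt === false ? null : $pt;
}

$key = hex2bin(DEMO_KEY_HEX);
$token = seal_field('Rishabh', 'fname', $key);       // sender side
echo 'http://localhost:85/abc/?fname=' . $token, PHP_EOL;
var_dump(open_field($token, 'fname', $key));         // receiver side
$bad = $token;
$bad[20] = ($bad[20] === 'A') ? 'B' : 'A';           // simulate a modified URL
var_dump(open_field($bad, 'fname', $key));           // authentication tag check fails
```

The receiver treats a null result as a rejected request. The token still appears in browser history and server logs like any other query string value.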
Reputation: 83
You have to use PHP encryption methods for encoding and decoding your data. This way you can send data in an encrypted form, and on the other side you have to decrypt the data.
Have a look at http://php.net/manual/en/function.mcrypt-encrypt.php
Upvotes: 0
Reputation: 724
Can't you trigger an event in JavaScript first to encrypt your data? Or you could just submit to another PHP file, and from there you could encrypt and send.
Upvotes: 0