Problem with encoded/encrypted GET string

Kylotan

My application does the following:

Takes a string and encrypts it. This means it contains characters lower than 32 and hence unprintable.

rawurlencode()s it, and appends it to a URL to make a querystring/GET request.

I send this off as a CURL command:
$cl = curl_init();
curl_setopt ($cl, CURLOPT_URL, $getURL);
curl_setopt ($cl, CURLOPT_HEADER, 1);
curl_setopt ($cl, CURLOPT_RETURNTRANSFER, 1);
curl_setopt ($cl, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt ($cl, CURLOPT_TIMEOUT, 120);
$result = curl_exec ($cl);

On the other page which is the target of the URL, I check the appropriate GET variable to retrieve this value. The problem is that whereever the original encrypted and rawurlencoded string contained %00 (ie. ascii character zero), the GET variable now contains \0 (ie. 2 characters showing the C escape-code representation of character zero). In turn, this means that decrypting this string will not work as it has been altered from the original. Rawurldecoding this string doesn't change the "\0" back to "%00", either.

What is likely to be the cause of this, and how can I get around or fix it?

bad76

why don't try with addslashes / stripslashes instead of urlencode / urldecode ?

see you

Kylotan

Originally posted by bad76
Hi

why don't try with addslashes / stripslashes instead of urlencode / urldecode ?

I need urlencode because it's going in a url. I can apparently do without urldecode, but I can't rely on stripslashes as there might be slashes in there that I don't necessarily want to strip, and I can't force an addslashes on the sending side because I'm not always in control of the sending side. What I really want is for the GET variable to not be changed to \0.

bad76

And if
first of send add any value at every byte, like 32?
is unsafe?

Kylotan

I'm not sure exactly what you're trying to say. I can't control what is sent. It's a GET string that contains a string of numbers from zero to 255, urlencoded.

bad76

:eek: ah, i have understand lower than 32.

If you can't control what is sent is more complex.
The only secure way is to modify data sent.

Getting data you can try some solution with str_replace("\0", "%00", getURL); but i don't have any other ideas, sorry.🙁

bad76

Ok.
The problem is a PHP.INI variable, magic_quotes_gpc that is on.
If put off all work. I have tried it on my server.

Else we can hand-convert the four addslashed symbol: \0 \' \" \

Look these files:

1) test.php

<?
$Test="My name is \"mine\"½".chr(131).chr(136);

$GetURL="";
for($i=0; $i<20; $i++) // encrypt function: just sub "a" value.
                                   // to decrypt just add "a" value.
	$GetURL.=chr(ord(substr($Test,$i,1))-ord("a"));

$GetURL=rawurlencode($GetURL);
Header("Location: send.php?GetURL=".$GetURL);
?>

2) send.php

<?
echo "My name is \"mine\"½".chr(131).chr(136);
$GetURL=rawurldecode($GetURL);
echo "<BR>".$GetURL;
for($i=0; $i<24; $i++){
	$c=substr($GetURL,$i,1);
	if($c=="\\\\"){                        // The convert function
		$i++;
		$c=substr($GetURL,$i,1);
		if($c=="0") $c=chr(0);
	} //The decrypt function
	$Test.=chr(ord($c)+ord("a"));
}
echo "<BR>".$Test;
?>

The first make a string, crypt, rawurlencode and send to second.
The second receive, rawurldecode, CONVERT escaped char, decrypt and output.

All work fine on my server.

I hope that a good solution for you.

See you.

Kylotan

Ok, thanks. I may have to use that solution, if I can't convince the other people to consider sending it as a hexadecimal string instead. 🙂