I've written a PHP script that outputs HTML text for the user to plug in to their site. I want to encrypt that HTML text so that the URLs are not revealed or changed in any way.

urlencode is not going to do the trick. I've seen PayPal do this with their payment buttons.

The output is something completely unrecognizable, such as:

fsdoiisfjdadjsojiosfsdjsdl
sfjjjfsdfjasofjosfjiosjfiso

Yet, you plug it into your website, and you've got your payment button.

How the heck is that done? My guess would be that there is a bit of script just before the encrypted text that directs the browser to the decryption script on the PayPal server. 😕

Anyhow, I would prefer a simple solution. Are there any PHP ideas on how to encrypt a block of html that will still be readable on another browser? Or do you think this is a JavaScript question?

    Firstly, urlencode just converts certain characters into characters that are 'safe' to include in urls - it's not anything to do with encryption or obfuscation.

    I think it's a JavaScript question - the client side code would be some JavaScript function applied to each character, for example convert each char to its hex equivalent, and add one. Then the onload event would decrypt back.

      I think what PayPal do is store some information in an encoded form, then cryptographically sign that information so it's safe from tampering.

      You could do that quite easily, for example, urlencode your data into a string and add some kind of signed hash.

      When the user clicks to the URL and returns to your site (or someone else's), you can perform the same check again and ensure that the data have not had unauthorised modifications.

      In the case of using an asymmetrically signed hash, you would have to use a different key from the pair for the encryption / decryption, meaning that someone would be able to verify that the data were valid without needing your private key, but wouldn't be able to construct their own arbitrary data.

      Mark
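The signing approach described in the reply above, as an added example that is not part of the original thread: a Node.js sketch of URL-encoded data with a signed hash (HMAC-SHA256), plus the asymmetric variant where the public key can verify but not sign. The function names, field names, secret and keys are constructed for illustration; the fields stay readable, and only tampering is detected.

```javascript
const crypto = require('crypto');

// HMAC variant: one shared secret both signs and verifies (server-side only).
function signParams(params, secret) {
  const payload = new URLSearchParams(params).toString(); // URL-encoded fields
  const tag = crypto.createHmac('sha256', secret).update(payload).digest('hex');
  return payload + '&sig=' + tag;
}

// Returns the parsed fields if the tag matches, otherwise null.
function verifyParams(signed, secret) {
  const idx = signed.lastIndexOf('&sig=');
  if (idx === -1) return null;
  const payload = signed.slice(0, idx);
  const given = Buffer.from(signed.slice(idx + 5), 'hex');
  const expected = crypto.createHmac('sha256', secret).update(payload).digest();
  // timingSafeEqual throws on unequal lengths, so check the length first.
  if (given.length !== expected.length) return null;
  if (!crypto.timingSafeEqual(given, expected)) return null;
  return Object.fromEntries(new URLSearchParams(payload));
}

// Asymmetric variant: the private key signs, the public key only verifies.
function signWithPrivateKey(payload, privateKey) {
  return crypto.sign(null, Buffer.from(payload), privateKey).toString('hex');
}

function verifyWithPublicKey(payload, sigHex, publicKey) {
  return crypto.verify(null, Buffer.from(payload), publicKey, Buffer.from(sigHex, 'hex'));
}

// Constructed sample data and keys, for illustration only.
const DEMO_SECRET = 'constructed-demo-secret';
const DEMO_FIELDS = { item: 'widget-42', price: '19.99', return: '/downloads/thanks.php' };
const DEMO_KEYS = crypto.generateKeyPairSync('ed25519');
```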

        Let me get this straight - you want to encrypt the URLs that appear in your generated HTML? Something like this?

        <a href="ej38f89ehu2w92329hweu9">Click Here!</a>

        May I ask why? 🙂

        For the user to be able to follow the link, you'll have to supply their browser with some way to decrypt it - whether through Javascript, or whatever. And by doing so, you've completely defeated the point of encrypting it in the first place. It's sort of like locking your front door and then taping the key right next to the knob.

        Can you explain more broadly what you're trying to achieve? That is, explain the goal, not the step you think will get you there...

        Also, can you provide some sample HTML from PayPal's implementation?

          Sorry guys. This is very much a javascript question.

          To answer your post - I don't just want to encrypt the links. I want to encrypt the entire html code. I want to allow my customers to use code that pertains to my server. But I don't want them to be able to manipulate it, or know the locations of the folders that are in the links.

          Of course it still has to function on their own site without depending on functions that are set up on my own server, and I wanted to keep it as simple as possible.

          So I've started with this:

          <script>
          eval(unescape('f%75%6ec%74%69%6f%6e%20%78%78%28%6e%29%0D%0A%7B%7a%20%3D%20%75%6ee%73ca%70e%28%6e%29%3B%76a%72%20%79%20%3D%20%27%27%3B%0D%0Af%6f%72%20%28%69%3D0%3B%69%3C%7a%2e%6ce%6e%67%74%68%3B%69%2b%2b%29%20%0D%0A%7B%79%20%2b%3D%20%53%74%72%69%6e%67%2ef%72%6f%6dC%68a%72C%6fde%28%7a%2ec%68a%72C%6fdeA%74%28%69%29%2d1%29%3B%7D%0D%0Ad%6fc%75%6de%6e%74%2e%77%72%69%74e%28%75%6ee%73ca%70e%28%79%29%29%3B%0D%0A%7D%20'));
          </script>

          Which sets up the formula for the code that follows. The above statement with document.write is:

          function xx(n) {z = unescape(n);var y = ''; for (i=0;i<z.length;i++) {y += String.fromCharCode(z.charCodeAt(i)-1);} document.write(unescape(y)); }

          Now I need to place the html I want the users to have so that it can be deciphered with the function above.

          I know this isn't bullet-proof, but it's good enough.

          It's more like putting the key into the soil of the plant that sits next to the door. Most people won't bother to try and figure out the code, because it's not going to reveal anything completely sensitive such as CC information or database access.

          Also, most of the users that will be using this are not even HTML-savvy, so I don't think I'll need to worry about it. I just wanted a little bit of extra protection.
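The encoder that pairs with the xx() function in the post above, as an added example that is not the poster's code. The names encodeForXx, decodeLikeXx and embedSnippet and the sample URL are constructed; the round trip needs no key, so the output is obfuscated rather than encrypted and any recipient of the page can reverse it.

```javascript
// Encoder matching the post's xx(): escape, shift each char code up by one, escape again.
function encodeForXx(html) {
  const escaped = escape(html);
  let shifted = '';
  for (let i = 0; i < escaped.length; i++) {
    shifted += String.fromCharCode(escaped.charCodeAt(i) + 1);
  }
  return escape(shifted); // outer escape keeps the result safe inside a quoted JS string
}

// Same steps as xx(), but returning the HTML instead of calling document.write().
function decodeLikeXx(n) {
  const z = unescape(n);
  let y = '';
  for (let i = 0; i < z.length; i++) {
    y += String.fromCharCode(z.charCodeAt(i) - 1);
  }
  return unescape(y);
}

// Constructed sample snippet; the URL is a placeholder.
const SAMPLE_HTML = '<a href="https://example.test/private/files/buy.php">Buy</a>';

// The line a customer would paste after the xx() definition.
function embedSnippet(html) {
  return "<script>xx('" + encodeForXx(html) + "');</script>";
}
```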

            Well, I imagine you could place the (encrypted) HTML code inside a <div id="whatever" style="visibility: hidden;">, and onload call a Javascript function that retrieves the .innerHTML of that <div>, applies the relevant transformation, sticks the transformed content back into the <div>, and sets its style.visibility to "visible".

            A simple replacement cipher, or something like rot13, would probably suffice for these purposes. Or maybe you could just invert the byte for each character (subtract its ASCII value from 255), and/or shift it by a certain number.

            Hell, you could probably just convert each character to its hexadecimal equivalent; that'd give you a big intimidating-looking string of hex digits that would at least look encrypted. It'd also double the size of the encrypted content (2 hex digits = 1 ASCII byte), but unless you're dealing with large chunks of HTML, it shouldn't be a problem.
