PHP - 带 GET 查询的加号

2022-01-04 00:00:00 get php

我有一个 PHP 脚本,它通过以下方法对字符串进行基本加密:

I have a PHP script that does basic encryption of a string through the method below:

<?php
$key = 'secretkey';
$string = $_GET['str'];

if ($_GET['method'] == "decrypt")
{
    $output = rtrim(mcrypt_decrypt(MCRYPT_RIJNDAEL_256, md5($key), base64_decode($string), MCRYPT_MODE_CBC, md5(md5($key))), "");
}

if ($_GET['method'] == "encrypt")
{
    $output= base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, md5($key), $string, MCRYPT_MODE_CBC, md5(md5($key))));
}

echo $output;
?>

用于加密字符串的 URL 示例如下所示:

An example of a URL to encrypt a string would look like this:

Encrypt.php?method=encrypt&str=the quick fox

Encrypt.php?method=encrypt&str=the quick fox

这将作为加密字符串返回:

Which would return this as the encrypted string:

LCuT/ieVa6cl3/4VtzE+jd9QPT3kvHYYJFqG6tY3P0Q=

LCuT/ieVa6cl3/4VtzE+jd9QPT3kvHYYJFqG6tY3P0Q=

现在要解密字符串,您只需将方法"查询更改为解密",如下所示:

Now to decrypt the string all you have to do is change the "method" query to "decrypt", like so:

Encrypt.php?method=decrypt&str=LCuT/ieVa6cl3/4VtzE+jd9QPT3kvHYYJFqG6tY3P0Q=

Encrypt.php?method=decrypt&str=LCuT/ieVa6cl3/4VtzE+jd9QPT3kvHYYJFqG6tY3P0Q=

唯一的问题是当加密的字符串被解密时,它会返回:

The only problem is that when that encrypted string is decrypted it returns this:

¬ƒ§rYV}̳5Äš·nßì(ñïX8Þ;b

¬ƒ§rYV}̳5Äš·nßì(ñïX8Þ;b

我已将问题缩小到加密字符串中的加号.PHP 的 GET 方法似乎将加号转换为空格.我搜索了这个错误,发现它已经被提交这里.我尝试了该页面上列出的不同方法和其他方法,但均未成功.我得到的最接近的是使用这个:

I have narrowed down the problem to the plus sign that is in the encrypted string. PHP's GET method seems to translate a plus sign into a blank space. I have searched this bug and found out that it has already been filed here. I have tried different methods listed on that page and others with no success. The closest I got is by using this:

$fixedstring = str_replace(" ", "+", $string);

然后在加密方法中使用 $fixedstring ,问题是,在解密时,所有空格都转换为加号.有什么想法吗?

and then using $fixedstring in the encryption methods, the problem is, upon decryption, all blank spaces are converted to plus signs. Any ideas?

我知道使用 POST 会更有意义,但我出于特定原因使用 GET.我会省略细节.

推荐答案

如果您阅读该错误报告的全部内容,您将看到对 RFC 2396.这表明 + 是保留的.PHP 将未编码的 + 符号转换为空格是正确的.

If you'll read the entirety of that bug report you'll see a reference to RFC 2396. Which states that + is reserved. PHP is correct in translating an unencoded + sign to a space.

您可以在将密文返回给用户时使用 urlencode().因此,当用户提交密文进行解密时,您可以 urldecode() 它.如果 PHP 也通过 GET 字符串输入,PHP 会自动为您执行此操作.

You could use urlencode() the ciphertext when returning it to the user. Thus, when the user submits the ciphertext for decryption, you can urldecode() it. PHP will do this automatically for you if it comes in via the GET string as well.

底线: + 必须作为编码值提交给 PHP:%2B

Bottom line: The + must be submitted to PHP as the encoded value: %2B

相关文章