Encryption and decryption query string on next page
Experts Round Table Network | Serverside Technology | PHP
shakeel
« on: December 01, 2007, 12:33:18 AM »

Hi All,

I have query strings as follows

http://localhost/egifts3/invoic.php?order_id=20070000010

I want to encrypt and decrypt it on invoic.php via the GET method.

Please, can anybody help me encrypt the above string with SHA1 or any other secure method of encryption.

Thanks & Regards
Shakeel
CrYpTiC_MauleR
« Reply #1 on: December 01, 2007, 08:55:43 AM »

SHA-1 is for hashing, so it's one way; you can't reverse it. You should use mcrypt with AES-256.

http://us3.php.net/manual/en/function.mcrypt-module-open.php shows how to do that in their example using AES-256; it shows how to encrypt and decrypt. How exactly will you be using this? If you are encrypting the query string, which just contains an orderid, it will be useless, since an attacker can use the decrypted query string or the encrypted string to view the invoice as well. Just make sure you run the setup you plan on doing by us and we can determine if it will indeed make the application more secure.
shakeel
« Reply #2 on: December 05, 2007, 12:48:08 AM »

Many thanks for your reply. Actually, the client does not want to show the invoice number in the query string

http://localhost/PDFClass/pdf_sample.php?orderid=20070000212

then this query string should look like

http://localhost/PDFClass/pdf_sample.php?dshfgdhfvbncxgvxchjgvxnbv

because a user can see another person's invoice by giving the invoice number shown above

Regards
Shakeel
CrYpTiC_MauleR
« Reply #3 on: December 05, 2007, 11:36:16 AM »

What will be displayed on the invoice page pdf_sample.php?
Also, why is a cookie session not being used to store the orderid? That way there is no need to encrypt the querystring, and it is safer than trying to obfuscate the orderid through encryption, which just adds the illusion of protection. If the URL with the encrypted string is being emailed to the customer as confirmation, then it depends on what is being displayed on the page. If transaction information or personal information (shipping address, name, phone, card number used, etc.) is displayed, then using a cookie session which requires the customer to log in is more secure, since email is not a secure means to transmit the URL. Also, the page should be SSL/TLS protected.
Now, if the page is displayed only after a transaction is done that doesn't require a login, or can be accessed by the customer after logging in, then encrypting the querystring is acceptable, but session cookies should still be used as a more secure means of protecting the URL from being tampered with. It all just depends on the circumstances of the system to determine what would be the secure choice.
rdivilbiss
« Reply #4 on: December 05, 2007, 02:54:32 PM »

What will be displayed on the invoice page pdf_sample.php?

If it is sensitive, then the user must reauthenticate before viewing the information.

Also why is a cookie session not being used to store the orderid?

Agreed, passing this information as a parameter, either in a GET (URL) or POST, is asking for trouble.

SSL/TLS is a must.

If this is the result of a chain of actions resulting from an order form, you have more than just this to consider. Read: http://www.expertsrt.net/main/components/com_mambowiki/index.php?title=Building_Secure_And_Standards_Compliant_Web_Forms
Rod
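The approach both replies recommend, an authenticated session plus an authorisation check on the order rather than an obfuscated order id, as an added PHP example that is not code from the thread or from the poster's application. It assumes a PDO connection in $pdo, an orders table with order_id and customer_id columns, and a login page that stores $_SESSION['customer_id']; all of these names are hypothetical.

```php
<?php
// Added example (not from the thread). Hypothetical names: $pdo is an open
// PDO connection, table orders(order_id, customer_id, total, shipping_name),
// and login.php stores the authenticated customer's id in the session.
session_start();

// 1. Require an authenticated session; the page never trusts a bare URL.
if (empty($_SESSION['customer_id'])) {
    header('Location: /login.php?next=' . urlencode($_SERVER['REQUEST_URI']));
    exit;
}

// 2. The order id may still travel in the URL (there is nothing secret
//    about it); what matters is that it is validated and scoped to the user.
$orderId = filter_input(INPUT_GET, 'order_id', FILTER_VALIDATE_INT);
if ($orderId === false || $orderId === null) {
    http_response_code(400);
    exit('Bad request');
}

// 3. Authorisation: the WHERE clause binds the order to the session's
//    customer, so supplying another invoice number returns nothing.
$stmt = $pdo->prepare(
    'SELECT order_id, total, shipping_name FROM orders
      WHERE order_id = :id AND customer_id = :cust'
);
$stmt->execute([':id' => $orderId, ':cust' => $_SESSION['customer_id']]);
$order = $stmt->fetch(PDO::FETCH_ASSOC);

if ($order === false) {
    // Same response for "no such order" and "not this customer's order", so
    // the page does not confirm which invoice numbers exist.
    http_response_code(404);
    exit('Invoice not found');
}

// 4. Record the access: many 404s from one session on this page is a
//    useful detection signal for someone probing invoice numbers.
error_log(sprintf('invoice view customer=%d order=%d',
    $_SESSION['customer_id'], $orderId));

// 5. Render; output is escaped before it reaches the browser.
echo 'Invoice #' . htmlspecialchars((string) $order['order_id'], ENT_QUOTES, 'UTF-8');
```

If the invoice is only ever shown straight after checkout, the checkout step can store the order id in $_SESSION instead and this page can read it from there, removing the parameter altogether as Reply #3 suggests.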