In a nutshell, what I'm trying to do is make a jQuery POST request from a clicked HTML element that has an encrypted data attribute uid, and send this encrypted uid through the jQuery POST request to a getData.php file, which decrypts the uid, uses the decrypted uid to query the database, and returns JSON-encoded results.
Here is what the .html file would contain:

    <div data-uid="YshZrKI4qWCHBUnX3vd/Aw==" class="request" style="border:5px solid black;">
        uid is encrypted with AES-128-CBC
    </div>

This would be the jQuery:

    $('.request').on('click', function () {
        var UID = $(this).data('uid');
        $.post("pull/data.php", { uid: UID }) // Maybe add a token?
            .done(function (request_data) {
                // The endpoint echoes JSON text; parse it into an object
                var data = JSON.parse(request_data);
                alert(data);
            });
    });

pull/data.php would look something like this:

    <?php
    session_start(); // required before $_SESSION can be read

    // some kind of verification here?
    if ($_SESSION['User']['Token'] == SomeKindOfValidationFunc()) { // Would this make it more secure?
        include_once '../databack.php';
        include_once '../keys/request.key.php'; // contains static key and iv
        $key = $evalrequest_key;
        $iv = $evalrequest_iv;
        // options = 0: the input is base64 text, as stored in data-uid
        $id = openssl_decrypt($_POST['uid'], 'AES-128-CBC', $key, 0, $iv);
        $results = Get("SELECT * FROM tableX"); // just returns an associative array of results from db
        echo json_encode($results);
    }

Is this technique safe?
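
An added example, not part of the original question and not the asker's code, of how the pull/data.php flow above can be structured so that the session token is compared in constant time, the decrypted uid is validated, and the id is bound as a query parameter. The function name `handle_request`, the POST field `token`, the integer column `id`, and the demo key, IV and rows are assumptions constructed for illustration.

```php
<?php
// Added example. Hypothetical names: handle_request(), the POST field "token",
// the integer column "id"; key, IV and table rows below are constructed.

/** Returns [HTTP status, JSON body] for one POST to pull/data.php. */
function handle_request(array $session, array $post, PDO $pdo, string $key, string $iv): array
{
    // 1. Per-session token, compared in constant time.
    $expected = $session['User']['Token'] ?? '';
    $given = $post['token'] ?? '';
    if (!is_string($expected) || $expected === '' || !is_string($given) || !hash_equals($expected, $given)) {
        return [403, json_encode(['error' => 'invalid token'])];
    }
    // 2. Decrypt the uid. CBC has no integrity check, so the plaintext is
    //    still untrusted input and is validated before use.
    $uid = $post['uid'] ?? '';
    $id = is_string($uid) ? openssl_decrypt($uid, 'AES-128-CBC', $key, 0, $iv) : false;
    if ($id === false || !ctype_digit($id)) {
        return [400, json_encode(['error' => 'invalid uid'])];
    }
    // 3. Bind the id as a parameter; never concatenate it into the SQL.
    $stmt = $pdo->prepare('SELECT * FROM tableX WHERE id = :id');
    $stmt->execute([':id' => (int) $id]);
    return [200, json_encode($stmt->fetchAll(PDO::FETCH_ASSOC))];
}

// Constructed demo data: in-memory SQLite, throwaway key and IV.
$key = str_repeat('k', 16);
$iv = str_repeat('i', 16);
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE tableX (id INTEGER PRIMARY KEY, name TEXT)");
$pdo->exec("INSERT INTO tableX VALUES (7, 'alice'), (8, 'bob')");
$session = ['User' => ['Token' => bin2hex(random_bytes(16))]];
$token = $session['User']['Token'];
$uid = openssl_encrypt('7', 'AES-128-CBC', $key, 0, $iv);

// Valid token and uid, then a wrong token, then a uid that does not decrypt.
print_r(handle_request($session, ['uid' => $uid, 'token' => $token], $pdo, $key, $iv));
print_r(handle_request($session, ['uid' => $uid, 'token' => 'wrong'], $pdo, $key, $iv));
print_r(handle_request($session, ['uid' => 'not-base64!', 'token' => $token], $pdo, $key, $iv));
```

The demo needs the `openssl` and `pdo_sqlite` extensions; in a real endpoint the status would be sent with `http_response_code()` and the body echoed.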