SSL encryption provides a secure mechanism to protect information over public networks, but
it is not always available: a small business private network with Wi-Fi can expose sensitive
information, for example. There are many situations where the technical infrastructure or
economic resources do not allow the installation of secure communication protocols.
Sometimes application-level encryption may be sufficient, or can even complement the
session and/or transport level security. PHP Form Encryption offers an application level
How it works:
1. The server receives a client request for a web page that contains a form.
2. The server generates a session RSA key pair and sends the public key included in the html
3. The client fills out the form and generates an AES-256 key, which is returned to the server encrypted
with the received public key, together with the AES-encrypted form data. The client saves this AES key using
browser local storage.
4. The server receives the RSA-encrypted AES key and decrypts it using the RSA private key. This
AES key is then used to decrypt the received form data and to encrypt/decrypt future forms
until it is changed or the session expires.
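The four steps above as a runnable Node.js sketch of both sides; this is an added example, not Cryptopost's code. It assumes RSA-OAEP for wrapping the key and AES-256-GCM for the form data (the page does not name the padding or mode), and all function and field names are hypothetical.

```javascript
// Added illustration of the hybrid RSA + AES-256 exchange; not Cryptopost's code.
// Assumptions: RSA-OAEP wrapping, AES-256-GCM payloads, 2048-bit RSA, hypothetical names.
// Without TLS the public key arrives unauthenticated: this resists passive capture only.
const crypto = require('node:crypto');

// Step 2: server creates a per-session RSA key pair and sends publicKey with the page.
function newSessionKeys() {
  return crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
}

// AES-256-GCM helpers: output is iv (12) || tag (16) || ciphertext, base64 encoded.
function seal(aesKey, obj) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', aesKey, iv);
  const ct = Buffer.concat([c.update(JSON.stringify(obj), 'utf8'), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]).toString('base64');
}
function unseal(aesKey, b64) {
  const raw = Buffer.from(b64, 'base64');
  const d = crypto.createDecipheriv('aes-256-gcm', aesKey, raw.subarray(0, 12));
  d.setAuthTag(raw.subarray(12, 28));
  // final() throws if the ciphertext or tag was modified in transit.
  return JSON.parse(Buffer.concat([d.update(raw.subarray(28)), d.final()]).toString('utf8'));
}

// Step 3: client makes an AES key, wraps it with the public key, encrypts the form.
function clientSubmit(publicKey, form, aesKey) {
  const post = {};
  if (!aesKey) {                       // first post only: include the wrapped key
    aesKey = crypto.randomBytes(32);
    post.wrappedKey = crypto.publicEncrypt(
      { key: publicKey, oaepHash: 'sha256' }, aesKey).toString('base64');
  }
  post.payload = seal(aesKey, form);
  return { post, aesKey };             // aesKey stays in the client's storage
}

// Step 4: server unwraps the key once, keeps it in the session, decrypts the form.
function serverReceive(session, post) {
  if (post.wrappedKey) {
    session.aesKey = crypto.privateDecrypt(
      { key: session.privateKey, oaepHash: 'sha256' },
      Buffer.from(post.wrappedKey, 'base64'));
  }
  if (!session.aesKey) throw new Error('no session key: client must resend it');
  return unseal(session.aesKey, post.payload);
}
```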
The session must be started before using the Cryptopost class. Then, let's intercept an encrypted form:
$crypto = new Cryptopost(1024, './openssl.cnf');
$formId = $crypto->decodeForm();
So, now we know the id of the submitted form, and the $_POST superglobal contains the decrypted data.
Before that, $_POST will only contain something like:
Note that "crytoPost_key" will be received only once, the first time the server receives a coded
form. Following posts will include only the "cryptoPost" value unless the keys are reset.
<form id="form1" method="POST" action="test.php" onsubmit="return cryptoPost.encrypt('form1')">
The client may need an encrypted record to edit. The server can send it this way:
$record = array(
"name" => $name,
"address" => $address,
"zipCode" => $zip
);
$encrypted = $crypto->encodeData($record, $formId);
... and then, at the bottom of the html code:
<script>cryptoPost.decrypt('<?php echo $encrypted;?>')</script>
That's a simple and easy way to protect your data even with no SSL.
PHP Form Encryption requires the openssl extension and PHP 5.4+.