
Simple encryption for VBA and PHP

This freeware encryption program for PHP and VBA can encrypt data in sensitive situations like in URL parameters where only certain characters are allowed. Pass encrypted data between a web site and a spreadsheet and be the only one to know what happened.

As information is sent across the internet, the risk of intellectual theft increases. More and more information needs to be protected, or at least made unrecognizable, all the way from the source to the target.

  • An affiliate may want to encrypt information about keywords used in search engine advertising, in order to prevent the merchant from "stealing" the affiliate’s most profitable keywords.
  • A software developer may want to include information about the source of the free download from a cookie when the user is clicking on the "Buy" button.

The problems with standard encryption algorithms

Most encryption models are difficult to tailor to everyday needs. If data is transferred in a way that restricts the possible character set, it may be impossible to use conventional encryption techniques that create binary data.

One example is the URL parameter string. Sending information as URL parameters is very useful, but the information is clearly visible in the URL, which increases the need for some kind of encryption. However, the URL parameters may only contain the "safe" a-z and 0-9 character ranges and a few other characters. A program used to encrypt URL parameters must create encrypted strings adhering to these strict rules.

Another problem with standard encryption tools is that they use technology that originally was intended for warfare. This may limit their application, or in which countries the technology may be used. It may also increase the cost of the encryption tool.

Solution: a free encryption program for PHP

In many cases, the strength of the encryption algorithm is not that important. The encrypted information just isn’t worth that much. The algorithm needs to be just good enough to make it not worth the effort to try to break the code.

British developer Tony Marston has published a very useful encryption routine for PHP on his website www.tonymarston.net. His paper "A reversible encryption routine for PHP" describes a very simple, yet elegant way of substituting one character string for another. There is no fixed substitution, so each character may be replaced by a different character each time. This encryption is quite good enough for many regular purposes. It also gives full control of the characters used in the encrypted string. Tony Marston has generously made the encryption application for PHP available as a free download.

Please note that an enhanced version of Tony Marston’s PHP code and its Visual Basic counterpart are described below.

The VBA implementation

For most people, however, PHP is a server-side web scripting language. It may not be your first choice when it comes to desktop applications. So when your web site encrypts data using PHP, you will need a desktop implementation of the same encryption logic to decrypt the data for use in desktop applications. For this reason, Swedish developer Magnus Wester has created a VBA (Visual Basic for Applications) version of the encryption program and made it available for free.

The VBA version can be used in all Microsoft Office applications to encrypt and decrypt data, and can exchange data with the PHP version if the same encryption parameters are used.

Other implementations

If you port this encryption logic to additional platforms, please send a copy to Magnus Wester in order to make it available to other developers.

Enhanced implementation, May 2005

In the enhanced implementation, which is compatible with the original, a few small modifications have made it a lot more useful and fault-tolerant:

  • In the original version, if the source string was shorter than the specified length, it was padded with blanks. However, blanks may not be allowed in the encrypted string, e.g. in an encrypted URL parameter. In the enhanced version, the first character in the translation table is used for padding.
  • In the enhanced version, characters outside the approved character set in the encryption key or source string are also replaced by the first character in the translation table before encryption. This makes the logic much less prone to errors caused by incorrect input data. In rare cases, the decrypted output must be identical to the input before encryption. In such cases it is easy to verify that the string to be encrypted conforms to the character set before encryption.
  • Support for dynamic selection of character sets has been added to the function calls for encryption and decryption. This makes transitions from one setup to another much easier, e.g. when adding or modifying translation tables.
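The input rules from the first two points, together with the conformance check the second point recommends, sketched as an added example; this is not the downloadable code by Tony Marston or Magnus Wester. The table `TABLE`, the function names and the right-hand padding are assumptions made for illustration; only the replace-and-pad behaviour comes from the description above.

```php
<?php
// Added example, not the downloadable code. TABLE is a constructed, URL-safe
// table with the underscore first; the real tables ship with the download.
const TABLE = '_abcdefghijklmnopqrstuvwxyz0123456789-';

/** True when every byte of $s is in $table, i.e. nothing would be replaced. */
function conformsToTable(string $s, string $table): bool
{
    return strspn($s, $table) === strlen($s);
}

/**
 * Apply the two pre-encryption rules: replace every byte outside the table
 * with the table's first character, then pad to $length with that character.
 * Works on bytes, so one multi-byte UTF-8 character becomes several pads.
 * Padding on the right is an assumption.
 */
function normaliseForTable(string $s, string $table, int $length): string
{
    $pad = $table[0];
    $out = '';
    for ($i = 0, $n = strlen($s); $i < $n; $i++) {
        $ch = $s[$i];
        $out .= (strpos($table, $ch) !== false) ? $ch : $pad;
    }
    return str_pad($out, $length, $pad); // no-op if already $length or longer
}

// Constructed sample inputs: one conforming value, two that will be altered.
$samples = ['summer_sale-2005', 'Red Shoes & Co', 'price=10'];

foreach ($samples as $plain) {
    $normalised = normaliseForTable($plain, TABLE, 20);
    if (conformsToTable($plain, TABLE)) {
        // Only padding was added, so the original text survives unchanged.
        echo "OK     '$plain' -> '$normalised'\n";
    } else {
        // Replaced bytes cannot be recovered after decryption: reject the
        // value here when the decrypted output must match the input exactly.
        echo "LOSSY  '$plain' -> '$normalised'\n";
    }
}
```

Running the check before encryption is what separates the tolerant behaviour (silently replace) from the strict one (refuse the input), and the caller chooses which applies to each field.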

Five translation tables are included with the enhanced implementation:

  1. The character set from Tony Marston’s original version.
  2. An enhancement to 1 with a space at the beginning for nicer padding.
  3. A character set suitable for URL parameters.
  4. An enhancement to 3 where the underscore is used for padding (no blanks allowed in URLs).
  5. An alphanumeric character set with minus and underscore.

Free downloads

*) Remove the ".txt" file type after download.
