Encrypt URL Query Parameters

Demonstrates how to encrypt URL query parameters. Query parameter values are encrypted using AES encryption and then base64 encoded. Base64 encoding is the most efficient means of transforming binary data into printable chars. In Base64 encoding, 4 printable chars represent 3 binary bytes. Therefore, the size of the output is expanded by 4/3rds. In addition, the output of AES encryption is always padded to a multiple of 16 bytes (prior to base64 encoding).

One issue with Base64 encoding is that the following alphabet is used:

ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/

The "+" and "/" characters would disrupt a URL. Therefore, you'll want to URL-encode the base64 output. This example shows how to do it, and then how to reverse the process.

PS> The Base64 encoding algorithm may also include one or two "=" characters at the very end of the encoded data, and this would also disrupt a URL...

Download Chilkat Crypt ActiveX

CREATE PROCEDURE ChilkatSample
AS
BEGIN
    DECLARE @hr int
    DECLARE @sTmp0 nvarchar(4000)
    DECLARE @crypt int
    EXEC @hr = sp_OACreate 'Chilkat.Crypt2', @crypt OUT
    IF @hr <> 0
    BEGIN
        PRINT 'Failed to create ActiveX component'
        RETURN
    END

    --  We want to arrive at a URL with encrypted query parameter
    --  values, such as:
    --  www.chilkatsoft.com/login?fieldOne=xxxxxxxxxxxx&fieldTwo=xxxxxxxxxxxx&fieldThree=xxxxxxxxxxx&fieldFour=xxxxxxxxxxx

    --  Any string argument automatically begins the 30-day trial.
    DECLARE @success int

    EXEC sp_OAMethod @crypt, 'UnlockComponent', @success OUT, '30-day trial'
    IF @success <> 1
      BEGIN
        EXEC sp_OAGetProperty @crypt, 'LastErrorText', @sTmp0 OUT
        PRINT @sTmp0
        RETURN
      END

    DECLARE @fieldOne nvarchar(4000)

    SELECT @fieldOne = 'This is a test'

    EXEC sp_OASetProperty @crypt, 'CryptAlgorithm', 'aes'

    --  The default cipher mode is CBC (Cipher Block Chaining)
    --  We'll use ECB here because the amount of data to be
    --  encrypted is small anyway...
    EXEC sp_OASetProperty @crypt, 'CipherMode', 'ecb'

    --  AES supports 128, 192, and 256-bit encryption.
    EXEC sp_OASetProperty @crypt, 'KeyLength', 128

    --  We need a 16-byte secret key (i.e. 128 bits)
    EXEC sp_OAMethod @crypt, 'SetEncodedKey', NULL, '000102030405060708090A0B0C0D0E0F', 'hex'

    EXEC sp_OASetProperty @crypt, 'EncodingMode', 'base64'

    DECLARE @e1 nvarchar(4000)

    EXEC sp_OAMethod @crypt, 'EncryptStringENC', @e1 OUT, @fieldOne


    PRINT @e1

    --  Let's URL encode it:
    EXEC sp_OASetProperty @crypt, 'CryptAlgorithm', 'none'
    EXEC sp_OASetProperty @crypt, 'EncodingMode', 'url'
    --  Because the encryption algorithm = "none", it's a simple
    --  pass-through with encoding...
    DECLARE @e2 nvarchar(4000)

    EXEC sp_OAMethod @crypt, 'EncryptStringENC', @e2 OUT, @e1


    PRINT @e2

    --  Now form the URL:
    DECLARE @url nvarchar(4000)

ERROR-CONCAT    SELECT @url = 'http://www.chilkatsoft.com/login?fieldOne=' + @e2


    PRINT @url

    --  Now reverse the process:
    EXEC sp_OASetProperty @crypt, 'CryptAlgorithm', 'none'
    EXEC sp_OASetProperty @crypt, 'EncodingMode', 'url'
    DECLARE @d2 nvarchar(4000)

    EXEC sp_OAMethod @crypt, 'DecryptStringENC', @d2 OUT, @e2

    --  Back to base64:

    PRINT @d2

    --  Now back to the original string:
    EXEC sp_OASetProperty @crypt, 'CryptAlgorithm', 'aes'
    EXEC sp_OASetProperty @crypt, 'EncodingMode', 'base64'
    DECLARE @d1 nvarchar(4000)

    EXEC sp_OAMethod @crypt, 'DecryptStringENC', @d1 OUT, @d2


    PRINT @d1

    --  A final note:  If decrypting in ASP or ASP.NET,
    --  depending on what you're doing,
    --  you may not need the explicit URL-decoding step.
    --  It may be that ASP already did the URL decoding when you
    --  fetch the query parameter value.  If so, you only need
    --  to decrypt using base64 for the encoding mode.

END
GO