thirty bees forum

Possible bug with 'Use the PHP Encryption library with the openssl extension (highest security)'


Question

Posted

Error 500 on the sign-in page when Ciphering algorithm is set to 'Use the PHP Encryption library with the openssl extension (highest security)' on TB1.0.8. 'Use the custom BlowFish class' works fine. Interestingly, the PHP encryption option works fine on a new site with the same setting.

Reckon this is a bug? Thanks.

```
[ThirtyBeesException]

String expected for argument 1. Boolean given instead. at line 98 in file vendor/defuse/php-encryption/src/Crypto.php

     * @return string
     */
    public static function decrypt($ciphertext, $key, $raw_binary = false)
    {
        if (!\is_string($ciphertext)) {
            throw new \TypeError(
                'String expected for argument 1. ' . \ucfirst(\gettype($ciphertext)) . ' given instead.'
            );
        }
        if (!($key instanceof Key)) {
            throw new \TypeError(

Defuse\Crypto\Crypto::decrypt - [line 76 - classes/PhpEncryption.php] - [2 Arguments]
PhpEncryptionCore->decrypt - [line 601 - modules/referralprogram/referralprogram.php] - [1 Arguments]
ReferralProgram->hookCreateAccountForm - [line 776 - classes/Hook.php] - [1 Arguments]
HookCore::coreCallHook - [line 486 - classes/Hook.php] - [3 Arguments]
HookCore::execWithoutCache - [line 288 - classes/Hook.php] - [7 Arguments]
HookCore::exec - [line 173 - controllers/front/AuthController.php] - [1 Arguments]
AuthControllerCore->initContent - [line 262 - classes/controller/Controller.php]
ControllerCore->run - [line 253 - classes/controller/FrontController.php]
FrontControllerCore->run - [line 837 - classes/Dispatcher.php]
DispatcherCore->dispatch - [line 33 - index.php]
```

3 answers to this question

Posted

This problem originates from the referralprogram module. I'm pretty sure this exception will be thrown even on tb1.0.7 if this module is installed and the URL does not contain the &sponsor=xxx parameter.

The reason this exception is thrown is that Tools::getValue('sponsor') returns false when the 'sponsor' parameter is not part of the request. This invalid value is then passed to the cipher tool for decryption. Blowfish would return null for invalid input (boolean type), while PhpEncryption will throw an exception. This should be fixed in the core -- the behaviour should be consistent.

But the module itself should be fixed as well -- there's no need for a decryption call if we don't have anything to decrypt.
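The guard the answer describes, as an added example that is not part of the original posts and not code from thirty bees, the referralprogram module, or defuse/php-encryption. `StrictCipher` and `decryptOptionalParam` are hypothetical names; the stand-in cipher only mirrors the strict type check shown in the excerpt, and PHP 7.1+ with the openssl extension is assumed.

```php
<?php
// Added example. StrictCipher is a hypothetical stand-in, not the real library.
final class StrictCipher
{
    private $key;
    public function __construct(string $key) { $this->key = $key; }

    public function encrypt(string $plaintext): string
    {
        $iv = random_bytes(12);
        $ct = openssl_encrypt($plaintext, 'aes-256-gcm', $this->key, OPENSSL_RAW_DATA, $iv, $tag);
        return base64_encode($iv . $tag . $ct); // 12-byte IV, 16-byte tag, ciphertext
    }

    public function decrypt($ciphertext): string
    {
        // Same strictness as the excerpt: a non-string argument is a hard error.
        if (!is_string($ciphertext)) {
            throw new TypeError('String expected for argument 1. ' . ucfirst(gettype($ciphertext)) . ' given instead.');
        }
        $raw = base64_decode($ciphertext, true);
        if ($raw === false || strlen($raw) < 28) {
            throw new RuntimeException('Malformed ciphertext.');
        }
        $plain = openssl_decrypt(substr($raw, 28), 'aes-256-gcm', $this->key, OPENSSL_RAW_DATA, substr($raw, 0, 12), substr($raw, 12, 16));
        if ($plain === false) {
            throw new RuntimeException('Ciphertext failed authentication.');
        }
        return $plain;
    }
}

// Guard for optional, client-supplied request parameters: returns the plaintext,
// or null when the value is absent, not a string, or does not decrypt.
function decryptOptionalParam($value, StrictCipher $cipher): ?string
{
    if (!is_string($value) || $value === '') {
        return null; // e.g. the false that a missing 'sponsor' parameter produces
    }
    try {
        return $cipher->decrypt($value);
    } catch (Throwable $e) {
        return null; // malformed or tampered input is treated like "no sponsor"
    }
}

$cipher = new StrictCipher(random_bytes(32)); // constructed demo key
$valid  = $cipher->encrypt('42');             // constructed sponsor id
$inputs = ['absent' => false, 'garbage' => 'not-a-token', 'tampered' => strrev($valid), 'valid' => $valid];
foreach ($inputs as $label => $value) {
    printf("%s => %s\n", $label, var_export(decryptOptionalParam($value, $cipher), true));
}
```

With the guard in place, the hook sees the same null for a missing, malformed, or tampered parameter regardless of which cipher backend is configured, so the sign-in page no longer depends on how the backend reacts to bad input.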
