Assume that a malicious user knows what string is being encrypted (a user_id, for example, which the user can know) and can also see the result of the encryption (the encrypted user_id that is used to authenticate them to another site.)
If the user knows what is going into the encrypt function, as well as what is coming out, in theory it seems it could be possible for them to determine the encryption key as well.
Assuming that this is the case, what could be done to address this problem?
Background: The project I'm working on uses the code found below. I have concerns that the shared encryption key could become compromised http://grokbase.com/p/php/php-notes/1181cckm7e/note-105166-added-to-function-mcrypt-encrypt
The concern is simple: The key is shared, so if someone knows the key, they can trick the authentication mechanism and log in with whatever user ID they want.
