Use $ _GET only for data that has no problem to be exposed in the URL, such as search parameters, where the user can copy the URL and send it to someone else who will see exactly the same page as the page.
When we are dealing with user data, the most recommended is to use $ _POST with HTTPS encryption. Encrypting and decrypting strings in PHP is tricky, because you will usually need libraries that are not available in all hosts, such as OpenSSL, etc. See: link
Here is a working example with OpenSSL:
<?php
$chave = 'AlgumaStringAleatóriaSegura';
$texto = "minha mensagem";
function encriptar($texto, $chave)
{
$ivlen = openssl_cipher_iv_length($cipher="AES-128-CBC");
$iv = openssl_random_pseudo_bytes($ivlen);
$ciphertext_raw = openssl_encrypt($texto, $cipher, $chave, $options=OPENSSL_RAW_DATA, $iv);
$hmac = hash_hmac('sha256', $ciphertext_raw, $chave, $as_binary=true);
return $ciphertext = base64_encode($iv.$hmac.$ciphertext_raw);
}
function desencriptar($textoCodificado, $chave)
{
$c = base64_decode($textoCodificado);
$ivlen = openssl_cipher_iv_length($cipher="AES-128-CBC");
$iv = substr($c, 0, $ivlen);
$hmac = substr($c, $ivlen, $sha2len=32);
$ciphertext_raw = substr($c, $ivlen+$sha2len);
$texto_original = openssl_decrypt($ciphertext_raw, $cipher, $chave, $options=OPENSSL_RAW_DATA, $iv);
$calcmac = hash_hmac('sha256', $ciphertext_raw, $chave, $as_binary=true);
if (hash_equals($hmac, $calcmac)) {//PHP 5.6+ timing attack safe comparison
return $texto_original."\n";
}
}
// Texto encriptado
$textoEncriptado = encriptar($texto, $chave);
echo $textoEncriptado.'<br>';
// Texto desencriptado
$textoDesencriptado = desencriptar($textoEncriptado, $chave);
echo $textoDesencriptado.'<br>';