Can I provide an encrypted string to users and be sure it is safe for 1-2 hours

Short answers:

1. From a technical POV, what you're doing is unsafe, although it might be enough for just a 2-hour timeframe.
2. What you're trying to do here is called "message authentication", but that's not how it should be done, which in turn does impact security. You should use a HMAC instead.

My advice would be to upgrade to CodeIgniter 3 (CI2 will stop receiving even security updates in a few months) as soon as possible, and use its new Encryption library instead. That will make it safe for years, not hours.

Long answer:

The encryption library should do both encryption and authentication for you, but unfortunately the CI_Encrypt class itself is badly written and lacking a lot of functionality (such as authentication), which is why it was DEPRECATED and is being replaced by a new (CI_Encryption) library in CodeIgniter 3.

Explaining all the flaws in here would be quite the task, so I'd rather link you to an external article (not self-promoting, don't worry), which does that quite nicely if you're interested in the low-level details.

No matter which library you use however, one thing must be noted - a password is not the same thing as an encryption key.

Passwords have a varying length and are used by humans, which means that they must be readable by humans, and that in turn limits them to a certain set of characters.

Encryption keys on the other hand have a fixed length (each encryption algorithm is designed to work with a specific key length; for Rijndael-256 that's 32 bytes, which you seem to match) and are not limited to human-readable characters (which means more entropy and therefore more security) - they represent raw binary data.

Anything else can be controlled (and therefore automatically done) by a library, but if you pass a password instead of a key - that's what the library will use, so you should take care of that.

The best and simple way to do that is to use the filesystem functions to create a simple text file for each user in non public path with two lines, the first of them is a unique random string (long string varied in length) and the second is the number.

Then using sha1_file get the hash value of the file then store it in the database related to its path and creating time, then send this hash to the user.

After the user has played, check the value by another script that get the value of the hash from the database, then read the file and parse its second line to display the number.

By this way, you have gave the user a hash not for a string, but it for a file and cracking it to get the file back is not simple as to be done in two hours.

You are giving your Encryption/Decryption logic to client side. Hacker will easily identify how your password and encryption strings are being match.

Many framework have their own password creationg and compare logics. Yii using SALT and other features like SHA1 etc...

Keep it simple and keep all things at your end. Generate your encryption things and store at your end. Follow simple steps,

1. Generate encryption password (using SALT and/or other encryption tools) and store at your end
2. Ask client (user) to enter their password (key) and get at server side
3. Convert your password (key) to encryption password and compare

CPasswordHelper will be helpful for you. Try to download Yii source code and put out their logic for you.

Hope that helps !!