CFencrypt form input

Why can't I use encrypt thats built into coldfusion?

check out this
http://livedocs.macromedia.com/coldfusion/7/htmldocs/wwhelp/wwhimpl/common/html/wwhelp.htm?context=ColdFusion_Documentation&file=00000457.htm

you can use built-in encrypt

Yes you can do it with encrypt() but if you have SSL it is much easier.  If you don't you will need to use <cfscript> to decrypt() the values and also pass the key to the action page.  I do this with URL variables but haven't tried with form fields.  I'll look for a way with forms but here's the URL example...

http://www.cflib.org/udf.cfm?ID=203

If you are running CF 7 then this is a good technote:
http://www.macromedia.com/cfusion/knowledgebase/index.cfm?id=e546373d

pinaldave answered a similar question a while back:

http://www.experts-exchange.com/Web/WebDevSoftware/ColdFusion/Q_21654541.html

I think, if you do not want to use post method, javascript and URL param, I would use encrypt and decrypt.

<!--- This example shows the use of Encrypt and Decrypt --->
<h3>Decrypt Example</h3>
<p>This function encrypts/decrypts a string. Enter a string and a key.
<cfif IsDefined("FORM.myString")>
   <cfset string = FORM.myString>
   <cfset key = FORM.myKey>
   <cfset encrypted = encrypt(string, key)>
   <cfset decrypted = decrypt(encrypted, key)>
   <cfoutput>
      <h4><B>The string:</B></h4> #string# <br>
      <h4><B>The key:</B></h4> #key#<br>
      <h4><B>Encrypted:</B></h4> #encrypted#<br>
      <h4><B>Decrypted:</B></h4> #decrypted#<br>
   </cfoutput>
</cfif>
<form action = "encrypt.cfm">
<p>Input your key:
<p><input type = "Text" name = "myKey" value = "foobar">
<p>Enter string to encrypt:
<p><textArea name = "myString" cols = "40" rows = "5" WRAP = "VIRTUAL">
This string will be encrypted (try typing some more)</textArea>
<input type = "Submit" value = "Encrypt my String">
</form>

but does this encrypt through the pass or after?

The URL method encrypts before the pass but I haven't used the form method.  I'm not sure if you would need to use the method="GET" in your form but that would pass the values as URL values instead of form values.

Are you trying to encrypt every form field or do you just need to encrypt the password?  If you are going to use a Social Security Number as a password it would be suggested to use SSL.  If you can't then make sure you use a really long key to encrypt the value before you send it.  I'll look around but I'm pretty sure you would need to use <cfscript> if order to change a form field before it is sent but I haven't done this before.

i just want to ensure that the SS is encrypted when its passed. I dont have to use it as password form field. I am looking into SSL for testing now and will repost different question there. for this thread i want to focus on can i encrypt form values before their passed?

The only way it might work is if you create a function in cfscript and call it when the form is submitted that would encrypt the ss number form field before it was sent.  

Something like:

<cfscript>

     function encryptSS(formvalue, key){

      // encode the ss number
      var newSS = cfusion_encrypt(formvalue, key);
       
            
      return newSS;
     }
</cfscript>

<input type="password" name="ss" id="ss" validate="social_security_number" required="yes" >

<cfset yourKey = "somecrazykeywithnumbersandletters">

<input type = "Submit" value = "Submit" onClick="document.ss.value=encryptSS(document.ss.value,#yourKey#);">

That's the idea but you will need the same key to decrypt the number on the action page.  Don't send the key to the action page or someone could get your key and then they could decrypt the value themselves.  

Hope this helps to point you in the right direction!

ok this is what i have for testing purposes

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>Untitled Document</title>
</head>
<cfscript>
     function encryptSS(formvalue, key){
     // encode the ss number
     var newSS = cfusion_encrypt(formvalue, key);
     return newSS;
     }
</cfscript>
<body>
<cfform method="post" action="encproc.cfm">
<cfinput type="password" name="ss" id="ss" validate="social_security_number" required="yes" >
<cfset yourKey = "somecrazykeywithnumbersandletters">
<input type = "Submit" value = "Submit" onClick="document.ss.value=encryptSS(document.ss.value,#yourKey#);">
</cfform>
</body>
</html>

-----encproc.cfm-------

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>Untitled Document</title>
</head>
<cfset yourKey = "somecrazykeywithnumbersandletters">
<cfset decryptedSS = decrypt(form.ss,yourKey)>
<body>
<cfoutput>Before Decrypt: #form.ss#<br>After Decrypted: #decryptedSS#</cfoutput>
</body>
</html>

i'm gettin the following error

There has been an error while trying to encrypt or decrypt your input string: The input and output encodings are not same..  
 
 
The error occurred in C:\Inetpub\wwwroot\forms\encproc.cfm: line 8
 
6 : </head>
7 : <cfset yourKey = "somecrazykeywithnumbersandletters">
8 : <cfset decryptedSS = decrypt(form.ss,yourKey)>
9 : <body>
10 : <cfoutput>Before Decrypt: #form.ss#<br>After Decrypted: #decryptedSS#</cfoutput>

It doesn't seem to be encrypting the value in the first place.  The cfscript I wrote was just an example of the logic but you will probably need to debug it and maybe do another post to see if any cfscript masters can get it to work.  I created a page for you that will illustrate that the value being passed hasn't been encrypted yet:

<cfif isdefined("form.ss")>

<cfset yourKey = "abc123blabla">
<!--- <cfoutput><cfset decryptedSS = "#decrypt(form.ss,yourKey)#"></cfoutput> --->
<cfset decryptedSS = "not encrypted">
<cfoutput>Before Decrypt: #form.ss#<br>After Decrypted: #decryptedSS#</cfoutput>


<cfelse>

<cfscript>
     function encryptSS(formvalue, key){
     // encode the ss number
     var newSS = cfusion_encrypt(formvalue, key);
     return newSS;
     }
</cfscript>

<cfform method="post" action="encproc.cfm">
<cfinput type="text" name="ss" id="ss" validate="social_security_number" required="yes" >
<cfset yourKey = "abc123blabla">
<input type = "Submit" value = "Submit" onClick="document.ss.value=encryptSS(document.ss.value,#yourKey#);">
</cfform>

</cfif>

This will let you use the same page for the form and the action page.  The idea behind this is to script a function that will take the form.ss value and encrypt it before it is sent by the form.  Once you get the value to be passed as encrypted then the code I gave will work for decrypting it.

i gotcha now
i'll work on it

Actually the form will need a name and you will need to call that in the script.

<cfform method="post" name="ssform" action="encproc.cfm">
<cfinput type="text" name="ss" id="ss" validate="social_security_number" required="yes" >
<cfset yourKey = "abc123blabla">
<input type = "Submit" value = "Submit" onClick="document.form.ssform.ss.value=encryptSS(document.form.ssform.ss.value,#yourKey#);">
</cfform>

I'm had problems trying to do javascript validation with a cfform so i usually just use a plain <form> tag instead.  

I'm pretty sure you can't use the DOM inside of a <cfscript> block now that I think about it.  So it doesn't look good unless you find a function inside javascript to encrypt() your value before it is sent.  

If you have any chance of installing or using an SSL certificate that is by far the best way to do this.  With information as sensitive as a social security number I wouldn't go with anything less.

Even if you write or find a javascript function to encrypt the value before it is sent (and presumably a matching cf function that will decrypt it at the server), it is still pointless.  People can view the source to find the javascript that encrypts it and work backwards from there.

Use SSL.

Alright, got an SSL up and running. thanks for the advice, please tell me a good use for CFENCRYPT if you dont mind.

One use I've found for it is if you have a login that is based on a cookie being an easy to guess value... for instance, if you have

<cfparam cookie.userid=0>
<cfif cookie.userid gt 0> <!--- ie, you've logged them in already --->
   show them the goods!
</cfif>

then someone cannot see the 0 in their cookies and just think "if i change this to 1, i can be logged in" (and then they could see someone else's information too)

another use I've had is when I need to pass customer data (or a user ID) through the URL between different sites on the same server... if they were on only one site, I could just read the session or cookie and do all db lookups there... but if you have to pass it to another site (or if you are putting them in forms or urls for some reason and then doing db lookups) people can see that "userID=503" or whatever and change the number to see someone else's info.  Encrypting the value helps there too.

You might also encrypt sensative data that will be stored in your database as well.  This way, if someone manages to find a way to your data and not your code, you aren't as worried.

I find it useful when I want to encrypt values in my URL also.  Here's the link to the UDF that I posted earlier.  If you are passing an integer in your URL and using it in a query it's also good to use <cfqueryparam> to prevent injection attacks.

http://www.cflib.org/udf.cfm?ID=203

Select * from table
Where yourID = <cfqueryparam sqltype="integer" value="#url.ID#">

Ike23