encrypt password in coldfusion

Posted on 2008-10-01
Last Modified: 2013-12-24
Hello experts.
I have one registration page with the registration form and the password field.
My Insert query is:

<cfquery name="InsertUser" datasource="#dsn#">
INSERT INTO users (Firstname,Lastname,email,password)
VALUES
('#Form.Firstname#','#Form.Lastname#','#Form.email#','#Form.password#')
</cfquery>

Now I want, first, to encrypt the password in the DB, and second, how can I get and change the
encrypted password on the update page?
(I have CF8 and use MSSQL.)

the register form:(register.cfm)
<form method="post" name="RegForm"  id="RegForm">
<table width="496" border="1">
  <tr>
    <td width="150">firstname</td>
    <td width="330"><label>
      <input type="text" name="firstname" id="firstname" />
    </label></td>
  </tr>
  <tr>
    <td>Lastname</td>
    <td><label>
      <input type="text" name="lastname" id="lastname" />
    </label></td>
  </tr>
  <tr>
    <td>email</td>
    <td><label>
      <input type="text" name="email" id="email" />
    </label></td>
  </tr>
  <tr>
    <td>password</td>
    <td><label>
      <input type="password" name="password" id="password" />
    </label></td>
  </tr>
  <tr>
    <td>&nbsp;</td>
    <td><label>
      <input type="submit" name="button" id="register" value="register" />
    </label></td>
  </tr>
</table>
</form>

the update form:(update.cfm)
<form id="form1" name="form1" method="post" action="">
        <table width="359" cellpadding="0" cellspacing="0">
          <tr>
            <td>New Password</td>
            <td><input type="password" name="password" id="password" /></td>
          </tr>
          <tr>
            <td>Confirm new Password</td>
            <td><input type="password" name="confirmpassword" id="confirmpassword" /></td>
          </tr>
          <tr>
            <td><input type="Submit" name="Submitbutton" id="Submitbutton" value="Update" /></td>
            <td>&nbsp;</td>
          </tr>
        </table>
      </form>

Question by:Panos
 
LVL 27

Accepted Solution

by:
azadisaryev earned 500 total points
ID: 22612460
well, CF has encrypt() and hash() functions for starters... check the CFML reference manual for details on how to use them and the encryption options.

use the function you prefer on your #FORM.password# when you insert the data in your db. e.g:
<cfquery name="InsertUser" datasource="#dsn#">
INSERT INTO users (Firstname,Lastname,email,password)
VALUES
('#Form.Firstname#','#Form.Lastname#','#Form.email#','#hash(Form.password)#')
</cfquery>
make sure your password field in the db allows appropriate length strings to be stored.
and please please please use <cfqueryparam> in your queries!!!

on the update side, you do not seem to check the old password, at least not in the code you posted, so you do not really need to decrypt the old password, do you?

just remember to also encrypt the password submitted by user at login when you check it against the password stored in the db.

hth
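The register-and-login flow the accepted answer describes (hash on insert, cfqueryparam everywhere, re-hash the submitted password at login), written out as an added example. This is not code from the thread or from either poster. It assumes the thread's `users` table plus an extra column `salt` (assumed name, VARCHAR(32)), a `password` column at least 64 characters wide (SHA-256 hex is 64 chars), the datasource `#dsn#`, and the field names from register.cfm. It goes one step beyond the answer: hash() defaults to MD5, so the algorithm is named explicitly and a per-user random salt is stored beside the hash so that two users with the same password do not get the same stored value. CF8 has no purpose-built slow password hash (bcrypt, PBKDF2) built in, so salted SHA-256 is the best of the native options; a Java bcrypt library on the classpath would be better still.

```cfml
<!--- Added example, not code from the thread. Assumes the thread's users table
      plus an extra column "salt" VARCHAR(32) (assumed name), a "password"
      column at least 64 chars wide (SHA-256 hex), the datasource #dsn#, and
      the form field names from register.cfm. --->

<!--- ===== register action page: store a salted SHA-256 hash, never the password ===== --->
<cfif not structKeyExists(form, "password") or not len(trim(form.password))>
    <cfthrow message="Password is required">
</cfif>

<!--- Per-user random salt; generateSecretKey() draws from Java's SecureRandom
      and returns the key base64-encoded (24 chars for a 128-bit AES key) --->
<cfset salt = generateSecretKey("AES")>
<!--- hash() defaults to MD5; name the algorithm explicitly. Output is upper-case hex. --->
<cfset pwHash = hash(salt & form.password, "SHA-256")>

<cfquery name="InsertUser" datasource="#dsn#">
    INSERT INTO users (Firstname, Lastname, email, password, salt)
    VALUES (
        <cfqueryparam value="#form.firstname#" cfsqltype="cf_sql_varchar">,
        <cfqueryparam value="#form.lastname#"  cfsqltype="cf_sql_varchar">,
        <cfqueryparam value="#form.email#"     cfsqltype="cf_sql_varchar">,
        <cfqueryparam value="#pwHash#"         cfsqltype="cf_sql_varchar">,
        <cfqueryparam value="#salt#"           cfsqltype="cf_sql_varchar">
    )
</cfquery>

<!--- ===== login action page: re-hash the submitted password with the stored salt ===== --->
<cfquery name="getUser" datasource="#dsn#">
    SELECT user_ID, password, salt
    FROM users
    WHERE email = <cfqueryparam value="#form.email#" cfsqltype="cf_sql_varchar">
</cfquery>

<cfset loginOK = false>
<cfif getUser.recordCount eq 1>
    <!--- Same salt + same algorithm = same hex string if the password is right --->
    <cfset candidate = hash(getUser.salt & form.password, "SHA-256")>
    <!--- compare() is case-sensitive; hash() always emits upper-case hex, so both sides agree --->
    <cfif compare(candidate, getUser.password) eq 0>
        <cfset loginOK = true>
        <cfset session.User_ID = getUser.user_ID>
    </cfif>
</cfif>
<!--- The row is looked up by email and the hash compared in CF, rather than
      "WHERE password = #hash(...)#": the stored hash never travels into a query,
      and a wrong password and an unknown email take the same code path. --->
```

The same two lines (`generateSecretKey("AES")` for the salt, `hash(salt & password, "SHA-256")` for the digest) are what a change-password page must run as well, otherwise the login check above can no longer match what was stored.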
 
LVL 2

Author Comment

by:Panos
ID: 22612550
Hi azadisaryev.
It seems that most ColdFusion developers prefer the hash function.
I did not check the old password because I have difficulties doing this.

So I need in the update page a query to get the values for the user:
<cfquery name="getuserdata" datasource="#dsn#">
SELECT user_ID,Firstname ,Lastname,email,password
WHERE User_ID = <cfqueryparam value="#SESSION.User_ID#" cfsqltype="cf_sql_numeric">
</cfquery>
And the UPDATE code:
<cfquery name="Updateuser" datasource="#dsn#">
UPDATE users
SET
Firstname=<cfqueryparam value="#Form.Firstname#" CFSQLType="CF_SQL_VARCHAR" >,
Lastname=<cfqueryparam value="#Form.Lastname#" CFSQLType="CF_SQL_VARCHAR" >,
Email= <cfqueryparam value="#Form.email#" CFSQLType="CF_SQL_VARCHAR" >,
Password=<cfqueryparam value="#hash(Form.password)#" CFSQLType="CF_SQL_VARCHAR" >
WHERE User_ID = <cfqueryparam value="#SESSION.User_ID#" cfsqltype="cf_sql_numeric">
</cfquery>
Can you please check the code I tried to write, and fill in the update form?
 
LVL 27

Expert Comment

by:azadisaryev
ID: 22612573
yes, I mostly use hash() as well...
is your update page user-accessed? I mean, will the user fill out the update form and submit it, or is it just for you to update all passwords currently in the db to use hash encryption?

the update query syntax looks fine. I would probably use the cf_sql_integer data type for user_id, but otherwise it looks fine...
your select query, however, is missing the FROM clause...
 
LVL 2

Author Comment

by:Panos
ID: 22612689
The update page is user accessed.
(In the SELECT I did not use the hash function for the password. Is that wrong or not?)
Is the update form like this?
<form id="form1" name="form1" method="post" action="updateuser.cfm">
New Password:
<input type="password" name="password" id="password" value="<cfoutput>#getuserdata.password#</cfoutput>" /><br />
Firstname:<input type="text" name="Firstname" id="Firstname" value="<cfoutput>#getuserdata.Firstname#</cfoutput>" /><br />
Lastname:<input type="text" name="Lastname" id="Lastname" value="<cfoutput>#getuserdata.Lastname#</cfoutput>" /><br />
email:<input type="text" name="email" id="email" value="<cfoutput>#getuserdata.email#</cfoutput>" /><br />
<input type="Submit" name="Submitbutton" id="Submitbutton" value="Update" />
</form>
 
LVL 27

Assisted Solution

by:azadisaryev
azadisaryev earned 500 total points
ID: 22612859
yep, something like that, just a couple of things:
a) better put one <cfoutput> block around the whole form instead of multiple cfoutputs around field values
b) for a NEW password, you probably do not want to pre-populate the field with the old one, do you? just leave it blank.
c) I would probably add a Confirm Password field to the form as well, just to safeguard against typos...

and, no, do not use hash() in the SELECT query. you probably do not even need to select the password field, since you will not be using the current password anywhere.

I assume you have some form data validation code on your action page to check that the data is correct and all required fields have been filled in...

I would also probably modify the UPDATE query to update the password only if a new password has been entered and it matches the confirm password value... just a simple cfif will do:
UPDATE ...
SET
.... = ...,
<cfif len(trim(form.password))>password = <cfqueryparam ....>,</cfif>
....
WHERE ....

hth
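The update page as the assisted solution sketches it (one cfoutput around the form, a blank New Password field plus a Confirm field, server-side validation, and a cfif so the password column is only touched when a new password was entered and confirmed), written out as an added example. This is not the thread's code. It assumes `session.User_ID` was set at login, the `users` table has the same `salt` column (assumed name) used at registration, the datasource `#dsn#`, and a `getuserdata` query that selected Firstname, Lastname and email for the current user. When the password changes, a fresh salt is generated with it, so the stored pair stays consistent with whatever the login page hashes.

```cfml
<!--- Added example, not the thread's code. Assumes session.User_ID is set at
      login, the users table has a "salt" column (assumed name) alongside
      "password", the datasource #dsn#, and a getuserdata query holding the
      current user's Firstname, Lastname and email. --->

<!--- ===== update.cfm: one cfoutput around the whole form, password fields left blank ===== --->
<cfoutput>
<form method="post" action="updateuser.cfm">
  Firstname: <input type="text" name="firstname" value="#htmlEditFormat(getuserdata.Firstname)#" /><br />
  Lastname:  <input type="text" name="lastname"  value="#htmlEditFormat(getuserdata.Lastname)#" /><br />
  email:     <input type="text" name="email"     value="#htmlEditFormat(getuserdata.email)#" /><br />
  New Password:         <input type="password" name="password"        value="" /><br />
  Confirm new Password: <input type="password" name="confirmpassword" value="" /><br />
  <input type="submit" name="Submitbutton" value="Update" />
</form>
</cfoutput>

<!--- ===== updateuser.cfm: validate, then update the password only when one was entered ===== --->
<cfparam name="form.password" default="">
<cfparam name="form.confirmpassword" default="">
<cfset errors = arrayNew(1)>
<cfif not len(trim(form.firstname))><cfset arrayAppend(errors, "Firstname is required")></cfif>
<cfif not len(trim(form.email))><cfset arrayAppend(errors, "email is required")></cfif>

<!--- A password is optional on update; if one was typed it must match the confirmation --->
<cfset changePassword = len(trim(form.password)) gt 0>
<cfif changePassword and compare(form.password, form.confirmpassword) neq 0>
    <cfset arrayAppend(errors, "Passwords do not match")>
</cfif>

<cfif arrayLen(errors) eq 0>
    <cfif changePassword>
        <!--- New salt with the new password; same scheme the login page verifies against --->
        <cfset salt = generateSecretKey("AES")>
        <cfset pwHash = hash(salt & form.password, "SHA-256")>
    </cfif>
    <cfquery name="Updateuser" datasource="#dsn#">
        UPDATE users
        SET Firstname = <cfqueryparam value="#form.firstname#" cfsqltype="cf_sql_varchar">,
            Lastname  = <cfqueryparam value="#form.lastname#"  cfsqltype="cf_sql_varchar">,
            Email     = <cfqueryparam value="#form.email#"     cfsqltype="cf_sql_varchar">
            <cfif changePassword>
            , password = <cfqueryparam value="#pwHash#" cfsqltype="cf_sql_varchar">
            , salt     = <cfqueryparam value="#salt#"   cfsqltype="cf_sql_varchar">
            </cfif>
        WHERE User_ID = <cfqueryparam value="#session.User_ID#" cfsqltype="cf_sql_integer">
    </cfquery>
<cfelse>
    <cfoutput>
    <ul><cfloop array="#errors#" index="e"><li>#htmlEditFormat(e)#</li></cfloop></ul>
    </cfoutput>
</cfif>
```

The WHERE clause is driven by `session.User_ID`, never by a form or URL value, so a user can only ever update their own row; the SELECT feeding the form does not need the password column at all, and the hash is only ever written, never read back into a page.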
 
LVL 2

Author Closing Comment

by:Panos
ID: 31501880
Hi again.
I did not fully understand the update query with the cfif tag, but if I have problems I will ask a new question.
thank you
panos