Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 274
  • Last Modified:

encrypt password in coldfusion

Hello experts.
I have one registration page with the registration form and the password field.
My Insert query is:

<cfquery name="InsertUser" datasource="#dsn#">
INSERT INTO users (Firstname,Lastname,email,password)
VALUES
('#Form.Firstname#','#Form.Lastname#','#Form.email#','#Form.password#')
</cfquery>

Now i want first to encrypt the password in the DB  and second how can i get and change the
encrypted password on the update page?
(i have cf8 and use MSSQL )

the register form:(register.cfm)
<form method="post" name="RegForm"  id="RegForm">
<table width="496" border="1">
  <tr>
    <td width="150">firstname</td>
    <td width="330"><label>
      <input type="text" name="firstname" id="firstname" />
    </label></td>
  </tr>
  <tr>
    <td>Lastname</td>
    <td><label>
      <input type="text" name="lastname" id="lastname" />
    </label></td>
  </tr>
  <tr>
    <td>email</td>
    <td><label>
      <input type="text" name="email" id="email" />
    </label></td>
  </tr>
  <tr>
    <td>password</td>
    <td><label>
      <input type="password" name="password" id="password" />
    </label></td>
  </tr>
  <tr>
    <td>&nbsp;</td>
    <td><label>
      <input type="submit" name="button" id="register" value="register" />
    </label></td>
  </tr>
</table>
</form>the update form:(update.cfm)
<form id="form1" name="form1" method="post" action="">
        <table width="359" cellpadding="0" cellspacing="0">
          <tr>
            <td>New Password</td>
            <td><input type="password" name="password" id="password" /></td>
          </tr>
          <tr>
            <td>Confirm new Password</td>
            <td><input type="password" name="confirmpassword" id="confirmpassword" /></td>
          </tr>
          <tr>
            <td><input type="Submit" name="Submitbutton" id="Submitbutton" value="Update" /></td>
            <td>&nbsp;</td>
          </tr>
        </table>
      </form>

Open in new window

0
Panos
Asked:
Panos
  • 3
  • 3
2 Solutions
 
azadisaryevCommented:
well, CF has encrypt() and hash() functions for starters... check cfml reference manual for details on how to use them and encryption options.

use the function you prefer on your #FORM.password# when you insert the data in your db. e.g:
<cfquery name="InsertUser" datasource="#dsn#">
INSERT INTO users (Firstname,Lastname,email,password)
VALUES
('#Form.Firstname#','#Form.Lastname#','#Form.email#','#hash(Form.password)#')
</cfquery>
make sure your password field in the db allows appropriate length strings to be stored.
and please please please use <cfqueryparam> in your queries!!!

on the update side, you do not seem to check the old password, at least not in the code you posted, so you do not really need to decrypt the old password, do you?

just remember to also encrypt the password submitted by user at login when you check it against the password stored in the db.

hth
0
 
PanosAuthor Commented:
Hi azadisayev.
It seems that most of the coldfusion developers prefer the hash function.
I did not check the old password because i have difficulties to do this.

So  i need in the update page a query to get the values from the user:
<cfquery name="getuserdata" datasource="#dsn#">
SELECT user_ID,Firstname ,Lastname,email,password
WHERE User_ID = <cfqueryparam value="#SESSION.User_ID#" cfsqltype="cf_sql_numeric">
</cfquery>
And the UPDATE code:
<cfquery name="Updateuser" datasource="#dsn#">
UPDATE users
SET
Firstname=<cfqueryparam value="#Form.Firstname#' CFSQLType="CF_SQL_VARCHAR" >,
Lastname=<cfqueryparam value="#Form.Lastname#' CFSQLType="CF_SQL_VARCHAR" >,
Email= <cfqueryparam value="#Form.Lastname#" CFSQLType="CF_SQL_VARCHAR" >,
Password=<cfqueryparam value='#hash(Form.password)#' CFSQLType="CF_SQL_VARCHAR" >
WHERE User_ID = <cfqueryparam value="#SESSION.User_ID#" cfsqltype="cf_sql_numeric">
</cfquery>
Can you please check the code i tried to write and fill the update form?
0
 
azadisaryevCommented:
yes, i mostly use hash() as well...
is your update page user-accessed? i mean, will the user fill out the update form and submit it or is it just for you to update all passwords currently in the db to use hash encryption?

the update query syntax looks fine. i would probably use cf_sql_integer data type for user_id, but otherwise it looks fine...
your select query, however, is missing the FROM clause...
0
NEW Veeam Agent for Microsoft Windows

Backup and recover physical and cloud-based servers and workstations, as well as endpoint devices that belong to remote users. Avoid downtime and data loss quickly and easily for Windows-based physical or public cloud-based workloads!

 
PanosAuthor Commented:
The update page is user accessed
(In the SELECT  i did not use the hash tag for the password.It must be wrong or not.)
Is the update form like this?
<form id="form1" name="form1" method="post" action="updateuser.cfm">
   New Password:
  <input type="password" name="password" id="password" value="<cfoutput>#getuserdata.password#</cfoutput></br>
Firstname:<input type="text" name="Firstname" id="Firstname" value="<cfoutput>#getuserdata.Firstname#</cfoutput></br>
Lastname:<input type="text" name="Lastname" id="Lastname" value="<cfoutput>#getuserdata.Lastname#</cfoutput></br>
email:<input type="text" name="email" id="email" value="<cfoutput>#getuserdata.email#</cfoutput></br>
  <input type="Submit" name="Submitbutton" id="Submitbutton" value="Update" />
             </form>
0
 
azadisaryevCommented:
yep, something like that, just a couple of things:
a) better put one <cfoutput> block around the whole form instead of multiple cfoutputs around field vaues
b) for a NEW password, you probably do not want to pre-populate the field with the old one, do you? just leave it blank.
c) i would probably add a Confirm Password field to the form as well, just to safeguard against typos...

and, no, do not use hash() in the SELECT query. you probably do not even need to select the password field since you will not be using the current password anywhere.

i assume you have some form data validation code on your action page to check that the data is correct and all required fields have been filled-in...

i would also probably modify the UPDATE query to update the password only if a new password has been entered and it matches confirm password value... just a simple cfif will do:
UPDATE ...
SET
.... = ...,
<cfif len(trim(form.password))>password = <cfqueryparam ....>,</cfif>
....
WHERE ....

hth
0
 
PanosAuthor Commented:
Hi again.
I did not understand enough the update function with the cfif tag but if i will problems i will make a new question.
thank you
panos
0

Featured Post

NFR key for Veeam Agent for Linux

Veeam is happy to provide a free NFR license for one year.  It allows for the non‑production use and valid for five workstations and two servers. Veeam Agent for Linux is a simple backup tool for your Linux installations, both on‑premises and in the public cloud.

  • 3
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now