Solved

encrypt password in coldfusion

Posted on 2008-10-01
6
264 Views
Last Modified: 2013-12-24
Hello experts.
I have one registration page with the registration form and the password field.
My Insert query is:

<cfquery name="InsertUser" datasource="#dsn#">
INSERT INTO users (Firstname,Lastname,email,password)
VALUES
('#Form.Firstname#','#Form.Lastname#','#Form.email#','#Form.password#')
</cfquery>

Now I want, first, to encrypt the password in the DB, and second, how can I get and change the
encrypted password on the update page?
(I have CF8 and use MSSQL.)

The register form (register.cfm):
<form method="post" name="RegForm"  id="RegForm">
<table width="496" border="1">
  <tr>
    <td width="150">firstname</td>
    <td width="330"><label>
      <input type="text" name="firstname" id="firstname" />
    </label></td>
  </tr>
  <tr>
    <td>Lastname</td>
    <td><label>
      <input type="text" name="lastname" id="lastname" />
    </label></td>
  </tr>
  <tr>
    <td>email</td>
    <td><label>
      <input type="text" name="email" id="email" />
    </label></td>
  </tr>
  <tr>
    <td>password</td>
    <td><label>
      <input type="password" name="password" id="password" />
    </label></td>
  </tr>
  <tr>
    <td>&nbsp;</td>
    <td><label>
      <input type="submit" name="button" id="register" value="register" />
    </label></td>
  </tr>
</table>
</form>

The update form (update.cfm):
<form id="form1" name="form1" method="post" action="">
        <table width="359" cellpadding="0" cellspacing="0">
          <tr>
            <td>New Password</td>
            <td><input type="password" name="password" id="password" /></td>
          </tr>
          <tr>
            <td>Confirm new Password</td>
            <td><input type="password" name="confirmpassword" id="confirmpassword" /></td>
          </tr>
          <tr>
            <td><input type="Submit" name="Submitbutton" id="Submitbutton" value="Update" /></td>
            <td>&nbsp;</td>
          </tr>
        </table>
      </form>


Question by:Panos
6 Comments
 
LVL 27

Accepted Solution

by:
azadisaryev earned 500 total points
ID: 22612460
well, CF has encrypt() and hash() functions for starters... check cfml reference manual for details on how to use them and encryption options.

use the function you prefer on your #FORM.password# when you insert the data in your db. e.g:
<cfquery name="InsertUser" datasource="#dsn#">
INSERT INTO users (Firstname,Lastname,email,password)
VALUES
('#Form.Firstname#','#Form.Lastname#','#Form.email#','#hash(Form.password)#')
</cfquery>
make sure your password field in the db allows appropriate length strings to be stored.
and please please please use <cfqueryparam> in your queries!!!

on the update side, you do not seem to check the old password, at least not in the code you posted, so you do not really need to decrypt the old password, do you?

just remember to also encrypt the password submitted by user at login when you check it against the password stored in the db.

hth
0
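The insert-with-hash and check-at-login flow the accepted answer describes, written out as an added example (not code from the thread or from azadisaryev). It goes a step beyond the answer's plain `hash(Form.password)`: `hash()` defaults to MD5, so the example passes "SHA-256" as the algorithm and prefixes a random per-user salt, which means two users with the same password get different stored values. Assumptions: the thread's `#dsn#` datasource and `users` table, an extra varchar column named `salt` to hold the per-user salt, and the hypothetical file names `register_action.cfm` and `login_action.cfm` shown in the comments; the two action pages are shown back to back in one block.

```cfml
<!--- register_action.cfm (hypothetical file name): action page for the RegForm in
      the question. Added example, not code from the thread. Assumes the thread's
      #dsn# datasource and users table, plus an extra varchar column "salt"
      (an assumption) that holds a per-user random salt. --->
<cfparam name="form.firstname" default="">
<cfparam name="form.lastname" default="">
<cfparam name="form.email" default="">
<cfparam name="form.password" default="">

<!--- Minimal server-side validation: never rely on the browser form alone --->
<cfif NOT len(trim(form.password)) OR NOT isValid("email", trim(form.email))>
    <cfoutput><p>A valid e-mail address and a password are required.</p></cfoutput>
    <cfabort>
</cfif>

<!--- hash() defaults to MD5; the second argument selects SHA-256 instead.
      The random salt is stored next to the hash. The stored value is never
      "decrypted": login recomputes the hash and compares. --->
<cfset salt = hash(createUUID() & getTickCount(), "SHA-256")>
<cfset pwdHash = hash(salt & form.password, "SHA-256")>

<cfquery name="InsertUser" datasource="#dsn#">
INSERT INTO users (Firstname, Lastname, email, password, salt)
VALUES (
    <cfqueryparam value="#trim(form.firstname)#" cfsqltype="cf_sql_varchar">,
    <cfqueryparam value="#trim(form.lastname)#" cfsqltype="cf_sql_varchar">,
    <cfqueryparam value="#trim(form.email)#" cfsqltype="cf_sql_varchar">,
    <cfqueryparam value="#pwdHash#" cfsqltype="cf_sql_varchar">,
    <cfqueryparam value="#salt#" cfsqltype="cf_sql_varchar">
)
</cfquery>

<!--- login_action.cfm (hypothetical file name): the matching check at login.
      Looks the user up by e-mail, then hashes the submitted password with the
      stored salt and compares it to the stored hash. --->
<cfquery name="getUser" datasource="#dsn#">
SELECT User_ID, password, salt
FROM users
WHERE email = <cfqueryparam value="#trim(form.email)#" cfsqltype="cf_sql_varchar">
</cfquery>

<cfset loginOk = false>
<cfif getUser.recordCount EQ 1>
    <!--- compare() is case-sensitive, unlike EQ; a safer habit when checking secrets --->
    <cfset loginOk = (compare(hash(getUser.salt & form.password, "SHA-256"), getUser.password) EQ 0)>
</cfif>

<cfif loginOk>
    <cfset session.User_ID = getUser.User_ID>
<cfelse>
    <!--- Same message whether the e-mail is unknown or the password is wrong --->
    <cfoutput><p>Invalid e-mail address or password.</p></cfoutput>
</cfif>
```

On the column-length point from the answer: SHA-256 output from `hash()` is 64 hex characters, so both the `password` and `salt` columns need to be at least varchar(64). A single SHA-256 round is still a fast hash; where a slower, iterated password hashing scheme is available it is the better choice, but the salt-plus-compare pattern above stays the same.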
 
LVL 2

Author Comment

by:Panos
ID: 22612550
Hi azadisaryev.
It seems that most of the ColdFusion developers prefer the hash function.
I did not check the old password because I have difficulties doing this.

So I need in the update page a query to get the values from the user:
<cfquery name="getuserdata" datasource="#dsn#">
SELECT user_ID,Firstname ,Lastname,email,password
WHERE User_ID = <cfqueryparam value="#SESSION.User_ID#" cfsqltype="cf_sql_numeric">
</cfquery>
And the UPDATE code:
<cfquery name="Updateuser" datasource="#dsn#">
UPDATE users
SET
Firstname=<cfqueryparam value="#Form.Firstname#" CFSQLType="CF_SQL_VARCHAR" >,
Lastname=<cfqueryparam value="#Form.Lastname#" CFSQLType="CF_SQL_VARCHAR" >,
Email= <cfqueryparam value="#Form.email#" CFSQLType="CF_SQL_VARCHAR" >,
Password=<cfqueryparam value="#hash(Form.password)#" CFSQLType="CF_SQL_VARCHAR" >
WHERE User_ID = <cfqueryparam value="#SESSION.User_ID#" cfsqltype="cf_sql_numeric">
</cfquery>
Can you please check the code I tried to write and fill in the update form?
0
 
LVL 27

Expert Comment

by:azadisaryev
ID: 22612573
yes, i mostly use hash() as well...
is your update page user-accessed? i mean, will the user fill out the update form and submit it or is it just for you to update all passwords currently in the db to use hash encryption?

the update query syntax looks fine. i would probably use cf_sql_integer data type for user_id, but otherwise it looks fine...
your select query, however, is missing the FROM clause...
0
 
LVL 2

Author Comment

by:Panos
ID: 22612689
The update page is user accessed.
(In the SELECT I did not use hash for the password. Is that wrong or not?)
Is the update form like this?
<form id="form1" name="form1" method="post" action="updateuser.cfm">
   New Password:
  <input type="password" name="password" id="password" value="<cfoutput>#getuserdata.password#</cfoutput>" /><br />
Firstname:<input type="text" name="Firstname" id="Firstname" value="<cfoutput>#getuserdata.Firstname#</cfoutput>" /><br />
Lastname:<input type="text" name="Lastname" id="Lastname" value="<cfoutput>#getuserdata.Lastname#</cfoutput>" /><br />
email:<input type="text" name="email" id="email" value="<cfoutput>#getuserdata.email#</cfoutput>" /><br />
  <input type="Submit" name="Submitbutton" id="Submitbutton" value="Update" />
             </form>
0
 
LVL 27

Assisted Solution

by:azadisaryev
azadisaryev earned 500 total points
ID: 22612859
yep, something like that, just a couple of things:
a) better put one <cfoutput> block around the whole form instead of multiple cfoutputs around field values
b) for a NEW password, you probably do not want to pre-populate the field with the old one, do you? just leave it blank.
c) i would probably add a Confirm Password field to the form as well, just to safeguard against typos...

and, no, do not use hash() in the SELECT query. you probably do not even need to select the password field since you will not be using the current password anywhere.

i assume you have some form data validation code on your action page to check that the data is correct and all required fields have been filled-in...

i would also probably modify the UPDATE query to update the password only if a new password has been entered and it matches confirm password value... just a simple cfif will do:
UPDATE ...
SET
.... = ...,
<cfif len(trim(form.password))>password = <cfqueryparam ....>,</cfif>
....
WHERE ....

hth
0
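The update action page that this answer sketches, as an added example (not the thread's code): the password is only changed when a new one was typed, the new value must match the confirm field, and the SET clause is built with the suggested `cfif`. Assumptions: the hypothetical file name `updateuser.cfm` (the action the author's form posts to), `session.User_ID` being set at login as in the thread, a `users` table with the thread's columns plus a `salt` column, and the same salted SHA-256 scheme as the registration example above rather than the thread's plain `hash()`.

```cfml
<!--- updateuser.cfm (hypothetical file name): action page for the update form.
      Added example, not code from the thread. Assumes session.User_ID is set at
      login and that the users table has a "salt" column (an assumption). --->
<cfparam name="form.firstname" default="">
<cfparam name="form.lastname" default="">
<cfparam name="form.email" default="">
<cfparam name="form.password" default="">
<cfparam name="form.confirmpassword" default="">

<!--- Only a logged-in user may reach this page; the row updated is the session's,
      never an id taken from the form --->
<cfif NOT isDefined("session.User_ID")>
    <cflocation url="login.cfm" addtoken="false">
</cfif>

<cfset newPassword = trim(form.password)>
<cfset changePassword = len(newPassword) GT 0>

<!--- A blank password field means "keep the current password". If one was typed,
      it has to match the confirmation field exactly (compare() is case-sensitive,
      NEQ is not). --->
<cfif changePassword AND compare(newPassword, trim(form.confirmpassword)) NEQ 0>
    <cfoutput><p>The two password fields do not match.</p></cfoutput>
    <cfabort>
</cfif>

<cfif changePassword>
    <!--- New salt with the new password; hash() would default to MD5 without the
          algorithm argument --->
    <cfset salt = hash(createUUID() & getTickCount(), "SHA-256")>
    <cfset pwdHash = hash(salt & newPassword, "SHA-256")>
</cfif>

<cfquery name="UpdateUser" datasource="#dsn#">
UPDATE users
SET
    Firstname = <cfqueryparam value="#trim(form.firstname)#" cfsqltype="cf_sql_varchar">,
    Lastname  = <cfqueryparam value="#trim(form.lastname)#" cfsqltype="cf_sql_varchar">,
    email     = <cfqueryparam value="#trim(form.email)#" cfsqltype="cf_sql_varchar">
    <cfif changePassword>
    , password = <cfqueryparam value="#pwdHash#" cfsqltype="cf_sql_varchar">
    , salt     = <cfqueryparam value="#salt#" cfsqltype="cf_sql_varchar">
    </cfif>
WHERE User_ID = <cfqueryparam value="#session.User_ID#" cfsqltype="cf_sql_integer">
</cfquery>
```

Putting the comma at the start of the conditional lines keeps the SQL valid whether or not the `cfif` branch is emitted, which is the usual stumbling block with this pattern. The form that posts here should leave the password fields empty, as the answer recommends, so the current hash never travels back to the browser.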
 
LVL 2

Author Closing Comment

by:Panos
ID: 31501880
Hi again.
I did not understand the update function with the cfif tag well enough, but if I have problems I will make a new question.
thank you
panos
0
