Solved

encrypt password in coldfusion

Posted on 2008-10-01
Medium Priority
272 Views
Last Modified: 2013-12-24
Hello experts.
I have one registration page with the registration form and the password field.
My Insert query is:

<cfquery name="InsertUser" datasource="#dsn#">
INSERT INTO users (Firstname,Lastname,email,password)
VALUES
('#Form.Firstname#','#Form.Lastname#','#Form.email#','#Form.password#')
</cfquery>

Now I want, first, to encrypt the password in the DB, and second, how can I get and change the
encrypted password on the update page?
(I have CF8 and use MSSQL.)

the register form:(register.cfm)
<form method="post" name="RegForm"  id="RegForm">
<table width="496" border="1">
  <tr>
    <td width="150">firstname</td>
    <td width="330"><label>
      <input type="text" name="firstname" id="firstname" />
    </label></td>
  </tr>
  <tr>
    <td>Lastname</td>
    <td><label>
      <input type="text" name="lastname" id="lastname" />
    </label></td>
  </tr>
  <tr>
    <td>email</td>
    <td><label>
      <input type="text" name="email" id="email" />
    </label></td>
  </tr>
  <tr>
    <td>password</td>
    <td><label>
      <input type="password" name="password" id="password" />
    </label></td>
  </tr>
  <tr>
    <td>&nbsp;</td>
    <td><label>
      <input type="submit" name="button" id="register" value="register" />
    </label></td>
  </tr>
</table>
</form>

the update form: (update.cfm)
<form id="form1" name="form1" method="post" action="">
        <table width="359" cellpadding="0" cellspacing="0">
          <tr>
            <td>New Password</td>
            <td><input type="password" name="password" id="password" /></td>
          </tr>
          <tr>
            <td>Confirm new Password</td>
            <td><input type="password" name="confirmpassword" id="confirmpassword" /></td>
          </tr>
          <tr>
            <td><input type="Submit" name="Submitbutton" id="Submitbutton" value="Update" /></td>
            <td>&nbsp;</td>
          </tr>
        </table>
      </form>

Question by:Panos
6 Comments
 
LVL 27

Accepted Solution

by:
azadisaryev earned 2000 total points
ID: 22612460
well, CF has encrypt() and hash() functions for starters... check cfml reference manual for details on how to use them and encryption options.

use the function you prefer on your #FORM.password# when you insert the data in your db. e.g:
<cfquery name="InsertUser" datasource="#dsn#">
INSERT INTO users (Firstname,Lastname,email,password)
VALUES
('#Form.Firstname#','#Form.Lastname#','#Form.email#','#hash(Form.password)#')
</cfquery>
make sure your password field in the db allows appropriate length strings to be stored.
and please please please use <cfqueryparam> in your queries!!!

on the update side, you do not seem to check the old password, at least not in the code you posted, so you do not really need to decrypt the old password, do you?

just remember to also encrypt the password submitted by the user at login when you check it against the password stored in the db.

hth
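The following is an added example by the editor, not code from the thread or from azadisaryev: the registration action page and the matching login check, written the way the accepted solution recommends, with <cfqueryparam> on every value and hash() applied on the way into the database and again at login. It goes beyond the thread in two ways a practitioner would want: hash() in CF8 defaults to MD5, so the algorithm is passed explicitly (SHA-512), and each user gets a random salt stored in an extra salt column that the users table in the question does not have. The datasource variable dsn, the users table, the User_ID column and session.User_ID come from the thread; the column widths, the page names and session management being enabled in Application.cfc are assumptions.

```cfml
<!--- Added example (editor's code, not the thread's). Assumes the users table from the question
      plus a salt column (varchar(64)) that the original page does not have, and that the
      password column is at least varchar(128). --->

<!--- registeraction.cfm : action page for the register form posted in the question --->
<cfif NOT len(trim(form.password))>
    <cfthrow message="A password is required.">
</cfif>

<!--- A random per-user salt; generateSecretKey() returns a Base64 string (ColdFusion 7+). --->
<cfset salt = generateSecretKey("AES")>

<!--- hash() defaults to MD5, so name the algorithm explicitly. SHA-512 yields 128 hex characters. --->
<cfset passwordHash = hash(salt & form.password, "SHA-512")>

<cfquery name="InsertUser" datasource="#dsn#">
    INSERT INTO users (Firstname, Lastname, email, password, salt)
    VALUES (
        <cfqueryparam value="#trim(form.firstname)#" cfsqltype="cf_sql_varchar" maxlength="50">,
        <cfqueryparam value="#trim(form.lastname)#"  cfsqltype="cf_sql_varchar" maxlength="50">,
        <cfqueryparam value="#trim(form.email)#"     cfsqltype="cf_sql_varchar" maxlength="255">,
        <cfqueryparam value="#passwordHash#"         cfsqltype="cf_sql_varchar" maxlength="128">,
        <cfqueryparam value="#salt#"                 cfsqltype="cf_sql_varchar" maxlength="64">
    )
</cfquery>

<!--- loginaction.cfm : look the user up by email only, then recompute the hash with the stored
      salt. The submitted password never goes into a WHERE clause; the comparison happens in CF. --->
<cfquery name="getUser" datasource="#dsn#">
    SELECT User_ID, password, salt
    FROM users
    WHERE email = <cfqueryparam value="#trim(form.email)#" cfsqltype="cf_sql_varchar" maxlength="255">
</cfquery>

<!--- compare() is case-sensitive and returns 0 when both strings are identical. --->
<cfif getUser.recordCount EQ 1
      AND compare(getUser.password, hash(getUser.salt & form.password, "SHA-512")) EQ 0>
    <cfset session.User_ID = getUser.User_ID>
    <cflocation url="account.cfm" addtoken="false">
<cfelse>
    <!--- Same message whether the email or the password was wrong, so the page does not
          reveal which email addresses are registered. --->
    <cfset request.loginError = "Unknown email address or wrong password.">
</cfif>
```

Two caveats. The expert's note about field length matters here: SHA-512 output is 128 hex characters, so the password column must be at least varchar(128) or the INSERT fails or truncates. And a salted SHA-512 is the best hash() alone can do in CF8; it is still a fast hash, so an attacker with a copy of the table can try many guesses per second, which is why later ColdFusion releases added generatePBKDFKey() and why a Java bcrypt library is the stronger choice where it is available.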
LVL 2

Author Comment

by:Panos
ID: 22612550
Hi azadisaryev.
It seems that most of the coldfusion developers prefer the hash function.
I did not check the old password because i have difficulties to do this.

So I need a query in the update page to get the values for the user:
<cfquery name="getuserdata" datasource="#dsn#">
SELECT user_ID,Firstname ,Lastname,email,password
WHERE User_ID = <cfqueryparam value="#SESSION.User_ID#" cfsqltype="cf_sql_numeric">
</cfquery>
And the UPDATE code:
<cfquery name="Updateuser" datasource="#dsn#">
UPDATE users
SET
Firstname=<cfqueryparam value="#Form.Firstname#" CFSQLType="CF_SQL_VARCHAR" >,
Lastname=<cfqueryparam value="#Form.Lastname#" CFSQLType="CF_SQL_VARCHAR" >,
Email= <cfqueryparam value="#Form.email#" CFSQLType="CF_SQL_VARCHAR" >,
Password=<cfqueryparam value='#hash(Form.password)#' CFSQLType="CF_SQL_VARCHAR" >
WHERE User_ID = <cfqueryparam value="#SESSION.User_ID#" cfsqltype="cf_sql_numeric">
</cfquery>
Can you please check the code I tried to write and fill in the update form?
LVL 27

Expert Comment

by:azadisaryev
ID: 22612573
yes, i mostly use hash() as well...
is your update page user-accessed? i mean, will the user fill out the update form and submit it or is it just for you to update all passwords currently in the db to use hash encryption?

the update query syntax looks fine. i would probably use cf_sql_integer data type for user_id, but otherwise it looks fine...
your select query, however, is missing the FROM clause...
LVL 2

Author Comment

by:Panos
ID: 22612689
The update page is user-accessed.
(In the SELECT I did not use the hash function for the password. Is that wrong or not?)
Is the update form like this?
<form id="form1" name="form1" method="post" action="updateuser.cfm">
   New Password:
  <input type="password" name="password" id="password" value="<cfoutput>#getuserdata.password#</cfoutput>" /><br />
Firstname:<input type="text" name="Firstname" id="Firstname" value="<cfoutput>#getuserdata.Firstname#</cfoutput>" /><br />
Lastname:<input type="text" name="Lastname" id="Lastname" value="<cfoutput>#getuserdata.Lastname#</cfoutput>" /><br />
email:<input type="text" name="email" id="email" value="<cfoutput>#getuserdata.email#</cfoutput>" /><br />
  <input type="Submit" name="Submitbutton" id="Submitbutton" value="Update" />
             </form>
LVL 27

Assisted Solution

by:azadisaryev
azadisaryev earned 2000 total points
ID: 22612859
yep, something like that, just a couple of things:
a) better put one <cfoutput> block around the whole form instead of multiple cfoutputs around field values
b) for a NEW password, you probably do not want to pre-populate the field with the old one, do you? just leave it blank.
c) i would probably add a Confirm Password field to the form as well, just to safeguard against typos...

and, no, do not use hash() in the SELECT query. you probably do not even need to select the password field since you will not be using the current password anywhere.

i assume you have some form data validation code on your action page to check that the data is correct and all required fields have been filled-in...

i would also probably modify the UPDATE query to update the password only if a new password has been entered and it matches confirm password value... just a simple cfif will do:
UPDATE ...
SET
.... = ...,
<cfif len(trim(form.password))>password = <cfqueryparam ....>,</cfif>
....
WHERE ....

hth
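An added example by the editor, not azadisaryev's own code: a complete updateuser.cfm action page for the update form in this thread, carrying out the cfif approach the comment above sketches. The password is rewritten only when a non-blank new password was entered and it matches the confirmation field; the other columns are always updated, every value goes through <cfqueryparam>, and User_ID uses cf_sql_integer as the expert suggested. It assumes a salt column next to password (not in the original users table) so that a new salt can be stored with each new password, that login set session.User_ID, and that dsn is the thread's datasource variable; the column widths and the login page name are assumptions too.

```cfml
<!--- updateuser.cfm : added example (editor's code, not the expert's). Assumes the users table
      from the thread plus a salt column, and session.User_ID set at login. --->

<!--- Only a logged-in user may reach this page. --->
<cfif NOT structKeyExists(session, "User_ID")>
    <cflocation url="login.cfm" addtoken="false">
</cfif>

<cfparam name="form.password" default="">
<cfparam name="form.confirmpassword" default="">
<cfset errors = arrayNew(1)>

<!--- Required fields: the basic validation the expert assumes exists on the action page. --->
<cfif NOT len(trim(form.firstname))>
    <cfset arrayAppend(errors, "First name is required.")>
</cfif>
<cfif NOT len(trim(form.lastname))>
    <cfset arrayAppend(errors, "Last name is required.")>
</cfif>
<cfif NOT isValid("email", form.email)>
    <cfset arrayAppend(errors, "A valid email address is required.")>
</cfif>

<!--- A new password is optional; when one is given it must match its confirmation exactly
      (compare() is case-sensitive and returns 0 for identical strings). --->
<cfset changePassword = len(trim(form.password)) GT 0>
<cfif changePassword AND compare(form.password, form.confirmpassword) NEQ 0>
    <cfset arrayAppend(errors, "The new password and its confirmation do not match.")>
</cfif>

<cfif arrayLen(errors)>
    <cfoutput>
    <ul>
        <cfloop array="#errors#" index="msg">
            <li>#htmlEditFormat(msg)#</li>
        </cfloop>
    </ul>
    </cfoutput>
    <cfabort>
</cfif>

<!--- Rotate the salt whenever the password changes; hash() defaults to MD5, so name the algorithm. --->
<cfif changePassword>
    <cfset salt = generateSecretKey("AES")>
    <cfset passwordHash = hash(salt & form.password, "SHA-512")>
</cfif>

<!--- The password columns are only part of the SET list when a new password was supplied;
      keeping the commas inside the cfif avoids a trailing-comma syntax error. --->
<cfquery name="UpdateUser" datasource="#dsn#">
    UPDATE users
    SET Firstname = <cfqueryparam value="#trim(form.firstname)#" cfsqltype="cf_sql_varchar" maxlength="50">,
        Lastname  = <cfqueryparam value="#trim(form.lastname)#"  cfsqltype="cf_sql_varchar" maxlength="50">,
        Email     = <cfqueryparam value="#trim(form.email)#"     cfsqltype="cf_sql_varchar" maxlength="255">
        <cfif changePassword>
        , password = <cfqueryparam value="#passwordHash#" cfsqltype="cf_sql_varchar" maxlength="128">
        , salt     = <cfqueryparam value="#salt#"         cfsqltype="cf_sql_varchar" maxlength="64">
        </cfif>
    WHERE User_ID = <cfqueryparam value="#session.User_ID#" cfsqltype="cf_sql_integer">
</cfquery>
```

The form that posts to this page should leave the password field blank rather than pre-filling it with the stored hash, as the expert notes; nothing in the hash is useful to the user, and echoing it into the HTML hands it to anyone who can view the page source. If the asker later wants the current-password check he mentioned, it is the same recompute-and-compare() step used at login, run against the row for session.User_ID before the UPDATE.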
LVL 2

Author Closing Comment

by:Panos
ID: 31501880
Hi again.
I did not fully understand the update with the cfif tag, but if I have problems I will ask a new question.
thank you
panos
Question has a verified solution.
