Solved

encrypt password in coldfusion

Posted on 2008-10-01
Last Modified: 2013-12-24
Hello experts.
I have one registration page with the registration form and the password field.
My Insert query is:

<cfquery name="InsertUser" datasource="#dsn#">
INSERT INTO users (Firstname,Lastname,email,password)
VALUES
('#Form.Firstname#','#Form.Lastname#','#Form.email#','#Form.password#')
</cfquery>

Now I want, first, to encrypt the password in the DB, and second, how can I get and change the
encrypted password on the update page?
(I have CF8 and use MSSQL.)

The register form (register.cfm):
<form method="post" name="RegForm"  id="RegForm">
<table width="496" border="1">
  <tr>
    <td width="150">firstname</td>
    <td width="330"><label>
      <input type="text" name="firstname" id="firstname" />
    </label></td>
  </tr>
  <tr>
    <td>Lastname</td>
    <td><label>
      <input type="text" name="lastname" id="lastname" />
    </label></td>
  </tr>
  <tr>
    <td>email</td>
    <td><label>
      <input type="text" name="email" id="email" />
    </label></td>
  </tr>
  <tr>
    <td>password</td>
    <td><label>
      <input type="password" name="password" id="password" />
    </label></td>
  </tr>
  <tr>
    <td>&nbsp;</td>
    <td><label>
      <input type="submit" name="button" id="register" value="register" />
    </label></td>
  </tr>
</table>
</form>

The update form (update.cfm):
<form id="form1" name="form1" method="post" action="">
        <table width="359" cellpadding="0" cellspacing="0">
          <tr>
            <td>New Password</td>
            <td><input type="password" name="password" id="password" /></td>
          </tr>
          <tr>
            <td>Confirm new Password</td>
            <td><input type="password" name="confirmpassword" id="confirmpassword" /></td>
          </tr>
          <tr>
            <td><input type="Submit" name="Submitbutton" id="Submitbutton" value="Update" /></td>
            <td>&nbsp;</td>
          </tr>
        </table>
      </form>

Question by:Panos
6 Comments
 
LVL 27

Accepted Solution

by:
azadisaryev earned 500 total points
ID: 22612460
Well, CF has encrypt() and hash() functions for starters... check the CFML reference manual for details on how to use them and the encryption options.

Use the function you prefer on your #FORM.password# when you insert the data into your db, e.g.:
<cfquery name="InsertUser" datasource="#dsn#">
INSERT INTO users (Firstname,Lastname,email,password)
VALUES
('#Form.Firstname#','#Form.Lastname#','#Form.email#','#hash(Form.password)#')
</cfquery>
Make sure your password field in the db allows strings of the appropriate length to be stored.
And please please please use <cfqueryparam> in your queries!!!

On the update side, you do not seem to check the old password, at least not in the code you posted, so you do not really need to decrypt the old password, do you?

Just remember to also encrypt the password submitted by the user at login when you check it against the password stored in the db.

hth
0
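A complete register action page that puts the accepted answer into practice, as an added example (not code from the thread): it validates the form on the server, hashes the password with a per-user random salt via hash(..., "SHA-256") instead of the MD5 default, and binds every value with <cfqueryparam>. The page name registeraction.cfm, the extra password_salt column, the maxlength values and the dsn variable are assumptions.

```cfml
<!--- registeraction.cfm: action page for register.cfm (added example, not from the thread).
      Assumes a users table with columns Firstname, Lastname, email, password and an extra
      password_salt column (assumed; the thread's table has no salt column). --->
<cfparam name="form.firstname" default="">
<cfparam name="form.lastname" default="">
<cfparam name="form.email" default="">
<cfparam name="form.password" default="">

<!--- Server-side validation: the browser form can be bypassed, so never trust it --->
<cfset errors = arrayNew(1)>
<cfif NOT len(trim(form.firstname))><cfset arrayAppend(errors, "First name is required.")></cfif>
<cfif NOT len(trim(form.lastname))><cfset arrayAppend(errors, "Last name is required.")></cfif>
<cfif NOT isValid("email", form.email)><cfset arrayAppend(errors, "A valid email address is required.")></cfif>
<cfif len(form.password) LT 8><cfset arrayAppend(errors, "Password must be at least 8 characters.")></cfif>

<cfif arrayLen(errors)>
    <cfoutput><ul><cfloop array="#errors#" index="e"><li>#htmlEditFormat(e)#</li></cfloop></ul></cfoutput>
    <cfabort>
</cfif>

<!--- Per-user random salt: two users with the same password get different hashes, and a
      precomputed table of plain hashes is useless. hash() with no algorithm argument is MD5;
      SHA-256 is available in CF7 and later and yields 64 hex characters. --->
<cfset salt = createUUID()>
<cfset pwHash = hash(salt & form.password, "SHA-256")>

<!--- cfqueryparam binds the values instead of splicing them into the SQL text --->
<cfquery name="InsertUser" datasource="#dsn#">
    INSERT INTO users (Firstname, Lastname, email, password, password_salt)
    VALUES (
        <cfqueryparam value="#trim(form.firstname)#" cfsqltype="cf_sql_varchar" maxlength="50">,
        <cfqueryparam value="#trim(form.lastname)#" cfsqltype="cf_sql_varchar" maxlength="50">,
        <cfqueryparam value="#trim(form.email)#" cfsqltype="cf_sql_varchar" maxlength="255">,
        <cfqueryparam value="#pwHash#" cfsqltype="cf_sql_char" maxlength="64">,
        <cfqueryparam value="#salt#" cfsqltype="cf_sql_char" maxlength="35">
    )
</cfquery>
<cflocation url="registered.cfm" addtoken="no">
```

The password column must be at least 64 characters wide for the SHA-256 hex digest, which is the length point the answer raises.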
 
LVL 2

Author Comment

by:Panos
ID: 22612550
Hi azadisaryev.
It seems that most ColdFusion developers prefer the hash function.
I did not check the old password because I have difficulty doing this.

So I need, on the update page, a query to get the values for the user:
<cfquery name="getuserdata" datasource="#dsn#">
SELECT user_ID,Firstname ,Lastname,email,password
WHERE User_ID = <cfqueryparam value="#SESSION.User_ID#" cfsqltype="cf_sql_numeric">
</cfquery>
And the UPDATE code:
<cfquery name="Updateuser" datasource="#dsn#">
UPDATE users
SET
Firstname=<cfqueryparam value="#Form.Firstname#" CFSQLType="CF_SQL_VARCHAR" >,
Lastname=<cfqueryparam value="#Form.Lastname#" CFSQLType="CF_SQL_VARCHAR" >,
Email= <cfqueryparam value="#Form.email#" CFSQLType="CF_SQL_VARCHAR" >,
Password=<cfqueryparam value="#hash(Form.password)#" CFSQLType="CF_SQL_VARCHAR" >
WHERE User_ID = <cfqueryparam value="#SESSION.User_ID#" cfsqltype="cf_sql_numeric">
</cfquery>
Can you please check the code I tried to write and fill in the update form?
0
 
LVL 27

Expert Comment

by:azadisaryev
ID: 22612573
Yes, I mostly use hash() as well...
Is your update page user-accessed? I mean, will the user fill out the update form and submit it, or is it just for you to update all passwords currently in the db to use hash encryption?

The update query syntax looks fine. I would probably use the cf_sql_integer data type for user_id, but otherwise it looks fine...
Your select query, however, is missing the FROM clause...
0
 
LVL 2

Author Comment

by:Panos
ID: 22612689
The update page is user-accessed.
(In the SELECT I did not use the hash function for the password. Is that wrong or not?)
Is the update form like this?
<form id="form1" name="form1" method="post" action="updateuser.cfm">
  New Password:
  <input type="password" name="password" id="password" value="<cfoutput>#getuserdata.password#</cfoutput>" /><br />
  Firstname:<input type="text" name="Firstname" id="Firstname" value="<cfoutput>#getuserdata.Firstname#</cfoutput>" /><br />
  Lastname:<input type="text" name="Lastname" id="Lastname" value="<cfoutput>#getuserdata.Lastname#</cfoutput>" /><br />
  email:<input type="text" name="email" id="email" value="<cfoutput>#getuserdata.email#</cfoutput>" /><br />
  <input type="Submit" name="Submitbutton" id="Submitbutton" value="Update" />
</form>
0
 
LVL 27

Assisted Solution

by:azadisaryev
azadisaryev earned 500 total points
ID: 22612859
Yep, something like that, just a couple of things:
a) better put one <cfoutput> block around the whole form instead of multiple cfoutputs around field values
b) for a NEW password, you probably do not want to pre-populate the field with the old one, do you? Just leave it blank.
c) I would probably add a Confirm Password field to the form as well, just to safeguard against typos...

And, no, do not use hash() in the SELECT query. You probably do not even need to select the password field, since you will not be using the current password anywhere.

I assume you have some form data validation code on your action page to check that the data is correct and all required fields have been filled in...

I would also probably modify the UPDATE query to update the password only if a new password has been entered and it matches the confirm password value... just a simple cfif will do:
UPDATE ...
SET
.... = ...,
<cfif len(trim(form.password))>password = <cfqueryparam ....>,</cfif>
....
WHERE ....

hth
0
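The conditional UPDATE sketched above, carried through as an added example (not the thread's code): the password clause is emitted only when a new password was entered and matches the confirmation, and the current password is verified by recomputing its hash rather than decrypting anything, which is the same check the login page needs. It assumes passwords were stored as hash(salt & password, "SHA-256") with the salt in an assumed password_salt column, that session.User_ID is set at login, and that the update form has an extra currentpassword field; the page name updateuser.cfm comes from the form's action attribute.

```cfml
<!--- updateuser.cfm: action page for the update form (added example, not from the thread).
      Assumed: users table with password (SHA-256 hex) and password_salt columns, session.User_ID
      set at login, and a currentpassword field added to the form. --->
<cfparam name="form.firstname" default="">
<cfparam name="form.lastname" default="">
<cfparam name="form.email" default="">
<cfparam name="form.currentpassword" default="">
<cfparam name="form.password" default="">
<cfparam name="form.confirmpassword" default="">

<!--- A blank new-password field means "keep the current password" --->
<cfset changePassword = len(trim(form.password)) GT 0>

<cfif changePassword>
    <!--- Confirm field guards against typos; compare() is case-sensitive, unlike EQ --->
    <cfif compare(form.password, form.confirmpassword) NEQ 0>
        <cfoutput>The new password and its confirmation do not match.</cfoutput><cfabort>
    </cfif>
    <!--- Verify the current password without decrypting anything: recompute the hash from the
          stored salt and the submitted value, then compare it with the stored hash --->
    <cfquery name="getUser" datasource="#dsn#">
        SELECT password, password_salt FROM users
        WHERE User_ID = <cfqueryparam value="#session.User_ID#" cfsqltype="cf_sql_integer">
    </cfquery>
    <cfif getUser.recordCount NEQ 1
          OR compare(hash(getUser.password_salt & form.currentpassword, "SHA-256"), getUser.password) NEQ 0>
        <cfoutput>The current password is incorrect.</cfoutput><cfabort>
    </cfif>
    <!--- Fresh salt on every password change, hashed the same way as at registration --->
    <cfset newSalt = createUUID()>
    <cfset newHash = hash(newSalt & form.password, "SHA-256")>
</cfif>

<cfquery name="UpdateUser" datasource="#dsn#">
    UPDATE users
    SET Firstname = <cfqueryparam value="#trim(form.firstname)#" cfsqltype="cf_sql_varchar" maxlength="50">,
        Lastname  = <cfqueryparam value="#trim(form.lastname)#" cfsqltype="cf_sql_varchar" maxlength="50">,
        Email     = <cfqueryparam value="#trim(form.email)#" cfsqltype="cf_sql_varchar" maxlength="255">
        <!--- the cfif adds the password columns to the SQL only when a new password was accepted --->
        <cfif changePassword>
        , password      = <cfqueryparam value="#newHash#" cfsqltype="cf_sql_char" maxlength="64">
        , password_salt = <cfqueryparam value="#newSalt#" cfsqltype="cf_sql_char" maxlength="35">
        </cfif>
    WHERE User_ID = <cfqueryparam value="#session.User_ID#" cfsqltype="cf_sql_integer">
</cfquery>
<cflocation url="update.cfm?saved=1" addtoken="no">
```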
 
LVL 2

Author Closing Comment

by:Panos
ID: 31501880
Hi again.
I did not understand the update with the cfif tag well enough, but if I have problems I will make a new question.
Thank you,
Panos
0
