Encrypt() & SQL Server

Status
Not open for further replies.

webmigit

Programmer
Aug 3, 2001
2,027
US
Ok I had this problem a while back and I still have it and have never been fully satisfied with the fix..

For some reason, when I submit certain texts to be encrypted, the script trips up.. I think that it is somehow single quotes that are doing it.

Here's my question.. Has anyone else had a problem like this with encrypt and SQL Server? Were you able to fix it?

The only solution I have found is to use the similar (undocumented) function cfusion_encrypt but apparently that encryption is not as strong..

ALFII.com
---------------------
If this post answered or helped to answer your question, please reply with such so that forum members with a similar question will know to use this advice.
 
Good News Everyone..

I made it work..

When I send the message, I encrypt and then URLEncode:
Code:
      insert into Messages(mfrom,mto,msubject,mMessage)
      values('#sid#','#form.mTo#','#form.mSubject#','#urlencodedformat(encrypt(form.mMessage,enckey))#')

And then when I read the message.. I decode and then I decrypt

Code:
      decrypt(urldecode(mmessage),enckey)

Tony

ALFII.com
---------------------
If this post answered or helped to answer your question, please reply with such so that forum members with a similar question will know to use this advice.
 
Hey guys,

Hi,

I am using the Encrypt/Decrypt functions in ColdFusion MX to secure password fields in my database. I am using a password key that is established in the application.cfm document, or a field in the database.

I need a safe place to hide my password key value because if someone gets in to view my code they know the password key, and if they get into the database they have the encrypted values for the passwords. If someone has the key and the encrypted value, they can run the decrypt function themselves.

How can I hide that "password key" value so my CF pages can access it, but it is secure from prying eyes?

Thanks!
 
Hash your passwords..

The way it works is this..

You #hash(form.password)# (or whatever your variable name is) when you insert it into your db.. That's unencryptable encryption.. the way then to detect if the password is correct is to hash the password for logging in and match it..

Remember though hashing is case sensitive.. Hash would create a different value than hash, HASH, hAsh, etc..


ALFII.com
---------------------
If this post answered or helped to answer your question, please reply with such so that forum members with a similar question will know to use this advice.
 
hey webmigit,

i saw your idea for using encrypt and urlencodedformat and i decided to use it to hide all of the URL variables in my application, it works well but i think i've run into a problem. In my case, the result of the Encrypt function produces a +(plus) sign in many cases, then the URLEncode i think turns that plus into %20 or something like that, then when it is decoded on the other side, that %20 turns into a space instead of a plus and it does not decode properly. Know how i can get around it doing this?

thanks
 
before encoding but after encryption, change it to a string like xplusx

Replace(str,"+","xmyplusx","ALL")

After decoding but before encryption, undo the replace

Replace(str,"xmyplusx","+","ALL")

That would be a browser, OS friendly solution.. since url encode does not encode alphanumeric..

Now of course there is the hole that the string might contain xmyplusx but that is very very very very unlikely.

ALFII.com
---------------------
If this post answered or helped to answer your question, please reply with such so that forum members with a similar question will know to use this advice.
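
Added example, not code from any poster in this thread: a Python model (not CFML) of the plus-sign problem and the sentinel workaround discussed above. It assumes the receiving side applies form-style URL decoding twice, which is one way a percent-encoded `+` ends up as a space. The sample bytes, the function names and the Base64 token format are constructed for illustration.

```python
import base64
from urllib.parse import quote, unquote_plus

# Constructed stand-in for ciphertext; its standard Base64 form is "++++P/8Q".
SAMPLE = bytes([0xFB, 0xEF, 0xBE, 0x3F, 0xFF, 0x10])
SENTINEL = "xmyplusx"  # the replacement string used in the thread


def std_token(raw: bytes) -> str:
    """Standard Base64: the alphabet includes '+' and '/'."""
    return base64.b64encode(raw).decode("ascii")


def to_wire(token: str) -> str:
    """Percent-encode for a query string: '+' -> %2B, '/' -> %2F."""
    return quote(token, safe="")


def form_decode(value: str, times: int = 1) -> str:
    """Form-style URL decoding ('+' becomes a space), applied `times` times."""
    for _ in range(times):
        value = unquote_plus(value)
    return value


def sentinel_round_trip(token: str) -> str:
    """The thread's workaround: swap '+' for a sentinel, then swap it back."""
    return token.replace("+", SENTINEL).replace(SENTINEL, "+")


def urlsafe_token(raw: bytes) -> str:
    """Base64url without padding: only A-Z a-z 0-9 '-' '_', nothing to escape."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def urlsafe_bytes(token: str) -> bytes:
    """Inverse of urlsafe_token: restore the padding, then decode."""
    return base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))


if __name__ == "__main__":
    wire = to_wire(std_token(SAMPLE))
    print("decoded once :", repr(form_decode(wire, 1)))   # token intact
    print("decoded twice:", repr(form_decode(wire, 2)))   # '+' lost to spaces
    print("base64url    :", urlsafe_bytes(form_decode(urlsafe_token(SAMPLE), 2)) == SAMPLE)
    print("collision    :", sentinel_round_trip("ab" + SENTINEL + "cd"))
```

An encoding whose alphabet needs no escaping survives any number of decodes and has no sentinel to collide with.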
 