
Encrypting/Decrypting Passwords ?!?

George L.
Posted: 01/02/2002, 8:20 AM

I am trying to find out the best method of encrypting a password upon creating a user in a record form. The below method is what I am using in my Before Insert Event:
$fldUSER_PASS = crypt($fldUSER_PASS,substr($fldUSER_NAME,0,2));

In order to decrypt correctly upon login, I put this in my Custom Login Event:
$sPassword = crypt($sPassword,substr($sLogin,0,2));


Here is the problem. These two methods do exactly what I want them to do, since the SALT for this encryption type is the same, it comes back true every time. But, when I want to go and modify existing user info, it shows the encrypted password every time. That means that if for example I am only needing to change the user's phone number, then I must also change the user's password as well, or else the password will be set to the encrypted string, then encrypted again. ?!?


If I am making sense, here is what I want to do: I want to be able to show a user's DECRYPTED password when changing his/her user info. I am not able to do this with the crypt function, since it is a one-way hash algorithm.

Anybody know of an easier/better way to encrypt/decrypt passwords in database?
-George
Alex Alexapolsky
Posted: 01/03/2002, 2:37 AM

You should show crypted password from db,
then crypt the second password in Before Update event,
and compare both crypted ones in Validation event.
George L.
Posted: 01/03/2002, 7:39 AM

Yes, but is there a way to de-crypt a password that is already encrypted? I know the crypt function in PHP cannot, because it is a one-way algorithm. Is there an alternate way to encrypt and decrypt?
Jer
Posted: 01/03/2002, 7:09 PM

George, I had the same problem.

What I did was create a form that included all the fields including the encrypted password. I made a special note for the password field, that this was the end result of encrypting the password.

Then, I created a separate form to change the password if necessary. It contained the same custom login event that you had.

A bit of a pain, but it didn't require me to do any manual coding.

Jer
Mark Andrews
Posted: 01/04/2002, 2:45 AM

I use a hidden field for the encrypted password and two non-database fields for password and password verification. These have a caption saying "leave blank to retain current password".

If password1 is non blank I compare with password2 and throw an error if they are different. If they are the same then I update the hidden encrypted field with the new password.

Only problem with this approach is that there is no provision for a "Lost Password" facility other than a password reset by admin.

You could keep a copy of the non-encrypted password in another field that is just used for the password update screen, but I decided against this approach for my sites.

Regards,
Mark
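
Added example (not part of the original thread and not any poster's code): the "leave blank to retain current password" update from the last post, written in PHP so that a phone-number-only edit never re-hashes the stored value. Assumptions: the function names, array keys and sample values are hypothetical, the stored hash is read from the database row on the server rather than from a hidden form field, and password_hash()/password_verify() (PHP 5.5+) are swapped in for the crypt() call salted with the user name.

```php
<?php
declare(strict_types=1);

/**
 * Decide which hash to store when a user record is updated.
 * $storedHash is the value already in the database row (hypothetical column USER_PASS);
 * $password1 and $password2 are the two non-database form fields.
 */
function resolve_password_hash(string $storedHash, string $password1, string $password2): string
{
    // Both fields blank: keep the current hash untouched, so it is never hashed a second time.
    if ($password1 === '' && $password2 === '') {
        return $storedHash;
    }
    // A new password was typed: both entries must agree before anything is stored.
    if ($password1 !== $password2) {
        throw new InvalidArgumentException('Password and verification do not match.');
    }
    // password_hash() generates a random salt per call and embeds it in the result.
    return password_hash($password1, PASSWORD_DEFAULT);
}

/** Login check: hash the attempt with the salt embedded in the stored value and compare. */
function check_login(string $storedHash, string $attempt): bool
{
    return password_verify($attempt, $storedHash);
}

// Constructed sample record standing in for one database row.
$row = [
    'USER_NAME'  => 'george',
    'USER_PHONE' => '555-0100',
    'USER_PASS'  => password_hash('first-secret', PASSWORD_DEFAULT),
];

// Case 1: only the phone number changes; both password fields arrive blank.
$row['USER_PHONE'] = '555-0199';
$row['USER_PASS']  = resolve_password_hash($row['USER_PASS'], '', '');
var_dump(check_login($row['USER_PASS'], 'first-secret'));   // old password still accepted

// Case 2: a new password is entered twice and replaces the stored hash.
$row['USER_PASS'] = resolve_password_hash($row['USER_PASS'], 'second-secret', 'second-secret');
var_dump(check_login($row['USER_PASS'], 'second-secret'));  // new password accepted
var_dump(check_login($row['USER_PASS'], 'first-secret'));   // old password rejected

// Case 3: the two entries differ, so the update is refused and the row is left alone.
try {
    resolve_password_hash($row['USER_PASS'], 'third-secret', 'third-secrte');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```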
