Thanks Peter and Joshua.

I actually found the code that you refer to about 5 minutes after my last
post. We now have it working fine. Thanks again to both of you.

Marwan Saidi
Webmaster
CED - Concord IS
[EMAIL PROTECTED]
407.741.8645


-----Original Message-----
From: Peter Froh [mailto:[EMAIL PROTECTED]]
Sent: Thursday, April 26, 2001 12:13 PM
To: CF-Talk
Subject: RE: Security Question - Revisited


I have not used the hash function but this is the code straight from
Allaire's website:

<CFIF Hash(Form.Password) IS NOT MyQuery.PasswordHash>
    <CFLOCATION URL="unauthenticated.cfm">
</CFIF>

I believe your code should work.

Do you have CF Server 4.5?  (use #server.coldfusion.productversion# to find
the version of CF Server)

-----Original Message-----
From: Saidi; Marwan [mailto:[EMAIL PROTECTED]]
Sent: Thursday, April 26, 2001 7:40 AM
To: CF-Talk
Subject: Security Question - Revisited


Good day all,

Yesterday, Joshua Meekhof suggested using the hash() function to hash up
user passwords before inserting them into the database. Seems like this
would work. However, when I try it, it fails. Maybe I am doing something
wrong.

Here is the code:

Password: <input type="password" name="password">

This goes to action page:

<cfset hashedpword=hash(form.password)>

<cfquery name="update" datasource="#request.mainDSN#">
UPDATE users
SET password='#hashedpword#'
WHERE userID=#form.userID#
</cfquery>

Finally, on the login page I pass the plain text password to the login
action page, which has this code:

<cfset hashedpword=hash(form.password)>
<cfquery name="checkuser" datasource="#request.mainDSN#">
SELECT *
FROM users
WHERE userName='#form.userName#' AND password='#hashedpword#'
</cfquery>

This query returns no records. Does the hash() function return a random
value? If so, Joshua, how do you compare the user's login to what you have
in the DB? Any help in this regard would be appreciated. Thanks.

Marwan Saidi
Webmaster
CED - Concord IS
[EMAIL PROTECTED]
407.741.8645
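
Added example, not part of the original thread: the fetch-by-user-name-then-compare shape of the Allaire snippet, written in Python with an in-memory SQLite table so it runs stand-alone. It swaps the thread's unsalted hash() for salted PBKDF2 (which is why the comparison cannot live in the WHERE clause) and binds the user name as a query parameter; the schema, function names and sample account are assumptions of the example.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 100_000  # assumed work factor for this example


def md5_hex(password):
    # Same shape as ColdFusion's hash(): a deterministic 32-character hex MD5.
    return hashlib.md5(password.encode()).hexdigest()


def make_record(password):
    # Fresh random salt per password, so equal passwords store different digests.
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def open_db():
    # Hypothetical schema; column names follow the thread's queries.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (userName TEXT PRIMARY KEY, salt BLOB, passwordHash BLOB)")
    return db


def set_password(db, user_name, password):
    salt, digest = make_record(password)
    db.execute("INSERT OR REPLACE INTO users VALUES (?, ?, ?)", (user_name, salt, digest))


def check_login(db, user_name, password):
    # Bound parameter: the user name is never spliced into the SQL text.
    row = db.execute(
        "SELECT salt, passwordHash FROM users WHERE userName = ?", (user_name,)
    ).fetchone()
    if row is None:
        return False
    salt, stored = row
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, stored)  # constant-time comparison


if __name__ == "__main__":
    db = open_db()
    set_password(db, "marwan", "s3cret")  # constructed sample account
    print(md5_hex("s3cret") == md5_hex("s3cret"))  # same input, same digest
    print(check_login(db, "marwan", "s3cret"), check_login(db, "marwan", "wrong"))
```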

