Re: Encrypting Zip File
cfzip supports encryption out-of-box I believe zip optional encryptionAlgorithm = "standard|AES-128|AES-256" password = "password string" action = "zip" filter = "file filter" overwrite = "yes|no" prefix = "string" recurse = "yes|no" storePath = "yes|no"> Should be able to just put in the encryption algorithm and password and have it taken care of. Nick >Hi, > >What is the best way to encrypt a zip file in ColdFusion? > >Many thanks, >Richard ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359052 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
re: Encrypting Zip File
In addition to zip4j, you can also look at installing 7Zip (http://www.7-zip.org/) on the server (if possible) and using the CLI interface to that via cfexecute. -- Jeff Original Message > From: "Richard White" > Sent: Thursday, July 31, 2014 9:19 AM > To: "cf-talk" > Subject: Encrypting Zip File > > Hi, > > What is the best way to encrypt a zip file in ColdFusion? > > Many thanks, > Richard > > ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359051 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: Encrypting Zip File
Maybe http://www.andyscott.id.au/blog/getting-better-zip-support-in-coldfusion-with-zip4j On Thu, Jul 31, 2014 at 12:18 PM, Richard White wrote: > > Hi, > > What is the best way to encrypt a zip file in ColdFusion? > > Many thanks, > Richard > > ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359050 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: encrypting with initialization vectors
Got it working. Thanks, guys. I don't get why this kind of information wouldn't be available in the cf9 reference. > I can't seem to get the encrypt function to take an initialization > vector. It doesn't matter what I put there. It returns the exact same > result as if there is no initialization vector. > > Is anyone using that? Can you please provide an example where it works? ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:351110 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: encrypting with initialization vectors
> You need to use a feedback mode other than ECB (the default when you omit > it from the algorithm) to use an IV, try using "AES/CBC/PKCS5Padding" for > your algorithm. This KB article has a lot of info about this stuff: > http://helpx.adobe.com/coldfusion/kb/strong-encryption-coldfusion-mx-7.html As usual I get a phone call and Pete beats me to the punch. :) An IV is only used when AES is using a block cipher. CBC is Cipher Block Chaining Mode, so it would use an IV (algorithm = "AES/CBC/PKCS5Padding"); ECB is the default mode and doesn't use an IV (algorithm = "AES"). Also, the IV you pass in must be the same length as the block mode of the algorithm (e.g. the same as the key length), so in the original sample code, encrypting the "anotherkey" value and using that as the IV probably won't work. You can generate another key and use a hash of its value to the appropriate length to get a similar result (e.g. ). -Justin Scott ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:351109 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: encrypting with initialization vectors
You need to use a feedback mode other than ECB (the default when you omit it from the algorithm) to use an IV, try using "AES/CBC/PKCS5Padding" for your algorithm. This KB article has a lot of info about this stuff: http://helpx.adobe.com/coldfusion/kb/strong-encryption-coldfusion-mx-7.html -- Pete Freitag - Adobe Community Professional http://foundeo.com/ - ColdFusion Consulting & Products http://petefreitag.com/ - My Blog http://hackmycf.com - Is your ColdFusion Server Secure? On Thu, May 10, 2012 at 2:52 PM, Carol Knapp wrote: > > Here's the test code. I'll take AES or DESEDE or better. Running cf > enterprise. > > > > > Test ENC > > Test ENC > > > > >theKey=generateSecretKey(Form.myAlgorithm); >anotherKey=generateSecretKey(Form.myAlgorithm); >useasiv = > encryptBinary(anotherkey,theKey,Form.myAlgorithm,Form.myEncoding); > >//Encrypt the string. >encrypted=encrypt(Form.myString, theKey, > Form.myAlgorithm,Form.myEncoding); >IVencrypted = encrypt(Form.myString, theKey, > Form.myAlgorithm,Form.myEncoding,useasiv); >//Decrypt it. >decrypted=decrypt(encrypted, theKey, Form.myAlgorithm, > Form.myEncoding); >IVdecrypted=decrypt(encrypted, theKey, Form.myAlgorithm, > Form.myEncoding,useasiv); > > > > >The algorithm: #Form.myAlgorithm# > >The key: #theKey# > > >The string: #Form.myString# > >Encrypted: #encrypted# >IVencrypted: #IVencrypted# > >Decrypted: #decrypted# >IVecrypted: #ivdecrypted# > > > > > > > > > value="#onetimeid#"> >Select the encoding > >selected>UU >selected>Base64 >selected>Hex > > >Select the algorithm > >selected>AES >selected>DES > "DESEDE">selected>DESEDE > > >Enter string to encrypt > "VIRTUAL">1234567890123456 > > > > ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:351107 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: encrypting with initialization vectors
Here's the test code. I'll take AES or DESEDE or better. Running cf enterprise. Test ENC Test ENC theKey=generateSecretKey(Form.myAlgorithm); anotherKey=generateSecretKey(Form.myAlgorithm); useasiv = encryptBinary(anotherkey,theKey,Form.myAlgorithm,Form.myEncoding); //Encrypt the string. encrypted=encrypt(Form.myString, theKey, Form.myAlgorithm,Form.myEncoding); IVencrypted = encrypt(Form.myString, theKey, Form.myAlgorithm,Form.myEncoding,useasiv); //Decrypt it. decrypted=decrypt(encrypted, theKey, Form.myAlgorithm, Form.myEncoding); IVdecrypted=decrypt(encrypted, theKey, Form.myAlgorithm, Form.myEncoding,useasiv); The algorithm: #Form.myAlgorithm# The key: #theKey# The string: #Form.myString# Encrypted: #encrypted# IVencrypted: #IVencrypted# Decrypted: #decrypted# IVecrypted: #ivdecrypted# Select the encoding selected>UU selected>Base64 selected>Hex Select the algorithm selected>AES selected>DES selected>DESEDE Enter string to encrypt 1234567890123456 ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:351106 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: encrypting with initialization vectors
> I can't seem to get the encrypt function to take an initialization > vector. It doesn't matter what I put there. It returns the exact > same result as if there is no initialization vector. Hi there, please post the line of code where you're calling the encryption function as that will help with troubleshooting. What encryption algorithm are you using? Not all of them will use an IV. -Justin ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:351105 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: encrypting data questions
I'll repeat the warning about storing sensitive data in your db. If you don't have to (and there usually isn't a reason that can't be worked around) then don't do it. All of the transaction gateways I've dealt with recently (Authorize.net, Transfirst, Sage) have the ability to set up a profile for the customer on their server and then you can store the profile account info locally instead of the actual credit card. That being said, AES is a good encryption algorithm and the one I would go with by default. The downside to that is that any encryption algorithm you pick in CF means that you are going to need a key that is also accessible to CF. In most circumstances, your app server is going to be publicly reachable and that represents a security risk. That would make me suggest that you consider database-level encryption options as well as your db server should not be publicly accessible at all. MS-SQL supports database-level encryption and, as for 2008 I believe, column level encryption so that only the columns you need encrypted are encrypted. I'm not sure about other dbms encryption setups but I'm sure they exist for at least the major commercial databases. Cheers, Judah On Tue, Feb 16, 2010 at 8:49 AM, Matthew Smith wrote: > > What encryption algorithm would be appropriate for cc data? AES or blowfish? > What kind of performance hit would it have? > > Also, what datatype is used to store the encrypted info in the d ~| Want to reach the ColdFusion community with something they want? Let them know on the House of Fusion mailing lists Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:330782 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
Re: encrypting data questions
Just a quick word of caution.if you don't have to store CC data DON'T. Payment processors have recurring billing options where THEY take all the risk of storing such data. If you store it and it leaks out or you get hackedyou/your client/the company you work for will be liable. Keep in mind you may have to go through a security audit if you choose to store CC data OK...warning over ;-) Cheers On Tue, 2010-02-16 at 11:49 -0500, Matthew Smith wrote: > What encryption algorithm would be appropriate for cc data? AES or blowfish? > What kind of performance hit would it have? > > Also, what datatype is used to store the encrypted info in the db? > > ~| Want to reach the ColdFusion community with something they want? Let them know on the House of Fusion mailing lists Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:330781 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
RE: encrypting data questions
> What encryption algorithm would be appropriate for cc > data? AES or blowfish? What kind of performance hit > would it have? We've been using Triple DES (DESEDE for the cf encryption functions) and storing it base64 encoded in a varchar field. As for performance, it depends on how many transactions you're doing. We didn't notice much of a difference, but the sites I'm using this on are not all that high volume. Haven't had any problems so far. -Justin ~| Want to reach the ColdFusion community with something they want? Let them know on the House of Fusion mailing lists Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:330780 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
RE: Encrypting/Decrypting XML
Scott, >Is there a way to encrypt and decrypt XML on the fly. > >I'm building a small cms, and want to store the login information in an XML >file. I need to be able to read > >An encrypted file, do the typical login/password check and leave the file >encrypted on the server, to keep it away from prying eyes. You could just hash the password and then store it in clear text in the XML. -Dan ~| Enterprise web applications, build robust, secure scalable apps today - Try it now ColdFusion Today ColdFusion 8 beta - Build next generation apps Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:294249 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
Re: Encrypting database information
md5 (one way encrypt) Hash pretty much standard way for passwords. I know alot of people that dont even encrypt passwords any more. The thought is if they have hacked your database what do they need the password for :) As for credit cards,customer details and such Usually requires something around the lines of an (nChiper Key storage box which you would need a backup in case one breaks) to be PCI compliant. I have a cheap way I use for my Web Hosting Billing Software. I have a Ioncube encoded/encrypted php file that Accepts a value and returns an encrypted value. The key for the hash is stored in the file. If my site is compromised they would have to break ioncube's encryption before they can decode any database values. Its just one more step. Ioncube has been broken before but it takes alot of time and money :) Eric On 7/18/07, Tom Chiverton <[EMAIL PROTECTED]> wrote: > > On Wednesday 18 Jul 2007, [EMAIL PROTECTED] wrote: > > Can anyone recommend a good encryption method for sensitive > > information(login details, etc...) stored in database tables? > > Does simply hashing the value before insert solve your problem ? > > -- > Tom Chiverton > > > > This email is sent for and on behalf of Halliwells LLP. > > Halliwells LLP is a limited liability partnership registered in England > and Wales under registered number OC307980 whose registered office address > is at St James's Court Brown Street Manchester M2 2JF. A list of members is > available for inspection at the registered office. Any reference to a > partner in relation to Halliwells LLP means a member of Halliwells LLP. > Regulated by the Law Society. > > CONFIDENTIALITY > > This email is intended only for the use of the addressee named above and > may be confidential or legally privileged. If you are not the addressee you > must not read it and must not use any information contained in nor copy it > nor inform any person other than Halliwells LLP or the addressee of its > existence or contents. If you have received this email in error please > delete it and notify Halliwells LLP IT Department on 0870 365 8008. > > For more information about Halliwells LLP visit www.halliwells.com. > > > ~| ColdFusion MX7 and Flex 2 Build sales & marketing dashboard RIAâs for your business. Upgrade now http://www.adobe.com/products/coldfusion/flex2?sdid=RVJT Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:284004 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
Re: Encrypting database information
On Wednesday 18 Jul 2007, [EMAIL PROTECTED] wrote: > Can anyone recommend a good encryption method for sensitive > information(login details, etc...) stored in database tables? Does simply hashing the value before insert solve your problem ? -- Tom Chiverton This email is sent for and on behalf of Halliwells LLP. Halliwells LLP is a limited liability partnership registered in England and Wales under registered number OC307980 whose registered office address is at St James's Court Brown Street Manchester M2 2JF. A list of members is available for inspection at the registered office. Any reference to a partner in relation to Halliwells LLP means a member of Halliwells LLP. Regulated by the Law Society. CONFIDENTIALITY This email is intended only for the use of the addressee named above and may be confidential or legally privileged. If you are not the addressee you must not read it and must not use any information contained in nor copy it nor inform any person other than Halliwells LLP or the addressee of its existence or contents. If you have received this email in error please delete it and notify Halliwells LLP IT Department on 0870 365 8008. For more information about Halliwells LLP visit www.halliwells.com. ~| Macromedia ColdFusion MX7 Upgrade to MX7 & experience time-saving features, more productivity. http://www.adobe.com/products/coldfusion?sdid=RVJW Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:283996 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
Re: Encrypting Link Information
On Thursday 29 September 2005 20:03, David Reeves wrote: > This idea will be used for our private company website, alot of the users > are bookmarking pages but we want them to use the main page as the a portal > (rather than lots of portals). How will encrypting the page name help ? My browser doesn't care if the bookmark in '/index.cfm', '/here/there/index.cfm' or '/asghsjhgsdgsd'. -- Tom Chiverton Advanced ColdFusion Programmer ~| Find out how CFTicket can increase your company's customer support efficiency by 100% http://www.houseoffusion.com/banners/view.cfm?bannerid=49 Message: http://www.houseoffusion.com/lists.cfm/link=i:4:219857 Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4 Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4 Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4 Donations & Support: http://www.houseoffusion.com/tiny.cfm/54
Re: Encrypting Link Information
This idea will be used for our private company website, alot of the users are bookmarking pages but we want them to use the main page as the a portal (rather than lots of portals). >Why not have it always say index.cfm, but encrypt the query string? That way >you don't have to bother with determining what the file name is? > >andy matthews >web developer >ICGLink, Inc. >[EMAIL PROTECTED] >615.370.1530 x737 >--//-> > >-Original Message- >From: David Reeves [mailto:[EMAIL PROTECTED] >Sent: Thursday, September 29, 2005 1:36 PM >To: CF-Talk >Subject: Encrypting Link Information > > >I would like to encrypt the link information that is shown when browsing one >of my webpages. For instance instead of showing index.cfm i would like it >to show 3227k2725626 or something like that. I hope this makes sence to >you. > >Thanks in advance! ~| Find out how CFTicket can increase your company's customer support efficiency by 100% http://www.houseoffusion.com/banners/view.cfm?bannerid=49 Message: http://www.houseoffusion.com/lists.cfm/link=i:4:219681 Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4 Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4 Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4 Donations & Support: http://www.houseoffusion.com/tiny.cfm/54
RE: Encrypting Link Information
Why not have it always say index.cfm, but encrypt the query string? That way you don't have to bother with determining what the file name is? -Original Message- From: David Reeves [mailto:[EMAIL PROTECTED] Sent: Thursday, September 29, 2005 1:36 PM To: CF-Talk Subject: Encrypting Link Information I would like to encrypt the link information that is shown when browsing one of my webpages. For instance instead of showing index.cfm i would like it to show 3227k2725626 or something like that. I hope this makes sence to you. Thanks in advance! ~| Find out how CFTicket can increase your company's customer support efficiency by 100% http://www.houseoffusion.com/banners/view.cfm?bannerid=49 Message: http://www.houseoffusion.com/lists.cfm/link=i:4:219679 Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4 Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4 Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4 Donations & Support: http://www.houseoffusion.com/tiny.cfm/54
RE: Encrypting Link Information
Not sure about getting rid of the name of the file, you could probably do something in IIS or apache to get that working, but if all you need to do is encrypt the url variables I wrote a pair udfs for this a while ago. They should be up on www.cflib.org as urlEncrypt() and urlDecrypt(). If you're in Fusebox 4 I am going to convert it to a plugin, email me off list and I will send it to you when I am done. Tim Heald Senior Web Developer TeraTech, Inc. 2003 Winner CFDJ awards Best Consulting Service Email: [EMAIL PROTECTED] Voice: 1-301-424-3903 x111 Web: http://www.teratech.com > -Original Message- > From: David Reeves [mailto:[EMAIL PROTECTED] > Sent: Thursday, September 29, 2005 2:36 PM > To: CF-Talk > Subject: Encrypting Link Information > > I would like to encrypt the link information that is shown > when browsing one of my webpages. For instance instead of > showing index.cfm i would like it to show 3227k2725626 or > something like that. I hope this makes sence to you. > > Thanks in advance! > > ~| Logware (www.logware.us): a new and convenient web-based time tracking application. Start tracking and documenting hours spent on a project or with a client with Logware today. Try it for free with a 15 day trial account. http://www.houseoffusion.com/banners/view.cfm?bannerid=67 Message: http://www.houseoffusion.com/lists.cfm/link=i:4:219678 Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4 Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4 Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4 Donations & Support: http://www.houseoffusion.com/tiny.cfm/54
Re: Encrypting email with CF5.0
Not in CF 5, in CF 6 there's a Java wrapper for GPG at http://swem.wm.edu/blogs/waynegraham On 5/6/05, Jim Louis <[EMAIL PROTECTED]> wrote: > Is there any way to do this with out cfexecute. I am on a shared server and > the do not allow cfexecute. > > Jim Louis > > > >We use the gdata Outlook plugin (uses gpg encryption) > > > >http://www3.gdata.de/gpg/download.html > > > >You could encrypt the contents of the mail with cfexecute and gpg, open it > >in Outlook, voila. (Maybe) :-) > > > >Ian > > > >> > > ~| Find out how CFTicket can increase your company's customer support efficiency by 100% http://www.houseoffusion.com/banners/view.cfm?bannerid=49 Message: http://www.houseoffusion.com/lists.cfm/link=i:4:206053 Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4 Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4 Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4 Donations & Support: http://www.houseoffusion.com/tiny.cfm/54
RE: Encrypting email with CF5.0
Is there any way to do this with out cfexecute. I am on a shared server and the do not allow cfexecute. Jim Louis >We use the gdata Outlook plugin (uses gpg encryption) > >http://www3.gdata.de/gpg/download.html > >You could encrypt the contents of the mail with cfexecute and gpg, open it >in Outlook, voila. (Maybe) :-) > >Ian > >> ~| Discover CFTicket - The leading ColdFusion Help Desk and Trouble Ticket application http://www.houseoffusion.com/banners/view.cfm?bannerid=48 Message: http://www.houseoffusion.com/lists.cfm/link=i:4:205871 Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4 Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4 Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4 Donations & Support: http://www.houseoffusion.com/tiny.cfm/54
RE: Encrypting email with CF5.0
We use the gdata Outlook plugin (uses gpg encryption) http://www3.gdata.de/gpg/download.html You could encrypt the contents of the mail with cfexecute and gpg, open it in Outlook, voila. (Maybe) :-) Ian > -Original Message- > From: Jim Louis [mailto:[EMAIL PROTECTED] > Sent: 06 May 2005 17:21 > To: CF-Talk > Subject: Encrypting email with CF5.0 > > This is what I am trying to do > > 1. customer submits registration form and is processed. > 2. an encrypted email is made and then I recieve it into > Outlook, which is then decrypted. > > Any one have any idea if this is possible? > > Jim Louis > Best Meetings Inc > 952.858.8875 > > ~| Logware (www.logware.us): a new and convenient web-based time tracking application. Start tracking and documenting hours spent on a project or with a client with Logware today. Try it for free with a 15 day trial account. http://www.houseoffusion.com/banners/view.cfm?bannerid=67 Message: http://www.houseoffusion.com/lists.cfm/link=i:4:205864 Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4 Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4 Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4 Donations & Support: http://www.houseoffusion.com/tiny.cfm/54
Re: Encrypting JDBC
Thanks everyone for the suggestions. --Nathan On 5/4/05, Dave Watts <[EMAIL PROTECTED]> wrote: > > Is it possible to encrypt the JDBC connection between > > ColdFusion and the database server? > > > > I'm using CFMX 7 Standard and MS SQL Server 2000. > > Yes. Microsoft recommends using SSL for encrypting database connections; > this is supported within MS SQL Server 2000. However, I don't think the > DataDirect driver supports SSL - most JDBC Type 4 drivers don't, for various > reasons. At least, according to the DataDirect site, they don't support it > yet: > > http://knowledgebase2.datadirect.com/kbase.nsf/26536a530e20a22b85256e550079a > fc2/b3be2051e6ca6cdb85256ec100500d22?OpenDocument&Highlight=0,ssl > > The free jTDS driver (http://jtds.sourceforge.net/) does, according to its > documentation, but I haven't worked much with jTDS yet. > > Alternatively, you might use a VPN or IPSec tunnel, as Damien suggested. > > Dave Watts, CTO, Fig Leaf Software > http://www.figleaf.com/ > > Fig Leaf Software provides the highest caliber vendor-authorized > instruction at our training centers in Washington DC, Atlanta, > Chicago, Baltimore, Northern Virginia, or on-site at your location. > Visit http://training.figleaf.com/ for more information! > > ~| Discover CFTicket - The leading ColdFusion Help Desk and Trouble Ticket application http://www.houseoffusion.com/banners/view.cfm?bannerid=48 Message: http://www.houseoffusion.com/lists.cfm/link=i:4:205599 Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4 Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4 Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4 Donations & Support: http://www.houseoffusion.com/tiny.cfm/54
RE: Encrypting JDBC
> Is it possible to encrypt the JDBC connection between > ColdFusion and the database server? > > I'm using CFMX 7 Standard and MS SQL Server 2000. Yes. Microsoft recommends using SSL for encrypting database connections; this is supported within MS SQL Server 2000. However, I don't think the DataDirect driver supports SSL - most JDBC Type 4 drivers don't, for various reasons. At least, according to the DataDirect site, they don't support it yet: http://knowledgebase2.datadirect.com/kbase.nsf/26536a530e20a22b85256e550079a fc2/b3be2051e6ca6cdb85256ec100500d22?OpenDocument&Highlight=0,ssl The free jTDS driver (http://jtds.sourceforge.net/) does, according to its documentation, but I haven't worked much with jTDS yet. Alternatively, you might use a VPN or IPSec tunnel, as Damien suggested. Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern Virginia, or on-site at your location. Visit http://training.figleaf.com/ for more information! ~| Discover CFTicket - The leading ColdFusion Help Desk and Trouble Ticket application http://www.houseoffusion.com/banners/view.cfm?bannerid=48 Message: http://www.houseoffusion.com/lists.cfm/link=i:4:205589 Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4 Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4 Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4 Donations & Support: http://www.houseoffusion.com/tiny.cfm/54
RE: Encrypting JDBC
I would suggest doing a VPN instead, if possible. Windows includes its own VPN system or you might want to try http://www.openvpn.net/ which is multi-platform. -- Damien McKenna - Web Developer - [EMAIL PROTECTED] The Limu Company - http://www.thelimucompany.com/ - 407-804-1014 #include > -Original Message- > From: Nathan Mische [mailto:[EMAIL PROTECTED] > Sent: Wednesday, May 04, 2005 2:58 PM > To: CF-Talk > Subject: Encrypting JDBC > > Is it possible to encrypt the JDBC connection between ColdFusion and > the database server? ~| Logware (www.logware.us): a new and convenient web-based time tracking application. Start tracking and documenting hours spent on a project or with a client with Logware today. Try it for free with a 15 day trial account. http://www.houseoffusion.com/banners/view.cfm?bannerid=67 Message: http://www.houseoffusion.com/lists.cfm/link=i:4:205573 Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4 Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4 Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4 Donations & Support: http://www.houseoffusion.com/tiny.cfm/54
Re: Encrypting JDBC
http://www.google.com/search?q=jdbc+encryption Looks like it's probably doable, but not a built-in feature that you can just click a checkbox for. cheers, barneyb On 5/4/05, Nathan Mische <[EMAIL PROTECTED]> wrote: > Is it possible to encrypt the JDBC connection between ColdFusion and > the database server? > > I'm using CFMX 7 Standard and MS SQL Server 2000. > > Thanks, > > --Nathan -- Barney Boisvert [EMAIL PROTECTED] 360.319.6145 http://www.barneyb.com/ Got Gmail? I have 50 invites. ~| Logware (www.logware.us): a new and convenient web-based time tracking application. Start tracking and documenting hours spent on a project or with a client with Logware today. Try it for free with a 15 day trial account. http://www.houseoffusion.com/banners/view.cfm?bannerid=67 Message: http://www.houseoffusion.com/lists.cfm/link=i:4:205571 Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4 Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4 Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4 Donations & Support: http://www.houseoffusion.com/tiny.cfm/54
Re: Encrypting strings
A salted hash would be best if you can do it. Depends on whether you need to get the numbers back out again, or if you are using it for something like a password. Otherwise, as Matt says all someone has to do is find your encryption key on your server and they own your data. The only way to stop that is to use a public/private key and make people paste it in to access the decrypted data. cflib.org has other encryption algorthms, and there are several that you can buy. My favorite is cfx_textcrypt. -- --Matt Robertson-- MSB Designs, Inc. mysecretbase.com [Todays Threads] [This Message] [Subscription] [Fast Unsubscribe] [User Settings] [Donations and Support]
RE: Encrypting strings
Actually, cfusion_encrypt() uses extremely weak encryption. It's more like encoding than encryption. >From memory, it loops over the string performing an XOR on each character in the string with the corresponding character in the key. When it reaches the end of the key it starts again. The resulting character from the XOR is converted to base64 or HEX or some such. Essentially it is very easy to reverse engineer if you know anything at all about the key, the string, or the encrypted string. If you can possibly use it, hash() will provide the most secure method of storage, but you can never get back to the original string. If that won't work for you, you might consider using some of the native functionality available in the CFMX internals, or an external class file. Spike Stephen Milligan Code poet for hire http://www.spike.org.uk Do you cfeclipse? http://cfeclipse.tigris.org >-Original Message- >From: [EMAIL PROTECTED] >[mailto:[EMAIL PROTECTED] On Behalf Of Dawson, Michael >Sent: Wednesday, July 07, 2004 12:38 PM >To: CF-Talk >Subject: RE: Encrypting strings > >How about using CFusion_Encrypt() to encrypt your information? I think >it's a bit "stronger". > >Also, can't you Hash() the string and then compare it to another hashed >value when needed? > > _ > >From: Austin Govella [mailto:[EMAIL PROTECTED] >Sent: Wednesday, July 07, 2004 2:29 PM >To: CF-Talk >Subject: Encrypting strings > > >I need to encrypt SSNs. > >I'm looking for something more powerful than encrypt(). > >Also, does the length of my encryption key affect the >difficulty for people trying to decrypt? > >For example, is using "canine" for a key more secure than >using "dog" just because it's longer? > >Thanks, >-- >Austin > _ > > > > [Todays Threads] [This Message] [Subscription] [Fast Unsubscribe] [User Settings] [Donations and Support]
RE: Encrypting strings
Are you sure you need to encrypt SSNs? Unless your setup is more sophisticated than most, encryption will only provide a placebo in terms of security. -Matt > -Original Message- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] > On Behalf Of Austin Govella > Sent: Wednesday, July 07, 2004 3:29 PM > To: CF-Talk > Subject: Encrypting strings > > I need to encrypt SSNs. > > I'm looking for something more powerful than encrypt(). > > Also, does the length of my encryption key affect the > difficulty for people trying to decrypt? > > For example, is using "canine" for a key more secure than > using "dog" just because it's longer? > > Thanks, > -- > Austin > > [Todays Threads] [This Message] [Subscription] [Fast Unsubscribe] [User Settings] [Donations and Support]
RE: Encrypting strings
How about using CFusion_Encrypt() to encrypt your information? I think it's a bit "stronger". Also, can't you Hash() the string and then compare it to another hashed value when needed? _ From: Austin Govella [mailto:[EMAIL PROTECTED] Sent: Wednesday, July 07, 2004 2:29 PM To: CF-Talk Subject: Encrypting strings I need to encrypt SSNs. I'm looking for something more powerful than encrypt(). Also, does the length of my encryption key affect the difficulty for people trying to decrypt? For example, is using "canine" for a key more secure than using "dog" just because it's longer? Thanks, -- Austin _ [Todays Threads] [This Message] [Subscription] [Fast Unsubscribe] [User Settings] [Donations and Support]
RE: Encrypting URLs
As Jim said, you need to URLEncodedFormat() the result of Encrypt() before putting it in the url... Sam Blog http://www.rewindlife.com TeamMM http://www.macromedia.com/go/team > -Original Message- > From: Philip Arnold [mailto:[EMAIL PROTECTED] > Sent: Saturday, May 22, 2004 8:54 AM > To: CF-Talk > Subject: RE: Encrypting URLs > > > From: Les Irvin > > > > What's the best way to encrypt URL variables? For example, > > I'm passing an ID number but do not want it recognizable in the URL > > > > The "encrypt" function doesn't seem to work as it creates > > reserved url characters. > > You can't use Encrypt() for URL variables because of the special > characters it creates > > Here's an idea though, as long as you don't mind "long" URLs: > > Have a db table with "lookups", store a UUID with all of the URL > variables, then when you call a UUID, it looks up the equivalent URL > variables and uses them > > How's that? [Todays Threads] [This Message] [Subscription] [Fast Unsubscribe] [User Settings]
RE: Encrypting URLs
> From: Les Irvin > > What's the best way to encrypt URL variables? For example, > I'm passing an ID number but do not want it recognizable in the URL > > The "encrypt" function doesn't seem to work as it creates > reserved url characters. You can't use Encrypt() for URL variables because of the special characters it creates Here's an idea though, as long as you don't mind "long" URLs: Have a db table with "lookups", store a UUID with all of the URL variables, then when you call a UUID, it looks up the equivalent URL variables and uses them How's that? [Todays Threads] [This Message] [Subscription] [Fast Unsubscribe] [User Settings]
RE: Encrypting URLs
If you're happy with the results of encrypt() (which isn't really that strong of encryption) then all you'd have to do to use it is to URLEncodedFormat() the value before using it on the URL. This will add some length the encrypted value, but if all you're encrypting is an ID number it shouldn't cause problems. Jim Davis _ From: Les Irvin [mailto:[EMAIL PROTECTED] Sent: Saturday, May 22, 2004 12:17 AM To: CF-Talk Subject: Encrypting URLs What's the best way to encrypt URL variables? For example, I'm passing an ID number but do not want it recognizable in the URL The "encrypt" function doesn't seem to work as it creates reserved url characters. Thanks in advance for any help, Les [Todays Threads] [This Message] [Subscription] [Fast Unsubscribe] [User Settings]
RE: encrypting SQL Server data
Tom Kitta wrote >That is a public key cryptosystem, he needs symmetric key No, the original post didn't say that, and asymmetric key systems work in the scenario he provided. Granted they are more trouble to deal with when used properly (i.e. the decryption key is kept off the server and input -- pasted in -- at the start of each work session), but the sacrifice in convenience is made up for by the increased security. Provided of course the users know not to do things like email someone the private key. -- --- Matt Robertson, [EMAIL PROTECTED] MSB Designs, Inc. http://mysecretbase.com --- -- [Todays Threads] [This Message] [Subscription] [Fast Unsubscribe] [User Settings]
RE: encrypting SQL Server data
That is a public key cryptosystem, he needs symmetric key. You can use one of the encryption functions on the http://www.cflib.org Plus functions there are free to use. TK http://www.tomkitta.com [Tom Kitta] -Original Message- From: Matt Robertson [mailto:[EMAIL PROTECTED] Sent: Tuesday, May 11, 2004 4:29 PM To: CF-Talk Subject: Re: encrypting SQL Server data >Does anybody have any experience or recommendations about what to use >or how to go about doing it? http://developer.perthweb.com.au/textcrypt.html -- --- Matt Robertson, [EMAIL PROTECTED] MSB Designs, Inc. http://mysecretbase.com --- -- [Todays Threads] [This Message] [Subscription] [Fast Unsubscribe] [User Settings]
Re: encrypting SQL Server data
>Does anybody have any experience or recommendations about what to use >or how to go about doing it? http://developer.perthweb.com.au/textcrypt.html -- --- Matt Robertson, [EMAIL PROTECTED] MSB Designs, Inc. http://mysecretbase.com --- -- [Todays Threads] [This Message] [Subscription] [Fast Unsubscribe] [User Settings]
RE: Encrypting CF code/files
> Thanks much. This is exactly what I needed. This is for a > classified site that will be on a classified network...We > just want it for an extra layer of security. This does not provide a significant layer of security. If someone is capable of accessing your web server's filesystem, a few minutes with Google will let them decrypt your code. Your time would probably be better spent on properly configuring your web server, including the application of filesystem ACLs to prevent users from reading the files in the first place. Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ phone: 202-797-5496 fax: 202-797-5444 [Todays Threads] [This Message] [Subscription] [Fast Unsubscribe] [User Settings]
Re: Encrypting CF code/files
Thanks much. This is exactly what I needed. This is for a classified site that will be on a classified network...We just want it for an extra layer of security. Brian > What you're after is cfcrypt.exe > > here's a link that explains how to use it: > > http://www.macromedia. com/v1/documents/cf4/Adva> nced_ColdFusion_Development/11_Building_ColdFusion_Extensions/adv11_09. > htm > > And here's one that explains that encrypted templates can easily be > decrypted: > > http://www.macromedia.com/devnet/security/security_zone/asb99-08.html > > Cheers > Bert > > > > > > > > -Original Message- > > From: Brian Yager [mailto:[EMAIL PROTECTED] > > Sent: 22 March 2004 14:48 > > To: CF-Talk > > Subject: Encrypting CF code/files > > > > > > I have been tasked with learning all I can on this. I have > > searched the knowledge base but didn't find what I thought > > was encrypting the code. Can anyone send me a link to where > > this is explained or tell me how you go about doing this? > > > > Thanks, > > > > Brian > > > > [Todays Threads] [This Message] [Subscription] [Fast Unsubscribe] [User Settings]
Re: Encrypting CF code/files
I think cfhub.com has a quick tutorial on making a simple app to use cfencrypt.exe And, yes, it is super easy to decrypt, I think it's MOD10 encryption if I remember correctly. As always, locked doors only keep honest people out. So licensing is important in any "boxed" product. ~Guy http://guymcdowell.hopto.org [Todays Threads] [This Message] [Subscription] [Fast Unsubscribe] [User Settings]
RE: encrypting password
You are correct. MY goal in not sending the password in clear text is to protect the user's OTHER accounts, no so much their account on my server. As I mentioned, intercepting the "change password" email WOULD allow the nefarious person to gain access to their account on my server - but still protects the user's password. As Matt described, the challenge/answer part would add that next layer of protection... > The way I figure, even if the password e-mail is intercepted, the person > intercepting the e-mail also needs to know the username. Sure, they > could guess (probably based on the user's e-mail address). But it seems > to me like your method allows someone intercepting the e-mail to > actually change the password to whatever they want, without needing > anything but the e-mail (since you're also giving them the username). > > Unless I'm missing something there. (Obviously, this is without the > question/answer option.) > > Scott > > Scott Brady > http://www.scottbrady.net/ > > > ~| Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4 Subscription: http://www.houseoffusion.com/cf_lists/index.cfm?method=subscribe&forumid=4 FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Your ad could be here. Monies from ads go to support these lists and provide more resources for the community. http://www.fusionauthority.com/ads.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
RE: encrypting password
No, you're not missing anything. Thats the reason for the question/answer bit. I designed what I described originally after register.com's user account pwd system. Just cuz they use it doesn't make it golden, but it is self-maintaining, which is a big administrative plus, especially with large user populations on systems where letting the user create a new account and dump the old one on their own isn't an option. The interrogation bit at the end is what protects against what you describe. Dictionary attacks were mentioned in an earlier post. As long as we're on the subject a list of forbidden passwords is a good idea. Then you literally put the dictionary in the forbidden list to protect against dictionary attacks. I've got an 84000+ word list that only takes a few ms to check against. Ideally I would have several languages in there to cover more than just English, as well as variations on English (i.e. American vs. UK English: organization vs. organisation etc.). --- Matt Robertson, [EMAIL PROTECTED] MSB Designs, Inc. http://mysecretbase.com --- -- Original Message -- From: "Scott Brady" <[EMAIL PROTECTED]> Reply-To: [EMAIL PROTECTED] date: Wed, 2 Apr 2003 12:56:05 -0700 >-- Original Message -- >From: "Matt Robertson" <[EMAIL PROTECTED]> > >>A big 'me too' on never, ever sending a pwd over email. I use a similar >>system to what Tony described. User enters their email address and I >>send that email acct the username and an encrypted link back to a >>special routine that lets the user change the pwd. > >So, instead of just sending the password over e-mail (which should still require the >person to know their username, which shouldn't be included in the e-mail), you're >sending a link over e-mail which also includes their username? Is that really less >secure? > >The way I figure, even if the password e-mail is intercepted, the person intercepting >the e-mail also needs to know the username. Sure, they could guess (probably based >on the user's e-mail address). But it seems to me like your method allows someone >intercepting the e-mail to actually change the password to whatever they want, >without needing anything but the e-mail (since you're also giving them the username). > > >Unless I'm missing something there. (Obviously, this is without the question/answer >option.) > >Scott > >Scott Brady >http://www.scottbrady.net/ > > > ~| Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4 Subscription: http://www.houseoffusion.com/cf_lists/index.cfm?method=subscribe&forumid=4 FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Your ad could be here. Monies from ads go to support these lists and provide more resources for the community. http://www.fusionauthority.com/ads.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
RE: encrypting password
-- Original Message -- From: "Matt Robertson" <[EMAIL PROTECTED]> >A big 'me too' on never, ever sending a pwd over email. I use a similar >system to what Tony described. User enters their email address and I >send that email acct the username and an encrypted link back to a >special routine that lets the user change the pwd. So, instead of just sending the password over e-mail (which should still require the person to know their username, which shouldn't be included in the e-mail), you're sending a link over e-mail which also includes their username? Is that really less secure? The way I figure, even if the password e-mail is intercepted, the person intercepting the e-mail also needs to know the username. Sure, they could guess (probably based on the user's e-mail address). But it seems to me like your method allows someone intercepting the e-mail to actually change the password to whatever they want, without needing anything but the e-mail (since you're also giving them the username). Unless I'm missing something there. (Obviously, this is without the question/answer option.) Scott Scott Brady http://www.scottbrady.net/ ~| Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4 Subscription: http://www.houseoffusion.com/cf_lists/index.cfm?method=subscribe&forumid=4 FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Signup for the Fusion Authority news alert and keep up with the latest news in ColdFusion and related topics. http://www.fusionauthority.com/signup.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
Re: encrypting password
I am simply attempting to protect my users from their own ignorance or dangerous habits. Your example is only further proof that what I described is a real problem. I'm certainly not attempting or claiming to attempt to prevent this from occuring, but I don't want any of my websites to contribute to this problem or more importantly, be the source from which nefarious persons gained access to one of my user's much more "valuable" accounts (banking, bill paying, etc). Storing the passwords encrypted is one way (particularly hashed, so that even the developers, etc. can't access the passwords) is one way to protect your users. Another is by never sending their passwords in clear text. > > I want to be sure that I never, ever, ever, send a user's password to them > > in clear text email. This is important because as many websites as people > > log into they do not always a different password to each one. Their > > password on my site could be the same as their password on their personal > > banking website. Dumb, but frequent. > > > I think your reasoning here is a little flawed. This is an end user > problem, and not sending passwords in a plain text email protects only > against a fraction of the ways this mistake can be exploited. > > I inheritted a site not long ago where the developer stored passwords in > plain text. I noticed that many of the users accounts on the site had > Yahoo and Hotmail email addresses. So just for grins, I went to Yahoo's > webmail Hotmail and tried logging in using those email addresses and > stored password. Probably 1/4 to 1/2 of them worked. > > Imagine how easy it would be for an unscrupulous web site owner or web > developer to collect passwords? The only way around this is to generate > all passwords and not permit users to set their own. > > Jim > > ~| Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4 Subscription: http://www.houseoffusion.com/cf_lists/index.cfm?method=subscribe&forumid=4 FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Your ad could be here. Monies from ads go to support these lists and provide more resources for the community. http://www.fusionauthority.com/ads.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
Re: encrypting password
Tony Schreiber wrote: > I want to be sure that I never, ever, ever, send a user's password to them > in clear text email. This is important because as many websites as people > log into they do not always a different password to each one. Their > password on my site could be the same as their password on their personal > banking website. Dumb, but frequent. I think your reasoning here is a little flawed. This is an end user problem, and not sending passwords in a plain text email protects only against a fraction of the ways this mistake can be exploited. I inheritted a site not long ago where the developer stored passwords in plain text. I noticed that many of the users accounts on the site had Yahoo and Hotmail email addresses. So just for grins, I went to Yahoo's webmail Hotmail and tried logging in using those email addresses and stored password. Probably 1/4 to 1/2 of them worked. Imagine how easy it would be for an unscrupulous web site owner or web developer to collect passwords? The only way around this is to generate all passwords and not permit users to set their own. Jim ~| Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4 Subscription: http://www.houseoffusion.com/cf_lists/index.cfm?method=subscribe&forumid=4 FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Your ad could be here. Monies from ads go to support these lists and provide more resources for the community. http://www.fusionauthority.com/ads.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89 70.4
RE: encrypting password
Are we talking about building Bank of America's Online Banking ;) Seems to me, the user asking the question is not looking for a cure-all. Bryan F. Hogan Director of Internet Development Team Macromedia Volunteer Macromedia Certified ColdFusion MX Developer Digital Bay Media, Inc. 1-877-72DIGITAL -Original Message- From: Barney Boisvert [mailto:[EMAIL PROTECTED] Sent: Wednesday, April 02, 2003 1:35 PM To: CF-Talk Subject: RE: encrypting password You could store it as a single CFSET tag in an encrypted file that only the CF user has permission to read, or put it somewhere that's really secure (offline DB that you have to do some nasty authentication over SSL to get the data from), and then cache it upon app startup. Both are still suceptible to anything that lets a use execute CF code, as they can just dump the application scope variables, but such is life. --- Barney Boisvert, Senior Development Engineer AudienceCentral (formerly PIER System, Inc.) [EMAIL PROTECTED] voice : 360.756.8080 x12 fax : 360.647.5351 www.audiencecentral.com > -Original Message- > From: Tony Schreiber [mailto:[EMAIL PROTECTED] > Sent: Wednesday, April 02, 2003 10:23 AM > To: CF-Talk > Subject: RE: encrypting password > > > Ditto. My question though, is since you must store your salt string in the > code (or the db somewhere), access to the db pretty much assumes they have > access to the code as well. How is the salt string secure? > > > Yes but if they have access to your db then you've got > generally a bigger > > problem than a dictionary attack > > > > > > > > -Original Message- > > From: Brandon Stone [mailto:[EMAIL PROTECTED] > > Sent: Wednesday, April 2, 2003 18:21 > > To: CF-Talk > > Subject: RE: encrypting password > > > > > > One note on security using hash, this still leaves the passwords in the > > database open to dictionary attacks. Its really only slightly > better than > > storing the passwords unencrypted. That is to say, if the > attacker somehow > > gains access to the database, they just need to use a > dictionary file, and > > try a hash of those words one at a time until a match is found. > > > > A generally accepted strategy is to use a salt word as well to > create the > > password. The salt is a string which you know and keep secure, > which the > > attacker hopefully does not. Then they need 2 pieces of information to > > attack the database. The comparison is essentially the same: > > > > > > > > > > > >... > > > > > > when you insert the hashed password, just append the salt to > the end. > hashedPwForDBInsertion = Hash(form.password&salt)> > > > > One more note, using hash() makes lost password retrieval more > difficult in > > that the hash() function is a one way hash. There is no way to > unhash. So > > essentially, if someone loses their password, you need a > mechanism for them > > to reset the password to a new password, rather than just > pulling the old > > one from the db and sending it to them. > > > > -Original Message- > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] > > Sent: Wednesday, April 02, 2003 11:51 AM > > To: CF-Talk > > Subject: RE: encrypting password > > > > > > I'd suggest using CFs hash() function. It's a one way > encryption/obfuscation > > method. > > > > Doug > > > ~| Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4 Subscription: http://www.houseoffusion.com/cf_lists/index.cfm?method=subscribe&forumid=4 FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Get the mailserver that powers this list at http://www.coolfusion.com Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89 70.4
RE: encrypting password
You could store it as a single CFSET tag in an encrypted file that only the CF user has permission to read, or put it somewhere that's really secure (offline DB that you have to do some nasty authentication over SSL to get the data from), and then cache it upon app startup. Both are still suceptible to anything that lets a use execute CF code, as they can just dump the application scope variables, but such is life. --- Barney Boisvert, Senior Development Engineer AudienceCentral (formerly PIER System, Inc.) [EMAIL PROTECTED] voice : 360.756.8080 x12 fax : 360.647.5351 www.audiencecentral.com > -Original Message- > From: Tony Schreiber [mailto:[EMAIL PROTECTED] > Sent: Wednesday, April 02, 2003 10:23 AM > To: CF-Talk > Subject: RE: encrypting password > > > Ditto. My question though, is since you must store your salt string in the > code (or the db somewhere), access to the db pretty much assumes they have > access to the code as well. How is the salt string secure? > > > Yes but if they have access to your db then you've got > generally a bigger > > problem than a dictionary attack > > > > > > > > -Original Message- > > From: Brandon Stone [mailto:[EMAIL PROTECTED] > > Sent: Wednesday, April 2, 2003 18:21 > > To: CF-Talk > > Subject: RE: encrypting password > > > > > > One note on security using hash, this still leaves the passwords in the > > database open to dictionary attacks. Its really only slightly > better than > > storing the passwords unencrypted. That is to say, if the > attacker somehow > > gains access to the database, they just need to use a > dictionary file, and > > try a hash of those words one at a time until a match is found. > > > > A generally accepted strategy is to use a salt word as well to > create the > > password. The salt is a string which you know and keep secure, > which the > > attacker hopefully does not. Then they need 2 pieces of information to > > attack the database. The comparison is essentially the same: > > > > > > > > > > > >... > > > > > > when you insert the hashed password, just append the salt to > the end. > hashedPwForDBInsertion = Hash(form.password&salt)> > > > > One more note, using hash() makes lost password retrieval more > difficult in > > that the hash() function is a one way hash. There is no way to > unhash. So > > essentially, if someone loses their password, you need a > mechanism for them > > to reset the password to a new password, rather than just > pulling the old > > one from the db and sending it to them. > > > > -Original Message- > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] > > Sent: Wednesday, April 02, 2003 11:51 AM > > To: CF-Talk > > Subject: RE: encrypting password > > > > > > I'd suggest using CFs hash() function. It's a one way > encryption/obfuscation > > method. > > > > Doug > > > ~| Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4 Subscription: http://www.houseoffusion.com/cf_lists/index.cfm?method=subscribe&forumid=4 FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Your ad could be here. Monies from ads go to support these lists and provide more resources for the community. http://www.fusionauthority.com/ads.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89 70.4
Re: encrypting password
I want to be sure that I never, ever, ever, send a user's password to them in clear text email. This is important because as many websites as people log into they do not always a different password to each one. Their password on my site could be the same as their password on their personal banking website. Dumb, but frequent. So, my scheme of retrieving hashed passwords is to send the user an email with a link they can use to change their password. Essentially, I send the hashed string - that's used as the "old password" on the Change your password function. Now, interception of this email can still compromise their account, but only their account on my server... > One small disadvantage, depending on your application (and your user base): If > you want to implement an "I forgot my password" page and email the _current_ > password to the user, you can't do it. You've got to generate a new password > first and email it out before hashing it into the db. > > I've seen the "I forgot my password" done at least three different ways on > site's I've visited: > > 1. Email the user his current password. This obviously means they're storing > the password either in a retrievable encrypted format or else unencrypted. > > 2. Generate a new password and email it to the user. This may indicate the > password is stored using a one way hash. > > 3. Generate a new password and email it to the user, then force them to login > using that password and immediately create a new password of their own choosing. > This adds additional security over #2 in that the password sent via email, which > could theoretically be intercepted, exists only for a short time. > > For most of the applications I do, security, while important, isn't a matter of > life and death, so mostly I use method #1, with some type of > encrytion/decryption. If someone breaks in and has complete access to a > database, the cracking of user passwords is probably not going to be high on > their list of priorities. > > Jim > > ~| Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4 Subscription: http://www.houseoffusion.com/cf_lists/index.cfm?method=subscribe&forumid=4 FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Get the mailserver that powers this list at http://www.coolfusion.com Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89 70.4
RE: encrypting password
Ditto. My question though, is since you must store your salt string in the code (or the db somewhere), access to the db pretty much assumes they have access to the code as well. How is the salt string secure? > Yes but if they have access to your db then you've got generally a bigger > problem than a dictionary attack > > > > -Original Message- > From: Brandon Stone [mailto:[EMAIL PROTECTED] > Sent: Wednesday, April 2, 2003 18:21 > To: CF-Talk > Subject: RE: encrypting password > > > One note on security using hash, this still leaves the passwords in the > database open to dictionary attacks. Its really only slightly better than > storing the passwords unencrypted. That is to say, if the attacker somehow > gains access to the database, they just need to use a dictionary file, and > try a hash of those words one at a time until a match is found. > > A generally accepted strategy is to use a salt word as well to create the > password. The salt is a string which you know and keep secure, which the > attacker hopefully does not. Then they need 2 pieces of information to > attack the database. The comparison is essentially the same: > > > > > >... > > > when you insert the hashed password, just append the salt to the end. hashedPwForDBInsertion = Hash(form.password&salt)> > > One more note, using hash() makes lost password retrieval more difficult in > that the hash() function is a one way hash. There is no way to unhash. So > essentially, if someone loses their password, you need a mechanism for them > to reset the password to a new password, rather than just pulling the old > one from the db and sending it to them. > > -Original Message- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] > Sent: Wednesday, April 02, 2003 11:51 AM > To: CF-Talk > Subject: RE: encrypting password > > > I'd suggest using CFs hash() function. It's a one way encryption/obfuscation > method. > > Doug > ~| Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4 Subscription: http://www.houseoffusion.com/cf_lists/index.cfm?method=subscribe&forumid=4 FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Signup for the Fusion Authority news alert and keep up with the latest news in ColdFusion and related topics. http://www.fusionauthority.com/signup.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89 70.4
Re: encrypting password
One small disadvantage, depending on your application (and your user base): If you want to implement an "I forgot my password" page and email the _current_ password to the user, you can't do it. You've got to generate a new password first and email it out before hashing it into the db. I've seen the "I forgot my password" done at least three different ways on site's I've visited: 1. Email the user his current password. This obviously means they're storing the password either in a retrievable encrypted format or else unencrypted. 2. Generate a new password and email it to the user. This may indicate the password is stored using a one way hash. 3. Generate a new password and email it to the user, then force them to login using that password and immediately create a new password of their own choosing. This adds additional security over #2 in that the password sent via email, which could theoretically be intercepted, exists only for a short time. For most of the applications I do, security, while important, isn't a matter of life and death, so mostly I use method #1, with some type of encrytion/decryption. If someone breaks in and has complete access to a database, the cracking of user passwords is probably not going to be high on their list of priorities. Jim ~| Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4 Subscription: http://www.houseoffusion.com/cf_lists/index.cfm?method=subscribe&forumid=4 FAQ: http://www.thenetprofits.co.uk/coldfusion/faq This list and all House of Fusion resources hosted by CFHosting.com. The place for dependable ColdFusion Hosting. Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89 70.4
RE: encrypting password
Thanks guys for the advice. I'm going to try it out. I'm not looking for a piece of expensive encryption solutions, so this would do well. -Original Message- From: Mike Townend [mailto:[EMAIL PROTECTED] Sent: Thursday, April 03, 2003 1:35 AM To: CF-Talk Subject: RE: encrypting password Yes but if they have access to your db then you've got generally a bigger problem than a dictionary attack -Original Message- From: Brandon Stone [mailto:[EMAIL PROTECTED] Sent: Wednesday, April 2, 2003 18:21 To: CF-Talk Subject: RE: encrypting password One note on security using hash, this still leaves the passwords in the database open to dictionary attacks. Its really only slightly better than storing the passwords unencrypted. That is to say, if the attacker somehow gains access to the database, they just need to use a dictionary file, and try a hash of those words one at a time until a match is found. A generally accepted strategy is to use a salt word as well to create the password. The salt is a string which you know and keep secure, which the attacker hopefully does not. Then they need 2 pieces of information to attack the database. The comparison is essentially the same: ... when you insert the hashed password, just append the salt to the end. One more note, using hash() makes lost password retrieval more difficult in that the hash() function is a one way hash. There is no way to unhash. So essentially, if someone loses their password, you need a mechanism for them to reset the password to a new password, rather than just pulling the old one from the db and sending it to them. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Wednesday, April 02, 2003 11:51 AM To: CF-Talk Subject: RE: encrypting password I'd suggest using CFs hash() function. It's a one way encryption/obfuscation method. Doug ~| Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4 Subscription: http://www.houseoffusion.com/cf_lists/index.cfm?method=subscribe&forumid=4 FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Get the mailserver that powers this list at http://www.coolfusion.com Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89 70.4
RE: encrypting password
Yes but if they have access to your db then you've got generally a bigger problem than a dictionary attack -Original Message- From: Brandon Stone [mailto:[EMAIL PROTECTED] Sent: Wednesday, April 2, 2003 18:21 To: CF-Talk Subject: RE: encrypting password One note on security using hash, this still leaves the passwords in the database open to dictionary attacks. Its really only slightly better than storing the passwords unencrypted. That is to say, if the attacker somehow gains access to the database, they just need to use a dictionary file, and try a hash of those words one at a time until a match is found. A generally accepted strategy is to use a salt word as well to create the password. The salt is a string which you know and keep secure, which the attacker hopefully does not. Then they need 2 pieces of information to attack the database. The comparison is essentially the same: ... when you insert the hashed password, just append the salt to the end. One more note, using hash() makes lost password retrieval more difficult in that the hash() function is a one way hash. There is no way to unhash. So essentially, if someone loses their password, you need a mechanism for them to reset the password to a new password, rather than just pulling the old one from the db and sending it to them. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Wednesday, April 02, 2003 11:51 AM To: CF-Talk Subject: RE: encrypting password I'd suggest using CFs hash() function. It's a one way encryption/obfuscation method. Doug ~| Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4 Subscription: http://www.houseoffusion.com/cf_lists/index.cfm?method=subscribe&forumid=4 FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Signup for the Fusion Authority news alert and keep up with the latest news in ColdFusion and related topics. http://www.fusionauthority.com/signup.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89 70.4
RE: encrypting password
One note on security using hash, this still leaves the passwords in the database open to dictionary attacks. Its really only slightly better than storing the passwords unencrypted. That is to say, if the attacker somehow gains access to the database, they just need to use a dictionary file, and try a hash of those words one at a time until a match is found. A generally accepted strategy is to use a salt word as well to create the password. The salt is a string which you know and keep secure, which the attacker hopefully does not. Then they need 2 pieces of information to attack the database. The comparison is essentially the same: ... when you insert the hashed password, just append the salt to the end. One more note, using hash() makes lost password retrieval more difficult in that the hash() function is a one way hash. There is no way to unhash. So essentially, if someone loses their password, you need a mechanism for them to reset the password to a new password, rather than just pulling the old one from the db and sending it to them. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Wednesday, April 02, 2003 11:51 AM To: CF-Talk Subject: RE: encrypting password I'd suggest using CFs hash() function. It's a one way encryption/obfuscation method. Doug ~| Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4 Subscription: http://www.houseoffusion.com/cf_lists/index.cfm?method=subscribe&forumid=4 FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Structure your ColdFusion code with Fusebox. Get the official book at http://www.fusionauthority.com/bkinfo.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89 70.4
RE: encrypting password
I'd suggest using CFs hash() function. It's a one way encryption/obfuscation method. Doug >-Original Message- >From: Anthony Wong [mailto:[EMAIL PROTECTED] >Sent: Wednesday, April 02, 2003 11:45 AM >To: CF-Talk >Subject: encrypting password > > >What would be the best method to encrypt password before it is >inserted into >the database? I'm using MySQL database. Would cfencrypt and cfdecrypt >function sufficient in this case? > >TIA > >Anthony > > ~| Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4 Subscription: http://www.houseoffusion.com/cf_lists/index.cfm?method=subscribe&forumid=4 FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Structure your ColdFusion code with Fusebox. Get the official book at http://www.fusionauthority.com/bkinfo.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89 70.4
RE: encrypting password
You could use the hash() function. Example: below taken from the docs Hash Example SELECT PasswordHash FROM SecureData WHERE UserID = ... Bryan F. Hogan Director of Internet Development Team Macromedia Volunteer Macromedia Certified ColdFusion MX Developer Digital Bay Media, Inc. 1-877-72DIGITAL -Original Message- From: Anthony Wong [mailto:[EMAIL PROTECTED] Sent: Wednesday, April 02, 2003 11:45 AM To: CF-Talk Subject: encrypting password What would be the best method to encrypt password before it is inserted into the database? I'm using MySQL database. Would cfencrypt and cfdecrypt function sufficient in this case? TIA Anthony ~| Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4 Subscription: http://www.houseoffusion.com/cf_lists/index.cfm?method=subscribe&forumid=4 FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Signup for the Fusion Authority news alert and keep up with the latest news in ColdFusion and related topics. http://www.fusionauthority.com/signup.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89 70.4
RE: encrypting password
Use a Hash() on the password for the insert, then on verification/logon hash() the form variable and compare the 2 hashes. HTH -Original Message- From: Anthony Wong [mailto:[EMAIL PROTECTED] Sent: Wednesday, April 2, 2003 17:45 To: CF-Talk Subject: encrypting password What would be the best method to encrypt password before it is inserted into the database? I'm using MySQL database. Would cfencrypt and cfdecrypt function sufficient in this case? TIA Anthony ~| Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4 Subscription: http://www.houseoffusion.com/cf_lists/index.cfm?method=subscribe&forumid=4 FAQ: http://www.thenetprofits.co.uk/coldfusion/faq This list and all House of Fusion resources hosted by CFHosting.com. The place for dependable ColdFusion Hosting. Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89 70.4
RE: Encrypting password
Displaying in a password field is not secure, because you can just view source and read the password out of the HTML. Much better to fill it in with a series of asterisks, and then on the processing side see if the string is all asterisks, and if it is, ignore it. barneyb --- Barney Boisvert, Senior Development Engineer AudienceCentral (formerly PIER System, Inc.) [EMAIL PROTECTED] voice : 360.671.8708 x12 fax : 360.647.5351 www.audiencecentral.com > -Original Message- > From: Ben Doom [mailto:[EMAIL PROTECTED] > Sent: Wednesday, March 26, 2003 10:07 AM > To: CF-Talk > Subject: RE: Encrypting password > > > You could display it in a password form field, or you could just not > query/display it at all. :-) > > > -- Ben Doom > Programmer & General Lackey > Moonbow Software, Inc > > : -Original Message- > : From: FlashGuy [mailto:[EMAIL PROTECTED] > : Sent: Wednesday, March 26, 2003 12:59 PM > : To: CF-Talk > : Subject: Encrypting password > : > : > : HI, > : > : I'm displaying all the fields from my database which also > : contains the users password in plain text. Is there a way to > : encrypt it when I display it to the screen? > : As "***" or just a bunch of gobbly gook? > : > : #GetUsers.Password# > : > : > : > : > : --- > : Colonel Nathan R. Jessop > : Commanding Officer > : Marine Ground Forces > : Guatanamo Bay, Cuba > : --- > : > : > : > : > ~| Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4 Subscription: http://www.houseoffusion.com/cf_lists/index.cfm?method=subscribe&forumid=4 FAQ: http://www.thenetprofits.co.uk/coldfusion/faq This list and all House of Fusion resources hosted by CFHosting.com. The place for dependable ColdFusion Hosting. Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
Re: Encrypting password
All kinds of ways. If you just want garbage then use the built in Hash() function to has it. You could also check it's length using Len() and then output that many asterixs. The big question is...Why display it if it's encrypted garbage and useless to the user? Cheers Bryan Stevenson B.Comm. VP & Director of E-Commerce Development Electric Edge Systems Group Inc. t. 250.920.8830 e. [EMAIL PROTECTED] - Macromedia Associate Partner www.macromedia.com - Vancouver Island ColdFusion Users Group Founder & Director www.cfug-vancouverisland.com - Original Message - From: "FlashGuy" <[EMAIL PROTECTED]> To: "CF-Talk" <[EMAIL PROTECTED]> Sent: Wednesday, March 26, 2003 9:58 AM Subject: Encrypting password > HI, > > I'm displaying all the fields from my database which also contains the users password in plain text. Is there a way to encrypt it when I display it to the screen? > As "***" or just a bunch of gobbly gook? > > #GetUsers.Password# > > > > > --- > Colonel Nathan R. Jessop > Commanding Officer > Marine Ground Forces > Guatanamo Bay, Cuba > --- > > > > ~| Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4 Subscription: http://www.houseoffusion.com/cf_lists/index.cfm?method=subscribe&forumid=4 FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Get the mailserver that powers this list at http://www.coolfusion.com Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
RE: Encrypting password
You could display it in a password form field, or you could just not query/display it at all. :-) -- Ben Doom Programmer & General Lackey Moonbow Software, Inc : -Original Message- : From: FlashGuy [mailto:[EMAIL PROTECTED] : Sent: Wednesday, March 26, 2003 12:59 PM : To: CF-Talk : Subject: Encrypting password : : : HI, : : I'm displaying all the fields from my database which also : contains the users password in plain text. Is there a way to : encrypt it when I display it to the screen? : As "***" or just a bunch of gobbly gook? : : #GetUsers.Password# : : : : : --- : Colonel Nathan R. Jessop : Commanding Officer : Marine Ground Forces : Guatanamo Bay, Cuba : --- : : : : ~| Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4 Subscription: http://www.houseoffusion.com/cf_lists/index.cfm?method=subscribe&forumid=4 FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Your ad could be here. Monies from ads go to support these lists and provide more resources for the community. http://www.fusionauthority.com/ads.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
RE: Encrypting password
Just don't include it on the page, or don't prefill the password text box, then on the server side if Len(Trim(Form.Password)) GT 0 then change the password else don't include the password in the SQL update statement HTH Mikey -Original Message- From: FlashGuy [mailto:[EMAIL PROTECTED] Sent: Wednesday, March 26, 2003 17:59 To: CF-Talk Subject: Encrypting password HI, I'm displaying all the fields from my database which also contains the users password in plain text. Is there a way to encrypt it when I display it to the screen? As "***" or just a bunch of gobbly gook? #GetUsers.Password# --- Colonel Nathan R. Jessop Commanding Officer Marine Ground Forces Guatanamo Bay, Cuba --- ~| Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4 Subscription: http://www.houseoffusion.com/cf_lists/index.cfm?method=subscribe&forumid=4 FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Signup for the Fusion Authority news alert and keep up with the latest news in ColdFusion and related topics. http://www.fusionauthority.com/signup.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
Re: Encrypting password
if you really do not have a valid reason to display the actual pwd, just use * You can use 1 * for each character or just display 10 or so regardless. >>> [EMAIL PROTECTED] 03/26/03 12:58PM >>> HI, I'm displaying all the fields from my database which also contains the users password in plain text. Is there a way to encrypt it when I display it to the screen? As "***" or just a bunch of gobbly gook? #GetUsers.Password# --- Colonel Nathan R. Jessop Commanding Officer Marine Ground Forces Guatanamo Bay, Cuba --- ~| Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4 Subscription: http://www.houseoffusion.com/cf_lists/index.cfm?method=subscribe&forumid=4 FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Get the mailserver that powers this list at http://www.coolfusion.com Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
RE: encrypting stored data
Just need to encrypt some data before inserting it into our database and decrypt it when its retrieved. Dave -Original Message- From: Jochem van Dieten [mailto:[EMAIL PROTECTED]] Sent: Thursday, January 30, 2003 9:44 AM To: CF-Talk Subject: Re: encrypting stored data Bosky, Dave wrote: > > Has anyone used Blowfish encryption algorithm? We use Blowfish with PostgreSQL. But what is the problem you need to solve? Jochem ~| Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4 Subscription: http://www.houseoffusion.com/cf_lists/index.cfm?method=subscribe&forumid=4 FAQ: http://www.thenetprofits.co.uk/coldfusion/faq This list and all House of Fusion resources hosted by CFHosting.com. The place for dependable ColdFusion Hosting. Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
Re: encrypting stored data
At 09:21 AM 1/30/2003 -0500, you wrote: >What methods are being used by everyone to encrypt data before storing it in >a MS SQL database? >Has anyone used Blowfish encryption algorithm? > >Thank You, > >Dave Bosky >~Sr. Multimedia Web Designer >~HTC Web Services >~[EMAIL PROTECTED] >~office: 843.369.8613 We use an XML-based user profile on one of our web properties, and we use CFENCRYPT to encrypt the data and stuff it in an SQLServer "text" field. Basic encryption, but it does the job. What type of data are you encrypting? -- Alex Sherwood PHS Collection Agency THE COLLECTORS T: 301.215.4200 F: 301.664.6834 W: www.phs-net.com ~| Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4 Subscription: http://www.houseoffusion.com/cf_lists/index.cfm?method=subscribe&forumid=4 FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Get the mailserver that powers this list at http://www.coolfusion.com Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
RE: encrypting stored data
Yeah used Blowfish/2fish/pgp. Encryption is a very processor intensive operation, so you do run into performance issues. WG > -Original Message- > From: Bosky, Dave [mailto:[EMAIL PROTECTED]] > Sent: 30 January 2003 14:22 > To: CF-Talk > Subject: encrypting stored data > > > What methods are being used by everyone to encrypt data before > storing it in > a MS SQL database? > Has anyone used Blowfish encryption algorithm? > > Thank You, > > Dave Bosky > ~Sr. Multimedia Web Designer > ~HTC Web Services > ~[EMAIL PROTECTED] > ~office: 843.369.8613 > > > > > > HTC Disclaimer: The information contained in this message may be > privileged and confidential and protected from disclosure. If the > reader of this message is not the intended recipient, or an > employee or agent responsible for delivering this message to the > intended recipient, you are hereby notified that any > dissemination, distribution or copying of this communication is > strictly prohibited. If you have received this communication in > error, please notify us immediately by replying to the message > and deleting it from your computer. Thank you. > ~| Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4 Subscription: http://www.houseoffusion.com/cf_lists/index.cfm?method=subscribe&forumid=4 FAQ: http://www.thenetprofits.co.uk/coldfusion/faq This list and all House of Fusion resources hosted by CFHosting.com. The place for dependable ColdFusion Hosting. Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
Re: encrypting stored data
Bosky, Dave wrote: > > Has anyone used Blowfish encryption algorithm? We use Blowfish with PostgreSQL. But what is the problem you need to solve? Jochem ~| Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4 Subscription: http://www.houseoffusion.com/cf_lists/index.cfm?method=subscribe&forumid=4 FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Get the mailserver that powers this list at http://www.coolfusion.com Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
Re: Encrypting cfquery
Michael Ross wrote: > Just to transfer for right now. It comes from someone being able to sniff the >communication between the two devices so that important info doesn't get passed in >plain text. The easy, fast, simple, reliable, secure and no nonsense solution is to buy 2 NIC's and a cross cable. Else, it depends a lot on what OS etc. you are running, but things that jump to mind are SSL connections (most databases support those), VPN's, IPsec etc. But I would go for the extra NIC's. Jochem __ Get the mailserver that powers this list at http://www.coolfusion.com FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/ Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
Re: Encrypting cfquery
You can set up a VPN between the two machines. You can also buy hardware NIC's that can do the encryption for you. Check out: http://www.microsoft.com/windows2000/techinfo/howitworks/communications/remo teaccess/vpnoverview.asp - Original Message - From: "Michael Ross" <[EMAIL PROTECTED]> To: "CF-Talk" <[EMAIL PROTECTED]> Sent: Friday, September 27, 2002 12:44 PM Subject: Re: Encrypting cfquery > Just to transfer for right now. It comes from someone being able to sniff the communication between the two devices so that important info doesn't get passed in plain text. > > Thanks > > Mike > > > >>> [EMAIL PROTECTED] 09/27/02 11:29AM >>> > Michael Ross wrote: > > I am looking into encrypting the data that goes from the application server to the db server. Does anyone have any experience in doing something like this. I am searching around the net to see whats out there, so anything else I could get here would be greatly appreciated. > > Do you want to encrypt it just while transfered over the network or > while stored on disk as well? > > Jochem > > > __ Get the mailserver that powers this list at http://www.coolfusion.com FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/ Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
RE: Encrypting cfquery
> Just to transfer for right now. It comes from someone being > able to sniff the communication between the two devices so > that important info doesn't get passed in plain text. You may be able to configure your database client so that all communication is encrypted. SQL Server supports this, for example. Alternatively, you can run your database client connection through IPsec, if you're using Windows 2000 for both the web and database servers. Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ voice: (202) 797-5496 fax: (202) 797-5444 : dream :: design :: develop : MXDC 02 :: Join us at this all day conference for designers & developers to learn tips, tricks, best practices and more for the entire Macromedia MX suite. September 28, 2002 :: http://www.mxdc02.com/ (Register today, seats are limited!) :: __ Signup for the Fusion Authority news alert and keep up with the latest news in ColdFusion and related topics. http://www.fusionauthority.com/signup.cfm FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/ Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
Re: Encrypting cfquery
Just to transfer for right now. It comes from someone being able to sniff the communication between the two devices so that important info doesn't get passed in plain text. Thanks Mike >>> [EMAIL PROTECTED] 09/27/02 11:29AM >>> Michael Ross wrote: > I am looking into encrypting the data that goes from the application server to the >db server. Does anyone have any experience in doing something like this. I am >searching around the net to see whats out there, so anything else I could get here >would be greatly appreciated. Do you want to encrypt it just while transfered over the network or while stored on disk as well? Jochem __ This list and all House of Fusion resources hosted by CFHosting.com. The place for dependable ColdFusion Hosting. FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/ Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
RE: Encrypting cfquery
> I am looking into encrypting the data that goes from the > application server to the db server. Does anyone have any > experience in doing something like this. I am searching around > the net to see whats out there, so anything else I could get here > would be greatly appreciated. You could use netcat to pipe the raw data via. ssh, similar to an ssh tunnel for HTTP... Tom Chiverton You don't have to be a mad scientist to believe in ColdFusion __ Structure your ColdFusion code with Fusebox. Get the official book at http://www.fusionauthority.com/bkinfo.cfm FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/ Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
Re: Encrypting cfquery
Michael Ross wrote: > I am looking into encrypting the data that goes from the application server to the >db server. Does anyone have any experience in doing something like this. I am >searching around the net to see whats out there, so anything else I could get here >would be greatly appreciated. Do you want to encrypt it just while transfered over the network or while stored on disk as well? Jochem __ Structure your ColdFusion code with Fusebox. Get the official book at http://www.fusionauthority.com/bkinfo.cfm FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/ Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
RE: Encrypting a Demo
CFENCRYPT is too weak and too well hacked to be of any real use, IMHO. The answer to how easy this stuff is to get hold of is here in the archives. or go to Google and start searching. You'll hit it within 30 seconds, I bet. I wish we'd get a useful template encryption tool (and, for that matter, better native encryption/decryption functions, preferably with an option for asymmetric keys). I'm heading over to MM now to request same. --- Matt Robertson[EMAIL PROTECTED] MSB Designs, Inc., www.mysecretbase.com --- -- Original Message -- from: "Tangorre, Michael" <[EMAIL PROTECTED]> Reply-To: [EMAIL PROTECTED] date: Fri, 2 Aug 2002 15:43:00 -0400 yes, it is very easy to decrypt a CF file that has been encrypted within CF (using their encryption). I don't know as if Macromedia would appreciate anyone telling anyone where that is possible however. :-) mike -Original Message- From: Paul Giesenhagen [mailto:[EMAIL PROTECTED]] Sent: Friday, August 02, 2002 3:39 PM To: CF-Talk Subject: Re: Encrypting a Demo That is what I figured that there isn't really a way around that ... I could compile an archive on the file that was encrypted with an encrypted key that is dated a certain time period. It could work, and it would be alot of fun building! Question for everyone out there .. .I have never seen, but is it pretty easy to find tools to unencrypt a cf file? I am just curious if I want to go through the hassle of encrypting and making our applications available if it is just plain easy and available for developers to unencrypt and fix the checks. Thanks Paul Giesenhagen QuillDesign - Original Message - From: "Douglas Brown" <[EMAIL PROTECTED]> To: "CF-Talk" <[EMAIL PROTECTED]> Sent: Friday, August 02, 2002 2:03 PM Subject: Re: Encrypting a Demo > Well paul, not sure of other encryption methods other than cfencrypt. You > could do the encryption and then use cfregistry to write a key and give it the > date of the first application load and then use it again to check the value in > application.cfm and them to a sorry!!! expired!!! This of course > depends on them having the cfregistry tag enabled. > > > > > Douglas Brown > Email: [EMAIL PROTECTED] > - Original Message - > From: "Paul Giesenhagen" <[EMAIL PROTECTED]> > To: "CF-Talk" <[EMAIL PROTECTED]> > Sent: Friday, August 02, 2002 11:39 AM > Subject: Encrypting a Demo > > > > We offer our applications as open source, and would like to encrypt so we > can offer a demo for download. > > > > Besides CF's Encrypt, does anyone have any recommendations on a possible way > of encrypting a CF application and then putting a time limit on how long the > demo lasts/works? > > > > Example would be to download the application, and it run for say 14 days and > then it no longer works. > > > > Any suggestions or help would be greatly appreciated. > > > > Paul Giesenhagen > > QuillDesign > > > > > > > __ Get the mailserver that powers this list at http://www.coolfusion.com FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/ Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
Re: Encrypting a Demo
We are currently doing that, but alot of folks want to install it in their environment and have their hands on thing going. Paul Giesenhagen QuillDesign - Original Message - From: "Alex" <[EMAIL PROTECTED]> To: "CF-Talk" <[EMAIL PROTECTED]> Sent: Friday, August 02, 2002 3:50 PM Subject: Re: Encrypting a Demo > Why don't you put your demo on your own server? > > On Fri, 2 Aug 2002, Paul Giesenhagen wrote: > > > We offer our applications as open source, and would like to encrypt so we can offer a demo for download. > > > > Besides CF's Encrypt, does anyone have any recommendations on a possible way of encrypting a CF application and then putting a time limit on how long the demo lasts/works? > > > > Example would be to download the application, and it run for say 14 days and then it no longer works. > > > > Any suggestions or help would be greatly appreciated. > > > > Paul Giesenhagen > > QuillDesign > > > > > > > __ Your ad could be here. Monies from ads go to support these lists and provide more resources for the community. http://www.fusionauthority.com/ads.cfm FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/ Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
Re: Encrypting a Demo
Why don't you put your demo on your own server? On Fri, 2 Aug 2002, Paul Giesenhagen wrote: > We offer our applications as open source, and would like to encrypt so we can offer >a demo for download. > > Besides CF's Encrypt, does anyone have any recommendations on a possible way of >encrypting a CF application and then putting a time limit on how long the demo >lasts/works? > > Example would be to download the application, and it run for say 14 days and then it >no longer works. > > Any suggestions or help would be greatly appreciated. > > Paul Giesenhagen > QuillDesign > > > __ This list and all House of Fusion resources hosted by CFHosting.com. The place for dependable ColdFusion Hosting. FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/ Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
Re: Encrypting a Demo
Tangorre, Michael wrote: > yes, it is very easy to decrypt a CF file that has been encrypted within CF (using >their encryption). > I don't know as if Macromedia would appreciate anyone telling anyone where that is >possible however. :-) I have a tool called AllCFM Power tools that does this. I only used it once when our dev server crashed leaving the changes of the day only in encrypted CFM on our real server... It can also retrieve or nullify your admin password, but that can be done easilly from a cfm page with cfregistry enabled. It even gives you your comments back... Now, before encrypting anything we first run a tool to remove all comments and line breaks (making the code much harder to interpret would you get your hands on them). __ This list and all House of Fusion resources hosted by CFHosting.com. The place for dependable ColdFusion Hosting. FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/ Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
RE: Encrypting a Demo
yes, it is very easy to decrypt a CF file that has been encrypted within CF (using their encryption). I don't know as if Macromedia would appreciate anyone telling anyone where that is possible however. :-) mike -Original Message- From: Paul Giesenhagen [mailto:[EMAIL PROTECTED]] Sent: Friday, August 02, 2002 3:39 PM To: CF-Talk Subject: Re: Encrypting a Demo That is what I figured that there isn't really a way around that ... I could compile an archive on the file that was encrypted with an encrypted key that is dated a certain time period. It could work, and it would be alot of fun building! Question for everyone out there .. .I have never seen, but is it pretty easy to find tools to unencrypt a cf file? I am just curious if I want to go through the hassle of encrypting and making our applications available if it is just plain easy and available for developers to unencrypt and fix the checks. Thanks Paul Giesenhagen QuillDesign - Original Message - From: "Douglas Brown" <[EMAIL PROTECTED]> To: "CF-Talk" <[EMAIL PROTECTED]> Sent: Friday, August 02, 2002 2:03 PM Subject: Re: Encrypting a Demo > Well paul, not sure of other encryption methods other than cfencrypt. You > could do the encryption and then use cfregistry to write a key and give it the > date of the first application load and then use it again to check the value in > application.cfm and them to a sorry!!! expired!!! This of course > depends on them having the cfregistry tag enabled. > > > > > Douglas Brown > Email: [EMAIL PROTECTED] > - Original Message - > From: "Paul Giesenhagen" <[EMAIL PROTECTED]> > To: "CF-Talk" <[EMAIL PROTECTED]> > Sent: Friday, August 02, 2002 11:39 AM > Subject: Encrypting a Demo > > > > We offer our applications as open source, and would like to encrypt so we > can offer a demo for download. > > > > Besides CF's Encrypt, does anyone have any recommendations on a possible way > of encrypting a CF application and then putting a time limit on how long the > demo lasts/works? > > > > Example would be to download the application, and it run for say 14 days and > then it no longer works. > > > > Any suggestions or help would be greatly appreciated. > > > > Paul Giesenhagen > > QuillDesign > > > > > > > __ This list and all House of Fusion resources hosted by CFHosting.com. The place for dependable ColdFusion Hosting. FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/ Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
Re: Encrypting a Demo
hmm... that is an interesting thought ... I suppose it would keep the honest not real knowledgable coders honest... I will look into that one! Paul - Original Message - From: "Douglas Brown" <[EMAIL PROTECTED]> To: "CF-Talk" <[EMAIL PROTECTED]> Sent: Friday, August 02, 2002 2:29 PM Subject: Re: Encrypting a Demo > Or I suppose you could use that in your application.cfm > > > > > Douglas Brown > Email: [EMAIL PROTECTED] > - Original Message - > From: "Douglas Brown" <[EMAIL PROTECTED]> > To: "CF-Talk" <[EMAIL PROTECTED]> > Sent: Friday, August 02, 2002 12:03 PM > Subject: Re: Encrypting a Demo > > > > Well paul, not sure of other encryption methods other than cfencrypt. You > > could do the encryption and then use cfregistry to write a key and give it > the > > date of the first application load and then use it again to check the value > in > > application.cfm and them to a sorry!!! expired!!! This of > course > > depends on them having the cfregistry tag enabled. > > > > > > > > > > Douglas Brown > > Email: [EMAIL PROTECTED] > > - Original Message - > > From: "Paul Giesenhagen" <[EMAIL PROTECTED]> > > To: "CF-Talk" <[EMAIL PROTECTED]> > > Sent: Friday, August 02, 2002 11:39 AM > > Subject: Encrypting a Demo > > > > > > > We offer our applications as open source, and would like to encrypt so we > > can offer a demo for download. > > > > > > Besides CF's Encrypt, does anyone have any recommendations on a possible > way > > of encrypting a CF application and then putting a time limit on how long the > > demo lasts/works? > > > > > > Example would be to download the application, and it run for say 14 days > and > > then it no longer works. > > > > > > Any suggestions or help would be greatly appreciated. > > > > > > Paul Giesenhagen > > > QuillDesign > > > > > > > > > > > > __ Get the mailserver that powers this list at http://www.coolfusion.com FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/ Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
Re: Encrypting a Demo
That is what I figured that there isn't really a way around that ... I could compile an archive on the file that was encrypted with an encrypted key that is dated a certain time period. It could work, and it would be alot of fun building! Question for everyone out there .. .I have never seen, but is it pretty easy to find tools to unencrypt a cf file? I am just curious if I want to go through the hassle of encrypting and making our applications available if it is just plain easy and available for developers to unencrypt and fix the checks. Thanks Paul Giesenhagen QuillDesign - Original Message - From: "Douglas Brown" <[EMAIL PROTECTED]> To: "CF-Talk" <[EMAIL PROTECTED]> Sent: Friday, August 02, 2002 2:03 PM Subject: Re: Encrypting a Demo > Well paul, not sure of other encryption methods other than cfencrypt. You > could do the encryption and then use cfregistry to write a key and give it the > date of the first application load and then use it again to check the value in > application.cfm and them to a sorry!!! expired!!! This of course > depends on them having the cfregistry tag enabled. > > > > > Douglas Brown > Email: [EMAIL PROTECTED] > - Original Message - > From: "Paul Giesenhagen" <[EMAIL PROTECTED]> > To: "CF-Talk" <[EMAIL PROTECTED]> > Sent: Friday, August 02, 2002 11:39 AM > Subject: Encrypting a Demo > > > > We offer our applications as open source, and would like to encrypt so we > can offer a demo for download. > > > > Besides CF's Encrypt, does anyone have any recommendations on a possible way > of encrypting a CF application and then putting a time limit on how long the > demo lasts/works? > > > > Example would be to download the application, and it run for say 14 days and > then it no longer works. > > > > Any suggestions or help would be greatly appreciated. > > > > Paul Giesenhagen > > QuillDesign > > > > > > > __ Signup for the Fusion Authority news alert and keep up with the latest news in ColdFusion and related topics. http://www.fusionauthority.com/signup.cfm FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/ Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
Re: Encrypting a Demo
Or I suppose you could use To: "CF-Talk" <[EMAIL PROTECTED]> Sent: Friday, August 02, 2002 12:03 PM Subject: Re: Encrypting a Demo > Well paul, not sure of other encryption methods other than cfencrypt. You > could do the encryption and then use cfregistry to write a key and give it the > date of the first application load and then use it again to check the value in > application.cfm and them to a sorry!!! expired!!! This of course > depends on them having the cfregistry tag enabled. > > > > > Douglas Brown > Email: [EMAIL PROTECTED] > - Original Message - > From: "Paul Giesenhagen" <[EMAIL PROTECTED]> > To: "CF-Talk" <[EMAIL PROTECTED]> > Sent: Friday, August 02, 2002 11:39 AM > Subject: Encrypting a Demo > > > > We offer our applications as open source, and would like to encrypt so we > can offer a demo for download. > > > > Besides CF's Encrypt, does anyone have any recommendations on a possible way > of encrypting a CF application and then putting a time limit on how long the > demo lasts/works? > > > > Example would be to download the application, and it run for say 14 days and > then it no longer works. > > > > Any suggestions or help would be greatly appreciated. > > > > Paul Giesenhagen > > QuillDesign > > > > > > > __ Structure your ColdFusion code with Fusebox. Get the official book at http://www.fusionauthority.com/bkinfo.cfm FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/ Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
Re: Encrypting a Demo
Well paul, not sure of other encryption methods other than cfencrypt. You could do the encryption and then use cfregistry to write a key and give it the date of the first application load and then use it again to check the value in application.cfm and them to a sorry!!! expired!!! This of course depends on them having the cfregistry tag enabled. Douglas Brown Email: [EMAIL PROTECTED] - Original Message - From: "Paul Giesenhagen" <[EMAIL PROTECTED]> To: "CF-Talk" <[EMAIL PROTECTED]> Sent: Friday, August 02, 2002 11:39 AM Subject: Encrypting a Demo > We offer our applications as open source, and would like to encrypt so we can offer a demo for download. > > Besides CF's Encrypt, does anyone have any recommendations on a possible way of encrypting a CF application and then putting a time limit on how long the demo lasts/works? > > Example would be to download the application, and it run for say 14 days and then it no longer works. > > Any suggestions or help would be greatly appreciated. > > Paul Giesenhagen > QuillDesign > > > __ Your ad could be here. Monies from ads go to support these lists and provide more resources for the community. http://www.fusionauthority.com/ads.cfm FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/ Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
RE: Encrypting ASP code
> Are there any tools that will encrypt asp code? > I understand it's just an ounce of prevention and > won't stop a determined person from looking at the > code. There's a tool from MS called Script Encoder. I haven't actually used it, so I don't know how well it works. Documentation for Script Encoder: http://msdn.microsoft.com/library/en-us/script56/html/SeconScriptEncoderOver view.asp Script Encoder: http://msdn.microsoft.com/scripting/vbscript/download/x86/sce10en.exe Typically, within a well-constructed "classic" ASP 3 application, very little work is done in ASP anyway - most significant tasks are migrated into COM objects. Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ voice: (202) 797-5496 fax: (202) 797-5444 __ This list and all House of Fusion resources hosted by CFHosting.com. The place for dependable ColdFusion Hosting. FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/ Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
RE: RE: Encrypting Numeric ID's
Hi,
If you are on CF 5 you can use a UDF I created called urlEncrypt. Here it
is. For directions go to http://loathe.mine.nu, or shoot me an email.
function urlEncrypt(queryString, key){
// encode the string
uue = cfusion_encrypt(queryString, key);
// make a checksum of the endoed string
checksum = left(hash(uue & key),2);
// assemble the URL
queryString = "/" & uue & checksum &"/index.htm";
return queryString;
}
function urlDecrypt(key){
var queryString = cgi.path_info;
var scope = "url";
var stuff = "";
// see if a scope is provided if it is set it otherwise set it to url
if(arrayLen(arguments) gt 1){
scope = arguments[2];
}
if ((right(queryString,3) neq "htm") or (findNoCase("&",queryString)
neq
0) or (findNoCase("=",queryString) neq 0)){
stuff = 'not encrypted, or corrupted
url';
} else {
// remove /index.htm
querystring = replace(queryString, right(queryString,10),'');
// remove the leading slash
querystring = replace(queryString, left(queryString,1),'');
// grab the old checksum
if (len(querystring) GT 2) {
oldcheck = right(querystring, 2);
querystring = rereplace(querystring, "(.*)..", "\1");
} else {
oldcheck = "";
}
// check the checksum
newcheck = left(hash(querystring & key),2);
if (newcheck NEQ oldcheck) {
return querystring;
}
//decrypt the passed value
queryString = cfusion_decrypt(queryString, key);
// set the variables
for(i = 0; i lt listLen(queryString, '&'); i = i + 1){
// Break up the list into seprate name=value
pairs
thisPair = listGetAt(queryString, i + 1, '&');
// Get the name
thisName = listGetAt(thisPair, 1, '=');
// Get the value
thisValue = listGetAt(thisPair, 2, '=');
// Set the name with the scope
thisName = scope & '.' & thisName;
// Set the variable
setVariable(thisName, thisValue);
}
}
return stuff;
}
Tim Heald
ACP/CCFD
Application Development
www.schoollink.net
-Original Message-
From: Dimple Goshar [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 23, 2002 2:15 AM
To: CF-Talk
Subject: RE: RE: Encrypting Numeric ID's
Hi,
Have u tried the DE function?
The help says
"Returns its argument with double quotes wrapped around it and all double
quotes inside it escaped."
Regards,
Dimple
> -Original Message-
> From: Jason Dowdell [SMTP:[EMAIL PROTECTED]]
> Sent: Friday, April 19, 2002 4:59 PM
> To: CF-Talk
> Subject: RE: RE: Encrypting Numeric ID's
>
> My original question was this...
> I need to encrypt a numeric userid that gets
> passed through a url and through a form and
> is used in a query. The urlencodedformat
> string that gets passed through the url and
> set in a form hidden field was messing up the
> page design because it had a double quote in
> it. I was looking for a solution that would
> match all of the above requirements.
>
> 1. pass through a url safely
> 2. pass through a form safely
> 3. be encrypted based on a key (done)
>
> Thanks guys,
> Jason
>
> -Original Message-
> From: Matt Robertson [mailto:[EMAIL PROTECTED]]
> Sent: Friday, April 19, 2002 2:57 AM
> To: CF-Talk
> Subject: RE: RE: Encrypting Numeric ID's
>
>
> I believe the original post was about how to encrypt and then escape a
> string, not just escape it. 2 functions in and then out seems necessary
> to get that done, but I'd be happy to see a shorter route.
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, April 18, 2002 3:59 PM
> To: CF-Talk
> Subject: Re: RE: Encrypting Numeric ID's
>
>
> Yes, but why bother doing all
RE: RE: Encrypting Numeric ID's
Hi, Have u tried the DE function? The help says "Returns its argument with double quotes wrapped around it and all double quotes inside it escaped." Regards, Dimple > -Original Message- > From: Jason Dowdell [SMTP:[EMAIL PROTECTED]] > Sent: Friday, April 19, 2002 4:59 PM > To: CF-Talk > Subject: RE: RE: Encrypting Numeric ID's > > My original question was this... > I need to encrypt a numeric userid that gets > passed through a url and through a form and > is used in a query. The urlencodedformat > string that gets passed through the url and > set in a form hidden field was messing up the > page design because it had a double quote in > it. I was looking for a solution that would > match all of the above requirements. > > 1. pass through a url safely > 2. pass through a form safely > 3. be encrypted based on a key (done) > > Thanks guys, > Jason > > -Original Message- > From: Matt Robertson [mailto:[EMAIL PROTECTED]] > Sent: Friday, April 19, 2002 2:57 AM > To: CF-Talk > Subject: RE: RE: Encrypting Numeric ID's > > > I believe the original post was about how to encrypt and then escape a > string, not just escape it. 2 functions in and then out seems necessary > to get that done, but I'd be happy to see a shorter route. > > -Original Message----- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] > Sent: Thursday, April 18, 2002 3:59 PM > To: CF-Talk > Subject: Re: RE: Encrypting Numeric ID's > > > Yes, but why bother doing all this work when htmlEditFormat() does all > this for you? > > > __ Get the mailserver that powers this list at http://www.coolfusion.com FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/ Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
RE: RE: Encrypting Numeric ID's
When you encrypt the userid and want to place it on a url, use URLEncodedFormat(). When you want to place it on a form, use HTMLEditFormat(). So something like: On a URL, it'd be like: myPage.cfm?userID=#URLEncodedFormat(myEncryptedString)# It sounds like you're receiving the encrypted string through the url and then want to place it in a hidden field: This will escape any characters that cause problems within form fields, like quotes and brackets. When the form is submitted, the characters will be unescaped automatically. -Original Message- From: Jason Dowdell [mailto:[EMAIL PROTECTED]] Sent: Friday, April 19, 2002 5:29 AM To: CF-Talk Subject: RE: RE: Encrypting Numeric ID's My original question was this... I need to encrypt a numeric userid that gets passed through a url and through a form and is used in a query. The urlencodedformat string that gets passed through the url and set in a form hidden field was messing up the page design because it had a double quote in it. I was looking for a solution that would match all of the above requirements. 1. pass through a url safely 2. pass through a form safely 3. be encrypted based on a key (done) Thanks guys, Jason -Original Message- From: Matt Robertson [mailto:[EMAIL PROTECTED]] Sent: Friday, April 19, 2002 2:57 AM To: CF-Talk Subject: RE: RE: Encrypting Numeric ID's I believe the original post was about how to encrypt and then escape a string, not just escape it. 2 functions in and then out seems necessary to get that done, but I'd be happy to see a shorter route. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Sent: Thursday, April 18, 2002 3:59 PM To: CF-Talk Subject: Re: RE: Encrypting Numeric ID's Yes, but why bother doing all this work when htmlEditFormat() does all this for you? __ Signup for the Fusion Authority news alert and keep up with the latest news in ColdFusion and related topics. http://www.fusionauthority.com/signup.cfm FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/ Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
RE: Encrypting Numeric ID's
Use this instead. It's fast and free. http://dev.myownemail.com/coldfusion/CFX_HexEncode.htm Chris -- Original Message From: "Jason Dowdell"<[EMAIL PROTECTED]> Subject: RE: Encrypting Numeric ID's Date: Thu, 18 Apr 2002 18:38:53 -0400 >I tried all of those solutions except the htmleditformat. >Will the htmleditformat remove double quotes? > >~jason > >-Original Message- >From: Matt Robertson [mailto:[EMAIL PROTECTED]] >Sent: Thursday, April 18, 2002 6:07 PM >To: CF-Talk >Subject: Re: Encrypting Numeric ID's > > >How about this: > > > >--- >Matt Robertson[EMAIL PROTECTED] >MSB Designs, Inc., www.mysecretbase.com >--- > > >-- Original Message -- >from: "Jason Dowdell" <[EMAIL PROTECTED]> >Reply-To: [EMAIL PROTECTED] >date: Thu, 18 Apr 2002 18:14:51 -0400 > >Hi All, > >I'm encrypting an integer using the encrypt() function >in CF. Sometimes it puts a double quote character in >the encrypted string. So when I put that value in a hidden >form field it looks something like this... > >value="jd0"9em" > >Of course you can see what happens. The browser sees the >second double quote and disregards the rest of the value of >the variable. I don't have the option of storing a hashed >value as the primary key because the db is already designed. > >Does anyone have any workarounds for this? > >Thanks, >Jason >- >Jason Dowdell >Engine Studio Inc. >www.EngineStudio.com >[EMAIL PROTECTED] >- > > > > __ This list and all House of Fusion resources hosted by CFHosting.com. The place for dependable ColdFusion Hosting. FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/ Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
RE: RE: Encrypting Numeric ID's
Hi Jason How have you encrypyed it? I am sure what you are asking is easy... if you contact me off list I will send you the files (save posting them here, unless you want me to?) Neil Neil Team Macromedia Spectra http://www.macromedia.com/go/team __ Structure your ColdFusion code with Fusebox. Get the official book at http://www.fusionauthority.com/bkinfo.cfm FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/ Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
RE: RE: Encrypting Numeric ID's
My original question was this... I need to encrypt a numeric userid that gets passed through a url and through a form and is used in a query. The urlencodedformat string that gets passed through the url and set in a form hidden field was messing up the page design because it had a double quote in it. I was looking for a solution that would match all of the above requirements. 1. pass through a url safely 2. pass through a form safely 3. be encrypted based on a key (done) Thanks guys, Jason -Original Message- From: Matt Robertson [mailto:[EMAIL PROTECTED]] Sent: Friday, April 19, 2002 2:57 AM To: CF-Talk Subject: RE: RE: Encrypting Numeric ID's I believe the original post was about how to encrypt and then escape a string, not just escape it. 2 functions in and then out seems necessary to get that done, but I'd be happy to see a shorter route. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Sent: Thursday, April 18, 2002 3:59 PM To: CF-Talk Subject: Re: RE: Encrypting Numeric ID's Yes, but why bother doing all this work when htmlEditFormat() does all this for you? __ Structure your ColdFusion code with Fusebox. Get the official book at http://www.fusionauthority.com/bkinfo.cfm FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/ Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
RE: RE: Encrypting Numeric ID's
I believe the original post was about how to encrypt and then escape a string, not just escape it. 2 functions in and then out seems necessary to get that done, but I'd be happy to see a shorter route. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Sent: Thursday, April 18, 2002 3:59 PM To: CF-Talk Subject: Re: RE: Encrypting Numeric ID's Yes, but why bother doing all this work when htmlEditFormat() does all this for you? __ Your ad could be here. Monies from ads go to support these lists and provide more resources for the community. http://www.fusionauthority.com/ads.cfm FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/ Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
Re: RE: Encrypting Numeric ID's
Yes, but why bother doing all this work when htmlEditFormat() does all this for you? - Original Message - From: Matt Robertson <[EMAIL PROTECTED]> Date: Thursday, April 18, 2002 4:46 pm Subject: Re: RE: Encrypting Numeric ID's > You'd have to decode it and decrypt it on the next page before you > use it for anything. I don't understand what you mean by it not > working. > those things are pretty big, tho'. One thing you could do is > > > > > encrypting "12345" using the key "blah" generates > > JS4+JCwrPFAgCg== > > and > > JS4%2BJCwrPFAgCg%3D%3D > > which are less unwieldy than the straight urlencoded/encrypted > version pf > > %25%2E%3E%24%2C%2B%3CP%20%0A > > Plain Base64 + encryption should also be db safe? > > --- > Matt Robertson[EMAIL PROTECTED] > MSB Designs, Inc., www.mysecretbase.com > --- > > > -- Original Message -- > from: [EMAIL PROTECTED] > Reply-To: [EMAIL PROTECTED] > date: Thu, 18 Apr 2002 16:32:28 -0600 > > Actually, I just realized that URLEncodedFormat won't work, as a > quote > will be url escaped, and when you submit the form, it won't change > back > to a quote. > > - Original Message - > From: Jason Dowdell <[EMAIL PROTECTED]> > Date: Thursday, April 18, 2002 4:38 pm > Subject: RE: Encrypting Numeric ID's > > > I tried all of those solutions except the htmleditformat. > > Will the htmleditformat remove double quotes? > > > > ~jason > > > > -Original Message- > > From: Matt Robertson [mailto:[EMAIL PROTECTED]] > > Sent: Thursday, April 18, 2002 6:07 PM > > To: CF-Talk > > Subject: Re: Encrypting Numeric ID's > > > > > > How about this: > > > > > > > > --- > > Matt Robertson[EMAIL PROTECTED] > > MSB Designs, Inc., www.mysecretbase.com > > --- > > > > > > -- Original Message -- > > from: "Jason Dowdell" <[EMAIL PROTECTED]> > > Reply-To: [EMAIL PROTECTED] > > date: Thu, 18 Apr 2002 18:14:51 -0400 > > > > Hi All, > > > > I'm encrypting an integer using the encrypt() function > > in CF. Sometimes it puts a double quote character in > > the encrypted string. So when I put that value in a hidden > > form field it looks something like this... > > > > value="jd0"9em" > > > > Of course you can see what happens. The browser sees the > > second double quote and disregards the rest of the value of > > the variable. I don't have the option of storing a hashed > > value as the primary key because the db is already designed. > > > > Does anyone have any workarounds for this? > > > > Thanks, > > Jason > > - > > Jason Dowdell > > Engine Studio Inc. > > www.EngineStudio.com > > [EMAIL PROTECTED] > > - > > > > > > > > > > __ This list and all House of Fusion resources hosted by CFHosting.com. The place for dependable ColdFusion Hosting. FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/ Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
RE: RE: Encrypting Numeric ID's
Thanks for the tips, I'll try to explain when I return later tonight. ~Jason -Original Message- From: Matt Robertson [mailto:[EMAIL PROTECTED]] Sent: Thursday, April 18, 2002 6:46 PM To: CF-Talk Subject: Re: RE: Encrypting Numeric ID's You'd have to decode it and decrypt it on the next page before you use it for anything. I don't understand what you mean by it not working. those things are pretty big, tho'. One thing you could do is encrypting "12345" using the key "blah" generates JS4+JCwrPFAgCg== and JS4%2BJCwrPFAgCg%3D%3D which are less unwieldy than the straight urlencoded/encrypted version pf %25%2E%3E%24%2C%2B%3CP%20%0A Plain Base64 + encryption should also be db safe? --- Matt Robertson[EMAIL PROTECTED] MSB Designs, Inc., www.mysecretbase.com --- -- Original Message -- from: [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] date: Thu, 18 Apr 2002 16:32:28 -0600 Actually, I just realized that URLEncodedFormat won't work, as a quote will be url escaped, and when you submit the form, it won't change back to a quote. - Original Message - From: Jason Dowdell <[EMAIL PROTECTED]> Date: Thursday, April 18, 2002 4:38 pm Subject: RE: Encrypting Numeric ID's > I tried all of those solutions except the htmleditformat. > Will the htmleditformat remove double quotes? > > ~jason > > -Original Message- > From: Matt Robertson [mailto:[EMAIL PROTECTED]] > Sent: Thursday, April 18, 2002 6:07 PM > To: CF-Talk > Subject: Re: Encrypting Numeric ID's > > > How about this: > > > > --- > Matt Robertson[EMAIL PROTECTED] > MSB Designs, Inc., www.mysecretbase.com > --- > > > -- Original Message -- > from: "Jason Dowdell" <[EMAIL PROTECTED]> > Reply-To: [EMAIL PROTECTED] > date: Thu, 18 Apr 2002 18:14:51 -0400 > > Hi All, > > I'm encrypting an integer using the encrypt() function > in CF. Sometimes it puts a double quote character in > the encrypted string. So when I put that value in a hidden > form field it looks something like this... > > value="jd0"9em" > > Of course you can see what happens. The browser sees the > second double quote and disregards the rest of the value of > the variable. I don't have the option of storing a hashed > value as the primary key because the db is already designed. > > Does anyone have any workarounds for this? > > Thanks, > Jason > - > Jason Dowdell > Engine Studio Inc. > www.EngineStudio.com > [EMAIL PROTECTED] > - > > > > __ Structure your ColdFusion code with Fusebox. Get the official book at http://www.fusionauthority.com/bkinfo.cfm FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/ Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
Re: RE: Encrypting Numeric ID's
You'd have to decode it and decrypt it on the next page before you use it for anything. I don't understand what you mean by it not working. those things are pretty big, tho'. One thing you could do is encrypting "12345" using the key "blah" generates JS4+JCwrPFAgCg== and JS4%2BJCwrPFAgCg%3D%3D which are less unwieldy than the straight urlencoded/encrypted version pf %25%2E%3E%24%2C%2B%3CP%20%0A Plain Base64 + encryption should also be db safe? --- Matt Robertson[EMAIL PROTECTED] MSB Designs, Inc., www.mysecretbase.com --- -- Original Message -- from: [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] date: Thu, 18 Apr 2002 16:32:28 -0600 Actually, I just realized that URLEncodedFormat won't work, as a quote will be url escaped, and when you submit the form, it won't change back to a quote. - Original Message - From: Jason Dowdell <[EMAIL PROTECTED]> Date: Thursday, April 18, 2002 4:38 pm Subject: RE: Encrypting Numeric ID's > I tried all of those solutions except the htmleditformat. > Will the htmleditformat remove double quotes? > > ~jason > > -Original Message- > From: Matt Robertson [mailto:[EMAIL PROTECTED]] > Sent: Thursday, April 18, 2002 6:07 PM > To: CF-Talk > Subject: Re: Encrypting Numeric ID's > > > How about this: > > > > --- > Matt Robertson[EMAIL PROTECTED] > MSB Designs, Inc., www.mysecretbase.com > --- > > > -- Original Message -- > from: "Jason Dowdell" <[EMAIL PROTECTED]> > Reply-To: [EMAIL PROTECTED] > date: Thu, 18 Apr 2002 18:14:51 -0400 > > Hi All, > > I'm encrypting an integer using the encrypt() function > in CF. Sometimes it puts a double quote character in > the encrypted string. So when I put that value in a hidden > form field it looks something like this... > > value="jd0"9em" > > Of course you can see what happens. The browser sees the > second double quote and disregards the rest of the value of > the variable. I don't have the option of storing a hashed > value as the primary key because the db is already designed. > > Does anyone have any workarounds for this? > > Thanks, > Jason > - > Jason Dowdell > Engine Studio Inc. > www.EngineStudio.com > [EMAIL PROTECTED] > - > > > > __ Get the mailserver that powers this list at http://www.coolfusion.com FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/ Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
Re: RE: Encrypting Numeric ID's
Actually, I just realized that URLEncodedFormat won't work, as a quote will be url escaped, and when you submit the form, it won't change back to a quote. - Original Message - From: Jason Dowdell <[EMAIL PROTECTED]> Date: Thursday, April 18, 2002 4:38 pm Subject: RE: Encrypting Numeric ID's > I tried all of those solutions except the htmleditformat. > Will the htmleditformat remove double quotes? > > ~jason > > -Original Message- > From: Matt Robertson [mailto:[EMAIL PROTECTED]] > Sent: Thursday, April 18, 2002 6:07 PM > To: CF-Talk > Subject: Re: Encrypting Numeric ID's > > > How about this: > > > > --- > Matt Robertson[EMAIL PROTECTED] > MSB Designs, Inc., www.mysecretbase.com > --- > > > -- Original Message -- > from: "Jason Dowdell" <[EMAIL PROTECTED]> > Reply-To: [EMAIL PROTECTED] > date: Thu, 18 Apr 2002 18:14:51 -0400 > > Hi All, > > I'm encrypting an integer using the encrypt() function > in CF. Sometimes it puts a double quote character in > the encrypted string. So when I put that value in a hidden > form field it looks something like this... > > value="jd0"9em" > > Of course you can see what happens. The browser sees the > second double quote and disregards the rest of the value of > the variable. I don't have the option of storing a hashed > value as the primary key because the db is already designed. > > Does anyone have any workarounds for this? > > Thanks, > Jason > - > Jason Dowdell > Engine Studio Inc. > www.EngineStudio.com > [EMAIL PROTECTED] > - > > > > __ Structure your ColdFusion code with Fusebox. Get the official book at http://www.fusionauthority.com/bkinfo.cfm FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/ Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
Re: RE: Encrypting Numeric ID's
Yes. It will escape the double quote to ". Once you submit the form, it will revert back to a double quote. URLEncodedFormat should have worked as well, although I only use that function for when I'm putting variables on the URL. - Original Message - From: Jason Dowdell <[EMAIL PROTECTED]> Date: Thursday, April 18, 2002 4:38 pm Subject: RE: Encrypting Numeric ID's > I tried all of those solutions except the htmleditformat. > Will the htmleditformat remove double quotes? > > ~jason > > -Original Message- > From: Matt Robertson [mailto:[EMAIL PROTECTED]] > Sent: Thursday, April 18, 2002 6:07 PM > To: CF-Talk > Subject: Re: Encrypting Numeric ID's > > > How about this: > > > > --- > Matt Robertson[EMAIL PROTECTED] > MSB Designs, Inc., www.mysecretbase.com > --- > > > -- Original Message -- > from: "Jason Dowdell" <[EMAIL PROTECTED]> > Reply-To: [EMAIL PROTECTED] > date: Thu, 18 Apr 2002 18:14:51 -0400 > > Hi All, > > I'm encrypting an integer using the encrypt() function > in CF. Sometimes it puts a double quote character in > the encrypted string. So when I put that value in a hidden > form field it looks something like this... > > value="jd0"9em" > > Of course you can see what happens. The browser sees the > second double quote and disregards the rest of the value of > the variable. I don't have the option of storing a hashed > value as the primary key because the db is already designed. > > Does anyone have any workarounds for this? > > Thanks, > Jason > - > Jason Dowdell > Engine Studio Inc. > www.EngineStudio.com > [EMAIL PROTECTED] > - > > > > __ Signup for the Fusion Authority news alert and keep up with the latest news in ColdFusion and related topics. http://www.fusionauthority.com/signup.cfm FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/ Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
RE: Encrypting Numeric ID's
I tried all of those solutions except the htmleditformat. Will the htmleditformat remove double quotes? ~jason -Original Message- From: Matt Robertson [mailto:[EMAIL PROTECTED]] Sent: Thursday, April 18, 2002 6:07 PM To: CF-Talk Subject: Re: Encrypting Numeric ID's How about this: --- Matt Robertson[EMAIL PROTECTED] MSB Designs, Inc., www.mysecretbase.com --- -- Original Message -- from: "Jason Dowdell" <[EMAIL PROTECTED]> Reply-To: [EMAIL PROTECTED] date: Thu, 18 Apr 2002 18:14:51 -0400 Hi All, I'm encrypting an integer using the encrypt() function in CF. Sometimes it puts a double quote character in the encrypted string. So when I put that value in a hidden form field it looks something like this... value="jd0"9em" Of course you can see what happens. The browser sees the second double quote and disregards the rest of the value of the variable. I don't have the option of storing a hashed value as the primary key because the db is already designed. Does anyone have any workarounds for this? Thanks, Jason - Jason Dowdell Engine Studio Inc. www.EngineStudio.com [EMAIL PROTECTED] - __ Get the mailserver that powers this list at http://www.coolfusion.com FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/ Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
Re: Encrypting Numeric ID's
How about this: --- Matt Robertson[EMAIL PROTECTED] MSB Designs, Inc., www.mysecretbase.com --- -- Original Message -- from: "Jason Dowdell" <[EMAIL PROTECTED]> Reply-To: [EMAIL PROTECTED] date: Thu, 18 Apr 2002 18:14:51 -0400 Hi All, I'm encrypting an integer using the encrypt() function in CF. Sometimes it puts a double quote character in the encrypted string. So when I put that value in a hidden form field it looks something like this... value="jd0"9em" Of course you can see what happens. The browser sees the second double quote and disregards the rest of the value of the variable. I don't have the option of storing a hashed value as the primary key because the db is already designed. Does anyone have any workarounds for this? Thanks, Jason - Jason Dowdell Engine Studio Inc. www.EngineStudio.com [EMAIL PROTECTED] - __ This list and all House of Fusion resources hosted by CFHosting.com. The place for dependable ColdFusion Hosting. FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/ Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
RE: Encrypting Numeric ID's
You could always URLEncode it. This works for hidden form fields. --Paul Paul W. Wille [EMAIL PROTECTED] --- Certified Advanced ColdFusion 5 Developer --- ISITE Design, Inc. -- Solutions Architect www.isitedesign.com 615 SW Broadway, Suite 200 Portland, OR 97205 503.221.9860 x110 503.221.9865 -Original Message- From: Jason Dowdell [mailto:[EMAIL PROTECTED]] Sent: Thursday, April 18, 2002 3:15 PM To: CF-Talk Subject: Encrypting Numeric ID's Hi All, I'm encrypting an integer using the encrypt() function in CF. Sometimes it puts a double quote character in the encrypted string. So when I put that value in a hidden form field it looks something like this... value="jd0"9em" Of course you can see what happens. The browser sees the second double quote and disregards the rest of the value of the variable. I don't have the option of storing a hashed value as the primary key because the db is already designed. Does anyone have any workarounds for this? Thanks, Jason - Jason Dowdell Engine Studio Inc. www.EngineStudio.com [EMAIL PROTECTED] - __ Signup for the Fusion Authority news alert and keep up with the latest news in ColdFusion and related topics. http://www.fusionauthority.com/signup.cfm FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/ Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
Re: Encrypting Numeric ID's
use htmlEditFormat() - Original Message - From: Jason Dowdell <[EMAIL PROTECTED]> Date: Thursday, April 18, 2002 4:14 pm Subject: Encrypting Numeric ID's > Hi All, > > I'm encrypting an integer using the encrypt() function > in CF. Sometimes it puts a double quote character in > the encrypted string. So when I put that value in a hidden > form field it looks something like this... > > value="jd0"9em" > > Of course you can see what happens. The browser sees the > second double quote and disregards the rest of the value of > the variable. I don't have the option of storing a hashed > value as the primary key because the db is already designed. > > Does anyone have any workarounds for this? > > Thanks, > Jason > - > Jason Dowdell > Engine Studio Inc. > www.EngineStudio.com > [EMAIL PROTECTED] > - > > __ Get the mailserver that powers this list at http://www.coolfusion.com FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/ Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
RE: Encrypting
Doug - the "/2" switch is not a valid switch. If you are trying to do the mandatory version switch its [ /v "2" ] -Original Message- From: Douglas Brown [mailto:[EMAIL PROTECTED]] Sent: Thursday, February 07, 2002 12:10 PM To: CF-Talk Subject: Re: Encrypting I keep getting an invalid switch error. I am doing this C:\CFUSION\BIN>cfencode /r /2 c:\testfiles There are two major products that come out of Berkeley: LSD and [Unix] BSD. We don't believe this to be a coincidence. Doug Brown - Original Message - From: "Steve Oliver" <[EMAIL PROTECTED]> To: "CF-Talk" <[EMAIL PROTECTED]> Sent: Thursday, February 07, 2002 11:22 AM Subject: RE: Encrypting > Use cfencode with the /r flag, which means recursive, which will encrypt > all files in a folder, including subdirectories. > > __ > steve oliver > atnet solutions, inc. > http://www.atnetsolutions.com > > > -Original Message- > From: Douglas Brown [mailto:[EMAIL PROTECTED]] > Sent: Thursday, February 07, 2002 2:28 PM > To: CF-Talk > Subject: Encrypting > > > What is the best way to encrypt a entire application? > > > > > > > There are two major products that come out of Berkeley: LSD and [Unix] > BSD. We don't believe this to be a coincidence. > > > > Doug Brown > > > __ Dedicated Windows 2000 Server PIII 800 / 256 MB RAM / 40 GB HD / 20 GB MO/XFER Instant Activation · $99/Month · Free Setup http://www.pennyhost.com/redirect.cfm?adcode=coldfusiona FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/ Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
Re: Encrypting
I keep getting an invalid switch error. I am doing this C:\CFUSION\BIN>cfencode /r /2 c:\testfiles There are two major products that come out of Berkeley: LSD and [Unix] BSD. We don't believe this to be a coincidence. Doug Brown - Original Message - From: "Steve Oliver" <[EMAIL PROTECTED]> To: "CF-Talk" <[EMAIL PROTECTED]> Sent: Thursday, February 07, 2002 11:22 AM Subject: RE: Encrypting > Use cfencode with the /r flag, which means recursive, which will encrypt > all files in a folder, including subdirectories. > > __ > steve oliver > atnet solutions, inc. > http://www.atnetsolutions.com > > > -Original Message- > From: Douglas Brown [mailto:[EMAIL PROTECTED]] > Sent: Thursday, February 07, 2002 2:28 PM > To: CF-Talk > Subject: Encrypting > > > What is the best way to encrypt a entire application? > > > > > > > There are two major products that come out of Berkeley: LSD and [Unix] > BSD. We don't believe this to be a coincidence. > > > > Doug Brown > > > __ Dedicated Windows 2000 Server PIII 800 / 256 MB RAM / 40 GB HD / 20 GB MO/XFER Instant Activation · $99/Month · Free Setup http://www.pennyhost.com/redirect.cfm?adcode=coldfusiona FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/ Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
RE: Encrypting
Use cfencode with the /r flag, which means recursive, which will encrypt all files in a folder, including subdirectories. __ steve oliver atnet solutions, inc. http://www.atnetsolutions.com -Original Message- From: Douglas Brown [mailto:[EMAIL PROTECTED]] Sent: Thursday, February 07, 2002 2:28 PM To: CF-Talk Subject: Encrypting What is the best way to encrypt a entire application? There are two major products that come out of Berkeley: LSD and [Unix] BSD. We don't believe this to be a coincidence. Doug Brown __ Why Share? Dedicated Win 2000 Server · PIII 800 / 256 MB RAM / 40 GB HD / 20 GB MO/XFER Instant Activation · $99/Month · Free Setup http://www.pennyhost.com/redirect.cfm?adcode=coldfusionc FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/ Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
RE: encrypting/decrypting...
I'm telling ya, I ran the _exact_ same code you had. Here is my version:
function Encodify(encodeThis){
var encodedString = "";
encodedString = URLEncodedFormat(Encrypt(encodeThis, KeyName));
return encodedString;
}
function Decodify(decodeThis){
var decodedString = "";
decodedString = Decrypt(URLDecode(decodeThis), KeyName);
return decodedString;
}
Original myID: 1
myid=#myid#
decoded #myid2#
The only difference is that I used the name, myid2 in the last line of
code.
===
Raymond Camden, Principal Spectra Compliance Engineer for Macromedia
Email: [EMAIL PROTECTED]
Yahoo IM : morpheus
"My ally is the Force, and a powerful ally it is." - Yoda
> -Original Message-
> From: Tyler Silcox [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, December 18, 2001 10:27 AM
> To: CF-Talk
> Subject: Re: encrypting/decrypting...
>
>
> Did you run it as a UDF? Because that's where the problem
> starts...if you
> did, then something's screwy here (MS 2000 advanced server,
> CF5 (duh.)) I
> just added cfusion_encrypt and cfusion_decrypt into the mix
> between the
> encrypt and url functions in the UDFs and it seems to work
> fine now...thanks
> for checking it out->
> Tyler
>
> - Original Message -
> From: "Raymond Camden" <[EMAIL PROTECTED]>
> To: "CF-Talk" <[EMAIL PROTECTED]>
> Sent: Tuesday, December 18, 2001 10:13 AM
> Subject: RE: encrypting/decrypting...
>
>
> Tyler, I ran your code exactly as you have it, and didn't get any
> errors.
>
> ==
> =
> Raymond Camden, Principal Spectra Compliance Engineer for Macromedia
>
> Email: [EMAIL PROTECTED]
> Yahoo IM : morpheus
>
> "My ally is the Force, and a powerful ally it is." - Yoda
>
> > -Original Message-
> > From: Tyler Silcox [mailto:[EMAIL PROTECTED]]
> > Sent: Tuesday, December 18, 2001 9:58 AM
> > To: CF-Talk
> > Subject: encrypting/decrypting...
> >
> >
> > I remember a discussion a little while back about
> > encrypting/decrypting
> > variables etc and now I'm starting to encrypt some passed
> > variables and was
> > wondering if y'all could remember some of the finer points of the
> > discussion, because I sure don't, and now I'm having some
> > problems. I think
> > my problems are associated with the way cfscript is running,
> > but I could be
> > going about the encryption process the wrong way in the
> first place...
> >
> > What I'm trying to do is:
> >
> > I want to encrypt all cookie, url and form values when passed
> > or written to.
> > I wrote a couple UDFs that combines the Encrypt and URLEncodedFormat
> > functions, along with their counter functions.
> >
> >
> >
> > function Encodify(encodeThis){
> > var encodedString = "";
> > encodedString = URLEncodedFormat(Encrypt(encodeThis, KeyName));
> > return encodedString;
> > }
> >
> >
> > function Decodify(decodeThis){
> > var decodedString = "";
> > decodedString = Decrypt(URLDecode(decodeThis), KeyName);
> > return decodedString;
> > }
> >
> >
> > Simple enough, but I'm getting an error when I just try to
> > encode certain
> > numbers (in this case: 1)
> >
> >
> > Original myID: 1
> >
> >
> > Encoded myid: %21%23%40%24%23%0A
> >
> >
> > An error occurred while evaluating the expression:
> > myid=Decodify(myid)
> > The value to be decrypted is not valid
> >
> > Which is wacked, because if I just take the "Encodified" value
> > (%21%23%40%24%23%0A) and write out the functions, instead of
> > using the UDF,
> > it works:
> >
> >
> > URLDecoded myid: !#@$#
> >
> > Decrypted myid: 1
> >
> > It looks like the pound signs in the encrypted value is what
> > it creating the
> > error, but I can't figure out why/how cfscript can't handle it.
> >
> > Can anyone shed some light on what I'm trying to do here? Is
> > this a bug in
> > the UDF/cfscript implementation? Is this a waste of a UDF?
> > Should I be
> > using CFusion_Encrypt() or Hash() functions instead? So many
> > questions...
> >
> > Tyler
> > __
> > __
> > Get the mailse
Re: encrypting/decrypting...
Did you run it as a UDF? Because that's where the problem starts...if you
did, then something's screwy here (MS 2000 advanced server, CF5 (duh.)) I
just added cfusion_encrypt and cfusion_decrypt into the mix between the
encrypt and url functions in the UDFs and it seems to work fine now...thanks
for checking it out->
Tyler
- Original Message -
From: "Raymond Camden" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Tuesday, December 18, 2001 10:13 AM
Subject: RE: encrypting/decrypting...
Tyler, I ran your code exactly as you have it, and didn't get any
errors.
===
Raymond Camden, Principal Spectra Compliance Engineer for Macromedia
Email: [EMAIL PROTECTED]
Yahoo IM : morpheus
"My ally is the Force, and a powerful ally it is." - Yoda
> -Original Message-
> From: Tyler Silcox [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, December 18, 2001 9:58 AM
> To: CF-Talk
> Subject: encrypting/decrypting...
>
>
> I remember a discussion a little while back about
> encrypting/decrypting
> variables etc and now I'm starting to encrypt some passed
> variables and was
> wondering if y'all could remember some of the finer points of the
> discussion, because I sure don't, and now I'm having some
> problems. I think
> my problems are associated with the way cfscript is running,
> but I could be
> going about the encryption process the wrong way in the first place...
>
> What I'm trying to do is:
>
> I want to encrypt all cookie, url and form values when passed
> or written to.
> I wrote a couple UDFs that combines the Encrypt and URLEncodedFormat
> functions, along with their counter functions.
>
>
>
> function Encodify(encodeThis){
> var encodedString = "";
> encodedString = URLEncodedFormat(Encrypt(encodeThis, KeyName));
> return encodedString;
> }
>
>
> function Decodify(decodeThis){
> var decodedString = "";
> decodedString = Decrypt(URLDecode(decodeThis), KeyName);
> return decodedString;
> }
>
>
> Simple enough, but I'm getting an error when I just try to
> encode certain
> numbers (in this case: 1)
>
>
> Original myID: 1
>
>
> Encoded myid: %21%23%40%24%23%0A
>
>
> An error occurred while evaluating the expression:
> myid=Decodify(myid)
> The value to be decrypted is not valid
>
> Which is wacked, because if I just take the "Encodified" value
> (%21%23%40%24%23%0A) and write out the functions, instead of
> using the UDF,
> it works:
>
>
> URLDecoded myid: !#@$#
>
> Decrypted myid: 1
>
> It looks like the pound signs in the encrypted value is what
> it creating the
> error, but I can't figure out why/how cfscript can't handle it.
>
> Can anyone shed some light on what I'm trying to do here? Is
> this a bug in
> the UDF/cfscript implementation? Is this a waste of a UDF?
> Should I be
> using CFusion_Encrypt() or Hash() functions instead? So many
> questions...
>
> Tyler
> __
> __
> Get the mailserver that powers this list at http://www.coolfusion.com
> FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
> Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
> Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
>
Structure your ColdFusion code with Fusebox. Get the official book at
http://www.fusionauthority.com/bkinfo.cfm
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
This list and all House of Fusion resources hosted by CFHosting.com. The place for
dependable ColdFusion Hosting.
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
