February 17, 2010
Question

View Source - Encrypting form fields.

  • February 17, 2010
  • 4 replies
  • 2821 views

Hi,

We have a "Change password" screen that will be populated with the old password (in a textbox). My client says that while displaying it, one should not be able to go to View Source and see it.

I tried the Encrypt function like Encrypt(form.txtpassword,......) but when I submit the form, the encrypted values get updated in the db (rather than the actual ones).

So, all I need is to prevent my users from viewing the password through "View Source", but they should be given a way to change it and update it in the database.

How do I accomplish this? Any ideas?


    4 replies

    Inspiring
    February 18, 2010

    I tried the Encrypt function like Encrypt(form.txtpassword,......) but when I submit the form, the encrypted values get updated in the db (rather than the actual ones).

    If you are satisfied with this initial approach all you need to do is decrypt the password before it is passed into the database.

    <cfoutput>
        <cfset form.password = "testing" />
        Original password: <strong>#form.password#</strong><br />

        If desired, choose your algorithm (let's say DES) and generate your key:<br />
        <cfset myAlgorithm = "DES" />
        <cfset myKey = generateSecretKey(myAlgorithm) />

        On your login page you encrypt your password:
        <cfset form.password = encrypt(form.password, myKey, myAlgorithm) /><br />
        Encrypted password: <strong>#form.password#</strong><br />

        Then on your action page, before you pass the data into your database, you just decrypt:
        <cfset pwdReadyForDatabase = decrypt(form.password, myKey, myAlgorithm) /><br />
        You end up with your old password in the database: <strong>#pwdReadyForDatabase#</strong>
    </cfoutput>


    February 18, 2010

    @Ian Skinner @OwainNorth,

    Guys,

    I understand this is not a proper requirement, and whatever you suggest seems valid to me.

    But understand, I can't go and suggest these things to my business. I have to look for a viable solution within the resources I've got.

    And when we come to forums, we expect some answers / suggestions. But I hope answers like "You write your own browsers" and "Nonsensical Question" can be avoided, because they will certainly discourage newcomers / learners like me.

    Appreciate all your help!

    ilssac
    Inspiring
    February 18, 2010

    S C O R P I O N wrote:

    And when we come to forums, we expect some answers / suggestions. But I hope answers like "You write your own browsers" and "Nonsensical Question" can be avoided, because they will certainly discourage newcomers / learners like me.

    Appreciate all your help!

    But sometimes newbies ask questions for which the answer is "If you are asking to do that, then you do not understand the technology you are working with, because that is impossible due to the way that things work".

    Now, seeing you respond favorably to the above situation where you can display an encrypted password, that begs the question: why display anything at all? Since you are displaying the password in a form no human is going to understand, what purpose is there in doing so?

    This may be a case where what you really need to do is store the old password in a session variable or some other server resource like that to be used later on during the form action processing, and not bother delivering or displaying it to the user.

    That's the way I would approach what I now think you are trying.

    But I am going to close here with the statement that I am still very unsure I understand what you are really trying to accomplish.
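The session-based approach ilssac describes, as an added CFML example that is not code from the thread: the old password is read from the database on the server and kept in session scope, the browser receives only a mask, and the action page uses the session copy rather than anything posted back, so View Source never contains the value. The datasource name myDSN, the users table, and session.userID are assumptions, as is an Application.cfc with session management enabled; the password column is assumed to hold the value in whatever form the poster's existing system already stores it.

```cfml
<!--- changePasswordForm.cfm: read the current password server-side and keep it in session --->
<cfquery name="qUser" datasource="myDSN">
    SELECT password
    FROM users
    WHERE user_id = <cfqueryparam value="#session.userID#" cfsqltype="cf_sql_integer">
</cfquery>
<cfset session.oldPassword = qUser.password>

<!--- The page source only ever contains the mask, never the password itself --->
<cfoutput>
<form method="post" action="changePasswordAction.cfm">
    Old password: <input type="password" name="oldPassword"
                         value="#repeatString("*", len(qUser.password))#" readonly><br>
    New password: <input type="password" name="newPassword" value=""><br>
    <input type="submit" value="Change password">
</form>
</cfoutput>

<!--- changePasswordAction.cfm: ignore the posted mask; use the copy held on the server --->
<cfif NOT structKeyExists(session, "oldPassword")>
    <cfthrow message="No change-password request in progress.">
</cfif>
<cfif NOT structKeyExists(form, "newPassword") OR NOT len(trim(form.newPassword))>
    <cfthrow message="A new password is required.">
</cfif>

<!--- Matching on the session copy means a stale or replayed form changes nothing --->
<cfquery datasource="myDSN">
    UPDATE users
    SET password = <cfqueryparam value="#form.newPassword#" cfsqltype="cf_sql_varchar">
    WHERE user_id = <cfqueryparam value="#session.userID#" cfsqltype="cf_sql_integer">
      AND password = <cfqueryparam value="#session.oldPassword#" cfsqltype="cf_sql_varchar">
</cfquery>

<!--- Drop the server-side copy as soon as it has served its purpose --->
<cfset structDelete(session, "oldPassword")>
```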

    Inspiring
    February 17, 2010

    Run your page without encrypting anything.  Look at the html source code in your browser.  Is the password there?

    ilssac
    Inspiring
    February 17, 2010

    If something is on the screen then it is in the source. I just don't picture what you are trying to accomplish here. The little dots or stars that a browser puts into a password field are for people looking over your shoulder while you type passwords. They don't protect the data from the system in any way.

    Inspiring
    February 17, 2010

    Why show the password at all?

    February 17, 2010

    Hi Paul,

    Thanks for the answer.

    I agree with you. But unfortunately they won't allow us to change the existing system/screen design.

    Any other ideas?

    Inspiring
    February 17, 2010

    If you're displaying the old password as clear text, then I can't see why they're worried; it's already too late. If it's obscured somehow, then substitute ***'s or whatever for the old password when you drag it out of the db.

    Also, if they're not letting the system be modified in any way, then all of this is kind of moot anyway.