John_Allred
Inspiring
August 4, 2021
Answered

How do I avoid rehashing a password field on update?

Hi!

I have an action file that creates a record with a hashed password:

    <cfquery datasource="#ds#">
      INSERT INTO tbl_User(Email, RoleID, password)
      VALUES ('#email#', '#session.UserRoleID#', '#hash(form.Password,'SHA')#');
    </cfquery>

The password field in my new database record begins with "2879EA..."

The next file in my registration process invokes a CFC method:

    <cfinvoke component="users"
              method="get"
              Userid="#session.UserID#"
              returnvariable="userData">
    </cfinvoke>

It sets the password variable using that query's results:

    <cfset password=Trim(userData.password)>

And populates the update form:

        <tr><td>Password:</td>
            <td><cfinput type="password" name="Password" size="17" maxlength="50" required="Yes" value="#hash(Password,'SHA')# " message="You must enter a password." style="font-size: 83%;"> </td></tr> 

When I click the update button, my form redisplays with all the updated fields, but the password field in the database now begins with "1490BE..."

This means I'm hashing my already hashed password. How do I avoid doing this?

Thanks,

John

    Correct answer John_Allred

    I guess this is an oops response.

    If I leave the password field out of the update form, it doesn't get hashed again on save. I don't know where I got the notion that the PW field needed to be displayed on the update form.

    3 replies

    BKBK
    Community Expert
    August 5, 2021

            <tr><td>Password:</td>
                <td><cfinput type="password" name="Password" size="17" maxlength="50" required="Yes" value="#hash(Password,'SHA')# " message="You must enter a password." style="font-size: 83%;"> </td></tr> 

    When I click the update button, my form redisplays with all the updated fields, but the password field in the database now begins with "1490BE..."

    This means I'm hashing my already hashed password. How do I avoid doing this?


    By @John_Allred

    Just to answer that question, though you may no longer need it:

    value="#password#"

    in the cfinput for password.


    Dave Watts
    Community Expert
    August 4, 2021

    My perhaps-not-well-thought-out recommendation here is that you create a "standard" password, and if that has the same value after the user submits the form, you know they didn't change the value and can exclude it from your SQL update statement. I think you want to show something in the update form, just because people usually do that, but it doesn't have to be a "real" password.

    Dave Watts, Eidolon LLC
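    The three pieces put together, as an added example that is not code from this thread: the update form leaves the password field blank instead of echoing the stored hash, the action page hashes and writes the password only when a new one was submitted (Dave's fixed dummy value works the same way, you compare against that string instead of testing for an empty field), and a login check compares one hash of the submitted password against the stored value. Assumptions, none of which the thread states: tbl_User has a UserID column, the action page is called updateUser.cfm, the query in userData carries an Email column, and ds and session.UserID are the variables from the question. hash(…,'SHA') is kept only so the example matches the rows the poster already has.

    ```cfml
    <!--- Added example, not the thread's code. Assumes tbl_User(UserID, Email, RoleID, password),
          the datasource variable ds and session.UserID from the question, a userData query with an
          Email column, and an action page named updateUser.cfm. The stored value is hash(pw, 'SHA')
          only to match the existing rows. --->

    <!--- 1. Update form: the stored hash never goes into the page. An empty field means
            "keep the current password". (Dave's variant: put a fixed dummy string in value=""
            and compare against that string in the action instead of testing for an empty field.) --->
    <cfform action="updateUser.cfm" method="post">
      <table>
        <tr><td>Email:</td>
            <td><cfinput type="text" name="Email" size="40" maxlength="100" value="#userData.Email#"></td></tr>
        <tr><td>Password (leave blank to keep the current one):</td>
            <td><cfinput type="password" name="Password" size="17" maxlength="50" value=""></td></tr>
        <tr><td></td><td><input type="submit" value="Update"></td></tr>
      </table>
    </cfform>

    <!--- 2. updateUser.cfm: hash only when a new password was actually submitted, and bind every
            value with cfqueryparam instead of interpolating it into the SQL string. Email is always
            set, so the UPDATE stays valid SQL when the password is left out. --->
    <cfparam name="form.Password" default="">
    <cfset newPassword = trim(form.Password)>

    <cfquery datasource="#ds#">
      UPDATE tbl_User
      SET Email = <cfqueryparam value="#trim(form.Email)#" cfsqltype="cf_sql_varchar">
      <cfif len(newPassword)>
        , password = <cfqueryparam value="#hash(newPassword, 'SHA')#" cfsqltype="cf_sql_varchar">
      </cfif>
      WHERE UserID = <cfqueryparam value="#session.UserID#" cfsqltype="cf_sql_integer">
    </cfquery>

    <!--- 3. Login check: hash the submitted password exactly once and compare it with the stored
            value (compare() is case-sensitive and returns 0 on a match). A row that the old form
            double-hashed can never match here, which is the symptom described at the end of the thread. --->
    <cfquery name="qUser" datasource="#ds#">
      SELECT UserID, password
      FROM tbl_User
      WHERE Email = <cfqueryparam value="#trim(form.Email)#" cfsqltype="cf_sql_varchar">
    </cfquery>

    <cfset loginOK = (qUser.recordCount EQ 1)
                     AND (compare(qUser.password, hash(form.Password, 'SHA')) EQ 0)>
    ```

    Two caveats a reviewer would raise on the original code, beyond the rehashing itself. Putting the stored hash into the form, even in a type="password" field, sends it to anyone who can read the HTTP response or view the page source, so the field should be blank or a dummy value regardless of how the double hash is avoided. And hash(…,'SHA') is unsalted SHA-1, which is fast to brute-force offline once the table leaks; ColdFusion 11 and later ship GeneratePBKDFKey(), which takes a per-user random salt and an iteration count, and existing rows can be migrated on each user's next successful login. The INSERT in the question also interpolates #email# and #session.UserRoleID# straight into the SQL string; cfqueryparam, as used above, is the ColdFusion way to bind those values.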
    John_Allred
    Inspiring
    August 4, 2021

    As always, thanks, Dave!

    John_Allred
    Inspiring
    August 4, 2021

    Let me add that if I leave the update form displayed and update it successively, the update action will produce a new value in the password field each time. But the original password, obviously, will not allow the user to log in.