Hi!
I have an action file that creates a record with a hashed password:
<cfquery datasource="#ds#">
INSERT INTO tbl_User(Email, RoleID, password)
VALUES ('#email#', '#session.UserRoleID#', '#hash(form.Password,'SHA')#');
</cfquery>
The password field in my new database record begins with "2879EA..."
The next file in my registration process invokes a CFC method:
<cfinvoke component="users"
method="get"
Userid="#session.UserID#"
returnvariable="userData">
</cfinvoke>
It sets the password variable using that query's results:
<cfset password=Trim(userData.password)>
And populates the update form:
<tr><td>Password:</td>
<td><cfinput type="password" name="Password" size="17" maxlength="50" required="Yes" value="#hash(Password,'SHA')# " message="You must enter a password." style="font-size: 83%;"> </td></tr>
When I click the update button, my form redisplays with all the updated fields, but the password field in the database now begins with "1490BE..."
This means I'm hashing my already hashed password. How do I avoid doing this?
Thanks,
John
Let me add that if I leave the update form displayed and update it successively, the update action will produce a new value in the password field each time. But the original password, obviously, will not allow the user to log in.
I guess this is an oops response.
If I leave the password field out of the update form, it doesn't get hashed again on save. I don't know where I got the notion that the PW field needed to be displayed on the update form.
My perhaps-not-well-thought-out recommendation here is that you create a "standard" password, and if that has the same value after the user submits the form, you know they didn't change the value and can exclude it from your SQL update statement. I think you want to show something in the update form, just because people usually do that, but it doesn't have to be a "real" password.
Dave Watts, Eidolon LLC
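One way to implement the placeholder approach described above, as an added example that is not code from this thread: the form shows a fixed sentinel instead of the stored hash, and the action page hashes and writes the password only when the submitted value differs from it. The sentinel value, the update.cfm action name, the form.Email field, the UserID column and the cfsqltype choices are assumptions; tbl_User, ds, session.UserID and the hash call come from the original post.

```cfml
<!--- ===== Update form page ===== --->
<!--- Constructed sentinel (assumption): a value no user would pick as a real password --->
<cfset passwordPlaceholder = "__unchanged__">

<cfform action="update.cfm" method="post">
  <table>
    <tr><td>Password:</td>
    <!--- Show the sentinel, never the stored hash, so nothing secret reaches the browser --->
    <td><cfinput type="password" name="Password" size="17" maxlength="50"
                 required="Yes" value="#passwordPlaceholder#"
                 message="You must enter a password."></td></tr>
  </table>
  <input type="submit" value="Update">
</cfform>

<!--- ===== Update action page (update.cfm, hypothetical name) ===== --->
<cfset passwordPlaceholder = "__unchanged__">

<!--- compare() is case-sensitive and returns 0 only on an exact match --->
<cfset passwordChanged = compare(form.Password, passwordPlaceholder) neq 0>

<cfquery datasource="#ds#">
  UPDATE tbl_User
  SET Email = <cfqueryparam value="#form.Email#" cfsqltype="cf_sql_varchar">
  <cfif passwordChanged>
    <!--- Hash exactly once, and only plaintext the user just typed.
          Same hash() call as the insert in the original post. --->
    , password = <cfqueryparam value="#hash(form.Password, 'SHA')#" cfsqltype="cf_sql_varchar">
  </cfif>
  WHERE UserID = <cfqueryparam value="#session.UserID#" cfsqltype="cf_sql_integer">
</cfquery>
```

Because the stored hash is never sent to the form, repeated submits of an untouched form leave the password column as it was.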
As always, thanks, Dave!
<tr><td>Password:</td> <td><cfinput type="password" name="Password" size="17" maxlength="50" required="Yes" value="#hash(Password,'SHA')# " message="You must enter a password." style="font-size: 83%;"> </td></tr>
When I click the update button, my form redisplays with all the updated fields, but the password field in the database now begins with "1490BE..."
This means I'm hashing my already hashed password. How do I avoid doing this?
By @John_Allred
Just to answer that question, though you may no longer need it:
value="#password#"
in the cfinput for password.