• Global community
    • Language:
      • Deutsch
      • English
      • Español
      • Français
      • Português
  • 日本語コミュニティ
    Dedicated community for Japanese speakers
  • 한국 커뮤니티
    Dedicated community for Korean speakers
Exit
0

How do I avoid rehashing a password field on update?

Contributor ,
Aug 04, 2021 Aug 04, 2021

Copy link to clipboard

Copied

Hi!

I have an action file that creates a record with a hashed password:

   <cfquery datasource="#ds#">
    INSERT INTO tbl_User(Email, RoleID, password)
      VALUES ('#email#', '#session.UserRoleID#', '#hash(form.Password,'SHA')#');
      </cfquery>

The password field in my new database record begins with "2879EA..."

The next file in my registration process invokes a CFC method:

    <cfinvoke component="users"
              method="get"
              Userid="#session.UserID#"
              returnvariable="userData">
    </cfinvoke>

It sets the password variable using that query's results:

    <cfset password=Trim(userData.password)>

And populates the update form:

        <tr><td>Password:</td>
            <td><cfinput type="password" name="Password" size="17" maxlength="50" required="Yes" value="#hash(Password,'SHA')# " message="You must enter a password." style="font-size: 83%;"> </td></tr> 

When I click the update button, my form redisplays with all the updated fields, but the password field in the database now begins with "1490BE..."

 

This means I'm hashing my already hashed password. How do I avoid doing this?

 

Thanks,

John

Views

187

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines

correct answers 1 Correct answer

Contributor , Aug 04, 2021 Aug 04, 2021

I guess this in an oops response.

 

If I leave the password field out of the update form, it doesn't get hashed again on save. I don't know where I got the notion that the PW field needed to be displayed on the update form.

Votes

Translate

Translate
Contributor ,
Aug 04, 2021 Aug 04, 2021

Copy link to clipboard

Copied

Let me add that if I leave the update form displayed and update it successively, the update action will produce a new value in the password field each time. But the original password, obviously, will not allow the user to log in.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Contributor ,
Aug 04, 2021 Aug 04, 2021

Copy link to clipboard

Copied

I guess this in an oops response.

 

If I leave the password field out of the update form, it doesn't get hashed again on save. I don't know where I got the notion that the PW field needed to be displayed on the update form.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Aug 04, 2021 Aug 04, 2021

Copy link to clipboard

Copied

My perhaps-not-well-thought-out recommendation here is that you create a "standard" password, and if that has the same value after the user submits the form, you know they didn't change the value and can exclude it from your SQL update statement. I think you want to show something in the update form, just because people usually do that, but it doesn't have to be a "real" password.

 

Dave Watts, Eidolon LLC

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Contributor ,
Aug 04, 2021 Aug 04, 2021

Copy link to clipboard

Copied

As always, thanks, Dave!

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Aug 05, 2021 Aug 05, 2021

Copy link to clipboard

Copied

LATEST
quote

 

        <tr><td>Password:</td>
            <td><cfinput type="password" name="Password" size="17" maxlength="50" required="Yes" value="#hash(Password,'SHA')# " message="You must enter a password." style="font-size: 83%;"> </td></tr> 

When I click the update button, my form redisplays with all the updated fields, but the password field in the database now begins with "1490BE..."

 

This means I'm hashing my already hashed password. How do I avoid doing this?


By @John_Allred

 

Just to answer that question, though you may no longer need it:

 

value="#password#"

 

in the cfinput for password.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Resources
Documentation