having issues replacing cfusion_encrypt with encrypt()

Participant ,
Jul 17, 2014

We have a series of applications that use cfusion_encrypt() to encrypt query strings passed between and within applications. We are currently running CF10 and are not experiencing any problems. We are looking at upgrading to CF11 and are now experiencing a plethora of errors related to encrypt/decrypt.

The issue I am currently working on is related to encrypting a URL. No matter how I code the key, algorithm, or encoding, the encrypted portion of the URL shows up as part of the link.

example:

<cfset theURL ="method=c.login&pid=validateLoginObj&vid=0&datasource=foo">

<cfset encryptedUURL ="http://localhost/1/2/inventory/index.cfm?encrypt(theURL, '123','CFMX_COMPAT','UU')">

<a class="nav_link" href="#encryptedUURL#">Inventory</a>

when the page is displayed, the user sees:

"WL.5KP1EY"3\'?=KH1* target="blank"> Inventory " as the link

(yes I shortened the encrypted string for demo purposes)

This sort of thing is throughout 8 major applications

any suggestions on how to prevent this?

Message was edited by: john birdsell

Engaged ,
Jul 17, 2014

Use HEX encoding so you only get alphanumeric characters in the encrypt result. Also, you realize that CFMX_COMPAT is weak encryption, right?

<cfset encryptedUURL ="http://localhost/1/2/inventory/index.cfm?#encrypt(theURL, '123','CFMX_COMPAT','HEX')#">


Engaged ,
Jul 17, 2014

As @fergusondj correctly shows, your URL is incorrect because you encrypt all of it, so the http://localhost part is not even working and the URL cannot even resolve. You need to tag on the encrypted part to the unencrypted URL prefix, otherwise the link won't work at all. That is the crux of the problem, so this is what the code should really look like:

<cfset theURL ="method=c.login&pid=validateLoginObj&vid=0&datasource=foo">

<cfset encryptedUURL = encrypt(theURL, '123', 'CFMX_COMPAT', 'UU')>

<a class="nav_link" href="http://localhost/1/2/inventory/index.cfm?<cfoutput>#URLEncodedFormat(encryptedUURL)#</cfoutput>">Inventory</a>

To ensure that the URL has all valid characters you can use URLEncodedFormat(). You can URLDecode() the other way around when you process the link.

Engaged ,
Jul 18, 2014

It doesn't look to me like he's trying to encrypt the full URL including the domain:

<cfset encryptedUURL ="http://localhost/1/2/inventory/index.cfm?encrypt(theURL, '123','CFMX_COMPAT','UU')">

I think the code in the question is just missing the # # around the encrypted part, probably due to how it's been put into the question rather than the actual code being used:

<cfset encryptedUURL ="http://localhost/1/2/inventory/index.cfm?#encrypt(theURL, '123','CFMX_COMPAT','UU')#">

I think Ferguson's answer is probably more on the money.

Engaged ,
Jul 18, 2014

Ah yes, I stand corrected. Definitely missing #'s there too as you say.

jbird5k
Participant ,
Jul 18, 2014

Well it turns out that using 'UU' was causing my issue. I switched the encoding to HEX and the link displays correctly.

Thank you

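Added example, not part of the thread or of ColdFusion itself: a Python check of why the 'UU' result broke the link while 'HEX' (or URL-encoding the UU text, as suggested above) does not. It assumes ColdFusion's 'UU' encoding uses the standard uuencode alphabet (ASCII 32 to 95); the sample bytes and helper names are constructed for illustration.

```python
import binascii
from html.parser import HTMLParser
from urllib.parse import quote

# Characters that end a quoted HTML attribute or change query-string parsing.
BREAKERS = set("\"'<>&#?+= ")
BASE = "http://localhost/1/2/inventory/index.cfm?"  # URL prefix from the thread

# Constructed stand-in for ciphertext: every byte value once. Real ciphertext
# is effectively random, so every 6-bit group turns up sooner or later.
SAMPLE_CIPHERTEXT = bytes(range(256))

def uu_encode(data: bytes) -> str:
    """uuencode: 45 bytes per line, each 6-bit group becomes chr(32 + value)."""
    return "".join(
        binascii.b2a_uu(data[i:i + 45]).decode("ascii").rstrip("\n")
        for i in range(0, len(data), 45))

def hex_encode(data: bytes) -> str:
    """Hex output only ever contains 0-9 and A-F."""
    return data.hex().upper()

def breakers_in(text: str) -> list:
    """Return the attribute- or query-breaking characters present in text."""
    return sorted(set(text) & BREAKERS)

class _FirstHref(HTMLParser):
    """Records the href of the first <a> tag the parser sees."""
    href = None
    def handle_starttag(self, tag, attrs):
        if tag == "a" and self.href is None:
            self.href = dict(attrs).get("href")

def href_survives(query: str) -> bool:
    """Render the link the way the template does, then parse it back."""
    parser = _FirstHref()
    parser.feed('<a class="nav_link" href="%s%s">Inventory</a>' % (BASE, query))
    parser.close()
    return parser.href == BASE + query

if __name__ == "__main__":
    uu, hx = uu_encode(SAMPLE_CIPHERTEXT), hex_encode(SAMPLE_CIPHERTEXT)
    for name, enc in (("UU", uu), ("UU + URL-encoding", quote(uu, safe="")), ("HEX", hx)):
        print(name, "breakers:", breakers_in(enc), "href intact:", href_survives(enc))
```

The raw UU text contains a double quote within its first few characters, so the parsed href stops there and the remainder spills into the page, which matches the symptom in the question.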