Without seeing your queries, it’s hard to guess what’s going on. Are you sure there’s not a trim statement inside the queries that store the data either?

Also, as an alternative, you might want to try hashing the password so that it is completely unrecoverable anyway. Storing recoverable passwords in the database – even when they’re encrypted – is a big no no in my world. The method described here is much more secure: http://livedocs.macromedia.com/coldfusion/7/htmldocs/wwhelp/wwhimpl/common/html/wwhelp.htm?context=ColdFusion_Documentation&file=00000503.htm.
Roland
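
Roland's suggestion to hash rather than encrypt, sketched as an added example that is not part of the original thread or of any poster's code. It assumes ColdFusion 11 or later for GeneratePBKDFKey (the thread itself concerns ColdFusion 7); hashPassword, verifyPassword, the iteration count and the key size are choices made here for illustration.

```cfm
<cfscript>
// Added example: store a salted PBKDF2 hash instead of encrypt() output.
// Assumption: ColdFusion 11+ (generatePBKDFKey). Function names are hypothetical.
PBKDF_ALGORITHM  = "PBKDF2WithHmacSHA1";
PBKDF_ITERATIONS = 100000;  // constructed work factor, tune for your hardware
PBKDF_KEYSIZE    = 256;     // derived key length in bits

// Returns the two values to store. Both are Base64 text, so they contain no
// quotes or spaces for column padding or trimming to alter.
function hashPassword(required string password) {
    var salt = generateSecretKey("AES");  // fresh random Base64 salt per user
    return {
        salt = salt,
        hash = generatePBKDFKey(PBKDF_ALGORITHM, arguments.password, salt,
                                PBKDF_ITERATIONS, PBKDF_KEYSIZE)
    };
}

// Re-derives the hash from the candidate password and compares it with the
// stored one. Nothing is ever decrypted, so there is no plaintext to recover.
function verifyPassword(required string candidate, required string salt,
                        required string storedHash) {
    // trim() is safe here because Base64 never contains whitespace
    var derived = generatePBKDFKey(PBKDF_ALGORITHM, arguments.candidate,
                                   trim(arguments.salt),
                                   PBKDF_ITERATIONS, PBKDF_KEYSIZE);
    // Compare the two values as byte arrays via java.security.MessageDigest
    return createObject("java", "java.security.MessageDigest").isEqual(
        charsetDecode(derived, "utf-8"),
        charsetDecode(trim(arguments.storedHash), "utf-8"));
}

// Constructed sample input using the two words from the thread
rec = hashPassword("buskirk");
writeOutput(verifyPassword("buskirk", rec.salt, rec.hash) & "<br />");        // stored value as written
writeOutput(verifyPassword("buskirk", rec.salt, rec.hash & "  ") & "<br />"); // value padded by the column
writeOutput(verifyPassword("buskirj", rec.salt, rec.hash) & "<br />");        // a different password
</cfscript>
```
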
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bill Rawlinson
Sent: Tuesday, February 14, 2006 5:30 PM
To: CFCDev@cfczone.org
Subject: [CFCDev] OT: coldfusion encrypt
I know this isn't specifically a CFC question and I should probably
pose this to the CF-Talk message board - but please bear with me.
I am using ColdFusion Server Developer 7,0,1,116466 and am noticing extremely
odd behaviour with encrypt and one word.. buskirk
<cfset testkey = "l9jfs9jk34r9dfjkd">
<cfoutput>
<cfset pwd = encrypt("buskirk",testkey) />
#pwd#END<br />
<cfloop from="1" to="#len(pwd)#" index="i">#ASC(mid(pwd,i,1))#-</cfloop>
<br />
<cfset pwd2 = encrypt("buskirj",testkey) />
#pwd2#END<br />
<cfloop from="1" to="#len(pwd2)#" index="a">#ASC(mid(pwd2,a,1))#-</cfloop>
<br />
#decrypt("'<:FL4KX+) ",testkey)#<br />
#decrypt("'<:FL4KX+)",testkey)#
</cfoutput>
If you run the above code you will notice that when I encrypt buskirk it
displays as: '<:FL4KX+) END - the ' and the space are
both part of the encrypted result. The END was put there to make sure I
could see the result clearly.
You will also see that buskirj is encrypted as '<:FL4KX+)0 END - you
will notice it too has the ' and the space.
However, in the decrypt statement see what happens with the second one - it has
no 0 or space at the end. It decrypts back as buskirj.
So, I then went back and put those loop statements in to examine the characters
being generated by the encryption - and it turns out they are identical except
for the fifth to last character.
I am storing this encrypted string in an Oracle database. I encrypt
buskirk and store it - then when I pull it out and decrypt it and compare it
against buskirk it fails because CF thinks the decryption is buskirj due
to the fact that buskirj can be resolved from either:
'<:FL4KX+)0 END OR
'<:FL4KX+)END
if you remove the END from both lines.
NOTE: I am not doing a trim at any time on the encrypted password.
What's going on? What other words are going to cause me trouble?
I have tried different encryption keys and the problem occurs with some - but
not others..
For instance the problem persists with the above key, and with
[EMAIL PROTECTED] But it doesn't with the key: fasjf9e3rjlaf
In fact with fasjf9e3rjlaf - I can trim the space off the end of the encrypted
buskirk and it decrypts back to buskirk without a problem.
Is this a known problem? Am I just crazy? Unlucky that someone's name is
Buskirk?
Thanks for your time at considering this,
Bill
--
[EMAIL PROTECTED]
http://blog.rawlinson.us
If you want Gmail - just ask.