I would like to use the hash() function but my queries cannot decipher the
hash() value.

Erik

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On
Behalf Of Marc Campeau
Sent: Tuesday, May 14, 2002 5:44 PM
To: [EMAIL PROTECTED]
Subject: RE: [CFTALKTor] Decrypting A form variable


I think all you're missing is to encode your encrypted values using the
URLEncodedFormat() function. Remember that encryption yields some
un-printable characters that are not acceptable to the HTTP protocol; this
is why you need to encode your encrypted values.

If I may suggest something, rather than encrypting some data you would be
better off (well in my opinion) using the hash() function to hash a string
which only the server knows the content of, and obviously enables you to
check the validity of the content of the form. The difference between
hashing and encrypting is that when hashing you can't get back to the
original data like encrypt/decrypt do. Remember that a malicious user might
have CFServer installed and encrypt/decrypt his own data to submit it to
your server, hence by-passing your encryption security.

HASH() example:

For example, let's say you have a CF Session to track your user Sessions on
the server and a Form X which has two unmodified fields itemID and itemPrice.
All you do is for FORM submit you stick an arbitrary value in
SESSION.hashKey. (ex.: SESSION.hashKey = hash(itemPrice + ":" + itemID) )

You could add a hidden field called checksum that would hold the result of
hash( SESSION.hashKey ). Then on the receiving end of the form you check
that the hash of FORM.itemPrice + ":" + FORM.itemID EQ SESSION.hashKey.

You can run the attached template to see an example of both the encrypted
and hash methods at work.

Hope this helps.

Marc Campeau


> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On
> Behalf Of Erik Fenkell
> Sent: Tuesday, May 14, 2002 4:32 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [CFTALKTor] Decrypting A form variable
>
>
> Well, I'll just leave my form variables unencrypted for the time being. But
> after those CFNORTH security sessions I am a little freaked.
>
> Erik
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On
> Behalf Of A. Karl Zarudny
> Sent: Tuesday, May 14, 2002 4:19 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [CFTALKTor] Decrypting A form variable
>
>
> I thought maybe trimming before encryption. I did a search on google for
> this error and didn't turn up much - at least nothing actually relevant.
>
> > From: "Erik Fenkell" <[EMAIL PROTECTED]>
> > Reply-To: [EMAIL PROTECTED]
> > Date: Tue, 14 May 2002 16:06:02 -0400
> > To: <[EMAIL PROTECTED]>
> > Subject: RE: [CFTALKTor] Decrypting A form variable
> >
> > Trimming does not fix the problem. Should I trim when I encrypt the
> > variable or Decrypt? Tried both but to no avail.
> >
> >
> > Erik
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On
> > Behalf Of A. Karl Zarudny
> > Sent: Tuesday, May 14, 2002 3:56 PM
> > To: [EMAIL PROTECTED]
> > Subject: Re: [CFTALKTor] Decrypting A form variable
> >
> >
> > Arrgh! I got this one too. Have you tried trimming the variable? I never
> > managed (or bothered) to try and figure it out. But it's good to know it
> > wasn't just me :-) It seems like CF throws in some special invisible
> > characters when encrypting the value, that mess things up when trying to
> > decrypt.
> >
> > Karl
> >
> >> From: "Erik Fenkell" <[EMAIL PROTECTED]>
> >> Reply-To: [EMAIL PROTECTED]
> >> Date: Tue, 14 May 2002 15:17:01 -0400
> >> To: <[EMAIL PROTECTED]>
> >> Subject: [CFTALKTor] Decrypting A form variable
> >>
> >> I am having a helluva time decrypting a form variable that I have
> >> encrypted. I have no problem with an encrypted url variable just the
> >> form variable.
> >>
> >> Here is some code to explain.
> >>
> >>
> >> ----------------------------------------------
> >> <cfif IsDefined('url.variable')>
> >> <cfset decrypted_url_variable = #Decrypt(url.variable,8)#>
> >> <cfset url.variable = #decrypted_url_variable#>
> >> <cfelse>
> >> <!--- ::: DO NOTHING --->
> >> </cfif>
> >>
> >> <cfif IsDefined('form.variable')>
> >> <cfset decrypted_form_variable = #Decrypt(form.variable,8)#>
> >> <cfset form.variable = #decrypted_form_variable#>
> >> <cfelse>
> >> <!--- ::: DO NOTHING --->
> >> </cfif>
> >> ----------------------------------------------
> >>
> >> Yes, both variables have the same name. But they are different types. I
> >> thought this might cause a problem but even when I give
> >> the variables different names the error is thrown. Here is the error:
> >>
> >> ----------------------------------------------
> >> Error Diagnostic Information
> >>
> >> An error occurred while evaluating the expression:
> >>
> >>
> >> decrypted_form_variable = #Decrypt(form.variable,8)#
> >> The value to be decrypted is not valid
> >> ----------------------------------------------
> >> I am at a serious loss. Thanks for any advice.
> >> Best,
> >> Erik
> >>
> >>
> >>
> >>
> >
> > -
> > You are subscribed to the CFUGToronto CFTALK ListSRV.
> > This message has been posted by: "A. Karl Zarudny"
> > <[EMAIL PROTECTED]>
> > To Unsubscribe, Please Visit and Login to http://www.CFUGToronto.org/
> > Manager: Kevin Towes ([EMAIL PROTECTED]) http://www.CFUGToronto.org/
> > This System has been donated by Infopreneur, Inc.
> > (http://www.infopreneur.net)
> >
>
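
The hidden-field checksum Marc describes above, written out as an added example; it is not code from the thread or from the attached template. It uses a keyed HMAC in place of the plain hash() so the checksum can be verified from the hidden field alone, and assumes ColdFusion 10 or later (or Lucee) for hmac(); the function names, the secret and the form values are constructed for illustration.

```cfml
<cfscript>
// Added example, not code from the thread. The secret is a constructed
// placeholder; in practice it lives only in server-side configuration.
serverSecret = "constructed-demo-secret";

// Length-prefix each field so price "1:23" with id "4" and price "1" with
// id "23:4" cannot yield the same message, then key the digest with the secret.
function fieldChecksum(required string itemID, required string itemPrice, required string secret) {
    var message = len(arguments.itemPrice) & ":" & arguments.itemPrice
                & "|" & len(arguments.itemID) & ":" & arguments.itemID;
    return hmac(message, arguments.secret, "HMACSHA256");
}

// Receiving end: recompute the checksum from the submitted fields and compare.
// A post that lacks any of the three fields is rejected outright.
function isUntampered(required struct submitted, required string secret) {
    if (!structKeyExists(arguments.submitted, "itemID")
        || !structKeyExists(arguments.submitted, "itemPrice")
        || !structKeyExists(arguments.submitted, "checksum")) {
        return false;
    }
    var expected = fieldChecksum(arguments.submitted.itemID,
                                 arguments.submitted.itemPrice,
                                 arguments.secret);
    return compare(expected, arguments.submitted.checksum) EQ 0;
}

// Constructed structs standing in for the FORM scope of two submissions.
issued = { itemID = "1042", itemPrice = "19.99" };
issued.checksum = fieldChecksum(issued.itemID, issued.itemPrice, serverSecret);

tampered = duplicate(issued);
tampered.itemPrice = "0.01"; // price edited in the browser, checksum left as issued

writeOutput("issued form accepted: " & isUntampered(issued, serverSecret) & "<br>");
writeOutput("tampered form accepted: " & isUntampered(tampered, serverSecret) & "<br>");
</cfscript>
```

A client who runs their own ColdFusion server can recompute an unkeyed hash() of the visible fields, which is why the digest here depends on a value that never leaves the server.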

