That is what I will do. Thanks for the tip!

Erik

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Marc Campeau
Sent: Wednesday, May 15, 2002 10:53 AM
To: [EMAIL PROTECTED]
Subject: RE: [CFTALKTor] Decrypting A form variable

> I would like to use the hash() function but my queries cannot decipher the
> hash() value.

Why would you need to decipher the data? You could just store in the database the hash result (ex.: for passwords) or you should already know what the content of the hash is, hence you don't need to decipher the hashed data. Remember that the hash() always yields the same result for any given input.

Marc

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Marc Campeau
> Sent: Tuesday, May 14, 2002 5:44 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [CFTALKTor] Decrypting A form variable
>
> I think all you're missing is to encode your encrypted values using the
> URLEncodedFormat() function. Remember that encryption yields some
> un-printable characters that are not acceptable by the HTTP protocol, this
> is why you need to encode your encrypted values.
>
> If I may suggest something, rather than encrypting some data you would be
> better off (well in my opinion) using the hash() function to hash a string
> which only the server knows the content of, and obviously enables you to
> check the validity of the content of the form. The difference between
> hashing and encrypting is that when hashing you can't get back to the
> original data like encrypt/decrypt do. Remember that a malicious user might
> have CFServer installed and encrypt/decrypt his own data to submit it to
> your server, hence by-passing your encryption security.
>
> HASH() example:
>
> For example, let's say you have a CF Session to track your user Sessions on
> the server and a Form X which has two unmodified fields itemID and itemPrice.
> All you do is for FORM submit you stick an arbitrary value in SESSION.hashKey.
> (ex.: SESSION.hashKey = hash(itemPrice + ":" + itemID) )
>
> You could add a hidden field called checksum that would hold the result of
> hash( SESSION.hashKey ). Then on the receiving end of the form you check
> that the hash of FORM.itemPrice + ":" + FORM.itemID EQ SESSION.hashKey.
>
> You can run the attached template to see an example of both the encrypted
> and hash methods at work.
>
> Hope this helps.
>
> Marc Campeau
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Erik Fenkell
> > Sent: Tuesday, May 14, 2002 4:32 PM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [CFTALKTor] Decrypting A form variable
> >
> > Well, I'll just leave my form variables unencrypted for the time being. But
> > after those CFNORTH security sessions I am a little freaked.
> >
> > Erik
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of A. Karl Zarudny
> > Sent: Tuesday, May 14, 2002 4:19 PM
> > To: [EMAIL PROTECTED]
> > Subject: Re: [CFTALKTor] Decrypting A form variable
> >
> > I thought maybe trimming before encryption. I did a search on google for
> > this error and didn't turn up much - at least nothing actually relevant.
> >
> > > From: "Erik Fenkell" <[EMAIL PROTECTED]>
> > > Reply-To: [EMAIL PROTECTED]
> > > Date: Tue, 14 May 2002 16:06:02 -0400
> > > To: <[EMAIL PROTECTED]>
> > > Subject: RE: [CFTALKTor] Decrypting A form variable
> > >
> > > Trimming does not fix the problem. Should I trim when I encrypt the
> > > variable or Decrypt? Tried both but to no avail.
> > >
> > > Erik
> > >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of A. Karl Zarudny
> > > Sent: Tuesday, May 14, 2002 3:56 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: Re: [CFTALKTor] Decrypting A form variable
> > >
> > > Arrgh! I got this one too. Have you tried trimming the variable?
> > > I never managed (or bothered) to try and figure it out. But it's good to
> > > know it wasn't just me :-) It seems like CF throws in some special
> > > invisible characters when encrypting the value, that mess things up when
> > > trying to decrypt.
> > >
> > > Karl
> > >
> > >> From: "Erik Fenkell" <[EMAIL PROTECTED]>
> > >> Reply-To: [EMAIL PROTECTED]
> > >> Date: Tue, 14 May 2002 15:17:01 -0400
> > >> To: <[EMAIL PROTECTED]>
> > >> Subject: [CFTALKTor] Decrypting A form variable
> > >>
> > >> I am having a helluva time decrypting a form variable that I have
> > >> encrypted. I have no problem with an encrypted url variable, just the
> > >> form variable.
> > >>
> > >> Here is some code to explain.
> > >>
> > >> ----------------------------------------------
> > >> <cfif IsDefined('url.variable')>
> > >>   <cfset decrypted_url_variable = #Decrypt(url.variable,8)#>
> > >>   <cfset url.variable = #decrypted_url_variable#>
> > >> <cfelse>
> > >>   <!--- ::: DO NOTHING --->
> > >> </cfif>
> > >>
> > >> <cfif IsDefined('form.variable')>
> > >>   <cfset decrypted_form_variable = #Decrypt(form.variable,8)#>
> > >>   <cfset form.variable = #decrypted_form_variable#>
> > >> <cfelse>
> > >>   <!--- ::: DO NOTHING --->
> > >> </cfif>
> > >> ----------------------------------------------
> > >>
> > >> Yes, both variables have the same name. But they are different types. I
> > >> thought this might cause a problem but even when I give
> > >> the variables different names the error is thrown. Here is the error:
> > >>
> > >> ----------------------------------------------
> > >> Error Diagnostic Information
> > >>
> > >> An error occurred while evaluating the expression:
> > >>
> > >> decrypted_form_variable = #Decrypt(form.variable,8)#
> > >>
> > >> The value to be decrypted is not valid
> > >> ----------------------------------------------
> > >> I am at a serious loss. Thanks for any advice.
> > >> Best,
> > >> Erik
> > >
> > > -
> > > You are subscribed to the CFUGToronto CFTALK ListSRV.
> > > This message has been posted by: "A. Karl Zarudny" <[EMAIL PROTECTED]>
> > > To Unsubscribe, Please Visit and Login to http://www.CFUGToronto.org/
> > > Manager: Kevin Towes ([EMAIL PROTECTED]) http://www.CFUGToronto.org/
> > > This System has been donated by Infopreneur, Inc. (http://www.infopreneur.net)
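
The session-side hash check described in Marc's quoted message, written out as one self-posting CFML template. This is an added example, not the attached template or any code from the thread; the application name, the sample item values and the single-template layout are assumptions, and it requires session management to be enabled.

```cfml
<!--- Added example, not from the thread. The application name and the
      item values below are assumptions / constructed sample data. --->
<cfapplication name="hashDemo" sessionmanagement="Yes">

<cfif IsDefined("FORM.itemID") AND IsDefined("FORM.itemPrice")>
    <!--- Receiving end: a digest must have been issued for this session --->
    <cfif NOT IsDefined("SESSION.hashKey")>
        <cfoutput>Rejected: no form was issued for this session.</cfoutput>
        <cfabort>
    </cfif>

    <!--- Recompute the digest from what the browser actually sent --->
    <cfset submitted = Hash(FORM.itemPrice & ":" & FORM.itemID)>

    <!--- Compare() is case-sensitive and returns 0 when the strings match --->
    <cfif Compare(submitted, SESSION.hashKey) EQ 0>
        <cfoutput>Accepted: item #HTMLEditFormat(FORM.itemID)# at #HTMLEditFormat(FORM.itemPrice)#</cfoutput>
    <cfelse>
        <cfoutput>Rejected: itemID or itemPrice changed after the form was issued.</cfoutput>
    </cfif>

    <!--- One digest per issued form, so the same post cannot be replayed --->
    <cfset StructDelete(SESSION, "hashKey")>
<cfelse>
    <!--- Issuing the form: remember the digest of the fields server-side --->
    <cfset itemID = "1042">
    <cfset itemPrice = "19.95">
    <cfset SESSION.hashKey = Hash(itemPrice & ":" & itemID)>

    <cfoutput>
    <form action="#HTMLEditFormat(CGI.SCRIPT_NAME)#" method="post">
        <input type="hidden" name="itemID" value="#HTMLEditFormat(itemID)#">
        <input type="hidden" name="itemPrice" value="#HTMLEditFormat(itemPrice)#">
        <input type="submit" value="Buy">
    </form>
    </cfoutput>
</cfif>
```

The digest never leaves the server, so a client who edits the hidden fields cannot supply a matching value even though Hash() itself uses no key.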
