Technical Support Forums

Few security questions.

Thread began 6/04/2012 3:00 pm by akstudio | Last modified 6/05/2012 3:38 pm by Jason Byrnes | 545 views | 5 replies |

akstudio

Few security questions.

I am trying to make custom login and forgot_email pages.

So far they kind of work.

This is how it all works, so you understand what I have.

1. The admin is the only person who puts users into this private site. On this form, there is a hidden field that inserts a random password, SHA1, every time the form is submitted. This works.

2. At this point I would like to have an email sent to the user that was just entered into the DB... not sure how to do this yet.

3. The login form is email / password, and the password is SHA1. This works.

4. If a user forgets password, I would like to generate a new one and email it. This kinda works.

I followed this tutorial: 07_send_password.swf But I run into an issue, I don't have an option to encrypt the new one. In the Update records Wizard, I only have data types of:
text, numeric, date, date ms access, and various checkbox types.

How can I go about emailing the unencrypted password, and also, at the same time, encrypt it into the DB?

Once I understand how to do this, I can then apply the same functionality for step 2.

thanks

akstudio

While I'm at it, I noticed the cookie is not encrypted, it clearly shows the password. This can't be good, huh?

Jason Byrnes (WebAssist)

The way password encryption works is that the plain text password is sent as part of the form post to the server. Once at the server, the server converts the plain text password to the encrypted password.

You can include the plain text password in your email by using the binding for the password form element.

For storing the password in the database, you need to use the DataAssist insert or update behaviors; the Dreamweaver insert and update behaviors won't have the encryption formatting options.

> While I'm at it, I noticed the cookie is not encrypted, it clearly shows the password. This can't be good, huh?

Yes, this is the way password encryption works. Password encryption is only one part of protecting passwords. It is really only useful to protect the password if someone gains access directly to the database.

The encryption happens on the server.

When the login form posts, the plain text version of the password is sent to the server. Once at the server, it is encrypted, then used to compare against what is in the database.

To really protect the passwords, you should be using an SSL layer on your protected pages.

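The flow discussed in this thread (email the plain text password once, keep only a hash in the database, keep the password out of the cookie), as an added example that is not part of any post above and is not WebAssist or DataAssist code. The function names and the in-memory `$users` array are assumptions made for illustration, and PHP's `password_hash()` is swapped in for the thread's SHA1.

```php
<?php
// Added example: an in-memory array stands in for the users table (constructed data).
$users = ['bob@example.com' => ['hash' => null, 'remember' => null]];

// Generate a temporary password on the server from a CSPRNG.
function generate_temp_password(int $length = 12): string {
    $alphabet = 'abcdefghjkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789';
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    return $out;
}

// Reset: store only the hash, return the plain text once for the email body.
function reset_password(array &$users, string $email): ?string {
    if (!isset($users[$email])) {
        return null;
    }
    $plain = generate_temp_password();
    // password_hash() salts per user; swapped in here for the thread's SHA1.
    $users[$email]['hash'] = password_hash($plain, PASSWORD_DEFAULT);
    return $plain;
}

// Login: the hash comparison happens on the server, as the reply describes.
function check_login(array $users, string $email, string $password): bool {
    $hash = $users[$email]['hash'] ?? null;
    return $hash !== null && password_verify($password, $hash);
}

// "Remember me": the cookie gets a random token, the table gets its hash.
function issue_remember_token(array &$users, string $email): string {
    $token = bin2hex(random_bytes(32));
    $users[$email]['remember'] = hash('sha256', $token);
    return $token; // value for setcookie(), never the password
}

function check_remember_token(array $users, string $email, string $token): bool {
    $stored = $users[$email]['remember'] ?? null;
    return $stored !== null && hash_equals($stored, hash('sha256', $token));
}

$plain = reset_password($users, 'bob@example.com'); // goes into the email only
var_dump(check_login($users, 'bob@example.com', $plain));
var_dump(check_login($users, 'bob@example.com', 'wrong-guess'));
$token = issue_remember_token($users, 'bob@example.com');
var_dump(check_remember_token($users, 'bob@example.com', $token));
```

On a live page the token would be sent with `setcookie()` using the `secure` and `httponly` options, over the SSL-protected pages the reply recommends.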

akstudio

ok I am making some progress. I have step 2 working, but my question is, in the email that I get from this, It has every row for the db table listed. Is there a way to only insert specified rows into the email?

For example, when I submit the form, and it sends out an email, in that email I see:

======================
first name: bob
last name: bobinski
company: null
email: myemail@myemail.com
user level: 1
user name: bob
points earned:
points spent:
Insert: Insert
password: aywb5j2
WADAInsertRecordID:
Additional Notes:

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Donec eget tellus sed justo rhoncus posuere id sit amet arcu. Morbi pretium, enim faucibus facilisis hendrerit, elit. Morbi quis sodales ligula. Pellentesque elementum faucibus elementum. Sed rutrum dui in nisi dapibus molestie. Sed dictum ultricies viverra.
====================

I would like to remove:
company
user level
user name
points spent and earned
insert
WADAInsertRecordID

I've searched around a bit and can't see where the code to pull that is.

Thanks.

akstudio

ok, thanks Jason. My project is getting there, thanks for the help

Jason Byrnes (WebAssist)

In the webassist/email/templates folder, open the template file for your email.

Near the top, edit the remove array to add form elements that should not be included:

change:

```php
$remove = array();

$remove[] = "";
$remove[] = "x";
$remove[] = "y";
```

to:

```php
$remove = array();

$remove[] = "";
$remove[] = "x";
$remove[] = "y";
$remove[] = "company";
$remove[] = "user_level";
$remove[] = "user_name";
$remove[] = "points_spent_and_earned";
$remove[] = "insert";
$remove[] = "WADAInsertRecordID";
```