DataAssist & Password Encryption

Thread began 1/20/2013 10:28 pm by B Tonkin | Last modified 1/23/2013 7:07 pm by Jason Byrnes | 1543 views | 7 replies |

B Tonkin

DataAssist & Password Encryption

I'm setting up a Content Management System for a website. The website is fairly straightforward but we have multiple administrators. I'm setting it up so my login to the CMS allows me to manage those administrators. I'd also like to take the opportunity to utilise password encryption. I'm quite advanced with this now in that I've been able to secure the CMS, manage administrators, and encrypt their passwords in the database.

However, I'm having trouble when it comes time to update an administrator. The default update page that I created using DataAssist's Wizard decks out the Password and Password Confirm fields with an encrypted password. Because that password is already encrypted it gets encrypted again, and subsequently the password would be changed if it was processed. The password field is limited to 6 to 12 characters with a minimum of 2 letters and 2 numbers to encourage better passwords, so by the time it encrypts an already encrypted password it blows out that limit and won't process the update anyway.

I get what I need to do. I need to not pre-fill the password and confirm fields with the encrypted password value, but if it does get filled to update the password using the usual validation settings. What's the easiest way to do this?

Is there anything I could have done in the Wizard to prevent having to do anything else after the files were made? As far as I can see, if you make a field a password, encrypt it, select the confirm field option and set validations for it, it automatically determines that it is required. This is fine for an Insert page, but not for an Update page.


Jason Byrnes (WebAssist)

I will log a bug for this; it was corrected in the SecurityAssist update user page, but not for pages created by DataAssist.

Remove the required validation for the password field, and remove the initial value for it.

Then in the update record wizard, the code for the password binding may look like this:

php:
<?php echo ((isset($_POST["UserPassword"]))?WA_SHA1Encryption($_POST["UserPassword"]):""); ?>

This is a ternary expression that checks whether the password element has a value; the second parameter is set to pass a blank if it does not have a value. Change that to use the recordset column if the password is left blank:

php:
<?php echo ((isset($_POST["UserPassword"]))?WA_SHA1Encryption($_POST["UserPassword"]):$row_WADApcms2_users["UserPassword"]); ?>

B Tonkin

Better, but ...

That's working better now, Jason. I changed the following ...

<?php echo ((isset($_POST["administratorPassword"]))?WA_CryptEncryption($_POST["administratorPassword"]):""); ?>

... to ...

<?php echo ((isset($_POST["administratorPassword"]))?WA_CryptEncryption($_POST["administratorPassword"]):$row_WADAadministrators["administratorPassword"]); ?>

However, if I process this form without a password it ends up at administrators_update.php?invalid=true&administratorID=1. I can't find out where to switch this off. There's a line of code (line 7) that is as follows ...

$WAFV_Redirect = "".(htmlentities($_SERVER["PHP_SELF"], ENT_QUOTES)) ."?invalid=true";

What do I need to do to fix this?


Jason Byrnes (WebAssist)

Send a copy of the page please.


B Tonkin

Update Page

I've attached the administrators_update.php file.

Attached Files
administrators_update.php.zip

Jason Byrnes (WebAssist)

Move the code for the recordsets from lines 33 - 82:

php:
<?php
// Dreamweaver helper: escape a value and quote it for the type of column it goes into
if (!function_exists("GetSQLValueString")) {
function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "")
{
  if (PHP_VERSION < 6) {
    $theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;
  }

  $theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);

  switch ($theType) {
    case "text":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;
    case "long":
    case "int":
      $theValue = ($theValue != "") ? intval($theValue) : "NULL";
      break;
    case "double":
      $theValue = ($theValue != "") ? doubleval($theValue) : "NULL";
      break;
    case "date":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;
    case "defined":
      $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
      break;
  }
  return $theValue;
}
}
?>
<?php
// Recordset WADAadministrators: the row being edited, selected by the administratorID URL parameter
$ParamadministratorID_WADAadministrators = "-1";
if (isset($_GET['administratorID'])) {
  $ParamadministratorID_WADAadministrators = $_GET['administratorID'];
}
mysql_select_db($database_dbConnection, $dbConnection);
$query_WADAadministrators = sprintf("SELECT administratorID, administratorKey, administratorEmail, administratorPassword, administratorFirstName, administratorLastName, administratorMobile, administratorLevel, administratorActive FROM administrators WHERE administratorID = %s", GetSQLValueString($ParamadministratorID_WADAadministrators, "int"));
$WADAadministrators = mysql_query($query_WADAadministrators, $dbConnection) or die(mysql_error());
$row_WADAadministrators = mysql_fetch_assoc($WADAadministrators);
$totalRows_WADAadministrators = mysql_num_rows($WADAadministrators);
?>
<?php
// Recordset WADAMenuadministratorLevel: options for the administrator level menu
mysql_select_db($database_dbConnection, $dbConnection);
$query_WADAMenuadministratorLevel = "SELECT administratorLevelLabel, administratorLevelValue FROM administratorsLevels";
$WADAMenuadministratorLevel = mysql_query($query_WADAMenuadministratorLevel, $dbConnection) or die(mysql_error());
$row_WADAMenuadministratorLevel = mysql_fetch_assoc($WADAMenuadministratorLevel);
$totalRows_WADAMenuadministratorLevel = mysql_num_rows($WADAMenuadministratorLevel);
?>

to line 5, so it is before the validation.

In the validation, change lines 15 - 17 to validate the password:

php:
$WAFV_Errors .= WAValidateRQ((isset($_POST["administratorPassword"])?$_POST["administratorPassword"]:"") . "",true,3);
  $WAFV_Errors .= WAValidateEL((isset($_POST["administratorPassword"])?$_POST["administratorPassword"]:"") . "",6,12,true,4);
  $WAFV_Errors .= WAValidateLE((isset($_POST["administratorPassword_Confirm"])?$_POST["administratorPassword_Confirm"]:"") . "",(isset($_POST["administratorPassword_Confirm"])?$_POST["administratorPassword_Confirm"]:"") . "",true,5);
to:

php:
$WAFV_Errors .= WAValidateRQ((isset($_POST["administratorPassword"])?$_POST["administratorPassword"]:$row_WADAadministrators["administratorPassword"]) . "",true,3);
  $WAFV_Errors .= WAValidateEL((isset($_POST["administratorPassword"])?$_POST["administratorPassword"]:$row_WADAadministrators["administratorPassword"]) . "",6,12,true,4);
  $WAFV_Errors .= WAValidateLE((isset($_POST["administratorPassword_Confirm"])?$_POST["administratorPassword_Confirm"]:$row_WADAadministrators["administratorPassword"]) . "",(isset($_POST["administratorPassword"])?$_POST["administratorPassword"]:$row_WADAadministrators["administratorPassword"]) . "",true,5);
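The problem the thread circles around is an update form where a blank password field must mean "keep the stored hash", while a filled-in field must be validated as plaintext and then hashed. The following is an added example, not code from the thread or from WebAssist, that shows this decision as a small handler. It assumes the field names administratorPassword and administratorPassword_Confirm used in the thread, uses PHP's built-in password_hash() where the page uses WA_CryptEncryption(), and checks for an empty string rather than isset(), because a submitted but empty form field still satisfies isset() and would otherwise be hashed as an empty password.

```php
<?php
// Added example (not from the thread or WebAssist): treat a blank password
// field as "unchanged" and only validate and re-hash a newly submitted one.
// Assumed field names follow the thread; password_hash() stands in for
// WA_CryptEncryption().

/**
 * Validate a newly submitted plaintext password against the thread's rule:
 * 6 to 12 characters, at least 2 letters and 2 digits, matching confirmation.
 * Returns a list of error messages; an empty list means the password is valid.
 */
function validateNewPassword(string $password, string $confirm): array
{
    $errors = [];
    $len = strlen($password);
    if ($len < 6 || $len > 12) {
        $errors[] = 'Password must be 6 to 12 characters.';
    }
    if (preg_match_all('/[A-Za-z]/', $password) < 2) {
        $errors[] = 'Password needs at least 2 letters.';
    }
    if (preg_match_all('/[0-9]/', $password) < 2) {
        $errors[] = 'Password needs at least 2 digits.';
    }
    if (!hash_equals($password, $confirm)) {
        $errors[] = 'Password and confirmation do not match.';
    }
    return $errors;
}

/**
 * Decide what to store in administratorPassword on update.
 * $post is the submitted form (e.g. $_POST); $currentHash is the value already
 * in the database row. Returns ['hash' => string, 'errors' => string[]].
 */
function resolvePasswordForUpdate(array $post, string $currentHash): array
{
    $submitted = (string)($post['administratorPassword'] ?? '');
    $confirm   = (string)($post['administratorPassword_Confirm'] ?? '');

    // Blank field: the form is rendered without pre-filling the hash, so blank
    // means "unchanged". The stored hash is never validated or re-hashed.
    if ($submitted === '') {
        return ['hash' => $currentHash, 'errors' => []];
    }

    // Non-blank: validate the plaintext, then hash it once.
    $errors = validateNewPassword($submitted, $confirm);
    if ($errors) {
        return ['hash' => $currentHash, 'errors' => $errors];
    }
    return ['hash' => password_hash($submitted, PASSWORD_DEFAULT), 'errors' => []];
}

// Constructed sample row and submissions (not real data).
$row = [
    'administratorID'       => 1,
    'administratorPassword' => password_hash('old1pass2', PASSWORD_DEFAULT),
];
$cases = [
    'blank (keep)' => ['administratorPassword' => '',          'administratorPassword_Confirm' => ''],
    'valid new'    => ['administratorPassword' => 'new7pass8', 'administratorPassword_Confirm' => 'new7pass8'],
    'too short'    => ['administratorPassword' => 'ab1',       'administratorPassword_Confirm' => 'ab1'],
];
foreach ($cases as $label => $post) {
    $result  = resolvePasswordForUpdate($post, $row['administratorPassword']);
    $outcome = ($result['hash'] === $row['administratorPassword']) ? 'hash unchanged' : 'new hash stored';
    printf("%-13s -> %s; errors: %s\n", $label, $outcome,
        $result['errors'] ? implode(' ', $result['errors']) : 'none');
}
```

The length and character rules are applied only to the new plaintext. Running them over the stored hash, as the page's validation lines do when the field is blank, cannot pass, because a stored hash is longer than 12 characters; skipping validation entirely on a blank field avoids the `invalid=true` redirect in that case.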

B Tonkin

Still doing it ...

Still doing it, Jason. I've attached the update with the changes you suggested.

Just regarding those changes, this page was created via the wizard. Is it normal for the wizard to create the page with problems like that?

Attached Files
administrators_update.php.zip

Jason Byrnes (WebAssist)

  Just regarding those changes, this page was created via the wizard. Is it normal for the wizard to create the page with problems like that?

I did mention in my initial reply that this was a bug.

I have created a support ticket so we can look into this issue further.

To view and edit your support ticket, please log into your support history:
supporthistory.php

If anyone else is experiencing this same issue, please append to this thread.
