close ad
Help us test the new Databridge BETA with MySQLi support
open ad
View Menu

Technical Support Forums

Free, outstanding support from WebAssist and your colleagues

rating

DataAssist & Password Encryption

Thread began 1/21/2013 1:28 am by Codesnap | Last modified 1/23/2013 10:07 pm by Jason Byrnes | 578 views | 7 replies |

Codesnap

DataAssist & Password Encryption

I'm setting up a Content Management System for a website. The website is fairly straight forward but we have multiple administrators. I'm setting it up so my login to the CMS allows me to manage those administrators. I'd also like to take the opportunity to utilise password encryption. I'm quite advanced with this now in that I've been able to secure the CMS, manage administrators, encrypting their passwords in the database.

However I'm having trouble when it comes time to updating an administrator. The default update page that I created using DataAssist's Wizard decks out the Password and Password Confirm field with an encrypted password. Because that password is already encrypted it gets encrypted again and subsequently the password would be changed if it was processed. The password field is limited to 6 to 12 characters with a minimum of 2 letters and 2 numbers to encourage better passwords so by the time it encrypts an already encrypted password it blows out that limit and won't process the update anyway.

I get what I need to do. I need to not pre-fill the password and confirm fields with the encrypted password value, but if it does get filled to update the password using the usual validation settings. What's the easiest way to do this?

Is there anything I could have done in the Wizard to prevent doing anything else after the files were made? As far as I can see if you make a field a password, encrypt it, select the confirm field option and set validations for it it automatically determines that it is required. This is fine for an Insert page, but not for an Update page.

Sign in to reply to this post

Jason ByrnesWebAssist

I will log a bug for this, it was corrected in the security assist update user b=page, but not for pages created by data assist.

remove the required validation for the password filed, and remove the initial value for it.

then in the update record wizard, the code for the password binding may look like this:

php:
<?php echo ((isset($_POST["UserPassword"]))?WA_SHA1Encryption($_POST["UserPassword"]):""); ?>




this is a ternary expression that will check to see if the password element has a value, the second parameter is set to pass a blank if it does not have a value, change that to use the recordset column if the password is left blank:

php:
<?php echo ((isset($_POST["UserPassword"]))?WA_SHA1Encryption($_POST["UserPassword"]):$row_WADApcms2_users["UserPassword"]); ?>
Sign in to reply to this post

Codesnap

Better, but ...

That's working better now, Jason. I changed the following ...

<?php echo ((isset($_POST["administratorPassword"]))?WA_CryptEncryption($_POST["administratorPassword"]):""); ?>

... to ...

<?php echo ((isset($_POST["administratorPassword"]))?WA_CryptEncryption($_POST["administratorPassword"]):$row_WADAadministrators["administratorPassword"]); ?>

However, if I process this form without a password it ends up at administrators_update.php?invalid=true&administratorID=1. I can't find out where to switch this off. There's a line of code (line 7) that is as follows ...

$WAFV_Redirect = "".(htmlentities($_SERVER["PHP_SELF"], ENT_QUOTES)) ."?invalid=true";

What do I need to do to fix this?

Sign in to reply to this post

Jason ByrnesWebAssist

send a copy of the page please

Sign in to reply to this post

Codesnap

Update Page

I've attached the administrators_update.php file.

Attached Files
administrators_update.php.zip
Sign in to reply to this post

Jason ByrnesWebAssist

move the code for the recordsets form line 33 - 82:

php:
<?php
if (!function_exists("GetSQLValueString")) {
function 
GetSQLValueString($theValue$theType$theDefinedValue ""$theNotDefinedValue ""
{
  if (
PHP_VERSION 6) {
    
$theValue get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;
  }

  
$theValue function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);

  switch (
$theType) {
    case 
"text":
      
$theValue = ($theValue != "") ? "'" $theValue "'" "NULL";
      break;    
    case 
"long":
    case 
"int":
      
$theValue = ($theValue != "") ? intval($theValue) : "NULL";
      break;
    case 
"double":
      
$theValue = ($theValue != "") ? doubleval($theValue) : "NULL";
      break;
    case 
"date":
      
$theValue = ($theValue != "") ? "'" $theValue "'" "NULL";
      break;
    case 
"defined":
      
$theValue = ($theValue != "") ? $theDefinedValue $theNotDefinedValue;
      break;
  }
  return 
$theValue;
}
}
?>
<?php
$ParamadministratorID_WADAadministrators 
"-1";
if (isset(
$_GET['administratorID'])) {
  
$ParamadministratorID_WADAadministrators $_GET['administratorID'];
}
mysql_select_db($database_dbConnection$dbConnection);
$query_WADAadministrators sprintf("SELECT administratorID, administratorKey, administratorEmail, administratorPassword, administratorFirstName, administratorLastName, administratorMobile, administratorLevel, administratorActive FROM administrators WHERE administratorID = %s"GetSQLValueString($ParamadministratorID_WADAadministrators"int"));
$WADAadministrators mysql_query($query_WADAadministrators$dbConnection) or die(mysql_error());
$row_WADAadministrators mysql_fetch_assoc($WADAadministrators);
$totalRows_WADAadministrators mysql_num_rows($WADAadministrators);
?>
<?php
mysql_select_db
($database_dbConnection$dbConnection);
$query_WADAMenuadministratorLevel "SELECT administratorLevelLabel, administratorLevelValue FROM administratorsLevels";
$WADAMenuadministratorLevel mysql_query($query_WADAMenuadministratorLevel$dbConnection) or die(mysql_error());
$row_WADAMenuadministratorLevel mysql_fetch_assoc($WADAMenuadministratorLevel);
$totalRows_WADAMenuadministratorLevel mysql_num_rows($WADAMenuadministratorLevel);
?>




to line 5 so it is before the validation.

in the validation, change line 15 - 17 to validate the password:

php:
$WAFV_Errors .= WAValidateRQ((isset($_POST["administratorPassword"])?$_POST["administratorPassword"]:"") . "",true,3);
  $WAFV_Errors .= WAValidateEL((isset($_POST["administratorPassword"])?$_POST["administratorPassword"]:"") . "",6,12,true,4);
  $WAFV_Errors .= WAValidateLE((isset($_POST["administratorPassword_Confirm"])?$_POST["administratorPassword_Confirm"]:"") . "",(isset($_POST["administratorPassword_Confirm"])?$_POST["administratorPassword_Confirm"]:"") . "",true,5);



to:

php:
$WAFV_Errors .= WAValidateRQ((isset($_POST["administratorPassword"])?$_POST["administratorPassword"]:$row_WADAadministrators["administratorPassword"]) . "",true,3);
  $WAFV_Errors .= WAValidateEL((isset($_POST["administratorPassword"])?$_POST["administratorPassword"]:$row_WADAadministrators["administratorPassword"]) . "",6,12,true,4);
  $WAFV_Errors .= WAValidateLE((isset($_POST["administratorPassword_Confirm"])?$_POST["administratorPassword_Confirm"]:$row_WADAadministrators["administratorPassword"]) . "",(isset($_POST["administratorPassword"])?$_POST["administratorPassword"]:$row_WADAadministrators["administratorPassword"]) . "",true,5);
Sign in to reply to this post

Codesnap

Still doing it ...

Still doing it, Jason. I've attached the update with the changes you suggested.

Just regarding those changes, this page was created via the wizard. Is it normal for the wizard to create the page with problems like that?

Attached Files
administrators_update.php.zip
Sign in to reply to this post

Jason ByrnesWebAssist

  Just regarding those changes, this page was created via the wizard. Is it normal for the wizard to create the page with problems like that?  



i did mention in my initial reply that this was a bug.


I have created a support ticket so we can look into this issue further.

To view and edit your support ticket, please log into your support history:
supporthistory.php

If anyone else is experiencing this same issue, please append to this thread.

Sign in to reply to this post

Build websites with a little help from your friends

Your friends over here at WebAssist! These Dreamweaver extensions will assist you in building unlimited, custom websites.

Build websites from already-built web applications

These out-of-the-box solutions provide you proven, tested applications that can be up and running now.  Build a store, a gallery, or a web-based email solution.

Want your website pre-built and hosted?

Close Windowclose

Rate your experience or provide feedback on this page

Account or customer service questions?
Please user our contact form.

Need technical support?
Please visit support to ask a question

Content

rating

Layout

rating

Ease of use

rating

security code refresh image

We do not respond to comments submitted from this page directly, but we do read and analyze any feedback and will use it to help make your experience better in the future.

Close Windowclose

We were unable to retrieve the attached file

Close Windowclose

Attach and remove files

add attachmentAdd attachment
Close Windowclose

Enter the URL you would like to link to in your post

Close Windowclose

This is how you use right click RTF editing

Enable right click RTF editing option allows you to add html markup into your tutorial such as images, bulleted lists, files and more...

-- click to close --

Uploading file...