CodeCharge Studio

 setting up encrypted password

pathans

Posts: 46
Posted: 04/29/2013, 5:43 PM

I finally decided to encrypt passwords and I am having a problem making it work.
In my current setup I have everything working fine; users are able to log in using a password that is not encrypted.

I changed my project settings to use code expression.

I updated and converted my existing passwords in the database to MD5.

Now when I try to log in I get login/password incorrect.
I tried some of the suggestions posted before; nothing works. I can log in if I type the whole string.

Is there some example of how to set up encryption step by step?
MichaelMcDonald

Posts: 640
Posted: 04/29/2013, 8:05 PM

Find the Do_Login event in index_events.php or default_events.php file or whatever your login page is called and try adding this line of custom code:

$Container->password->SetValue(md5($Container->password->GetValue()));

Before the code similar to this....

if ( !CCLoginUser( $Container->login->Value, $Container->password->Value)) {
$Container->Errors->addError($CCSLocales->GetText("CCS_LoginError"));
$Container->password->SetValue("");
$Login_Button_DoLogin_OnClick = 0;
_________________
Central Coast, NSW, Australia.

pathans

Posts: 46
Posted: 04/29/2013, 8:12 PM

Tried that already; here is my snippet. I get incorrect password or login. I also tried changing encryption to DB in project settings.

//Login @24-BAF3F8A0  
    global $CCSLocales;  
    $Container->password->SetValue(md5($Container->password->Getvalue()));  
    global $Redirect;  
    if ( !CCLoginUser( $Container->login1->Value, $Container->password->Value)) {  
        $Container->Errors->addError($CCSLocales->GetText("CCS_LoginError"));  
        $Container->password->SetValue("");  
        $Login_Button_DoLogin_OnClick = 0;  
    } else {  
        global $Redirect;  
        $Redirect = CCGetParam("ret_link", $Redirect);  
        $Login_Button_DoLogin_OnClick = 1;  
    }  
//End Login
MichaelMcDonald

Posts: 640
Posted: 04/29/2013, 8:19 PM

How did you encrypt the password in the database?
_________________
Central Coast, NSW, Australia.

pathans

Posts: 46
Posted: 04/29/2013, 8:25 PM

using this command in sql
UPDATE users SET user_pass=PASSWORD(user_pass);
kawuat

Posts: 13
Posted: 04/29/2013, 8:36 PM

MichaelMcDonald, you contribute a lot but I think in this case the approach is not the best.

When you enable password encryption in CCS, either as DB function or Code Expression, you expect it to wrap the password variable automatically in the function named.

The reality is that you get this in your login function located in common.php

"SELECT USER, GROUP FROM users WHERE USER_NAME =" . $db->ToSQL($login, ccsText) . " AND USER_PASS=" . $db->ToSQL(encyptFunction, ccsText);

so what you need to do is enter the encryption function like this:

For code expression
encyptFunction($passwordVariable)

which generates

"SELECT USER, GROUP FROM users WHERE USER_NAME =" . $db->ToSQL($login, ccsText) . " AND USER_PASS=" . $db->ToSQL(encyptFunction($password), ccsText);

or

For DB Function
MD5({passwordVariable})

which generates

"SELECT USER, GROUP FROM users WHERE USER_NAME =" . $db->ToSQL($login, ccsText) . " AND USER_PASS=MD5(" . $db->ToSQL($password, ccsText) . ")";

pathans

Posts: 46
Posted: 04/29/2013, 8:39 PM

sorry for NB question kawuat
so what should i do in my common.php?
kawuat

Posts: 13
Posted: 04/29/2013, 8:45 PM

pathans don't mess with common.php.

You used the DB function option PASSWORD to encrypt, so then set that in project settings:

PASSWORD({passwordVariable})

CCS will generate the proper SQL to hash your password when it evaluates the login.
kawuat

Posts: 13
Posted: 04/29/2013, 8:56 PM

Well that escalated quickly ....

I meant no offence and made what I thought was a respectful comment, but I was obviously wrong ...

I take my leave sir, it was my mistake.

Pathans ... please ignore my comment and do as MichaelMcDonald has instructed.
MichaelMcDonald

Posts: 640
Posted: 04/29/2013, 9:04 PM

From a technical perspective, there is nothing wrong with taking kawuat's advice and trying kawuat's suggestions and posting the feedback so everyone can learn from it....

Everyone can work these threads together to effect a supportive outcome.


_________________
Central Coast, NSW, Australia.

pathans

Posts: 46
Posted: 04/29/2013, 9:08 PM

Thanks guys.
Let me try both approaches. What I can do is write a howto (step by step) at the end with both ways so everyone can benefit.

Michael,
please let me know what you want me to do next. I provided you the snippet on how I updated the password in the DB.

kawuat,
I will try your option and post the outcome shortly.
Update:
I just tried kawuat's suggestion and it worked.

Michael,
please let me know what you want me to test. I will start a new thread and post both solutions step by step.

Again guys, thanks for your help. I think the intention here in both cases is to provide a solution, not to disrespect. There is more than one way to peel a banana.
MichaelMcDonald

Posts: 640
Posted: 04/29/2013, 9:22 PM

Pathans,

Just wait and see if any part of CCS password generation / management breaks somewhere down the line.
If it does, it may be necessary to manage the whole password scenario differently.
_________________
Central Coast, NSW, Australia.

DataDoIT
Posted: 04/30/2013, 1:15 AM

Some things to note...

1. MD5() and PASSWORD() are two completely different hashes in MySQL.
If you went and changed all of the passwords in your database using
PASSWORD(), and hopefully that column is 41 bytes in length, then you
should set in CodeCharge to use the Database function
PASSWORD({password}), not MD5, and not Code expression since there is no
equivalent PHP function to MySQL's PASSWORD function.

2. When you make changes in your project settings, the next time the
project is regenerated (F9), the appropriate code will be updated in
your Common.php file. As instructed, don't fiddle around in Common.php,
unless it's something added at the very top or very bottom of the file,
such as a call to another include, or defining a constant that you'd
like to use everywhere.

So unless you have mucked around in Common.php, then you should be able
to regenerate the project and publish and all should be well. You can
even open Common.php, delete the entire contents of the file, close,
then reopen it and you'll see your new code. No edits are necessary on
your login form.

I reemphasize... MD5 (32 bytes) and PASSWORD (41 bytes) are NOT the same
hashes. I suspect your issues lie in the possible confusion of the two.
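
The mismatch described in this thread, as an added example that is not part of the original posts and not CodeCharge Studio code: it classifies a stored value by its shape and shows that a value written with MySQL's PASSWORD() can never equal what md5() produces in the login event. The function names and the sample password are constructed for illustration.

```php
<?php
// Added example; sample password is constructed.

// What MySQL 4.1+ PASSWORD() stores: '*' followed by the uppercase hex
// of SHA1(SHA1(password)), with the inner SHA1 taken as raw bytes.
function mysql_password_hash($plain) {
    return '*' . strtoupper(sha1(sha1($plain, true)));
}

// Guess which function produced a stored value from its shape alone.
function classify_stored_hash($stored) {
    if (preg_match('/^[0-9a-f]{32}$/i', $stored)) {
        return 'MD5 (32 hex chars)';
    }
    if (preg_match('/^\*[0-9A-F]{40}$/', $stored)) {
        return 'MySQL PASSWORD() (41 chars)';
    }
    if (preg_match('/^\$2[axy]\$\d{2}\$.{53}$/', $stored)) {
        return 'bcrypt (60 chars)';
    }
    return 'unknown or truncated (check the column width)';
}

$plain         = 'constructed-sample';
$inDb          = mysql_password_hash($plain); // UPDATE ... PASSWORD(user_pass)
$fromLoginForm = md5($plain);                 // md5() added in the login event

printf("stored: %s -> %s\n", $inDb, classify_stored_hash($inDb));
printf("sent  : %s -> %s\n", $fromLoginForm, classify_stored_hash($fromLoginForm));

// The WHERE USER_PASS = ... comparison can only succeed if these are equal.
var_dump($inDb === $fromLoginForm);

// A 41-character value cut off by a 32-character column matches neither format.
printf("cut   : %s\n", classify_stored_hash(substr($inDb, 0, 32)));
```
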
bannedone


Posts: 273
Posted: 05/01/2013, 11:30 AM

Hi

CCS will generate the code for you if you use the settings for password encryption in the IDE.

One thing you must remember is your database field needs to be big enough to hold the encrypted password. I generally set my password database fields to 64 or 128 in size.

Just a thought.

Have fun
8-)
John

_________________
John Real
CodeCharge Studio Support, Training, Consulting, Development, Web based solutions
http://realsites.biz
http://ccselite.com
Other Banned IDs on this Forum. jjrjr1, jjrjr2
pathans

Posts: 46
Posted: 05/01/2013, 5:53 PM

I made it varchar100
jamtc

Posts: 18
Posted: 11/16/2013, 6:49 AM

The "bannedone" is right.

I was facing this problem and his advice solved it.

Thanks...
_________________
JamTC
:-)
Lucius

Posts: 220
Posted: 11/17/2013, 9:34 AM

Sorry to add to almost a year old post...

One thing you should be aware of is that MD5 is a very weak and insecure way of storing passwords. These days it is as strong as storing passwords in plain text...

The password() MySQL function is just slightly better, but still vulnerable, especially to rainbow table attacks. Also, the MySQL documentation clearly states that this is an internal MySQL function and should not be used for application development: http://dev.mysql.com/doc/refman/5.7/en/encryption-funct...nction_password

If you wish your passwords to have good security, use bcrypt or similar functions for producing hash values (that include salt in the hashing algorithm).
eratech


Posts: 513
Posted: 11/17/2013, 4:15 PM

I'm agreeing with others a lot today - Lucius is correct, and I'm adding to this topic as this is one of my pet-peeves with CCS (and a lot of password tutorials online) - the examples still mention MD5 or PASSWORD() for hashing.

At the very least, you can put a common-salted hash into CCS (Project Settings > Security > Advanced > Encrypt Passwords using > Code Expression) that makes your password harder to break, and is simple to do in CCS (PHP):

hash('sha256', 'randomtext'.{password})

(to get the hash for the admin login manually, before I've added the user, I wrote a 3 line PHP file that takes my hardcoded password and outputs the hash, above)

This is certainly not the best method, but it is quick to do and better than most. For best use bcrypt, but it's harder to implement.

Outline of coding bcrypt using openwall PHPpass library: http://webdevelopingcat.com/encrypt-passwords-using-phpass/

Possibly-too-detailed explanation of why bcrypt is better: http://codahale.com/how-to-safely-store-a-password/

I think I will put a simple CCS-able bcrypt implementation together.

Cheers

E

_________________
CCS 3/4/5 ASP Classic, VB.NET, PHP
Melbourne, Victoria, Australia
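
One way to move the MD5 or PASSWORD() values discussed in this thread to bcrypt, as an added example that is not from any poster and not CodeCharge Studio code. It assumes PHP 5.6+ (password_hash, hash_equals); the function names, the $users array standing in for the users table, and the passwords are constructed. Because each bcrypt hash carries its own salt, the stored value has to be fetched by login name and checked in PHP rather than compared inside the SQL WHERE clause.

```php
<?php
// Added example; $users stands in for the users table (constructed data).

// True if $plain matches an unsalted MD5 or MySQL PASSWORD() value.
function legacy_matches($plain, $stored) {
    if (preg_match('/^[0-9a-f]{32}$/i', $stored)) {
        return hash_equals(strtolower($stored), md5($plain));
    }
    if (preg_match('/^\*[0-9A-F]{40}$/', $stored)) {
        return hash_equals($stored, '*' . strtoupper(sha1(sha1($plain, true))));
    }
    return false;
}

// Returns array(ok, replacementHash). replacementHash is null when the
// stored value is already an up-to-date password_hash() value.
function verify_and_upgrade($plain, $stored) {
    $info = password_get_info($stored);
    if ($info['algoName'] !== 'unknown') {
        if (!password_verify($plain, $stored)) {
            return array(false, null);
        }
        $stale = password_needs_rehash($stored, PASSWORD_DEFAULT);
        return array(true, $stale ? password_hash($plain, PASSWORD_DEFAULT) : null);
    }
    if (legacy_matches($plain, $stored)) {
        // Correct password on a legacy row: replace it with a salted hash.
        return array(true, password_hash($plain, PASSWORD_DEFAULT));
    }
    return array(false, null);
}

$users = array(
    'alice' => md5('sample-pass-1'),
    'bob'   => '*' . strtoupper(sha1(sha1('sample-pass-2', true))),
);
$attempts = array(
    array('alice', 'sample-pass-1'), array('alice', 'sample-pass-1'),
    array('bob', 'wrong-guess'),     array('bob', 'sample-pass-2'),
);
foreach ($attempts as $attempt) {
    list($login, $plain) = $attempt;
    list($ok, $newHash) = verify_and_upgrade($plain, $users[$login]);
    if ($newHash !== null) {
        $users[$login] = $newHash; // real app: UPDATE the row for this login
    }
    printf("%-5s %-13s ok=%d stored=%s...\n", $login, $plain, $ok, substr($users[$login], 0, 7));
}
```

The PHP manual recommends a 255-character column for values produced with PASSWORD_DEFAULT, since the default algorithm and its output length may change in later PHP versions.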