George L.
Posted: 01/02/2002, 8:20 AM
I am trying to find out the best method of encrypting a password upon creating a user in a record form. The below method is what I am using in my Before Insert Event:
$fldUSER_PASS = crypt($fldUSER_PASS,substr($fldUSER_NAME,0,2));
In order to decrypt correctly upon login, I put this in my Custom Login Event:
$sPassword = crypt($sPassword,substr($sLogin,0,2));
Here is the problem. These two methods do exactly what I want them to do; since the SALT for this encryption type is the same, it comes back true every time. But, when I want to go and modify existing user info, it shows the encrypted password every time. That means that if for example I am only needing to change the user's phone number, then I must also change the user's password as well, or else the password will be set to the encrypted string, then encrypted again. ?!?
If I am making sense, here is what I want to do: I want to be able to show a user's DECRYPTED password when changing his/her user info. I am not able to do this with the crypt function, since it is a one-way hash algorithm.
Anybody know of an easier/better way to encrypt/decrypt passwords in a database?
-George

Alex Alexapolsky
Posted: 01/03/2002, 2:37 AM
You should show the crypted password from the db,
then crypt the second password in the Before Update event,
and compare both crypted ones in the Validation event.

George L.
Posted: 01/03/2002, 7:39 AM
Yes, but is there a way to decrypt a password that is already encrypted? I know the crypt function in PHP cannot, because it is a one-way algorithm. Is there an alternate way to encrypt and decrypt?

Jer
Posted: 01/03/2002, 7:09 PM
George, I had the same problem.
What I did was create a form that included all the fields including the encrypted password. I made a special note for the password field, that this was the end result of encrypting the password.
Then, I created a separate form to change the password if necessary. It contained the same custom login event that you had.
A bit of a pain, but it didn't require me to do any manual coding.
Jer

Mark Andrews
Posted: 01/04/2002, 2:45 AM
I use a hidden field for the encrypted password and two non-database fields for password and password verification. These have a caption saying "leave blank to retain current password".
If password1 is non blank I compare with password2 and throw an error if they are different. If they are the same then I update the hidden encrypted field with the new password.
Only problem with this approach is that there is no provision for a "Lost Password" facility other than a password reset by admin.
You could keep a copy of the non-encrypted password in another field that is just used for the password update screen, but I decided against this approach for my sites.
Regards,
Mark
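
Added example (not part of any post in this thread): the "leave blank to retain current password" update logic described above, which avoids both re-hashing the stored value and any need to decrypt it. It swaps the thread's crypt() call with a username-derived salt for PHP's password_hash()/password_verify(), and it reads the stored hash on the server instead of from a hidden form field; the function and variable names are hypothetical, and the sample data is constructed.

```php
<?php
// Added example; function and variable names are hypothetical.

/**
 * Decide which hash to store when a user record is edited.
 *   $storedHash    hash currently in the database (kept server-side)
 *   $new, $confirm the two non-database password fields from the form
 * Returns [hashToStore, errorMessageOrNull].
 */
function resolve_password_update(string $storedHash, string $new, string $confirm): array
{
    if ($new === '' && $confirm === '') {
        // Blank means "retain current password": the old hash is written
        // back unchanged, so it is never hashed a second time.
        return [$storedHash, null];
    }
    if ($new !== $confirm) {
        // Reject the edit and leave the stored hash untouched.
        return [$storedHash, 'Passwords do not match'];
    }
    // password_hash() generates a random salt for each password and
    // embeds it in the returned string.
    return [password_hash($new, PASSWORD_DEFAULT), null];
}

/** Login check: compares against the hash; plaintext is never recovered. */
function check_login(string $storedHash, string $submitted): bool
{
    return password_verify($submitted, $storedHash);
}

// Constructed sample data.
$hash = password_hash('first-secret', PASSWORD_DEFAULT);

// 1. Only the phone number changes: both password fields are blank.
[$kept, $err] = resolve_password_update($hash, '', '');
var_dump($kept === $hash, check_login($kept, 'first-secret'));

// 2. Mismatched entry: an error is returned, stored hash unchanged.
[$same, $err] = resolve_password_update($hash, 'new-secret', 'new-secert');
var_dump($err, $same === $hash);

// 3. Matching entry: a new hash replaces the old one.
[$fresh, $err] = resolve_password_update($hash, 'new-secret', 'new-secret');
var_dump(check_login($fresh, 'new-secret'), check_login($fresh, 'first-secret'));
```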