
Password Encryption

9/6/2005 01:36:40
ASPRunnerPro General questions
customcode author

How do I set ASPRunner to read and encrypt the passwords when creating them? I noticed they are plain text in the MySQL database.

thx :D

Sergey Kornilov admin 9/6/2005

Encrypted passwords do not mean security. If someone gets access to your ASP code it does not matter whether passwords are encrypted or not.
To encrypt passwords in the database you can use the MySQL functions encrypt() or md5().
You need to modify the files login.asp, register.asp and changepwd.asp to encrypt the password before writing to the database and before validating.
For example, here is the update password SQL statement on the changepwd.asp page (see my changes in bold):

strSQL= "update " & AddWrappers(cLoginTable) & " set " & AddWrappers(cPasswordField) & "= md5(" & passvalue & ") " & sWhere


Note: the password reminder page won't work anymore because you are no longer storing actual passwords in the database. You will need to change this page to reset the password.

customcode author 9/7/2005

Hi, I got the change password to save but I cannot get login to work:

strSQL = "select * from " & cLoginTable & " where " & AddWrappers(cUserNameField) & _
    "=" & strUsername & " and " & AddWrappers(cPasswordField) & "=md5(" & strPassword & ")"

Sergey Kornilov admin 9/7/2005

Replace this line in login.asp:

if request("username")=CStr(rs(cUserNameField)) and request("password")=CStr(rs(cPasswordField)) then



with this:

if request("username")=CStr(rs(cUserNameField)) then

501244 9/8/2005

It worked. thx....

500314 10/15/2005

Hi, I am using SQL 2000 and I got the password to encrypt, but I can't get the user to login with the encrypted password.
This is what I did.
On changepwd.asp I modified this:

' passvalue is the already-quoted value used in the original statement; concatenate the
' variable itself rather than the literal text 'passvalue', or every row gets the same digest
strSQL= "update " & AddWrappers(cLoginTable) & " set " & AddWrappers(cPasswordField) & "= dbo.MD5(CONVERT(VARBINARY(50), " & passvalue & "))" & sWhere

dbConnection.Execute strSQL

Now the password is getting encrypted in SQL 2000, but how do I get it compared to the existing encrypted password and allow the user to login?
I am creating a multiple user access database, and I am one of the ASPRunner Pro customers.
Thanks in advance.

Sergey Kornilov admin 10/15/2005

Replace this line in login.asp:

if request("username")=CStr(rs(cUserNameField)) and request("password")=CStr(rs(cPasswordField)) then


with this:

if request("username")=CStr(rs(cUserNameField)) then


and the SQL statement should look like this:

' hash the submitted password (strPassword, already quoted) and compare it with the digest stored in the password field
strSQL = "select * from " & cLoginTable & " where " & AddWrappers(cUserNameField) & _
    "=" & strUsername & " and " & AddWrappers(cPasswordField) & "=dbo.MD5(CONVERT(VARBINARY(50)," & strPassword & "))"
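As an added example, not code from this thread or from ASPRunner, the same two steps in Python against a constructed SQLite table: change_password stores the MD5 digest the way the md5() / dbo.MD5 update statements above do, login hashes the submitted password and compares it with the stored digest, and login_reversed keeps the other comparison direction (hashing the stored column) to show why it can never match. hashlib computes the digest in the application because SQLite has no MD5 function, and bound parameters stand in for the manual quote doubling of the ASP code.

```python
import hashlib
import sqlite3

# Constructed stand-in for the thread's users table (ID, user name, password).
# The thread hashes inside MySQL/SQL Server; here hashlib computes the same
# MD5 hex digest in the application, since SQLite has no MD5 function.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (id integer primary key, username text, password text)")
    # Constructed row: the password starts out in plain text, as in the thread.
    conn.execute("insert into users (username, password) values (?, ?)", ("alice", "oldplain"))
    return conn


def md5_hex(value: str) -> str:
    return hashlib.md5(value.encode("utf-8")).hexdigest()


def change_password(conn: sqlite3.Connection, username: str, new_password: str) -> None:
    # changepwd.asp step: store the digest, never the plain text. Bound parameters
    # replace the Replace(..., "'", "''") quoting used in the ASP code.
    conn.execute("update users set password = ? where username = ?",
                 (md5_hex(new_password), username))


def login(conn: sqlite3.Connection, username: str, candidate: str) -> bool:
    # login.asp step: hash the submitted password and compare it with the stored
    # digest; the plain-text comparison against rs(cPasswordField) is dropped,
    # as the thread does.
    row = conn.execute("select 1 from users where username = ? and password = ?",
                       (username, md5_hex(candidate))).fetchone()
    return row is not None


def login_reversed(conn: sqlite3.Connection, username: str, candidate: str) -> bool:
    # Comparison direction from the thread's SQL Server query: hashing the already
    # hashed column and comparing it with the plain text never matches.
    row = conn.execute("select password from users where username = ?", (username,)).fetchone()
    return row is not None and md5_hex(row[0]) == candidate


def demo() -> dict:
    conn = make_db()
    change_password(conn, "alice", "s3cret")
    stored = conn.execute("select password from users where username = 'alice'").fetchone()[0]
    return {
        "stored": stored,
        "correct_login": login(conn, "alice", "s3cret"),
        "wrong_password": login(conn, "alice", "guess"),
        "wrong_user": login(conn, "bob", "s3cret"),
        "reversed_comparison": login_reversed(conn, "alice", "s3cret"),
    }
```

The digest is unsalted and fast, so a stored MD5 of a common password can be matched from precomputed tables; swapping md5_hex for a salted hashlib.pbkdf2_hmac leaves the rest of the flow unchanged.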

500315 10/15/2005

Hi,
I have tried the modification, but it is still not working. Can you please help?
This is what I have on login.asp:

If Not rs.EOF Then
    while not rs.eof
        if request("username")=CStr(rs(cUserNameField)) then strSQL = "select * from " & cLoginTable & " where " & AddWrappers(cUserNameField) & _
            "=" & strUsername & " and " & AddWrappers(cPasswordField) & "=dbo.MD5(CONVERT(VARBINARY(50)," & strPassword & "))"
        Session("UserID") = Request("username")
        Session("AccessLevel") = ACCESS_LEVELUSER
        if Request("username")=cAdminUserID then Session("AccessLevel") = ACCESS_LEVEL_ADMIN

500316 10/15/2005

Can you please tell me what I am doing wrong in the above mentioned code.
Thanks.

500317 10/15/2005

Hi,

The password is already encrypted in the Password field. I am trying to compare the encrypted password to the user's password (which needs to be encrypted before comparing), please correct me if I am wrong. I am struggling to encrypt the user's password and compare it to the MD5 already stored in the password field. Initially the user's password is stored as plain text. Then the user changes the password by clicking change password, and at this stage it gets encrypted with MD5. Then the user logs in again with the changed password. At this stage I need to compare the encrypted password field to the user's password (I think it needs to be encrypted on the fly before comparing) and allow access.
Thanks in advance.

Sergey Kornilov admin 10/15/2005

You are putting the SQL query in the wrong place. The new SQL query should replace the existing one before the recordset is opened. Replace the SQL query that comes before the following two lines:

rs.open strSQL, dbConnection,1

Call ReportError

500318 10/18/2005

Hi,
When I try to login it is displaying invalid login. The password is encrypted. The Users table is:
ID field
User Name field
Password field
Once the encryption is completed, I can see the password is encrypted. Yet when I insert the correct user name and password it is indicating invalid login. Can you please help?
This is the code after modification:

strUsername = Replace(Trim(Request("username")),"'","''")
strPassword = Replace(Trim(Request("password")),"'","''")
Set rsTemp = server.CreateObject("ADODB.Recordset")
rsTemp.open "select * from " & cLoginTable & " where 1=0", dbConnection
if IfNeedQuotes(rsTemp(cUserNameField).Type)="True" then strUsername = "'" & strUsername & "'"
if IfNeedQuotes(rsTemp(cPasswordField).Type)="True" then strPassword = "'" & strPassword & "'"
' hash the submitted (quoted) password and compare it with the digest stored in the password field
strSQL = "select * from " & cLoginTable & " where " & AddWrappers(cUserNameField) & _
    "=" & strUsername & " and " & AddWrappers(cPasswordField) & "=dbo.MD5(CONVERT(VARBINARY(50)," & strPassword & "))"
rs.open strSQL, dbConnection,1
Call ReportError
If Not rs.EOF Then
    while not rs.eof
        if request("username")=CStr(rs(cUserNameField)) then
            Session("UserID") = Request("username")
            Session("AccessLevel") = ACCESS_LEVELUSER
            if Request("username")=cAdminUserID then Session("AccessLevel") = ACCESS_LEVEL_ADMIN
            if RemoveWrappers("##USERSOWNERID##")<>"" then
                Session("OwnerID") = rs("##USERSOWNERID##")
            end if
            if Session("MyURL")<>"" then
                Response.Redirect Session("MyURL")
            else
                Response.Redirect Replace("##FIRSTPAGE##", "%20", " ")
            end if
        else
            rs.MoveNext
        end if
    wend
    strMessage = ##SCRIPTMESSAGE(INVALID_LOGIN)##
    Session.Abandon
Else
    strMessage = ##SCRIPTMESSAGE(INVALID_LOGIN)##
    Session.Abandon
End If
end if ' closes the enclosing If whose opening line is not included in this paste

Sergey Kornilov admin 10/18/2005

You need to print modified SQL statement on ASP page, make sure it looks right.

Copy and paste it into SQL Query Analyzer, execute it to make sure it returns the correct data, tweak it if necessary and make the changes in the ASP code.

Gaya 10/19/2005

Hi,

Is it possible for you to expand on this with an example?
Thanks

Gaya

Sergey Kornilov admin 10/19/2005

I'm not sure what kind of example you need.
To print the SQL statement on the ASP page use Response.Write strSQL right before this SQL statement is executed.

500319 10/21/2005

I am working on this. If I get stuck, I'll post on this forum. Thanks for your help.