Problem with MD5


  • #16
    Hi Gerd
    that doesn't solve the problem when creating new users.
    And why don't all events seem to work?
    And for aka, maybe he's shouting so loud because SC doesn't seem to hear the problems (bugs) we are facing. Or, if they hear us, they don't answer... Read about the frustration of many customers here...

    Comment


    • #17
      I know that it doesn't solve the problem.
      My greater problem right now is: I cannot reproduce this error. I can define and delete fields in my DB, the form works. Also every event I define is working!

      btw. aka should meanwhile know that SC is usually deaf on both ears!

      Comment


      • #18
        hi guys
        just to add a small comment, I got that error which is in aka's screenshot above in the shouting post, on many occasions, one of them was when playing with db fields and returning back to the application and trying to run it... I think it is kind of a "fake" error, because once you refresh or move on it will all work ok

        possible scenario is maybe having a momentary crash while you change something in the values due to SC internal validations or something.. then once you save it, it "resets" the application functions and it works ok

        btw. aka should meanwhile know that SC is usually deaf on both ears!
        agree

        Comment


        • #19
          Originally posted by MikeDE View Post
          hi guys
          just to add a small comment, I got that error which is in aka's screenshot above in the shouting post, on many occasions, one of them was when playing with db fields and returning back to the application and trying to run it... I think it is kind of a "fake" error, because once you refresh or move on it will all work ok

          possible scenario is maybe having a momentary crash while you change something in the values due to SC internal validations or something.. then once you save it, it "resets" the application functions and it works ok


          agree
          well it works for me only if I close and reopen SC, otherwise I get all kind of other junk and errors in other procedures as well. I do not know what it is but it is very annoying!


          ooohhhh! DID I ALREADY SAY - I WANT THE BUGS FIXED ?
          -----------------------------------------
          Arthur Klisiewicz
          dATA POINT SOFTWARE
          www.datapointsoftware.com

          Comment


          • #20
            Originally posted by Gerd Dietrich View Post
            aka,

            crying so loud will not solve the problem !!

            BTW i never had this problem and i added fields in my user table after the first creation as my customer wants more fields.

            What i did to prevent the md5 problem was, that in the edit mode, the user password could not be changed, i made a new form only for password updates.


            Gerd
            so why the password cannot be changed in EDIT MODE ?
            There is nothing special about that. If I wanted to read the password from an existing record and then decrypt it, it would not work of course, because MD5 is a "one way street", although changing the password and overriding the existing string with a new encryption should not be a problem, so I see no reason for your statement (enlighten me if I'm wrong).

            the MD5 method should work independent of any other conditions and when called should result in a new string with the encrypted password - PERIOD!
            -----------------------------------------
            Arthur Klisiewicz
            dATA POINT SOFTWARE
            www.datapointsoftware.com

            Comment


            • #21
              Originally posted by aka View Post
              the MD5 method should work independent of any other conditions and when called should result in a new string with the encrypted password - PERIOD!
              it should, but it doesn't. one more small comment, why in the change password application that user is using, works fine!?

              Comment


              • #22
                exactly, this is what I was going to point out as well! that means there is something preventing using this method in a regular form edit mode. I just tested this today again (after a few SC8 updates from the net) but I'm still having the same issue. I'm basically stuck with uploading the project to the server because I have no way to control/change user passwords (unless I skip using the MD5 method).
                There is definitely some bug and this must be resolved with NetMake ASAP, because it basically prevents us from using project security features.

                Arthur
                -----------------------------------------
                Arthur Klisiewicz
                dATA POINT SOFTWARE
                www.datapointsoftware.com

                Comment


                • #23
                  ok, a workaround could be to remove the user and recreate it, tested and works ok, but that's still an issue that needs to be resolved ASAP. John is around, hopefully he notices this post and takes action

                  Comment


                  • #24
                    Arthur,

                    here is the code onBeforeInsert of edit_users (form)

                    Code:
                    if({pswd} != {confirm_pswd})
                    {
                    	sc_error_message({lang_error_pswd});
                    	sc_error_exit();
                    }
                    {pswd} = md5({pswd});

                    but in user_change_password (which is working ok) (control)

                    onValidate

                    Code:
                    if( (!isset({old_pswd}) || empty({old_pswd}) ) && (!isset([act_code]) || empty([act_code]) ) )
                    {
                    	sc_error_message({lang_error_old_pswd});
                    	sc_error_exit();	
                    }
                    if({pswd} != {confirm_pswd})
                    {
                    	sc_error_message({lang_error_pswd});
                    	sc_error_exit();
                    }
                    
                    $spswd = sc_sql_injection(md5({pswd}));
                    $sold_pswd = ( isset([act_code]) && !empty([act_code]) ) ? "activation_code= ". sc_sql_injection([act_code]) : " pswd = ". sc_sql_injection(md5({old_pswd}));
                    unset([act_code]);
                    
                    
                    $sql = "SELECT count(*) FROM sec_users WHERE ". $sold_pswd ." AND login = '". [usr_login] . "'";
                    sc_lookup(rs, $sql);
                    
                    if({rs} === FALSE || {rs}[0][0] == 0)
                    {
                    	sc_error_message({lang_error_old_pswd});
                    	sc_error_exit();	
                    }

                    and onValidateSuccess

                    Code:
                    	$sql = "UPDATE sec_users SET pswd = ".($spswd).", activation_code = '' WHERE login = '". [usr_login] . "'";
                    	sc_exec_sql($sql);
                    	sc_log_add('Change Password', [usr_login] ." ". {lang_change_pswd});
                    	[act_code] = '';
                    	sc_redir('sec_login', "", "_parent");

                    there is something wrong in the first form of admin edit_users! should it be onBeforeInsert?! where is the command to sql to make it updated in db!?

                    Comment


                    • #25
                      Hi,
                      as I can see, MD5 works.
                      The problem is that events in the form seem to be "disabled", so all your MD5 instructions are never executed.

                      Try that in the onBeforeInsert of the app_form_add_users

                      if({pswd} != {confirm_pswd})
                      {
                      sc_error_message({lang_error_pswd});
                      sc_error_exit();
                      }
                      {pswd} = md5({pswd});
                      {confirm_pswd}=md5({confirm_pswd});
                      sc_error_message({psw});

                      Last line never executed and if you put different passwords, no messages also.

                      Sylvain

                      Comment


                      • #26
                        Just a comment aside:

                        You are not supposed to use MD5 to secure passwords anymore (ik ik... then why netmake still uses it. bla bla bla) I can recommend that you use the ones authorized by NIST

                        http://csrc.nist.gov/groups/ST/toolk...e_hashing.html

                        tho SHA-1 is no longer accepted =P.

                        try to use the php implementation of SHA512

                        PHP Code:
                        hash('SHA512','The password you just got from the user') ; 
                        Just remember that this means you will have to change the size of your password field... 256 is an accepted standard.

                        Regards

                        Comment
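Added example, not part of the original thread and not ScriptCase or NetMake code: the md5() and hash('SHA512', ...) calls discussed above are fast, unsalted hashes, whereas PHP's built-in password_hash() salts and stretches each password. The sketch below checks a login against sec_users with bound parameters (instead of concatenating the login into the SQL string, as the posted onValidate code does) and upgrades a legacy MD5 row on the next successful login. The PDO/SQLite setup, the function names and the sample row are assumptions.

```php
<?php
// Added example (not ScriptCase or NetMake code). Table and column names
// follow the thread (sec_users, login, pswd); everything else is assumed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE sec_users (login TEXT PRIMARY KEY, pswd VARCHAR(255))');

// Constructed sample row: a legacy account still stored as unsalted MD5.
$db->prepare('INSERT INTO sec_users (login, pswd) VALUES (?, ?)')
   ->execute(['demo', md5('old-secret')]);

function store_password(PDO $db, string $login, string $plain): void
{
    // password_hash() salts and cost-stretches; output fits in VARCHAR(255).
    $stmt = $db->prepare('UPDATE sec_users SET pswd = ? WHERE login = ?');
    $stmt->execute([password_hash($plain, PASSWORD_DEFAULT), $login]);
}

function check_login(PDO $db, string $login, string $plain): bool
{
    // Bound parameters: the login never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT pswd FROM sec_users WHERE login = ?');
    $stmt->execute([$login]);
    $stored = $stmt->fetchColumn();
    if ($stored === false) {
        return false;
    }

    // Legacy row: 32 hex characters means an MD5 digest from the old scheme.
    if (preg_match('/^[0-9a-f]{32}$/', $stored) === 1) {
        if (!hash_equals($stored, md5($plain))) {
            return false;
        }
        store_password($db, $login, $plain); // upgrade on successful login
        return true;
    }

    if (!password_verify($plain, $stored)) {
        return false;
    }
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        store_password($db, $login, $plain);
    }
    return true;
}

var_dump(check_login($db, 'demo', 'old-secret'));  // legacy MD5 row, upgraded
var_dump(check_login($db, 'demo', 'wrong'));
var_dump(check_login($db, 'demo', 'old-secret'));  // now checked by password_verify()
```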


                        • #27
                          hi sempai, wish you are doing well
                          i am not sure you read all the discussion before, see, this works fine in adding user, works fine with control (when user changes the password from his screen) but problem is when editing and updating the user password from the security module app it doesn't actually change!

                          also i'm very interested in the SHA512, did you try it yourself!? is it that simple!? should be added to the project in the beginning or you can apply it to existing project

                          you are the man kafecadm, hitting critical spots

                          Comment


                          • #28
                            Originally posted by kafecadm View Post
                            Just a comment aside:

                            You are not supposed to use MD5 to secure passwords anymore (ik ik... then why netmake still uses it. bla bla bla) I can recommend that you use the ones authorized by NIST

                            http://csrc.nist.gov/groups/ST/toolk...e_hashing.html

                            tho SHA-1 is no longer accepted =P.

                            try to use the php implementation of SHA512

                            PHP Code:
                            hash('SHA512','The password you just got from the user') ; 
                            Just remember that this means you will have to change the size of your password field... 256 is an accepted standard.

                            Regards
                            this thread is not about SHA or which encryption method should be used. If you would like to discuss it, feel free to start another topic. This is about making MD5 work in SC in general. If you have any valuable input I will be happy to see it, otherwise please do not steer this discussion into another avenue. Thank you
                            -----------------------------------------
                            Arthur Klisiewicz
                            dATA POINT SOFTWARE
                            www.datapointsoftware.com

                            Comment


                            • #29
                              Originally posted by MikeDE View Post
                              Arthur,

                              here is the code onBeforeInsert of edit_users (form)

                              Code:
                              if({pswd} != {confirm_pswd})
                              {
                              	sc_error_message({lang_error_pswd});
                              	sc_error_exit();
                              }
                              {pswd} = md5({pswd});


                              yes, this obviously is missing writing to the database SQL statement
                              -----------------------------------------
                              Arthur Klisiewicz
                              dATA POINT SOFTWARE
                              www.datapointsoftware.com

                              Comment


                              • #30
                                Originally posted by aka View Post
                                Originally posted by MikeDE View Post
                                Arthur,

                                here is the code onBeforeInsert of edit_users (form)

                                Code:
                                if({pswd} != {confirm_pswd})
                                {
                                	sc_error_message({lang_error_pswd});
                                	sc_error_exit();
                                }
                                {pswd} = md5({pswd});


                                yes, this obviously is missing writing to the database SQL statement
                                that is what I said, perhaps this is the cause of the password not being updated when accessed from admin_security apps! can anybody confirm this?

                                Comment
