Problem with password field - value on database is not encrypted as expected

giovannino · May 7, 2020, 7:54pm

Hi all,

I’ve defined a form with user and password definition. The form is the resources form of prj management SC sample.
When I save the form and user the password field save its value on database in clear as text not encrypted.
The password field is a text type and then when I am in the form definition I flag as needed the password radio box to say that field has to be interpeted as password.
Where is my mystake ? Need I to make something different ?
When I try later to do the login inserting user and password , the following code do not work probably for the problem above described.

sc_reset_apl_status();
sc_lookup(dataset, "select resourceid, pwd from resources where login = ‘{usuario}’ ");

if(!isset({dataset[0][0]}))
{
sc_error_message(“Utente/Password non validi”);
sc_error_exit();
}else
{
$senha_teste = md5({senha});
if ($senha_teste != {dataset[0][1]})
{
sc_error_message(“Utente/Password non validi”);
sc_error_exit();
}

//updateTaskDaysOverdue();
sc_redir(‘menu.php’, v_resource={dataset[0][0]});
}

aducom · May 7, 2020, 8:34pm

I’m not sure if I get your question right. If you set the password field option it only means that you cannot see the password while typing. It has nothing to do with the storage. If you don’t do anything the field is treated as an ordinary textfield. If you want to store it encrypted you need to use the php MD5 function. You say that you store as text, but in the password check you use the MD5, so - your don’t encrypt and omit this function - or - you use MD5 to store and use MD5 on the input to test the values.

Don’t forget to escape the input to prevent security issues. A good start to look at is to generate a login form from the security.