Hi there, I'm trying to use a form to create a user for a site. All the
information from the form is currently submitted to the database as is.
I want the password to be encrypted in the database, but I have no idea
how to do this. I have read a bit about WD5, but have no clue how to do
it really, could anybody help me out with this?
There's information in the README on how to use it, it's pretty
straightforward and just handles the password encryption, and has a hook to
notify you when an object's password changes so you can send emails etc.
There are other more complex plugins like acts_as_authenticated that do a
lot more than this, so see which suits you best.
···
2008/8/27 Amanda .. <a.etherton@hotmail.com>
Hi there, I'm trying to use a form to create a user for a site. All the
information from the form is currently submitted to the database as is.
I want the password to be encrypted in the database, but I have no idea
how to do this. I have read a bit about WD5, but have no clue how to do
it really, could anybody help me out with this?
I haven't used Rails in a while, but what happens in between the form
submission and the submission to the database. Surely, you have some
control over that?
Todd
···
On Wed, Aug 27, 2008 at 10:31 AM, Amanda .. <a.etherton@hotmail.com> wrote:
Hi there, I'm trying to use a form to create a user for a site. All the
information from the form is currently submitted to the database as is.
I want the password to be encrypted in the database, but I have no idea
how to do this. I have read a bit about WD5, but have no clue how to do
it really, could anybody help me out with this?
Thanks for your response, but do you know of a way to just encrypt the
password when the form is submitted? (ie encrypt the string in the text
field before it gets stored into the database) I really just need to
know how to do this with the type of form I have above.
James Coglan wrote:
···
I have a plugin called has_password that abstracts away the
SHA1-encryption.
There's information in the README on how to use it, it's pretty
straightforward and just handles the password encryption, and has a hook
to
notify you when an object's password changes so you can send emails etc.
There are other more complex plugins like acts_as_authenticated that do
a
lot more than this, so see which suits you best.
I haven't used Rails in a while, but what happens in between the form
submission and the submission to the database. Surely, you have some
control over that?
Todd
Thats what I'm not sure about/don't know how to do...I was hoping for
some simple way to submit WD5(:password) to the database or something
like that...I'm not very experienced with RoR or databases, so that's
why I'm having a hard time with this
Thanks for your response, but do you know of a way to just encrypt the
password when the form is submitted? (ie encrypt the string in the text
field before it gets stored into the database) I really just need to
know how to do this with the type of form I have above.
This will have to be done with client‐side scripting such as
Javascript, not server‐side Ruby.
···
On Thu Aug 28 01:04:24 2008, Amanda .. wrote:
Thanks for your response, but do you know of a way to just encrypt the
password when the form is submitted? (ie encrypt the string in the text
field before it gets stored into the database) I really just need to
know how to do this with the type of form I have above.
Thats what I'm not sure about/don't know how to do...I was hoping for
some simple way to submit WD5(:password) to the database or something
like that...I'm not very experienced with RoR or databases, so that's
why I'm having a hard time with this
I was hoping for something like what's outlined here:
You should go to rubyonrails-talk@googlegroups.com and buy your copy
of "Agile Web Development With Rails".
Enjoy.
···
Em Wednesday 27 August 2008, Amanda .. escreveu:
Todd Benson wrote:
> I haven't used Rails in a while, but what happens in between the form
> submission and the submission to the database. Surely, you have some
> control over that?
>
> Todd
Thats what I'm not sure about/don't know how to do...I was hoping for
some simple way to submit WD5(:password) to the database or something
like that...I'm not very experienced with RoR or databases, so that's
why I'm having a hard time with this
This will have to be done with client‐side scripting such as
Javascript, not server‐side Ruby.
okay well, since I haven't used much javascript, particularly with Ruby,
could you help me out with how I would use Javascript for this? I'm
guessing I would have to call a method when I submit the form and get
the string from the password box and encrypt it?
No idea how to do this really..any guidance would be great
Doing it in JavaScript is a bad idea -- not all users will have it enabled,
you'll need to use your own hashing function, etc. If you're really
concerned about sending passwords over the network, serve the page on an
https:// URL -- consult an Apache tutorial for setting that up, and use the
ssl_requirement Rails plugin.
···
2008/8/27 Fred Phillips <fophillips@fophillips.org>
On Thu Aug 28 01:04:24 2008, Amanda .. wrote:
> Thanks for your response, but do you know of a way to just encrypt the
> password when the form is submitted? (ie encrypt the string in the text
> field before it gets stored into the database) I really just need to
> know how to do this with the type of form I have above.
This will have to be done with client‐side scripting such as
Javascript, not server‐side Ruby.
Why? Has Amanda chosen to not use SSL to secure the client to server communication ?
···
-----Original Message-----
From: Fred Phillips [mailto:fophillips@fophillips.org]
Sent: Wed 8/27/2008 12:13 PM
To: ruby-talk ML; a.etherton@hotmail.com
Cc: ruby-talk@ruby-lang.org
Subject: Re: encrypting password on form submit?
On Thu Aug 28 01:04:24 2008, Amanda .. wrote:
Thanks for your response, but do you know of a way to just encrypt the
password when the form is submitted? (ie encrypt the string in the text
field before it gets stored into the database) I really just need to
know how to do this with the type of form I have above.
This will have to be done with client-side scripting such as
Javascript, not server-side Ruby.
I wouldn't attempt to even do encryption in Javascript. You could, but there would be no point. Learn how to use SSL (should be easy, actually). Or Google for HTTPS; exact same thing, but may get you new pages.
Then the client's connection to the server is encrypted. From there, do your SHA1 encryption (or whatever you want to use) before sending it to the database. That should be all you need.
···
-----Original Message-----
From: a.etherton@hotmail.com [mailto:a.etherton@hotmail.com]
Sent: Wednesday, August 27, 2008 2:05 PM
To: ruby-talk ML
Subject: Re: encrypting password on form submit?
Amanda .. wrote:
Thats what I'm not sure about/don't know how to do...I was hoping for
some simple way to submit WD5(:password) to the database or something
like that...I'm not very experienced with RoR or databases, so that's
why I'm having a hard time with this
I was hoping for something like what's outlined here:
-----Original Message-----
From: a.etherton@hotmail.com [mailto:a.etherton@hotmail.com]
Sent: Thursday, 28 August 2008 4:05 AM
To: ruby-talk ML
Subject: Re: encrypting password on form submit?
Amanda .. wrote:
Thats what I'm not sure about/don't know how to do...I was hoping for
some simple way to submit WD5(:password) to the database or something
like that...I'm not very experienced with RoR or databases, so that's
why I'm having a hard time with this
I was hoping for something like what's outlined here:
Information contained in this communication (including any attachments) is confidential and may be privileged or subject to copyright. If you have received this communication in error you are not authorised to use the information in any way and Optiver requests that you notify the sender by return email, destroy all copies and delete the information from your system. Optiver does not represent, warrant or guarantee that this communication is free from computer viruses or other defects or that the integrity of this communication has been maintained. Any views expressed in this communication are those of the individual sender. Optiver does not accept liability for any loss or damage caused directly or indirectly by this communication or its use.
Please consider the environment before printing this email.
Even if I could, I wouldn’t. As it has been said, encrypting like this
is a _bad_ idea. You really need to encrypt _after_ the form has been
sent using Ruby server‐side, before it is put into the database. Take
a look at this[1] module for secure password encryption in Ruby.
Fred Phillips wrote:
> This will have to be done with client‐side scripting such as
> Javascript, not server‐side Ruby.
okay well, since I haven't used much javascript, particularly with Ruby,
could you help me out with how I would use Javascript for this? I'm
guessing I would have to call a method when I submit the form and get
the string from the password box and encrypt it?
No idea how to do this really..any guidance would be great
okay, so I know that I need to learn about SSL, but I don't think that's
what I'm after for this...
Maybe this will clarify:
We have a database where users/passwords/all their info is stored (this
database is not just for our site and contains way more entries than
would ever be required of our site). It is secure and uses SSL, I don't
really know how it works, I don't really need to.
What we're doing is using that database to to check if a user exists.
Once a username and password are entered into the login for the first
time, that user's information is then stored in a different database,
one specifically for our site so we can use their information on our
site. The problem is that we can't have any users that are not stored
in the larger database. In order to do this, I've set up a form (the
code is above) where an admin for the site can create a user...it all
works, except I want the password to be altered before it's actually
sent to the database.
What I need is a way to stop the password text_field from sending the
text directly to the database, then alter the text, and finally store it
in the database. In the "Agile Web Development With Rails" book, they
give an example of encryption, but I'm not sure how to use that with my
form.
I haven't even been web developing for 4 months, so I definitely don't
know all that I should, and I haven't had much success in searching
google or this rails development book for help with intercepting the
form's information before it gets sent to the database.
What I need is a way to stop the password text_field from sending the text directly to the database, then alter the text, and finally store it in the database. In the "Agile Web Development With Rails" book, they give an example of encryption, but I'm not sure how to use that with my form.
I haven't even been web developing for 4 months, so I definitely don't know all that I should, and I haven't had much success in searching google or this rails development book for help with intercepting the form's information before it gets sent to the database.
If you are building a Rails app you would do better to ask your questions on the Rails mailing list.
