Encrypting password on form submit?

Hi there, I’m trying to use a form to create a user for a site. All the
information from the form is currently submitted to the database as is.
I want the password to be encrypted in the database, but I have no idea
how to do this. I have read a bit about WD5, but have no clue how to do
it really, could anybody help me out with this?

Here is my form:

<% form_for :user do |f| %>

Name <%= f.text_field :name, {:class => 'text'} %>

Username<%=f.text_field :username, {:class => 'text' } %>

Password<%=f.text_field :password, {:class => 'text' } %>

<%=submit_tag ‘Save’, {:class => ‘submit’ } %>

<% end %>

Any explanations would be awesome, thanks in advance!

I have a plugin called has_password that abstracts away the
SHA1-encryption.

ruby script/plugin install git://github.com/jcoglan/has_password.git

There’s information in the README on how to use it, it’s pretty
straightforward and just handles the password encryption, and has a hook
to
notify you when an object’s password changes so you can send emails etc.
There are other more complex plugins like acts_as_authenticated that do
a
lot more than this, so see which suits you best.

2008/8/27 Amanda … [email protected]

<% end %>

Any explanations would be awesome, thanks in advance!

Posted via http://www.ruby-forum.com/.


James C.

Lead JavaScript Developer
theOTHERmedia
http://ojay.othermedia.org
+44 (0) 7771512510

Thanks for your response, but do you know of a way to just encrypt the
password when the form is submitted? (ie encrypt the string in the text
field before it gets stored into the database) I really just need to
know how to do this with the type of form I have above.

James C. wrote:

I have a plugin called has_password that abstracts away the
SHA1-encryption.

ruby script/plugin install git://github.com/jcoglan/has_password.git

There’s information in the README on how to use it, it’s pretty
straightforward and just handles the password encryption, and has a hook
to
notify you when an object’s password changes so you can send emails etc.
There are other more complex plugins like acts_as_authenticated that do
a
lot more than this, so see which suits you best.

2008/8/27 Amanda … [email protected]

Thanks for your response, but do you know of a way to just encrypt the
password when the form is submitted? (ie encrypt the string in the text
field before it gets stored into the database) I really just need to
know how to do this with the type of form I have above.

To encrypt a string:

require ‘digest/sha1’
encrypted = Digest::SHA1.hexdigest(string)

Fred P. wrote:

This will have to be done with client‐side scripting such as
Javascript, not server‐side Ruby.

okay well, since I haven’t used much javascript, particularly with Ruby,
could you help me out with how I would use Javascript for this? I’m
guessing I would have to call a method when I submit the form and get
the string from the password box and encrypt it?

No idea how to do this really…any guidance would be great :slight_smile:

On Thu Aug 28 01:04:24 2008, Amanda … wrote:

Thanks for your response, but do you know of a way to just encrypt the
password when the form is submitted? (ie encrypt the string in the text
field before it gets stored into the database) I really just need to
know how to do this with the type of form I have above.

This will have to be done with client‐side scripting such as
Javascript, not server‐side Ruby.

2008/8/27 Fred P. [email protected]

On Thu Aug 28 01:04:24 2008, Amanda … wrote:

Thanks for your response, but do you know of a way to just encrypt the
password when the form is submitted? (ie encrypt the string in the text
field before it gets stored into the database) I really just need to
know how to do this with the type of form I have above.

This will have to be done with client‐side scripting such as
Javascript, not server‐side Ruby.

Doing it in JavaScript is a bad idea – not all users will have it
enabled,
you’ll need to use your own hashing function, etc. If you’re really
concerned about sending passwords over the network, serve the page on an
https:// URL – consult an Apache tutorial for setting that up, and use
the
ssl_requirement Rails plugin.

On Wed, Aug 27, 2008 at 10:31 AM, Amanda … [email protected]
wrote:

<% end %>

I haven’t used Rails in a while, but what happens in between the form
submission and the submission to the database. Surely, you have some
control over that?

Todd

Todd B. wrote:

I haven’t used Rails in a while, but what happens in between the form
submission and the submission to the database. Surely, you have some
control over that?

Todd

Thats what I’m not sure about/don’t know how to do…I was hoping for
some simple way to submit WD5(:password) to the database or something
like that…I’m not very experienced with RoR or databases, so that’s
why I’m having a hard time with this

Why? Has Amanda chosen to not use SSL to secure the client to server
communication ?

Kevin B. wrote:

Why? Has Amanda chosen to not use SSL to secure the client to server
communication ?

and I don’t even know what ssl is lol, I will go look into it.

Amanda … wrote:

Thats what I’m not sure about/don’t know how to do…I was hoping for
some simple way to submit WD5(:password) to the database or something
like that…I’m not very experienced with RoR or databases, so that’s
why I’m having a hard time with this

I was hoping for something like what’s outlined here:

http://www.bluehostforum.com/showthread.php?t=176

but that I can do in Ruby instead of PHP

I wouldn’t attempt to even do encryption in Javascript. You could, but
there would be no point. Learn how to use SSL (should be easy,
actually). Or Google for HTTPS; exact same thing, but may get you new
pages.

Then the client’s connection to the server is encrypted. From there, do
your SHA1 encryption (or whatever you want to use) before sending it to
the database. That should be all you need. :slight_smile:

Em Wednesday 27 August 2008, Amanda … escreveu:

Kevin B. wrote:

Why? Has Amanda chosen to not use SSL to secure the client to server
communication ?

and I don’t even know what ssl is lol, I will go look into it.

A-m-a-z-i-n-g.

You can’t work with web development without know what SSL is. Neither
you
could speak that you work with web development.

http://en.wikipedia.org/wiki/Secure_Sockets_Layer

HTH,

Davi V.

E-mail: [email protected]
MSN : [email protected]
GTalk : [email protected]
Skype : davi vidal
YIM : davi_vidal
ICQ : 138815296

Em Wednesday 27 August 2008, Amanda … escreveu:

why I’m having a hard time with this
You mean “md5”?

You should go to [email protected] and buy your copy
of “Agile Web D. With Rails”.

Enjoy.


Davi V.

E-mail: [email protected]
MSN : [email protected]
GTalk : [email protected]
Skype : davi vidal
YIM : davi_vidal
ICQ : 138815296

Davi V. wrote:

Em Wednesday 27 August 2008, Amanda … escreveu:

Kevin B. wrote:

Why? Has Amanda chosen to not use SSL to secure the client to server
communication ?

and I don’t even know what ssl is lol, I will go look into it.

A-m-a-z-i-n-g.

You can’t work with web development without know what SSL is. Neither
you
could speak that you work with web development.

http://en.wikipedia.org/wiki/Secure_Sockets_Layer

okay, so I know that I need to learn about SSL, but I don’t think that’s
what I’m after for this…

Maybe this will clarify:

We have a database where users/passwords/all their info is stored (this
database is not just for our site and contains way more entries than
would ever be required of our site). It is secure and uses SSL, I don’t
really know how it works, I don’t really need to.

What we’re doing is using that database to to check if a user exists.
Once a username and password are entered into the login for the first
time, that user’s information is then stored in a different database,
one specifically for our site so we can use their information on our
site. The problem is that we can’t have any users that are not stored
in the larger database. In order to do this, I’ve set up a form (the
code is above) where an admin for the site can create a user…it all
works, except I want the password to be altered before it’s actually
sent to the database.

What I need is a way to stop the password text_field from sending the
text directly to the database, then alter the text, and finally store it
in the database. In the “Agile Web D. With Rails” book, they
give an example of encryption, but I’m not sure how to use that with my
form.

I haven’t even been web developing for 4 months, so I definitely don’t
know all that I should, and I haven’t had much success in searching
google or this rails development book for help with intercepting the
form’s information before it gets sent to the database.

Amanda … wrote:

Maybe this will clarify:

form’s information before it gets sent to the database.
If you are building a Rails app you would do better to ask your
questions on the Rails mailing list.

It should be listed at rubyonrails.org


James B.

www.happycamperstudios.com - Wicked Cool Coding
www.jamesbritt.com - Playing with Better Toys
www.ruby-doc.org - Ruby Help & Documentation
www.rubystuff.com - The Ruby Store for Ruby Stuff

On Thu Aug 28 01:19:07 2008, Amanda … wrote:

No idea how to do this really…any guidance would be great :slight_smile:
Even if I could, I wouldn’t. As it has been said, encrypting like this
is a bad idea. You really need to encrypt after the form has been
sent using Ruby server‐side, before it is put into the database. Take
a look at this[1] module for secure password encryption in Ruby.

[1] http://www.zacharyfox.com/blog/ruby-on-rails/password-hashing

Hi Amanda

If you want to save a MD5 hash of your password in the database, James
has suggested

require ‘digest/sha1’
encrypted_password = Digest::SHA1.hexdigest(password)

That’s all you need. You may also want to read up on authentication in
Rails and look at the plugin acts_as_authenticated
(http://wiki.rubyonrails.com/rails/pages/Acts_as_authenticated).

Neuman Vong
Ext: 6036

This forum is not affiliated to the Ruby language, Ruby on Rails framework, nor any Ruby applications discussed here.

| Privacy Policy | Terms of Service | Remote Ruby Jobs