Re: encryption madness

This WebDNA talk-list message is from 2003. It keeps the original formatting.

Message number: 47115
In my experience, there is no problem with the encrypt/decrypt contexts themselves, only confusion regarding how to properly apply them in conjunction with URL / UNURL. Here's some sample code:

[text]tIn=bob!@#$%^&*()_-+=[{]}\|:;',<.>?/`~éåaî[/text]
[text]tEn=[url][encrypt seed=ABC123][tIn][/encrypt][/url][/text]
[text]tDe=[decrypt seed=ABC123][unurl][tEn][/unurl][/decrypt][/text]
[tIn]
[tEn]
[tDe]
[if [url][tIn][/url]=[url][tDe][/url]][then]Good[/then][else]Bad[/else][/if]

Feel free to try any value you want to as the tIn value. Regardless of what you feed it, it should spit out the original value, the URL'ed encrypted value, the decrypted value, and the word Good. If you get the word Bad instead, then something is wrong with WebDNA. All my tests work fine (4.5.0 / OSX).

The only time that a double-URL is required is when you are writing the data out - to a db, an order file, a cookie, whatever - and it is needed because you want to actually store %20 for spaces, along with the URL escape sequences for the more dangerous characters like returns, ampersands, tabs, control characters and high-ASCII characters.

WebDNA always performs an implied UNURL on the parameters you pass in to its contexts, then works with the resulting data. By performing the second URL, you are converting %20 to %2520 - that is, the % in the %20 is converted to %25 - so that the implied UNURL will result in the %20 that you want to write.

So, general rules of encryption that I follow are...

Encrypt into a text variable - URL once, outside the ENCRYPT context:

[text]tEn=[url][encrypt seed=ABC123]the data[/encrypt][/url][/text]

Writing the encrypted value to a DB - URL the already once-URL'ed value so it gets written out URL'ed:

[append ...]encField=[url][tEn][/url][/append]

The same as above applies to SETCOOKIE or storing in an order file...

Decrypting a once-URL'ed encrypted value - which includes the text variable I created, or any value retrieved from a DB, COOKIE or ORDER FILE - use UNURL INSIDE the DECRYPT:

[text]tDe=[decrypt seed=ABC123][unurl][encField][/unurl][/decrypt][/text]

At this point, [tDe] contains exactly the same data that was originally passed in to the ENCRYPT.

- brian

On Wednesday, January 22, 2003, at 02:56 PM, Andrew Simpson wrote:

> Yes. 99.9% accuracy isn't really good enough when dealing with somebody else's money.
>
> it wouldn't take too long to write a script that tested encrypt/decrypt in an endless loop with random seeds to see if there are any inconsistencies.
> but i agree, this should have already been done by SMSI and documented...
>
> It's an important part of an ecommerce engine for people to be able to pay for products securely...
>
> ----- Original Message -----
> From: Tim Robinson
> To: WebCatalog Talk
> Sent: Thursday, January 23, 2003 11:46 AM
> Subject: Re: encryption madness
>
>> Maybe it's stating the bleedingly obvious, but shouldn't it be up to SmithMicro to fix it?!?! There shouldn't be disagreements and endless testing to see if one [url] or two does the job. You should just be able to use [encrypt] to encrypt it, and [decrypt] to decrypt it.... and that should work. You know it makes sense! ;-)
>>
>> Regards,
>> Tim
>> --
>> Tim Robinson
>> IDFK Web Developments
>> tim@idfk.com.au
>> 114a/40 Yeo Street
>> Neutral Bay 2089
>> Australia
>> Phone +612 9908 2134
>> Fax +612 9908 4837
>>
>>> From: Glenn Busbin
>>> Reply-To: (WebCatalog Talk)
>>> Date: Wed, 22 Jan 2003 17:42:12
>>> To: (WebCatalog Talk)
>>> Subject: Re: encryption madness
>>>
>>>> FOR THE ARCHIVES...
>>>>
>>>> Ok, Windoze 2k Server with IIS and WC4.5 you only need one [url] when writing to the dbase and it seems to work just fine in the orderfile.
>>>> HOWEVER... in this case the orderfile is not being processed by WebMerchant.
>>>>
>>>> Solution based on about 10 tests at this point.
>>>
>>> I use
>>> [URL][URL][Encrypt Seed=abc123][Stuff][/Encrypt][/URL][/URL]
>>> and
>>> [Decrypt Seed=abc123][UnURL][Stuff][/UnURL][/Decrypt]
>>>
>>> This works on Mac Classic and OS X. It may differ on a Windoze box.
>>>
>>> Experiment.
>>>
>>> A lot.
>>>
>>> A 99.99% success rate indicates that something is wrong.
>>>
>>> Glenn
>>>
>>> -------------------------------------------------------------
>>> This message is sent to you because you are subscribed to
>>> the mailing list .
>>> To unsubscribe, E-mail to:
>>> To switch to the DIGEST mode, E-mail to
>>>
>>> Web Archive of this list is at: http://webdna.smithmicro.com/

--
Brian Fries, BrainScan Software
http://www.brainscansoftware.com
--

Associated Messages, from the most recent to the oldest:

    
  1. Re: encryption madness ( Thierry Almy 2004)
  2. Re: encryption madness ( "Scott Anderson" 2004)
  3. Re: encryption madness ( Thierry Almy 2004)
  4. Re: encryption madness ( Squaredancer@t-online.de (Squaredancer) 2004)
  5. encryption madness ( Thierry Almy 2004)
  6. Re: encryption madness (John Hill 2003)
  7. Re: encryption madness (Kimberly D. Walls 2003)
  8. Re: encryption madness (Brian Fries 2003)
  9. Re: encryption madness (Kenneth Grome 2003)
  10. Re: encryption madness (John Hill 2003)
  11. Re: encryption madness (Kimberly D. Walls 2003)
  12. Re: encryption madness (Kenneth Grome 2003)
  13. Re: encryption madness (Kimberly D. Walls 2003)
  14. Re: encryption madness (Kimberly D. Walls 2003)
  15. Re: encryption madness (Kimberly D. Walls 2003)
  16. Re: encryption madness (Stuart Tremain 2003)
  17. Re: encryption madness (Brian Fries 2003)
  18. Re: encryption madness (Kenneth Grome 2003)
  19. Re: encryption madness (Stuart Tremain 2003)
  20. Re: encryption madness (Kenneth Grome 2003)
  21. Re: encryption madness (Donovan 2003)
  22. Re: encryption madness (Glenn Busbin 2003)
  23. Re: encryption madness (Andrew Simpson 2003)
  24. Re: encryption madness (Stuart Tremain 2003)
  25. Re: encryption madness (Tim Robinson 2003)
  26. Re: encryption madness (Andrew Simpson 2003)
  27. Re: encryption madness (Kimberly D. Walls 2003)
  28. Re: encryption madness (Glenn Busbin 2003)
  29. Re: encryption madness (Stuart Tremain 2003)
  30. Re: encryption madness (Rob Marquardt 2003)
  31. Re: encryption madness (Kimberly D. Walls 2003)
  32. Re: encryption madness (Kimberly D. Walls 2003)
  33. Re: encryption madness (Glenn Busbin 2003)
  34. Re: encryption madness (Bob Minor 2003)
  35. encryption madness (Kimberly D. Walls 2003)
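
The encoding layers in Brian Fries's message, modelled in Python as an added example (not code from the thread or from WebDNA), together with a random-input loop of the kind Andrew Simpson proposes. Assumptions: `url`/`unurl` are plain percent-encoding, the "implied UNURL" is applied once when a value is written, and `toy_crypt` is a stand-in that only produces arbitrary bytes; all function names are hypothetical.

```python
import hashlib
import random
from urllib.parse import quote_from_bytes, unquote_to_bytes

SEED = b"ABC123"  # same seed value the post uses

def url(b: bytes) -> bytes:
    """Model of [url]: percent-encode every byte outside the unreserved set."""
    return quote_from_bytes(b, safe="").encode("ascii")

def unurl(b: bytes) -> bytes:
    """Model of [unurl], and of the implied UNURL applied to context parameters."""
    return unquote_to_bytes(b)

def toy_crypt(seed: bytes, data: bytes) -> bytes:
    """Stand-in cipher: XOR with a SHA-256 keystream. Assumption: NOT WebDNA's
    algorithm and not secure; it only yields arbitrary bytes. Self-inverse."""
    stream, block = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(seed + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(d ^ k for d, k in zip(data, stream))

def round_trip(seed: bytes, data: bytes, double_url_on_write: bool) -> bytes:
    t_en = url(toy_crypt(seed, data))          # tEn: URL once, outside encrypt
    param = url(t_en) if double_url_on_write else t_en
    stored = unurl(param)                      # implied UNURL when the field is written
    return toy_crypt(seed, unurl(stored))      # decrypt with UNURL inside

def count_failures(trials: int, size: int, double_url_on_write: bool) -> int:
    """Round-trip random data under random seeds and count mismatches."""
    rng = random.Random(2003)                  # fixed so runs are repeatable
    bad = 0
    for _ in range(trials):
        seed = rng.getrandbits(48).to_bytes(6, "big")
        data = rng.getrandbits(8 * size).to_bytes(size, "big")
        bad += round_trip(seed, data, double_url_on_write) != data
    return bad

# Constructed case: a plaintext whose ciphertext is exactly b"ab%41cd".
TRICKY = toy_crypt(SEED, b"ab%41cd")

if __name__ == "__main__":
    print("double URL on write:", count_failures(5000, 256, True), "failures")
    print("single URL on write:", count_failures(5000, 256, False), "failures")
    print("tricky value survives single URL:", round_trip(SEED, TRICKY, False) == TRICKY)
```

In this model a single URL on write stores the raw ciphertext, so the later UNURL consumes any ciphertext bytes that happen to look like a `%XX` escape. That failure is data-dependent, which is why a mostly-passing test run proves little.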