Re: encryption madness

This WebDNA talk-list message is from 2003. It keeps the original formatting.
numero = 47121
interpreted = N
Associated Messages, from the most recent to the oldest:

    
  1. Re: encryption madness (Thierry Almy 2004)
  2. Re: encryption madness (Scott Anderson 2004)
  3. Re: encryption madness (Thierry Almy 2004)
  4. Re: encryption madness (Squaredancer@t-online.de (Squaredancer) 2004)
  5. encryption madness (Thierry Almy 2004)
  6. Re: encryption madness (John Hill 2003)
  7. Re: encryption madness (Kimberly D. Walls 2003)
  8. Re: encryption madness (Brian Fries 2003)
  9. Re: encryption madness (Kenneth Grome 2003)
  10. Re: encryption madness (John Hill 2003)
  11. Re: encryption madness (Kimberly D. Walls 2003)
  12. Re: encryption madness (Kenneth Grome 2003)
  13. Re: encryption madness (Kimberly D. Walls 2003)
  14. Re: encryption madness (Kimberly D. Walls 2003)
  15. Re: encryption madness (Kimberly D. Walls 2003)
  16. Re: encryption madness (Stuart Tremain 2003)
  17. Re: encryption madness (Brian Fries 2003)
  18. Re: encryption madness (Kenneth Grome 2003)
  19. Re: encryption madness (Stuart Tremain 2003)
  20. Re: encryption madness (Kenneth Grome 2003)
  21. Re: encryption madness (Donovan 2003)
  22. Re: encryption madness (Glenn Busbin 2003)
  23. Re: encryption madness (Andrew Simpson 2003)
  24. Re: encryption madness (Stuart Tremain 2003)
  25. Re: encryption madness (Tim Robinson 2003)
  26. Re: encryption madness (Andrew Simpson 2003)
  27. Re: encryption madness (Kimberly D. Walls 2003)
  28. Re: encryption madness (Glenn Busbin 2003)
  29. Re: encryption madness (Stuart Tremain 2003)
  30. Re: encryption madness (Rob Marquardt 2003)
  31. Re: encryption madness (Kimberly D. Walls 2003)
  32. Re: encryption madness (Kimberly D. Walls 2003)
  33. Re: encryption madness (Glenn Busbin 2003)
  34. Re: encryption madness (Bob Minor 2003)
  35. encryption madness (Kimberly D. Walls 2003)
Brian

Great explanation :)

On Thursday, January 23, 2003, at 12:23 PM, Brian Fries wrote:

> In my experience, there is no problem with the encrypt/decrypt
> contexts themselves, only confusion regarding how to properly apply
> them in conjunction with URL / UNURL. Here's some sample code:
>
> [text]tIn=bob!@#$%^&*()_-+=[{]}\|:;',<.>?/`~éåaî[/text]
> [text]tEn=[url][encrypt seed=ABC123][tIn][/encrypt][/url][/text]
> [text]tDe=[decrypt seed=ABC123][unurl][tEn][/unurl][/decrypt][/text]
> [tIn]
> [tEn]
> [tDe]
> [if [url][tIn][/url]=[url][tDe][/url]][then]Good[/then][else]Bad[/else][/if]
>
> Feel free to try any value you want to as the tIn value. Regardless
> of what you feed it, it should spit out the original value, the URL'ed
> encrypted value, the decrypted value, and the word Good. If you get
> the word Bad instead, then something is wrong with WebDNA. All my
> tests work fine (4.5.0 / OSX).
>
> The only time that a double-URL is required is when you are writing
> the data out - to a db, an order file, a cookie, whatever - and it is
> needed because you want to actually store %20 for spaces, along with
> the URL escape sequences for the more dangerous characters like
> returns, ampersands, tabs, control characters and high-ASCII
> characters.
>
> WebDNA always performs an implied UNURL on the parameters you pass in
> to its contexts, then works with the resulting data. By performing the
> second URL, you are converting %20 to %2520 - that is, the % in the
> %20 is converted to %25 - so that the implied UNURL will result in the
> %20 that you want to write.
>
> So, general rules of encryption that I follow are...
>
> Encrypt into a text variable - URL once, outside the ENCRYPT context:
>
> [text]tEn=[url][encrypt seed=ABC123]the data[/encrypt][/url][/text]
>
> Writing the encrypted value to a DB - URL the already once-URL'ed
> value so it gets written out URL'ed:
>
> [append ...]encField=[url][tEn][/url][/append]
>
> The same as above applies to SETCOOKIE or storing in an order file...
>
> Decrypting a once-URL'ed encrypted value - which includes the text
> variable I created, or any value retrieved from a DB, COOKIE or ORDER
> FILE - use UNURL INSIDE the DECRYPT:
>
> [text]tDe=[decrypt seed=ABC123][unurl][encField][/unurl][/decrypt][/text]
>
> At this point, [tDe] contains exactly the same data that was
> originally passed in to the ENCRYPT.
>
> - brian
>
> On Wednesday, January 22, 2003, at 02:56 PM, Andrew Simpson wrote:
>
>> Yes. 99.9% accuracy isn't really good enough when dealing with
>> somebody else's money.
>>
>> It wouldn't take too long to write a script that tested
>> encrypt/decrypt in an endless loop with random seeds to see if there
>> are any inconsistencies. But I agree, this should have already been
>> done by SMSI and documented...
>>
>> It's an important part of an ecommerce engine for people to be able
>> to pay for products securely...
>>
>> ----- Original Message -----
>> From: Tim Robinson
>> To: WebCatalog Talk
>> Sent: Thursday, January 23, 2003 11:46 AM
>> Subject: Re: encryption madness
>>
>>> Maybe it's stating the bleedingly obvious, but shouldn't it be up to
>>> SmithMicro to fix it?!?! There shouldn't be disagreements and endless
>>> testing to see if one [url] or two does the job. You should just be
>>> able to use [encrypt] to encrypt it, and [decrypt] to decrypt it....
>>> and that should work. You know it makes sense! ;-)
>>>
>>> Regards,
>>> Tim
>>> --
>>> Tim Robinson
>>> IDFK Web Developments
>>> tim@idfk.com.au
>>> 114a/40 Yeo Street
>>> Neutral Bay 2089
>>> Australia
>>> Phone +612 9908 2134
>>> Fax +612 9908 4837
>>>
>>>> From: Glenn Busbin
>>>> Reply-To: (WebCatalog Talk)
>>>> Date: Wed, 22 Jan 2003 17:42:12
>>>> To: (WebCatalog Talk)
>>>> Subject: Re: encryption madness
>>>>
>>>>> FOR THE ARCHIVES...
>>>>>
>>>>> Ok, Windoze 2k Server with IIS and WC4.5 you only need one [url]
>>>>> when writing to the dbase and it seems to work just fine in the
>>>>> orderfile. HOWEVER... in this case the orderfile is not being
>>>>> processed by WebMerchant.
>>>>>
>>>>> Solution based on about 10 tests at this point.
>>>>
>>>> I use
>>>> [URL][URL][Encrypt Seed=abc123][Stuff][/Encrypt][/URL][/URL]
>>>> and
>>>> [Decrypt Seed=abc123][UnURL][Stuff][/UnURL][/Decrypt]
>>>>
>>>> This works on Mac Classic and OS X. It may differ on a Windoze box.
>>>>
>>>> Experiment.
>>>>
>>>> A lot.
>>>>
>>>> A 99.99% success rate indicates that something is wrong.
>>>>
>>>> Glenn
>>>>
>>>> -------------------------------------------------------------
>>>> This message is sent to you because you are subscribed to
>>>> the mailing list .
>>>> To unsubscribe, E-mail to:
>>>> To switch to the DIGEST mode, E-mail to
>>>>
>>>> Web Archive of this list is at: http://webdna.smithmicro.com/
>
> -- Brian Fries, BrainScan Software --
> http://www.brainscansoftware.com --

Regards

Stuart Tremain
idfk web developments
114a/40 yeo street
neutral bay 2089
australia
t +612 9908 2134
f +612 9908 4837
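An added example, not part of the original thread and not WebDNA code: a Python model of the URL / UNURL rules quoted above, run as the random-seed round-trip test Andrew Simpson suggests. Assumptions: toy_cipher is a stand-in XOR keystream rather than WebDNA's ENCRYPT algorithm, the implied UNURL is applied at the write step only, and the stored record is tab/return-delimited text (append_and_read and all other names are hypothetical).

```python
import hashlib
import random
from urllib.parse import quote_from_bytes, unquote_to_bytes

def url(data: bytes) -> bytes:
    """Model of [url]: percent-escape every byte that is not unreserved."""
    return quote_from_bytes(data, safe="").encode("ascii")

def unurl(data: bytes) -> bytes:
    """Model of [unurl], and of the implied UNURL applied to parameters."""
    return unquote_to_bytes(data)

def toy_cipher(seed: bytes, data: bytes) -> bytes:
    """Stand-in for [encrypt]/[decrypt], NOT WebDNA's algorithm: XOR keystream."""
    stream = b""
    while len(stream) < len(data):
        stream += hashlib.sha256(seed + len(stream).to_bytes(4, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def append_and_read(param: bytes) -> bytes:
    """Assumed storage: implied UNURL on write, then a tab/return-delimited
    text record, so a raw delimiter byte cuts the field short on read."""
    written = unurl(param)
    for i, byte in enumerate(written):
        if byte in b"\t\r\n":
            return written[:i]
    return written

def round_trip(seed: bytes, plain: bytes, urls_on_write: int) -> bytes:
    t_en = url(toy_cipher(seed, plain))                # URL once, outside ENCRYPT
    param = url(t_en) if urls_on_write == 2 else t_en  # second URL only on write
    enc_field = append_and_read(param)
    return toy_cipher(seed, unurl(enc_field))          # UNURL inside DECRYPT

def fuzz(trials: int = 500, rng_seed: int = 2003) -> dict:
    """Random seeds and plaintexts (constructed input); count failed round trips."""
    rng = random.Random(rng_seed)
    failures = {1: 0, 2: 0}
    for _ in range(trials):
        seed = bytes(rng.getrandbits(8) for _ in range(6))
        plain = bytes(rng.getrandbits(8) for _ in range(rng.randint(8, 40)))
        for urls_on_write in (1, 2):
            if round_trip(seed, plain, urls_on_write) != plain:
                failures[urls_on_write] += 1
    return failures

if __name__ == "__main__":
    print(url(url(b" ")), fuzz())
```

In this model the single-URL write fails only when the ciphertext happens to contain a delimiter or a stray percent sequence, which is one way an intermittent success rate like the one discussed in the thread can arise.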
