
Because of the huge help from 3dgoo here (Store Sensitive Data in Silverstripe), I was able to create this DataObject to store ClientPasswords -> http://www.sspaste.com/paste/show/5257a5ccdf990

The problem is, after creating the fields with getCMSFields, the de- and encryption doesn't work anymore and the password is stored as plaintext in the database :/

Can someone help me to fix it? Where is the bug?

invictus

1 Answer

I can't spot a bug per se there as you have none, if you don't call an ideological one that.

You aren't actually rewriting the password anywhere to the hashed version when you use the text field.

This relates the actual field to the db element:

new TextField('Password', _t('Dict.PASSWORD', 'Password'))

So you aren't catching the write or read to feature the crypting or decrypting.

One way to make it work is to bind the text field to a custom getter/setter that is not the db relation directly, and then on get and set use the actual db field.

The sample for that is:

1) add the field this way

$fields->addFieldToTab("Root.Main", new TextField('CusotomgetterSetter', "Set the password"));

2) create the setters to the class:

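// Called when the form writes the 'CusotomgetterSetter' field: encrypts the value into the Password column.
public function setCusotomgetterSetter($value){
    // Create a per-record salt on first write; key and IV are both derived from it.
    if(!$this->Salt){
        $this->Salt = uniqid(mt_rand());
    }
    $test = base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, md5($this->Salt), $value, MCRYPT_MODE_CBC, md5(md5($this->Salt))));
    $this->Password = $test;
}

// Called when the form reads the field: decrypts the Password column and strips mcrypt's zero padding.
public function getCusotomgetterSetter(){
    return rtrim(mcrypt_decrypt(MCRYPT_RIJNDAEL_256, md5($this->Salt), base64_decode($this->Password), MCRYPT_MODE_CBC, md5(md5($this->Salt))), "\0");
}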

3) add new salt field to the db, remember to run /dev/build

static $db = array (
    'Type' => 'Text', 
    'Username' => 'Text', 
    'Password' => 'Text',
    'URL' => 'Text',
    'Webadmin' => 'Text',
    'Editable' => 'Text',
    'Salt' => 'Text'
);

I amended the get and set fields to use the salt created here, not the one found in the member, as there is a possibility that at that point we don't actually know the member relation, so $this->Member() might be null.

A "working" sample http://www.sspaste.com/paste/show/5257f7743cf0b

Olli Tyynelä
  • I tried it like this, but the result is an empty field ` public function onBeforeWrite() { $this->Password=rtrim(mcrypt_decrypt(MCRYPT_RIJNDAEL_256, md5($this->Member()->Salt), base64_decode($this->Password), MCRYPT_MODE_CBC, md5(md5($this->Member()->Salt))), "\0"); parent::onBeforeWrite(); }` – invictus Oct 11 '13 at 09:06
  • You could use onBeforeWrite, but there is a much simpler way; I'll post it as an answer :) – Olli Tyynelä Oct 11 '13 at 11:03
  • Amended the original answer to include a sample. – Olli Tyynelä Oct 11 '13 at 11:10
  • http://www.sspaste.com/paste/show/5257de08cc048 I think I'm doing it wrong :/ I receive an empty field after adding the decryption – invictus Oct 11 '13 at 11:23
  • That is a different thing altogether :) – Olli Tyynelä Oct 11 '13 at 11:26
  • Sorry.. I keep on pressing the enter here: you might want to Debug::log() key values on the logic, for example Debug::log($this->Member()->Salt), does that give out correct values? Also the Debug::log($value) etc. to find the remaining issue. – Olli Tyynelä Oct 11 '13 at 11:27
  • So it's completely wrong? :D Damn :/ http://www.sspaste.com/paste/show/5257df15dc258 What's the right solution? – invictus Oct 11 '13 at 11:28
  • Ah.. you aren't reading what you were typing there :) the bit base64_decode($this->value) .. what is the $this->value? This doesn't have that! Just use $value – Olli Tyynelä Oct 11 '13 at 11:30
  • So amend the base64_decode($this->value) to base64_decode($value). The scope of the $value passed to the function isn't $this->value, that would mean that the object would have it stored.. it's just $value – Olli Tyynelä Oct 11 '13 at 11:32
  • Ah ok. I changed it (here's the whole code http://www.sspaste.com/paste/show/5257e141336f2) but it still doesn't work. Still an empty field. The de- and encrypt function worked until I used getCMSFields to generate the fields. So I think the problem shouldn't be there? But where should I put the debug code and where can I see the output? Or is there another mistake in the code? – invictus Oct 11 '13 at 11:38
  • Can't seem to spot any errors and I need to continue on my work now, so at the moment I leave you with these tips: you should debug what happens in the set function and see whether the correct variables to generate the password are there. First test is of course whether my suggestion works for you: if you amend the function to do $this->Password = $value . "sweet"; does that get stored right? Then you should debug whether the remaining values are available: Debug::log($this->Member()->Salt) etc.. Debug::log writes a line to a log file in the site root.. or should at least. – Olli Tyynelä Oct 11 '13 at 11:52
  • I did notice something weird in your script again.. you are using the decrypt function where you should be using encryption :D. Amending my answer in a moment. Also there's something funky in the member bit that you are doing, so you're probably not getting the required salt right. I'm not going to fix that bit but I'll amend the answer so you will be able to store and view the passwords. – Olli Tyynelä Oct 11 '13 at 12:59
  • Amended the answer to work: my proof of concept is here http://www.sspaste.com/paste/show/5257f7743cf0b – Olli Tyynelä Oct 11 '13 at 13:11
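
The getter/setter binding from the answer above, as an added example that is not part of the original answer or its pastes: the same two methods, but using libsodium's secretbox (authenticated encryption with a fresh random nonce per write) in place of mcrypt, which was removed from PHP core in 7.2. The class `ClientPasswordRecord`, the constructor-supplied key and the sample values are assumptions; in SilverStripe the two methods would sit on the DataObject itself.

```php
<?php
// Added example: stand-alone stand-in for the DataObject; class name and key handling are hypothetical.
final class ClientPasswordRecord
{
    /** Stored column value: base64(nonce || ciphertext with MAC). */
    public $Password = '';
    private $key;

    public function __construct(string $key)
    {
        if (strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
            throw new InvalidArgumentException('key must be 32 bytes');
        }
        $this->key = $key;
    }

    // Bound to the form field instead of the raw 'Password' column.
    public function setCusotomgetterSetter(string $value): void
    {
        // Fresh random nonce on every write, stored next to the ciphertext.
        $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        $box = sodium_crypto_secretbox($value, $nonce, $this->key);
        $this->Password = base64_encode($nonce . $box);
    }

    public function getCusotomgetterSetter(): ?string
    {
        $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
        $raw = base64_decode($this->Password, true);
        if ($raw === false || strlen($raw) < $min) {
            return null; // empty, non-base64 or too-short column value
        }
        $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        $box = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        $plain = sodium_crypto_secretbox_open($box, $nonce, $this->key);
        return $plain === false ? null : $plain; // false: wrong key or tampered value
    }
}

// Constructed demo key; a real key would be loaded from configuration outside the database.
$record = new ClientPasswordRecord(sodium_crypto_secretbox_keygen());
$record->setCusotomgetterSetter('s3cret-demo-value'); // constructed sample value
var_dump($record->Password !== 's3cret-demo-value');  // the column holds ciphertext
var_dump($record->getCusotomgetterSetter() === 's3cret-demo-value'); // round trip through the getter

// A value written straight to the column, as a direct TextField('Password') does,
// is not valid ciphertext, so the getter rejects it instead of returning garbage.
$record->Password = 'typed-in-plaintext';
var_dump($record->getCusotomgetterSetter() === null);
```

Because the key is passed in rather than derived from a value stored in the same row, a copy of the database table alone is not enough to decrypt the stored passwords.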