
I have a form in a .cfm page that uses jQuery to validate the form and pass the values on to a ColdFusion cfc via .ajax. That all works. The following is my component code stripped down to show just the pertinent issue.

<cfcomponent displayName="2014 Registration">
 <!--- A fresh key is generated every time the component is instantiated --->
 <cfset this.encryptionKey = generateSecretKey('AES') />

 <cffunction name="confregistration" output="false" access="remote" returnType="string">
  <cfargument name="cc" required="true" type="string" />
  <cfargument name="cvv" required="true" type="string" />

  <!--- encrypt() called with only a string and a key uses the CFMX_COMPAT algorithm and UU encoding --->
  <cfquery datasource="#application.datasource#">
   INSERT INTO table_name (cc, cvv)
   VALUES (<cfqueryparam cfsqltype="cf_sql_varchar" value="#encrypt(arguments.cc, this.encryptionKey)#" />,
           <cfqueryparam cfsqltype="cf_sql_varchar" value="#encrypt(arguments.cvv, this.encryptionKey)#" />)
  </cfquery>

  <!--- Pound signs are not needed around expressions inside cfset or cfreturn --->
  <cfset message = 'Thank you ' & encrypt(arguments.cc, this.encryptionKey) />
  <cfreturn message />
 </cffunction>
</cfcomponent>

This makes the insert fail completely. In testing, if I remove the encryption line the query does its job and posts to the db. If I also remove the query but return a message containing just: encrypt(arguments.cc, THIS.encryptionKey) I can see the encrypted string.

I'm new to ColdFusion but have been using it for several months. I've found some quirks with variables and using the #'s around variables. They are required in some cases but not in others? My form works and the component function passes the arguments.cc value if it is not encrypted. So I'm close but there seems to be some weirdness going on. Any hints as to what might cause the cfparam with the encrypted value to fail?

Matt Busche
TheRanch
  • Are you sure that it isn't an error in the database, maybe the field is too short? Can you post the error from your application log? – Brian Hoover Apr 17 '14 at 13:06
  • Good question @Brian Hoover. I'm developing using Brackets with a ColdFusion extension. I have ColdFusion 10 running on my local machine so...where should I look for this application log? – TheRanch Apr 17 '14 at 13:13
  • you can also wrap your query in a `` tag and dump out the error. – Matt Busche Apr 17 '14 at 13:14
  • No luck with a try and catch. Still fails. – TheRanch Apr 17 '14 at 13:27
  • I'm not familiar with Brackets, but you should have access to the Cold Fusion admin web page. If so, you can access the application log from there. – Brian Hoover Apr 17 '14 at 13:27
  • _"table_name(cc,cvv)"_ - **you must not store cvv numbers!** – Peter Boughton Apr 17 '14 at 13:40
  • If "fails" means that an error was thrown, does an error message not display on your screen? – Dan Bracuk Apr 17 '14 at 13:49
  • OK...weirdness. I don't see any error messages and now my form is working with encrypted cc info on my local db but on the live site it still fails. – TheRanch Apr 17 '14 at 14:00
  • @DanBracuk No errors on the screen. I'm using Brackets (open source Adobe software) to develop. – TheRanch Apr 17 '14 at 14:03
  • Put a `` around the query and use `` to log the message. `` – haxtbh Apr 17 '14 at 14:06
  • You should not be storing CC or CVV information in your DB, especially when it is not hashed ('encrypted' data is meant to be 'decrypted', hashing is one way). That is a HUGE mistake and opens up your company/client to liability issues. – Scott Stroz Apr 17 '14 at 14:13
  • You will have a PCI compliance nightmare and be liable to heavy fines. – haxtbh Apr 17 '14 at 14:22
  • My local application log file has stopped logging messages for an hour now. @haxtbh I understand the PCI compliance issue. We're not going to store this info I'm testing with. – TheRanch Apr 17 '14 at 14:43
  • Do you get the same result if you specify encoding and algorithm? I.e. `#encrypt(arguments.cc, THIS.encryptionKey, "AES", "Base64")#` – haxtbh Apr 17 '14 at 14:54
  • The one thing missing in your answer is the actual message thrown. I'm going to guess (wildly) that your column in the DB is just long enough for the CC and / or the CVV, but when encrypted they are longer throwing a data truncation error. Tell me the length of the columns in the DB and the length of the encrypted strings vs the non-encrypted strings. – Mark A Kruger Apr 17 '14 at 16:26
  • @MarkAKruger Someone suggested checking the length of the col in the db and I set it to the length of the encrypted string which was 40 I believe for the cc. – TheRanch Apr 17 '14 at 17:36
  • @haxtbh when I tack 'AES', 'Base64' into it it fails. – TheRanch Apr 17 '14 at 17:39
  • Create a query in your query tool and paste the encrypted string into it and try a manual insert without CF in the mix. let's see what the DB tells us is wrong. – Mark A Kruger Apr 17 '14 at 19:21
  • @MarkAKruger When I try the following in my local db I get no errors. INSERT INTO tablename(User_cc) values(0#ZG*W<7;Q>[OA2[#Y<3]_) – TheRanch Apr 17 '14 at 19:39
  • @MarkAKruger When I try the following in my local db I get an error. INSERT INTO tablename(user_cc,FirstName,LastName) values(0#ZG*W<7;Q>[OA2[#Y<3]_,JOhn, Smith); Error: #1064 - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 2 – TheRanch Apr 17 '14 at 19:48
  • *RE: When I try the following in my local db I get no errors* That is unlikely. String literals must be enclosed in single quotes... *RE:We're not going to store this info I'm testing with* Hope not. Just my $0.02 .. unless you are extremely familiar with encryption, the requirements, regulations and liabilities *you assume* when storing personal information like CC's, you should not store it. It is not worth it. – Leigh Apr 17 '14 at 20:44
  • Ditto Leigh's statement. Make sure you understand your liability. Meanwhile your values should be values ('0#ZG*W<7;Q>[OA2[#Y<3]_','John','Smith') ... it has to have single ticks although some MySQL installs allow for double quotes. That would give you a different error. >> Also since you are using MySQL make sure that the table names are correct for case. (CC is not the same as cc). It's possible that your local install of mysql is case _in_sensitive while your prod install is case sensitive. – Mark A Kruger Apr 17 '14 at 20:59
  • We wound up using a stored procedure to handle my issue. I wound up with a cfc with a cfquery that called the stored proc. One problem was I have CF10 server on my local machine and the live server is CF8. – TheRanch Apr 18 '14 at 20:47
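As an added example (not the asker's code or any commenter's), this is the component rewritten the way the comment thread suggests: a key that persists across requests instead of one regenerated per instantiation, explicit AES/Base64 so the ciphertext contains only Base64 characters, a length check against the column before the insert, a cftry/cfcatch that writes the driver's real error to a log, and no CVV column at all. It assumes a key stored once in `application.ccKey` (for instance from Application.cfc) and a 255-character `cc` column; both are assumptions.

```cfml
<!--- Added example, not the asker's original component.
      Assumes application.ccKey is set once per application and that
      table_name.cc is VARCHAR(255); both values are assumptions. --->
<cfcomponent displayName="2014 Registration (logged, length-checked)">

 <!--- A remote CFC is instantiated on every call, so calling generateSecretKey()
       here would produce a new key each request and nothing stored earlier could
       ever be decrypted. The key therefore lives in the application scope. --->
 <cfset variables.columnSize = 255 />

 <cffunction name="confregistration" output="false" access="remote" returnType="string">
  <!--- Only the card number is accepted; the CVV is deliberately not stored --->
  <cfargument name="cc" required="true" type="string" />

  <cfset var cipherText = "" />
  <cfset var message = "" />

  <!--- Explicit algorithm and encoding. Base64 output uses only A-Z a-z 0-9 + / =,
        whereas the default UU encoding emits characters such as # < > [ ] --->
  <cfset cipherText = encrypt(arguments.cc, application.ccKey, "AES", "Base64") />

  <!--- Catch the truncation case before the database does --->
  <cfif len(cipherText) GT variables.columnSize>
   <cfthrow type="Registration.Truncation"
            message="Ciphertext length #len(cipherText)# exceeds column size #variables.columnSize#" />
  </cfif>

  <cftry>
   <cfquery datasource="#application.datasource#">
    INSERT INTO table_name (cc)
    VALUES (<cfqueryparam cfsqltype="cf_sql_varchar" value="#cipherText#" />)
   </cfquery>
   <cfset message = "Thank you" />

   <cfcatch type="database">
    <!--- Log the driver message and SQL so the failure is visible even when
          the page shows no error; registration.log appears in the CF log directory --->
    <cflog file="registration" type="error"
           text="INSERT failed: #cfcatch.message# | #cfcatch.detail# | SQL: #cfcatch.sql#" />
    <cfset message = "Registration could not be saved" />
   </cfcatch>
  </cftry>

  <cfreturn message />
 </cffunction>
</cfcomponent>
```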
