{$jConfig_secret} placeholder

davboh

New Member
Hi there, it seems the {$jConfig_secret} placeholder is not replaced within the calc and databasejoin (concat label) elements.
I use one of the latest releases of the code (GitHub).
Can anyone have a look, please?

Thanks
 
For security reasons, Fabrik doesn't replace all params by default (maybe the WIKI needs an update).

"...which we only want to use for strictly internal use that won't ever get shown to the user..."
 
Define "get"?

If you are trying to read it directly from the database yourself ...

Code:
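// Read the site secret from the Joomla configuration
$config = JFactory::getConfig();
$secret = $config->get('secret');
$db = JFactory::getDbo();
$query = $db->getQuery(true);
// Decrypt inside MySQL; the secret is passed as a quoted string literal
$query->select('AES_DECRYPT(encrypted_field, ' . $db->quote($secret) . ')')
   ->from('mytable')
   ->where('something = ' . $db->quote('whatever'));
$db->setQuery($query);
// loadResult() returns the first column of the first row, i.e. the decrypted value
$decryptedField = $db->loadResult();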

Obviously replace most of that query with your own. It's just the AES_DECRYPT() part which is relevant.

But yes, there are certain placeholders we only use when running "trusted" code (our own), and not when running user supplied code.

-- hugh
 
The code you provided is good for the calc element but not usable in the databasejoin concat label option. Do you have a solution for that?

By "get" I meant get the records from the db.
 
Have a look at the Advanced/"Eval options".

Or maybe using a dropdown element with Advanced/"Eval populate" would be an option.
 
Unless I can use AES_DECRYPT in PHP, I cannot see how to use Advanced/"Eval options", because the function comes from MySQL and not PHP.
 
I'll look at enabling the "unsafe" placeholders in the CONCAT label option.

When I initially added that feature, I erred on the side of safety to make sure the secret never got accidentally exposed, and only enabled 'unsafe' in a few places. I'm gradually adding it to more places, as we find the need.

Watch this >>> <<< space.

-- hugh
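
A sketch of the trusted/untrusted placeholder split described in the post above, as an added example (not Fabrik's code and not part of the thread). The function name, its parameters and the sample values are hypothetical, and `addslashes` is only a stand-in for the database driver's quoting.

```php
<?php
// Added illustration, not Fabrik source. All names here are hypothetical.

/**
 * Expand {$name} placeholders in $text.
 *
 * $safe      values that may appear in any context
 * $sensitive values (e.g. the site secret) expanded only when $trusted is true
 * $escape    applied to every substituted value, e.g. SQL quoting
 */
function expandPlaceholders(
    string $text,
    array $safe,
    array $sensitive,
    bool $trusted = false,
    ?callable $escape = null
): string {
    // Sensitive keys only join the lookup table for trusted callers.
    $values = $trusted ? $sensitive + $safe : $safe;

    return preg_replace_callback(
        '/\{\$(\w+)\}/',
        static function (array $m) use ($values, $escape): string {
            if (!array_key_exists($m[1], $values)) {
                return $m[0]; // unknown or withheld: leave the token as-is
            }
            $value = (string) $values[$m[1]];
            return $escape ? $escape($value) : $value;
        },
        $text
    );
}

// Constructed sample data.
$safe      = ['my_username' => 'davboh'];
$sensitive = ['jConfig_secret' => 'constructed-secret-value'];
$sqlQuote  = static fn(string $v): string => "'" . addslashes($v) . "'"; // stand-in for $db->quote()

$label = 'AES_DECRYPT(encrypted_field, {$jConfig_secret})';

// User-supplied context: the token stays unexpanded, so the secret cannot leak.
echo expandPlaceholders($label, $safe, $sensitive), PHP_EOL;

// Site-owned query fragment: expanded and quoted before it reaches SQL.
echo expandPlaceholders($label, $safe, $sensitive, true, $sqlQuote), PHP_EOL;
```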
 