Inserting and updating a new record in multiple tables joined by a foreign key?

Hi JonL, no, not production, just trying to work out the process before I get there. In the database itself the password is sha256 salted by a random string.

That is not very secure either :slight_smile:
Better to use Argon. It was implemented recently.

Hi @JonL, sorry but I have no idea what that is or how to use it. Is there a tutorial?

Yep.

Thanks! Once I get the other bits to work I will look at swapping it out.

Hi Teodor, I am completely stumped!

It appears that the server action is not showing any of the data. I've been trying for days and nothing :sob:

I can see that one session variable I added is being picked up ("YES") and I have simplified the condition to make sure that it's not the way it is pulling the parameters; it would show the session variable as YES unless the condition was passed.

What on earth am I doing wrong here?

Hi @Teodor, I think I found the issue, or why it was not doing what it was supposed to do.

In the setup provided above I did not have anything on the "blank page"; however, I put the 'hashok: "Yes"' session value on this page and everything started to work.

I added the input parameters in the page Server Connect like this:

And it worked.

Is this the step I was missing from the process?

Sorry, I am not sure I understand what you put where that fixed the issue :slight_smile:
Also, from your last couple of posts I don't really understand what you are doing and which session variables you are referring to…

Also, you are using GET variables in your conditions? I have really lost your whole idea for this server action here.

Thanks @Teodor

Basically it's working now (two days of frustration), and I think I have figured out why. I have also been able to update the database, which was my original objective.

After trying what must have been hundreds of combinations, I think I figured out when to use a Set Value and where to use a Session Value, and what can be used from within a repeat and what can't without exposing sensitive data.

I was basically doing a variation on what was described here:

but after following the process it did not work, so I was trying to fix it and include a database update in the process, which I have now done successfully.

Hi @JonL, I updated the password encryption to Argon and it works, but my automated processes don't seem to.

So I had an email address check condition which uses {{email.sha256(password == $GET.hash)}}, but this no longer appears to work. So I assume the encryption method won't let me do this anymore?

You need to use the verify hash method inside the crypto formatters.

Thanks @JonL, that's a bit foreign to me at this stage. Is this different to the hash method checkbox on the Security Manager? It sounds like inside the hash method there is an additional setting I should be using?

Are you able to point me in the right direction?

Sure.

And some literature about the formatter (PHP method).

https://www.php.net/manual/en/function.password-verify.php

You can learn how to do this here:

Also, I don't know what your intentions are with that. It seems you are trying to hash the email value using a TRUE/FALSE value as a string salt. Weird stuff if you ask me :smiley:

It is in one of the tutorials on how to create a verifiable hash, such as for a password reset, so I was following this process.

The condition being: if the email, sha256 hashed and salted with the password, equals the ?hash, then do x.

It’s in a Wappler tutorial.

Ah the link is very useful, thanks.

So much to learn. But I've given myself 12 months to get there :scream:

Thanks @Teodor, I got that to work!

Are you referring to this?

That's adding the user password as salt, which creates a bit of entropy, as passwords tend to be different, although not as much as one would think. You could use a dictionary of passwords to test salts.

But in your example you are actually comparing two values, which will return TRUE or FALSE, and using that as a salt.

{{email.sha256(password == $GET.hash)}}

So in PHP you are doing something similar to:

hash('sha256', (1 == 0)."johndoe@mail.com");
or
hash('sha256', (1 == 1)."johndoe@mail.com");

Which will return only two possible hashes for the string johndoe@mail.com:

e2f8f4e178bed5f1aa77e3e0f8caa1b541fada114ebf878e8d0b324c43e65ddf

or

730835d3ddafd8eba385f64d5172a8182bfd6c587174eedebdf435a64fd63113

Which defeats the purpose of salting a hash.

Reset links should be protected as much as a password. If I manage to decipher how you are building them, you might as well store passwords in plain text in the database :slight_smile:

And as I always mention, take into account that Wappler tutorials are just examples of how to build things. They usually take the simple route so they are newbie friendly, and they intend them that way. But you need to do your due diligence when it comes to securing the app.
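The two points above (a TRUE/FALSE "salt" collapsing to two possible digests, and a reset link that deserves password-grade protection and a verify-hash check on the way back in) as an added, stand-alone Python example. This is not code from the thread, from Wappler, or from any tutorial; it mirrors the PHP `hash('sha256', (1 == 1)."johndoe@mail.com")` lines (PHP turns `true` into `"1"` and `false` into `""` when concatenated) and then shows the general pattern of issuing a random reset token, storing only its hash, and verifying it with a constant-time comparison and an expiry. The email address, the 15-minute lifetime and the record layout are constructed for the example.

```python
"""Added example (not from the Wappler thread): why a boolean "salt" yields
only two hashes, and how a reset token is issued and verified like a password.
Standard library only."""
import hashlib
import hmac
import secrets
import time

EMAIL = "johndoe@mail.com"       # constructed sample value, as in the thread
TOKEN_TTL_SECONDS = 15 * 60      # assumed lifetime for a reset link


def boolean_salt_hash(email, password_matches):
    """Mirror of PHP's hash('sha256', (1 == 1)."johndoe@mail.com").
    PHP concatenates true as "1" and false as "", so the "salt" carries
    exactly one bit of information."""
    salt = "1" if password_matches else ""
    return hashlib.sha256((salt + email).encode()).hexdigest()


def distinct_digests(email, trials):
    """Run the comparison `trials` times with a random outcome each time and
    count the distinct digests produced: never more than two."""
    outcomes = [secrets.choice([True, False]) for _ in range(trials)]
    return len({boolean_salt_hash(email, o) for o in outcomes})


def issue_reset_token(now=None):
    """Return (token_for_link, record_to_store).

    The link carries a 256-bit random token; the database keeps only its
    SHA-256 so a leaked row cannot be replayed as a working link. A fast
    hash is adequate here because the token is unguessable; low-entropy
    secrets such as passwords belong under Argon2/password_hash instead."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    record = {
        "token_hash": hashlib.sha256(token.encode()).hexdigest(),
        "expires_at": now + TOKEN_TTL_SECONDS,
    }
    return token, record


def verify_reset_token(presented, record, now=None):
    """Counterpart of password_verify for the value arriving in ?hash=:
    reject expired tokens, hash what was presented, compare in constant time."""
    now = time.time() if now is None else now
    if now > record["expires_at"]:
        return False
    digest = hashlib.sha256(presented.encode()).hexdigest()
    return hmac.compare_digest(digest, record["token_hash"])


if __name__ == "__main__":
    print("distinct digests over 1000 comparisons:", distinct_digests(EMAIL, 1000))
    token, record = issue_reset_token()
    print("token in link :", token)
    print("stored record :", record)
    print("valid token   :", verify_reset_token(token, record))
    print("tampered token:", verify_reset_token(token + "x", record))
```

Running the first part shows that no matter how many users or password comparisons feed the expression, the output space is two values, which is why JonL says it defeats the purpose of a salt. The second part is the shape of the "verify hash" step: the server never compares the raw link value against a stored secret, it hashes the presented token and compares digests in constant time, and the record carries an expiry so an old link stops working.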

@JonL So what I understand you are saying about hashes and passwords is that a hash should be compared to the password to verify it matches?

I am still a little lost here!

How in Wappler do you create a hash that can be then added to the link and then when you GET that hash from the ?hash= how in Wappler do you validate the hash?

I am sure there are lots who would benefit from knowing how this should be done properly!

Many Thanks!!