quicky tip


Mike Schrag

Mar 20, 2007, 11:29:02 PM3/20/07
to wot...@googlegroups.com
OK, that previous post made my head hurt, so here's a quicky tip:

If you use wonder (ERXApplication, etc), you're already using it even
though you might not realize it, but if you've ever used
WOPasswordField, you may have noticed it happily dumps the plain text
of the password into the HTML. Even though you are SSL'd, someone
could view source and potentially see a password they shouldn't
have. ERXWOPasswordField instead replaces the real password with a
stub string ("~@secret@~" or something along those lines). The user
sees the "dots" as if there's a secret password there, but if they
view source, all they see is the bogus string. If the user types in
a new string, you will get the value bound back out to you via the
"value" binding as always, but if they just submit without messing w/
the password, no binding happens (i.e. you don't get the fake stub
value bound back to you). Wonder actually patches this in
automagically for you in place of WOPasswordField, so you get the
added security without doing anything.

Also, if you end up just storing a hash of a password instead of the
actual password, ERXWOPasswordField can do that for you -- set
hashValue = true and instead of the password bound back, you'll get
the md5 of the password.

And ERXWOPasswordField has nothing to do with crazy database revision
management. That is all.

ms
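
The stub-and-bind-back behaviour the post describes, as an added example that is not Wonder's own code: a small Python model of the two request-response phases, with the stock field echoing the bound value into the HTML beside the ERXWOPasswordField-style field that writes a placeholder instead, and a bind-back step that skips the binding when the stub comes back untouched. The stub string, the field name and the decision to render the stub only when a value is bound are assumptions, not taken from Wonder.

```python
import hashlib
import html

# Placeholder written into the page instead of the real password. The post only
# says the Wonder string is "~@secret@~ or something along those lines", so this
# exact value is an assumption.
SECRET_STUB = "~@secret@~"


def plain_password_field(current_value):
    """Model of stock WOPasswordField: the bound value lands in the HTML source,
    so anyone who can view source (or read a page cache) sees the password."""
    return f'<input type="password" name="pw" value="{html.escape(current_value)}">'


def stub_password_field(current_value):
    """Model of ERXWOPasswordField: the browser shows dots because a value is
    present, but the value is the stub, not the password. Rendering the stub
    only when something is bound is an assumption of this model."""
    shown = SECRET_STUB if current_value else ""
    return f'<input type="password" name="pw" value="{shown}">'


def take_values_from_request(submitted, hash_value=False):
    """Model of the bind-back on form submit.
    Returns the value to push through the 'value' binding, or None when no
    binding should happen (field missing, or the stub came back untouched)."""
    if submitted is None or submitted == SECRET_STUB:
        return None
    if hash_value:
        # hashValue = true: bind the md5 hex digest instead of the password,
        # exactly as the post describes for that setting.
        return hashlib.md5(submitted.encode("utf-8")).hexdigest()
    return submitted


def apply_edit(stored_password, submitted, hash_value=False):
    """Constructed edit-profile round trip: keep the stored value unless the
    user actually typed a new password."""
    bound = take_values_from_request(submitted, hash_value)
    return stored_password if bound is None else bound
```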
