I’m currently using MD5 for password storage, but I’m now looking to convert to the more secure AES. What makes it easy to use MD5 is that the encryption can be done within PHP. So for example when I’m saving a new user record I normally just do:
Could you try to see the SQL that is generated by activating CWebLogRoute?
If you cannot see anything wrong with the SQL, try with:
User::model()->findBySql('SELECT * FROM {{user}} WHERE {{user}}.email=:email AND {{user}}.password=AES_ENCRYPT(:password,:secret_key)', array(':email'=>$this->username, ':password'=>$this->password, ':secret_key'=>1234567890));
[21:43:54.878][trace][system.db.CDbCommand] Querying SQL: SELECT * FROM `user` `t` WHERE `t`.`email`=:yp0 AND `t`.`password`=:yp1 LIMIT 1.
Bind with parameter :yp0='admin@mysite.com', :yp1=CDbExpression::__set_state(array( 'expression' => 'AES_ENCRYPT(:password, :secret_key)',
'params' =>array ( ':password' => 'password', ':secret_key' => 1234567890, ), '_e' => NULL, '_m' => NULL, ))
I can’t figure out why it won’t work. But this works:
$user=User::model()->findBySQL('SELECT * FROM user WHERE user.email=:email AND user.password=AES_ENCRYPT(:password, :secret_key)', array(':email'=>$this->username, ':password'=>$this->password, ':secret_key'=>1234567890));
I remember having a discussion on a new feature with CDbCommand, and I was saying that sometimes it is better to keep the SQL clear in the code. It is true that it is better to handle difficult things automatically for newbies, but when it comes to advanced things, sometimes it is better to see everything clear as water.
At the end of the day, what is important is that you have accomplished your objective, no matter how you do it.
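As an added example that is not part of the thread (and not Yii or MySQL code from either poster), the following plain PHP/PDO script shows the storage side a practitioner would pair with such a login. In the trace above, the whole CDbExpression object arrives as the value of :yp1 instead of being spliced into the SQL text, which is why only the raw-SQL call works; the script below sidesteps that problem entirely by keeping the password out of the query. It also shows the caveat that matters here: AES_ENCRYPT(:password, :secret_key) is reversible, and the key is sent with every query, so anyone holding the database plus the key recovers every password. password_hash() produces a salted, slow one-way hash that the database cannot be used to invert. The in-memory SQLite database, the table layout and the sample account are constructed for the example; the table and column names follow the thread's query.

```php
<?php
// Added example, not code from the thread. Password storage without reversible
// encryption: the hash is computed in PHP with password_hash() (bcrypt by
// default) and the query only ever carries the e-mail address, so neither the
// password nor a key appears in the SQL. The in-memory SQLite database below
// is constructed so the script runs offline; it stands in for the MySQL table.

function createUser(PDO $db, string $email, string $password): void
{
    // password_hash() draws a random salt and embeds algorithm, cost and salt
    // in the returned string, so nothing else needs to be stored.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO user (email, password) VALUES (:email, :password)');
    $stmt->execute([':email' => $email, ':password' => $hash]);
}

function authenticate(PDO $db, string $email, string $password): ?array
{
    // Cached dummy hash so a missing account costs the same time as a wrong
    // password, which removes the obvious user-enumeration timing signal.
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('dummy', PASSWORD_DEFAULT);
    }

    // Look the user up by e-mail only; the password never reaches the query.
    $stmt = $db->prepare('SELECT id, email, password FROM user WHERE email = :email LIMIT 1');
    $stmt->execute([':email' => $email]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($user === false) {
        password_verify($password, $dummyHash);
        return null;
    }
    if (!password_verify($password, $user['password'])) {
        return null;
    }
    // Transparently upgrade the stored hash if the default cost has been raised
    // since it was written.
    if (password_needs_rehash($user['password'], PASSWORD_DEFAULT)) {
        $upd = $db->prepare('UPDATE user SET password = :password WHERE id = :id');
        $upd->execute([':password' => password_hash($password, PASSWORD_DEFAULT), ':id' => $user['id']]);
    }
    unset($user['password']);
    return $user;
}

// Constructed sample data (not from the thread).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (id INTEGER PRIMARY KEY AUTOINCREMENT, email TEXT UNIQUE NOT NULL, password TEXT NOT NULL)');

createUser($db, 'admin@mysite.com', 'correct horse battery staple');

// Self-check: right password logs in, wrong password and unknown user do not.
if (authenticate($db, 'admin@mysite.com', 'correct horse battery staple') === null) {
    throw new RuntimeException('valid login was rejected');
}
if (authenticate($db, 'admin@mysite.com', 'wrong password') !== null) {
    throw new RuntimeException('wrong password was accepted');
}
if (authenticate($db, 'nobody@mysite.com', 'anything') !== null) {
    throw new RuntimeException('unknown user was accepted');
}

// What the row actually holds: a bcrypt string from which the password cannot
// be recovered even with full read access to the database.
echo $db->query('SELECT password FROM user')->fetchColumn(), PHP_EOL;
```

Run with `php` on a build that has the pdo_sqlite extension; in the Yii setting of the thread the same two functions map onto the User model's save() and a findByAttributes(array('email' => $email)) followed by password_verify() in PHP, with no AES_ENCRYPT and no key in the query.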