Yii Framework Forum: Logic problem: encrypt user's password - Yii Framework Forum

Logic problem: encrypt user's password

#1 Diegovl

Posted 29 June 2012 - 12:01 PM

Hello guys.

Probably at this moment I'm being really stupid and I'm getting lost in a glass of water...

Suppose that I want to encrypt the user's password. OK, during registration I can use beforeSave and save the sha1 value (or better, hash it...). No problem. Now we have stored the encrypted password.

Now suppose that we have a Profile area where the user can edit his own data. If the password is not modified, how can I tell beforeSave not to perform the function again (it is already encrypted!)?
0

#2 rootbear

Posted 29 June 2012 - 12:29 PM

1) the old password never goes back to the browser when you edit the profile, regardless of whether it is crypted or not;

2) in the update password action, you always receive the user's password in un-crypted plain text;

3) now if you receive an empty value in the user's input (password), assuming the user does not want to change the password, you don't do anything to touch the encrypted password in the db;

4) if you input some valid new password, then you simply encrypt it and save it to the db;
I enjoy the Yii.sy coding life here.
2

#3 Diegovl

Posted 29 June 2012 - 01:28 PM

rootbear, on 29 June 2012 - 12:29 PM, said:

1) the old password never goes back to the browser when you edit the profile, regardless of whether it is crypted or not;

2) in the update password action, you always receive the user's password in un-crypted plain text;

3) now if you receive an empty value in the user's input (password), assuming the user does not want to change the password, you don't do anything to touch the encrypted password in the db;

4) if you input some valid new password, then you simply encrypt it and save it to the db;


Thanks for the reply. Follow my insanity.

The user registers himself with the password "hello". Now with sha1 it becomes "aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d".
The user goes to his profile to change the address. But in the form, "password" is displayed with the sha1 value. If the user sends the form, won't the sha1 password be crypted again?

0

#4 rootbear

Posted 29 June 2012 - 01:45 PM

I know what you mean by your question. As I said, the password will NEVER go back to the browser in any format (encrypted or not);

in your model, you should have a rule that does not allow the password to be searched or passed to the browser.

check this: safevalidator
I enjoy the Yii.sy coding life here.
1

#5 Da:Sourcerer

Posted 29 June 2012 - 01:48 PM

SHA1 is a poor choice for password hashing. Read this: http://www.yiiframew...ashes-with-yii/
programmer /ˈprəʊgramə/, noun: a device that converts ►coffee into ►code
1

#6 Diegovl

Posted 29 June 2012 - 03:06 PM

rootbear, on 29 June 2012 - 01:45 PM, said:

I know what you mean by your question. As I said, the password will NEVER go back to the browser in any format (encrypted or not);

in your model, you should have a rule that does not allow the password to be searched or passed to the browser.

check this: safevalidator


Hmm... can you give me a rapid example for the form and the model rules?
0

#7 jkofsky

Posted 29 June 2012 - 04:08 PM

Diegovl, on 29 June 2012 - 03:06 PM, said:

Hmm... can you give me a rapid example for the form and the model rules?

use a private variable in the model ($_currPassword)

in afterFind: set $_currPassword to the $model->password AND set the $model->password = null;

in beforeSave do something like this:
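  // inside the model class the record is $this
  if (isset($this->password) && $this->password !== '') {
    // a new password was submitted: then hash it
  } else {
    // nothing submitted: restore the hash stashed in afterFind
    $this->password = $this->_currPassword;
  }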

Just a thought; :rolleyes:
Do, or do not. There is no 'try.' Jedi Master Yoda
1

#8 Diegovl

Posted 29 June 2012 - 05:20 PM

jkofsky, on 29 June 2012 - 04:08 PM, said:

use a private variable in the model ($_currPassword)

in afterFind: set $_currPassword to the $model->password AND set the $model->password = null;

in beforeSave do something like this:
  // inside the model class the record is $this
  if (isset($this->password) && $this->password !== '') {
    // a new password was submitted: then hash it
  } else {
    // nothing submitted: restore the hash stashed in afterFind
    $this->password = $this->_currPassword;
  }

Just a thought; :rolleyes:


Oh, ok, thanks! :D



0
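
An added example, not code from any poster in this thread: a plain-PHP stand-in for the model that combines rootbear's rule (an empty password input leaves the stored hash alone) with jkofsky's afterFind/beforeSave idea. `ProfileRecord`, `load()` and `toRow()` are hypothetical names, the sample row is constructed, and using PHP's built-in `password_hash()`/`password_verify()` (PHP 5.5+) instead of SHA1 is an assumption of this example.

```php
<?php
// Added example: plain-PHP stand-in for a Yii model (class and method names are hypothetical).
class ProfileRecord
{
    public $address;
    public $password;          // only ever holds new plaintext typed by the user
    private $_currPassword;    // stored hash, never exposed to the form

    // Mirrors afterFind(): stash the stored hash and blank the public attribute,
    // so the edit form has nothing to render in the password field.
    public static function load(array $row)
    {
        $m = new self();
        $m->address = $row['address'];
        $m->_currPassword = $row['password'];
        $m->password = null;
        return $m;
    }

    // Mirrors beforeSave(): hash only when a new password was actually submitted.
    public function toRow()
    {
        if (isset($this->password) && $this->password !== '') {
            $hash = password_hash($this->password, PASSWORD_DEFAULT);
        } else {
            $hash = $this->_currPassword;   // left untouched, so never hashed twice
        }
        return array('address' => $this->address, 'password' => $hash);
    }
}

// Constructed sample data: the row written at registration.
$row = array('address' => 'Old Street 1', 'password' => password_hash('hello', PASSWORD_DEFAULT));

// Edit 1: address only; the password field comes back empty from the form.
$m = ProfileRecord::load($row);
$m->address = 'New Street 2';
$m->password = '';
$saved = $m->toRow();
var_dump($saved['password'] === $row['password']);       // compare with the hash loaded from storage
var_dump(password_verify('hello', $saved['password']));  // check the original password against it

// Edit 2: the user typed a new password.
$m = ProfileRecord::load($saved);
$m->password = 'correct horse';
$saved2 = $m->toRow();
var_dump(password_verify('correct horse', $saved2['password']));
var_dump(password_verify('hello', $saved2['password']));
```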
