Logic problem: encrypt user's password

Hello guys.

Probably at this moment I'm really stupid and I'm getting lost in a glass of water…

Suppose that I want to crypt the user's password. Ok, during registration I can use beforeSave and save the sha1 value (or better, hash it…). No problem. Now we have stored the crypted password.

Now suppose that we have a Profile area where the user can edit his own data. If the password is not modified, how can I tell beforeSave not to perform the function again (it is already crypted!)?

  1. the old password never goes back to the browser when you edit the profile, regardless of whether it is crypted or not;

  2. in the update password action, you always receive the user's password in un-crypted plain text;

  3. now if you receive an empty user input (password), assuming the user does not want to change the password, you don't do anything to touch the encrypted password in the db;

  4. if the user inputs some valid new password, then you simply encrypt it and save it to the db;

Thanks for reply. Follow my insanity.

The user registers himself with the password "hello". Now with sha1 it becomes "aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d".

The user goes to his profile to change the address. But in the form the "password" field is displayed with the sha1 value. If the user sends the form, won't the sha1 password be crypted again?

I know what you mean by your question. As I said, the password will NEVER go back to the browser in any format (encrypted or not);

in your model, you should have a rule that does not allow the password to be searched or passed back to the browser.

check this: safevalidator

SHA1 is a poor choice for password hashing. Read this: http://www.yiiframework.com/wiki/240/authenticating-against-phpass-hashes-with-yii/

Hum… can you give me a quick example of the form and the model rules?

use a private variable in the model ($_currPassword)

in afterFind: set $_currPassword to the $model->password AND set the $model->password = null;

in beforeSave do something like this:


    protected function beforeSave()
    {
        // isset() is true for an empty string, so test for a real value instead
        if ($this->password !== null && $this->password !== '') {
            // a new password was submitted: hash it (password_hash() used here as the hashing step)
            $this->password = password_hash($this->password, PASSWORD_DEFAULT);
        } else {
            // nothing submitted: restore the hash stashed in afterFind
            $this->password = $this->_currPassword;
        }
        return parent::beforeSave();
    }


Just a thought; :rolleyes:
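Putting the whole suggestion together (private field, afterFind, beforeSave and the safe rules) as an added example that is not code from this thread: a hypothetical Yii 1.1 `User` model, assuming `CPasswordHelper` (bcrypt, available since Yii 1.1.14) rather than sha1, and a `scenario` of `insert`/`update` as Yii sets it for new versus loaded records.

```php
<?php
// Hypothetical Yii 1.1 model; the table is assumed to have username, email and password columns.
class User extends CActiveRecord
{
    // Hash loaded from the db, kept outside the attributes so it never reaches a form or JSON dump.
    private $_currPassword;

    public function rules()
    {
        return array(
            array('username, email', 'required'),
            // A password is mandatory only when the record is created.
            array('password', 'required', 'on' => 'insert'),
            // On update an empty field means "keep the current hash".
            array('password', 'length', 'min' => 8, 'allowEmpty' => true),
            // Only these attributes may be mass-assigned from $_POST (safe validator).
            array('username, email, password', 'safe'),
        );
    }

    protected function afterFind()
    {
        // Stash the stored hash and blank the attribute so the edit form renders an empty field.
        $this->_currPassword = $this->password;
        $this->password = null;
        parent::afterFind();
    }

    protected function beforeSave()
    {
        // isset() would be true for '' (an untouched form field), so compare explicitly.
        if ($this->password !== null && $this->password !== '') {
            $this->password = CPasswordHelper::hashPassword($this->password);
        } else {
            $this->password = $this->_currPassword;
        }
        return parent::beforeSave();
    }

    // Login check against the stashed hash; the plaintext is never stored.
    public function validatePassword($plain)
    {
        return $this->_currPassword !== null
            && CPasswordHelper::verifyPassword($plain, $this->_currPassword);
    }
}
```

Because the `insert` scenario requires a password and `_currPassword` is null for a new record, the else branch can never write an empty hash on creation.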

Oh, ok, thanks! :D