Md5 Password

Hello.

I have a problem.

I have an MD5 decrypt password in my DB. When I register a new user, MD5 changes my password to md5 + salt in the DB.

All is OK: when I log in, the password is correct… but…

when I click “update user” and I don’t change the password, only save this edited user, my password changes from the MD5 password to MD5 + MD5, and when I log in as the user, I can’t; the password is wrong.

Example:

make a new user: password - pass1

saved in DB: password - a722c63db8ec8625af6cf71cb8c2d939

When I edit the user I get:

password - **************************** <- a722c63db8ec8625af6cf71cb8c2d939

and when I save this user, the MD5 changes a722c63db8ec8625af6cf71cb8c2d939 to a new MD5: 57a7ce8ba8e428f96afae6828592e688

and the password now is a722c63db8ec8625af6cf71cb8c2d939, not pass1…

Hi,

can you please post the code for creating and updating the password?

If I may give you a hint:

Try to avoid MD5 hashes because they are insecure. You can use SHA512 instead.

Thanks for the reply.

USER MODEL:

public function beforeSave() {
    $pass = md5($this->password);
    $this->password = $pass;
    return true;
}



USER IDENTITY:

public function authenticate() {
    $user = user::model()->findByAttributes(array('name' => $this->username));
    // echo md5($this->password); echo '<br>';
    // echo $user->password; exit;
    if ($user === null) { // No user was found!
        $this->errorCode = self::ERROR_USERNAME_INVALID;
    }
    // $user->Password refers to the "password" column name from the database
    else if ((md5($this->password) . Yii::app()->params["salt"]) !== $user->password) {
        $this->errorCode = self::ERROR_PASSWORD_INVALID;
    } else {
        // User/pass match
        $this->_id = $user->id;
        $this->errorCode = self::ERROR_NONE;
    }
    return !$this->errorCode;
}

public function getId() {
    return $this->_id;
}



USER CREATE:

public function actionCreate()
{
    $model=new User;

    // Uncomment the following line if AJAX validation is needed
    // $this->performAjaxValidation($model);

    if(isset($_POST['User']))
    {
        $model->attributes=$_POST['User'];
        if($model->save())
            $this->redirect(array('index'));
    }

    $this->render('create',array(
        'model'=>$model,
    ));
}



USER UPDATE:

public function actionUpdate($id)
{
    $model=$this->loadModel($id);

    // Uncomment the following line if AJAX validation is needed
    // $this->performAjaxValidation($model);

    if(isset($_POST['User']))
    {
        $model->attributes=$_POST['User'];
        if($model->save())
            $this->redirect(array('index'));
    }

    $this->render('update',array(
        'model'=>$model,
    ));
}



Use the Yii Security Extension to encrypt/decrypt the password based on an encryption key.

To implement:

• Download the extension from the link below

      http://www.yiiframework.com/extension/yii-encrypt/

• Unzip the data in the extension folder

• Import the class by adding the code below to the import part of the config

      'application.extensions.encrypter.Encrypter',

• Add the piece of code below to the component array in the config file

      'encrypter'=>array (
           'class'=>'Encrypter',
           'key'=>'XXXXXXXXXXXXXXXX',
      ),

• Now we can encrypt characters by calling the function below in controllers/views

      $myEncryptedString = Yii::app()->encrypter->encrypt($myDecryptedString);

• To decrypt

      $myDecryptedString = Yii::app()->encrypter->decrypt($myEncryptedString);

The link to download Encrypter doesn’t work.

I think the problem is that you don’t check whether a new user password is set or is empty.

Possible sequence:

You fetch the user model from the database. There the password is saved as MD5. If you update your user and no password is set, perhaps it takes the saved MD5 password as the new password.

So if you check whether the user entered a new password or not, the problem should be solved.

Where are you hashing the password - beforeSave? You need to check the scenario (register) and only hash it on insert/create/register or when the user updates their password.

Matt

I deleted the beforeSave() function :).

In actionCreate I added:

$pass = md5($model->password);
$model->password = $pass;

And in actionUpdate I added this:

$checkpass = $model->password;

and after $model->attributes:

    if ($model->password == $checkpass) {
        // password field unchanged: keep the stored value
    } else {
        $pass = md5($model->password);
        $model->password = $pass;
    }
    if ($model->save())
        $this->redirect(array('index'));
}



And all is done now.

Yes Matt, in the beforeSave() function I hash the password.

Can I encrypt in the afterValidate function?

The necro-posting force is strong in this one.

Don’t use md5, it’s not secure. Use CPasswordHelper instead.

http://www.yiiframework.com/doc/api/1.1/CPasswordHelper
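
The fix the replies converge on (hash only on create or when a new password is actually submitted, and use a password-hashing function rather than MD5), as an added example that is not part of any post in the thread. It runs without Yii: `UserRecord`, `saveBuggy()`, `saveFixed()` and `expect()` are hypothetical names, `pass1`/`pass2` are constructed sample values, and PHP's `password_hash()`/`password_verify()` stand in for `CPasswordHelper::hashPassword()`/`verifyPassword()`.

```php
<?php
// Added example: stand-alone simulation, no Yii classes are used.
// UserRecord, saveBuggy(), saveFixed() and expect() are hypothetical names.
class UserRecord
{
    public $password;          // value stored in the DB column
    public $newPassword = '';  // plain text from the form; '' means unchanged

    // Behaviour from the thread: hash whatever $password holds on every save.
    public function saveBuggy()
    {
        $this->password = md5($this->password);
    }

    // Fix: hash only when the form supplied a new password.
    public function saveFixed()
    {
        if ($this->newPassword !== '') {
            $this->password = password_hash($this->newPassword, PASSWORD_BCRYPT);
            $this->newPassword = '';
        }
    }
}

function expect($ok, $what)
{
    if (!$ok) { throw new RuntimeException("failed: $what"); }
    echo "ok: $what\n";
}

// Buggy flow: create, then save again without changing the password.
$u = new UserRecord;
$u->password = 'pass1';                 // constructed sample password
$u->saveBuggy();
$created = $u->password;
$u->saveBuggy();
expect($u->password === md5($created), 'update stored the hash of the hash');
expect($u->password !== md5('pass1'), 'login with pass1 no longer matches');

// Fixed flow: same two saves, then a deliberate password change.
$f = new UserRecord;
$f->newPassword = 'pass1';
$f->saveFixed();
$f->saveFixed();
expect(password_verify('pass1', $f->password), 'unchanged update keeps login');
$f->newPassword = 'pass2';
$f->saveFixed();
expect(password_verify('pass2', $f->password), 'new password verifies');
expect(!password_verify('pass1', $f->password), 'old password is rejected');
```

With this shape the edit form leaves the password field empty instead of echoing the stored hash back to the browser, so an unchanged save has nothing to re-hash.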