i have a mysql query as below :
select * from users where email='xxx#xxx.com' and password = SHA1(CONCAT(SHA1(SHA1("123456")),salt))
i want to convert to cake PHP find using beforSave Function :
public function beforeFind(array $queryData) {
if(isset($queryData['conditions']['User.password'])) {
$queryData['conditions']['User.password'] = 'SHA1(CONCAT(SHA1(SHA1("'.$queryData['conditions']['User.password'].'")),User.salt))';
}
$this->log($queryData);
return $queryData;
}
the mysql query is run okie but in cakephp find this not work.
Thank for help.
Don't include plain-text passwords in your queries!
You should never do this; you're including plain-text passwords as part of your query and including your 'salt' values as readable string as well.
SQL queries may be logged (and backed up), so those log files can contain all this information in readable format!
You should 'hash' the password using PHP and use the hashed password to query your database
Hashing passwords via the AuthComponent
First of all, if you're using the AuthComponent, CakePHP will do all this kind of actions automatically; it will look up/identify a user and (if correct) allow you to log-in that user.
See: Authentication
To encrypt passwords 'manually', use AuthComponent::Password() or Security::hash()
I'm in a hurry right now, but if you need more information or an example, place a comment, then I will add that information
If I have understood your problem correctly then you want to search for a user with given username and password. You don't need to use beforeSave for this. If you want to encode password then surely you could use beforeFind or IMO you can do it in a single line itself, just before you execute the query.
You can use Cakephp find by query method. Something like this $this->Users->query("your mysql query"); or if you want to use normal find, that would also work.
$user = $this->Users->find('first', array(
'conditions' => array('Users.email' => $email, 'Users.password' => $password)
));
Hope that helps.
Related
I'm writing a program and before it loads I want the user to enter the correct password without storing the password anywhere in my code. I've implemented MD5 hashes before but from what I've read they're outdated and can be broken. There are a few sites out there that attempt to reverse engineer and MD5 hash. What's the strongest encryption I can use to keep prying eyes out of my program (e.g., The NSA)?
"Encryption" is not the right thing to do for storing user passwords - as by design an encrypted password can be decrypted. As you said - hashing is the way to go.
MD5 is outdated, and I believe the current recommendation is sha1.
Note that there are ways to reverse any hashing algorithm to acceptable input. The commonly accepted standard to make this much more dificult is to add a unique "salt" to all passwords before putting them through the hashing function. A common mistake made when adding salts to passwords is to use the same salt value on every password in the database.
When salting passwords, use a unique value, for example the user ID, or the created date/time string for the user record. This will prevent attacks based on rainbow tables because there will be no existing ready to use rainbow table for your stored password hashes.
I personally like the approach of using the created date / time string of the user as it's a value that should never change and will be available and will likely be different for each user the the database.
Eexamples below assume you are familiar with PHP - however the concepts can be applied to any language.
Example:
Before saving a new user into the database:
$date = date('Y-m-d H:i:s');
// save this same value into the user record somewhere
$passwordHash = sha1($user['created_date'].$_POST['password']);
// and save the $passwordHash value into the password field for that user
To authenticate a login attempt, use something like the following:
function authenticateUserLogin($email, $password) {
$user = $db->fetchRow('SELECT * FROM users WHERE email=?', array($email));
if (!$user) return false;
$passwordHash = sha1($user['created_date'].$password);
return $user['password_hash'] !== $passwordHash;
}
To update an existing users password, use something like...
$passwordHash = sha1($user['date_created'].$newPassword);
$db->query('UPDATE users set password_hash=? WHERE id = ?', array($passwordHash, $user['id']));
I need to log users into eXist-db using XQuery. Of course I can use this code:
xquery version "3.0";
declare namespace exist = "http://exist.sourceforge.net/NS/exist";
declare namespace request="http://exist-db.org/xquery/request";
declare namespace xmldb="http://exist-db.org/xquery/xmldb";
declare option exist:serialize "method=json media-type=text/javascript";
let $userName := request:get-parameter("userName", ())
let $hash := request:get-parameter("hash", ())
let $login := xmldb:authenticate('/db', $userName, $hash)
return
<ajax-response>
<success>{$login}</success>
<username>{$userName}</username>
</ajax-response>
The problem is that, due to the fact that I receive the password and the username from another service, I receive them in hash form encrypted with MD5 (because they can't be passed in clear from a service to another).
But the xmldb:authenticate function needs the password in clear. How can I resolve this? Any idea? Is there a way to login 'manually' in eXist-db without using the authenticate function?
No, this is not possible: eXist-db does not work with hashes on the authentication functions, that would be a security risk since MD5 is not safe. In addition, eXist-db does not use MD5 internally for hashing the passwords, so validating a password would be difficult (matching two different hashing techniques is impossible)
Unfortunately there is no way to work around this with the standard functions.
I currently have a users table and a posts table. My posts table has a field for user_id, however, I am not sure how I would grab the users name field which is in the users table. I was thinking of using the models afterFind() method and then using SQL to select the data, but there has to be a better way than this. Also, on my view action, I am using the read() function to grab a single post. Would the models afterFind() kick in after it runs read()? If not, is there an equivalent such as afterRead()?
Just make an association of Post belongsTo User, and every regular find/read operation that has a sufficiently high recursive value will automatically fetch the user with each post.
$post = $this->Post->find(...);
echo $post['User']['name'];
you have to go like below :
$this->Cake->findById(7); Cake.id = 7
here , you can you use your user_id instead of 7 like..
Find BY CAKE PHP
$this->Post->bindModel(array('belongsTo'=>'User'));
$post = $this->Post->findById($post_id);
$userName = $post['User']['name'];
Here are errors, I've typed it in eclipse (:
I am testing a migration from 1.3 to 2.0 for an Intranet site. After logging on an existing user, print_r($this->Auth->user()); returns the following:
Array
(
[username] => keith
[password] => f793ff5af0ea72013679a4635f40fbfaa5808895
)
Theuser is defined in the Users table, so I would have expected to see all of the fields which are defined in the Users table, which is the behaviour under 1.3.
In 2.0 $this->Auth->login($this->request->data) will log the user in with whatever data is posted, whereas in 1.3 $this->Auth->login($this->data) would try to identify the user first and only log in when successful.
http://book.cakephp.org/2.0/en/core-libraries/components/authentication.html#identifying-users-and-logging-them-in
I'm guessing you passed data to your $this->Auth->login() method. $this->Auth->login() will authenticate and login with the form data POSTed without passing the data in (which will log in the user no matter what).
I have a raw sql query I need to run, but the database name changes in each environment (live: db, dev db_test)
I need to get the current database name from the databases.yml file.
How can I get just the current database name?
I am using the Propel ORM
Initially I thought this would be pretty easy via sfPropelDatabase::getConfiguration() but that returns an array. As such, I had to parse the result to get the data, and I think there's probably a better way than this:
$propel_config = sfPropelDatabase::getConfiguration();
preg_match('/dbname=([^;]+);/', $propel_config['propel']['datasources']['propel']['connection']['dsn'], $matches);
echo $matches[1];
Anyone got anything better?
The following code works in Propel2 -- essentially the same as the accepted answer.
$mgr = \Propel\Runtime\Propel::getConnectionManager($connectionId);
$dsn = $mgr->getConfiguration()['dsn'];
preg_match('/dbname=([^;]+)/', $dsn, $matches);
echo $matches[1];