Need help because i'm still new to Yii2. I want to encrypt the password before saving it to the database. So i'm using sha1 but the problem is that the password field in the form has contents when i apply this line of code in the controller shown below.
$model->password = sha1($model->attributes['password']);
This is the Controller create method:
public function actionCreate()
{
$model = new Employeeinformation();
//$model->password = sha1($model->attributes['password']);
$model->created_date = date('Y-m-d H:i:s');
if ($model->load(Yii::$app->request->post()) && $model->save()) {
return $this->redirect(['view', 'id' => $model->employee_id]);
} else {
return $this->render('create', [
'model' => $model,
]);
}
}
This is the form:
<div class="employeeinformation-form">
<?php $form = ActiveForm::begin(); ?>
<?= $form->field($model, 'employee_id')->textInput(['minlength' => true, 'maxlength' => true]) ?>
<?= $form->field($model, 'password')->passwordInput(['maxlength' => true]) ?>
<?= $form->field($model, 'last_name')->textInput(['maxlength' => true]) ?>
<?= $form->field($model, 'first_name')->textInput(['maxlength' => true]) ?>
<?= $form->field($model, 'hired_date')->widget(\yii\jui\DatePicker::classname(), [
'language' => 'en',
'dateFormat' => 'yyyy-MM-dd',
]) ?>
<div class="form-group">
<?= Html::submitButton($model->isNewRecord ? 'Create' : 'Update', ['class' => $model->isNewRecord ? 'btn btn-success' : 'btn btn-primary']) ?>
</div>
<?php ActiveForm::end(); ?>
Screenshot of my problem:
Thank you in advance.
I want to encrypt the password before saving it to the database.
No you don't. Well, you might think you want to encrypt the password, but if you're trying to protect users you actually want to hash the password, not encrypt it.
SHA1 doesn't provide encryption, it's a hash function. This is a very common misconception. You can learn more about basic cryptography terms and concepts at the linked blog post.
More importantly: You don't want a fast hash like SHA1 for passwords. Use password_hash() and password_verify() and you'll have secure password storage. You don't even need to particularly care what these functions do internally to use them correctly.
public function actionCreate()
{
$model = new Employeeinformation();
$post = Yii::$app->request->post();
if ($model->load($post)) {
$model->password = password_hash($model->password, PASSWORD_DEFAULT);
$model->created_date = date('Y-m-d H:i:s');
if ($model->save()) {
return $this->redirect(['view', 'id' => $model->employee_id]);
}
}
return $this->render('create', [
'model' => $model,
]);
}
When employees login, you just need to do this:
if (password_verify($request->password, $storedEmployeeData->hashed_password)) {
// Success
}
$password = md5($password);
Best way to handle, make sure to correlate this to the login screen to check
$passwordentered = md5($passwordentered);
if ($passwordentered = "Correct"){
"Grant Access"
}
Hope this helps.
Yii2 comes with user module in advanced setup. See how it store user passwords in encrypted way.
You can use setPassword() method in User Model to get hashed passwords.
public function setPassword($password)
{
$this->password_hash = Yii::$app->security->generatePasswordHash($password);
}
and call this method before saving model data.
public function signup()
{
if ($this->validate()) {
$user = new User();
$user->username = $this->username;
$user->email = $this->email;
$user->setPassword($this->password);
$user->generateAuthKey();
if ($user->save()) {
return $user;
}
}
return null;
}
Also look at the Yii2 doc for passwords and authentication.
In your model add:
public function beforeSave()
{
$this->password=md5($this->password);
return true;
}
Now add this to your controller:
$model->password = md5($model->password);
The content for password is there because you set the attribute before sending the data through the save (and validate) method.
If you like to do it in the controller, you can do it as the following:
public function actionCreate()
{
$model = new Employeeinformation();
if ($model->load(Yii::$app->request->post())){
$model->password = sha1($model->password);
$model->created_date = date('Y-m-d H:i:s');
if ($model->save())
return $this->redirect(['view', 'id' => $model->employee_id]);
}
return $this->render('create', [
'model' => $model,
]);
}
Another way, is to do the password hashing in the beforeSave method of the Employeeinformation model (add this method inside the model class):
public function beforeSave($insert)
{
if(isset($this->password))
$model->password = sha1($model->password);
$model->created_date = date('Y-m-d H:i:s');
return parent::beforeSave($insert);
}
If done using the beforeSave method, these two lines in the controller code can be removed as they are no longer necessary:
$model->password = sha1($model->password);
$model->created_date = date('Y-m-d H:i:s');
However, referring to http://www.yiiframework.com/doc-2.0/guide-security-passwords.html, it is not recommended to use md5 or sha1 for password encryption. Yii2 provide two helper functions to generate & verify password.
Use this to encrypt password:
$hash = Yii::$app->getSecurity()->generatePasswordHash($password);
And to verify it:
if (Yii::$app->getSecurity()->validatePassword($password, $hash)) {
// all good, logging user in
} else {
// wrong password
}
This is a better choice than sha1 that is used in the original code you posted.
you can look at User model for example, there are method setPassword()
public function setPassword($password) { $this->password_hash = Yii::$app->security->generatePasswordHash($password); }
this is how to you set password on database, and also it's already encrypt by yii2 encription