I have two field "password" (This field is in the database) and confirm_password (This field is not in the database)
Well, I need to compare if password == confirm_password.. but I'm not knowing create a custom validation to "confirm_password"... Would need to have this field in the database?
How do I do?
Generally you can access all data in a custom validation rule via the $context argument, where it's stored in the data key, ie $context['data']['confirm_password'], which you could then compare to the current fields value.
$validator->add('password', 'passwordsEqual', [
'rule' => function ($value, $context) {
return
isset($context['data']['confirm_password']) &&
$context['data']['confirm_password'] === $value;
}
]);
That being said, recently a compareWith validation rule was introduced which does exactly that.
https://github.com/cakephp/cakephp/pull/5813
$validator->add('password', [
'compare' => [
'rule' => ['compareWith', 'confirm_password']
]
]);
Now there has a method call sameAs in validator class, for version 3.2 or grater.
$validator -> sameAs('password_match','password','Passwords not equal.');
see API
I know it's late answer but will help to other.
// Your password hash value (get from database )
$hash = '$2y$10$MC84b2abTpj3TgHbpcTh2OYW5sb2j7YHg.Rj/DWiUBKYRJ5./NaRi';
$plain_text = '123456'; // get from form and do not make hash. just use what user entred.
if (password_verify($plain_text, $hash)) {
echo 'Password is valid!';
} else {
echo 'Invalid password.';
}
OR
$hasher = new DefaultPasswordHasher();
$check = $hasher->check($plain_text,$hash); // it will return true/false
Related
I'm using cakephp 2.xx, I want to hashing password with sha256 before it going to database,
before it I wanna make validation value password in my form input, validation which check password input and re-confirm password is match, if In my controller, when form catch validation, the password automatically hash
if ($this->request->data['Driver']['password'] != $this->request->data['Driver']['confirm_password']) {
$this->request->data['Driver']['password'] = hash('sha256',$this->request->data['Driver']['password']);
}
necessarily, the password hash when form no catch validate at all, so how can I make validation in my model ?
Thanks In Advance.
In your model (Driver.php)
Validation
<?php
public $validate = array(
'password' => array(
'notempty' => array(
'rule' => array('notempty'),
),
'password_confirm'=>array(
'rule'=>array('password_confirm'),
'message'=>'Password Confirmation must match Password',
),
),
);
?>
Custom validation rule
<?php
public function password_confirm(){
if ($this->data['Driver']['password'] !== $this->data['Driver']['password_confirmation']){
return false;
}
return true;
}
?>
Hashing,but I think that better to choose AuthComponent
<?php
public function beforeSave($options = array()) {
$this->data['Driver']['password'] = hash('sha256',$this->data['Driver']['password']);
return true;
}
?>
It's overall description and you probably would need to modify some parts of it
I have a password stored at database hashed with DefaultPasswordHasher at add action.
I have another action for change the password for the loggedin user, on this form I have a field called current_password that I need compare with the current password value from database.
The issue is that DefaultPasswordHasher is generating a different hash for each time that I'm hashing the value of the form so this will never match with the hash from database.
Follow the validation code of the 'current_password' field:
->add('current_password', 'custom', [
'rule' => function($value, $context){
$user = $this->get($context['data']['id']);
if ($user) {
echo $user->password; // Current password value hashed from database
echo '<br>';
echo $value; //foo
echo '<br>';
echo (new DefaultPasswordHasher)->hash($value); // Here is displaying a different hash each time that I post the form
// Here will never match =[
if ($user->password == (new DefaultPasswordHasher)->hash($value)) {
return true;
}
}
return false;
},
'message' => 'Você não confirmou a sua senha atual corretamente'
])
That is the way bcrypt works. Bcrypt is a stronger password hashing algorithm that will generate different hashes for the same value depending on the current system entropy, but that is able to compare if the original string can be hashed to an already hashed password.
To solve your problem use the check() function instead of the hash() function:
->add('current_password', 'custom', [
'rule' => function($value, $context){
$user = $this->get($context['data']['id']);
if ($user) {
if ((new DefaultPasswordHasher)->check($value, $user->password)) {
return true;
}
}
return false;
},
'message' => 'Você não confirmou a sua senha atual corretamente'
Can you help me with this? I am building my own login form using Laravel. But I have a problem because I stored my password using Hash method and in my login form I used hash method again to compare. But I found out that the hash value is always changing.
Here's my code in routes:
Route::post('/admin_handle_login', function()
{
$rules = array(
'admin_username' => 'required',
'admin_password' => 'required'
);
$validate_admin_login = Validator::make(Input::all(), $rules);
if($validate_admin_login->fails()) {
$messages = $validate_admin_login->messages();
Session::flash('warning_notification','Error: Incomplete details!');
return Redirect::to('/flaxadmin')
->withErrors($messages)
->withInput(Input::except('admin_password'));
} else {
$d = array(
Input::get('admin_username'), Hash::make(Input::get('admin_password'))
);
$validate_admin = DB::table('administrators')
->select('username')
->where('username', Input::get('admin_username'))
->where('password', Hash::check('password', Input::get('admin_password')))
->count();
fp($d);
fp($validate_admin);
}
});
The result is
Array
(
[0] => admin002
[1] => $2y$10$RTwKHN9W1/unu1ZhYlNjauApJjjoNTBnE6td/AZ5jWgZEdqVav0um
)
0
In my database the password of admin002 is
$2y$10$47sSXLzh/YXN6Rf2fmljYO7lZaxfhXVSUTp5bssR2gYQ6Nw9luUH2
Is my code wrong? Or are there any proper way to do this? I am a begiiner in Laravel..
First, you cannot do it this way. Assuming username is unique, you should do:
$validate_admin = DB::table('administrators')
->select('username')
->where('username', Input::get('admin_username'))
->first();
if ($validate_admin && Hash::check(Input::get('admin_password'), $validate_admin->password)) {
// here you know data is valid
}
However you should think about rather using built-in methods than coding it yourself. You have Auth::attempt or Auth::validate if you want to login/check only user with password so there's really no need to code it yourself.
Here you're checking the string 'password' with the hashed version of the input password.
So try fetching the user by their username and if you've a result you can compare the hashed version of the password, stored in the database, with the input password. Like so:
$user = DB::table('administrators')
->select('username', 'password')
->where('username', Input::get('admin_username');
if($user->count()) {
$user = $user->first();
if(Hash::check(Input::get('admin_password'), $user->password)) {
//User has provided valid credentials :)
}
}
A slight improvement to marcin-nabiałek's answer, you can now use PHP's password_verify to achieve the same
$user = App\User::where('email', $request->email)->first();
if($user && password_verify($request->password, $user->password)) {
// authenticated user,
// do something...
}
This is useful code 100% laravel 6/7/8.
if ($data = AddEmployee::where('name', $request->name)-first()) {
$pass = Hash::check($request->password, $data->password);
if ($pass) {
echo "sucess";
} else {
echo "Password Not Valid";
}
} else {
echo "Username Not Valid" . "<br>";
}
I've been using this tutorial to rewrite my login/logout functionality to handle authentication and matching passwords in the model.
It now adds the user perfectly, but upon login the username/password fields are rejected. It seems the login function is looking for a differently hashed password than my new hashPasswords() function is storing. Any suggestions on what the problem could be?
It's a fairly standard setup. Thanks for any help!
Pertinent Sections of code:
User Model:
var $validate = array(
'password' => array(
'The Password must be filled' =>array(
'rule' => 'notEmpty',
'message' => 'Please supply a valid password.'
),
'The Password must be between 5 and 15 characters' => array(
'rule' => array('between', 5, 15),
'message' => 'The password must be between 5 and 15 characters.'
),
'The passwords do not match' => array(
'rule' => 'matchPasswords',
'message' => 'The passwords do not match.'
)
),
function hashPasswords($data) {
if (isset($this->data['User']['password'])) {
$this->data['User']['password'] = Security::hash($this->data['User']['password'], NULL, TRUE);
return $data;
}
return $data;
}
function beforeSave() {
$this->hashPasswords(NULL, TRUE);
return TRUE;
}
Users Controller:
function beforeFilter() {
parent::beforeFilter();
if ($this->action == 'add' || $this->action == 'edit' ) {
$this->Auth->authenticate = $this->User;
}
}
function add() {
if (!empty($this->data)) {
if ($this->User->save($this->data)) {
$this->Session->setFlash('Your Account Has Been Created.');
$this->redirect(array('action' => 'homepage'));
}
}
}
function login() {
}
I haven't seen the video, but -
When $this->data['User'] has a 'username' and 'password' array, and is used to save a user - cake actually hashes the password. What may potentially be happening is your hashed password being hashed again - check out the cake documentation on hashPassword
As far as password matching goes - it is actually far easier to do this on the client side where they aren't hashed (lots of Jquery functions out there that validate forms). You can even go as far as writing a simple:
if($this->data['User']['password'] != $this->data['User']['password_conf']{
$this->Session->setFlash('Passwords do not match');
} else {
//save user etc
}
If you want validate in the model, then certainly write a custom validation rule - but again the password will be hashed for you - you only need to compare the non-hashed versions and see if they match, returning true if they do.
Also - everyone has completely different ways of authenticating users - first and foremost read the documentation - there's an excellent tutorial for a simple Authenticated / ACL application which takes about 30 mins to go through and should be anyones starting point.
Greetings,
I am setting up a pretty standard registration form with password field.
The problem is, after a failed submission (due to empty field, incorrect format etc), the controller reloads the registration page, but with the password field containing the hashed value of the previously entered password. How do I make it empty after each failed submission?
View:
echo $form->password('Vendor.password', array('class' => 'text-input'));
Controller:
Security::setHash('sha1');
$this->Auth->sessionKey = 'Member';
$this->Auth->fields = array(
'username' => 'email',
'password' => 'password'
);
Help is very much appreciated, thanks!
You may run into another problem down the road with cakePHP password validation.
The problem is that cake hashes passwords first, then does validation, which can cause the input to fail even if it is valid according to your rules. This is why the password is returned to the input field hashed instead of normal.
to fix this, instead of using the special field name 'password', use a different name like 'tmp_pass'. This way, cakePHP Auth won't automatically hash the field.
Here's a sample form
echo $form->create('Vendor', array('action' => 'register'));
echo $form->input('email');
echo $form->input( 'tmp_pass', array( 'label' => 'Password','type'=>'password' ));
echo $form->end('Register');
In your Vendor model, don't assign validation rules to 'password' instead assign these rules to 'tmp_pass', for example
var $validate = array('email' => 'email', 'password' => ... password rules... );
becomes
var $validate = array('email' => 'email', 'tmp_pass' => ... password rules... );
Finally, in your Vendor model, implement beforeSave().
First, see if the data validates ('tmp_pass' will be validated against your rules).
If successful, manually hash tmp_pass and put it in $this->data['Vendor']['password'] then return true. If unsuccessful, return false.
function beforeSave() {
if($this->validates()){
$this->data['Vendor']['password'] = sha1(Configure::read('Security.salt') . $this->data['User']['tmp_pass']);
return true;
}
else
return false;
}
this?
password('Vendor.password', array('class' => 'text-input','value'=>''))
In your controller:
function beforeRender() {
parent::beforeRender();
$this->data['Vendor']['password'] = '';
}