PHP Yii2 Password Encryption

php security yii2 password-hash
WaduNoob picture WaduNoob · Sep 2, 2015 · Viewed 10.6k times · Source

Need help because i'm still new to Yii2. I want to encrypt the password before saving it to the database. So i'm using sha1 but the problem is that the password field in the form has contents when i apply this line of code in the controller shown below.

$model->password = sha1($model->attributes['password']);

This is the Controller create method:

public function actionCreate()
{
    $model = new Employeeinformation();

    //$model->password = sha1($model->attributes['password']);

    $model->created_date = date('Y-m-d H:i:s');

    if ($model->load(Yii::$app->request->post()) && $model->save()) {
        return $this->redirect(['view', 'id' => $model->employee_id]);
    } else {
        return $this->render('create', [
            'model' => $model,
        ]);
    }
}

This is the form:

<div class="employeeinformation-form">

<?php $form = ActiveForm::begin(); ?>

<?= $form->field($model, 'employee_id')->textInput(['minlength' => true, 'maxlength' => true]) ?>

<?= $form->field($model, 'password')->passwordInput(['maxlength' => true]) ?>

<?= $form->field($model, 'last_name')->textInput(['maxlength' => true]) ?>

<?= $form->field($model, 'first_name')->textInput(['maxlength' => true]) ?>

<?= $form->field($model, 'hired_date')->widget(\yii\jui\DatePicker::classname(), [
    'language' => 'en',
    'dateFormat' => 'yyyy-MM-dd',
]) ?>



<div class="form-group">
    <?= Html::submitButton($model->isNewRecord ? 'Create' : 'Update', ['class' => $model->isNewRecord ? 'btn btn-success' : 'btn btn-primary']) ?>
</div>

<?php ActiveForm::end(); ?>

Screenshot of my problem:

http://i.imgur.com/YTDW1Ud.png

Thank you in advance.

Answer

Scott Arciszewski picture Scott Arciszewski · Sep 3, 2015

I want to encrypt the password before saving it to the database.

No you don't. Well, you might think you want to encrypt the password, but if you're trying to protect users you actually want to hash the password, not encrypt it.

SHA1 doesn't provide encryption, it's a hash function. This is a very common misconception. You can learn more about basic cryptography terms and concepts at the linked blog post.

More importantly: You don't want a fast hash like SHA1 for passwords. Use password_hash() and password_verify() and you'll have secure password storage. You don't even need to particularly care what these functions do internally to use them correctly.

public function actionCreate()
{
    $model = new Employeeinformation();
    $post = Yii::$app->request->post();

    if ($model->load($post)) {
        $model->password = password_hash($model->password, PASSWORD_DEFAULT);
        $model->created_date = date('Y-m-d H:i:s');
        if ($model->save()) {
            return $this->redirect(['view', 'id' => $model->employee_id]);
        }
    }
    return $this->render('create', [
        'model' => $model,
    ]);
}

When employees login, you just need to do this:

if (password_verify($request->password, $storedEmployeeData->hashed_password)) {
    // Success
}

Related questions

How can I prevent SQL injection in PHP?

If user input is inserted without modification into an SQL query, then the application becomes vulnerable to SQL injection, like in the following example: $unsafe_variable = $_POST['user_input']; mysql_query("INSERT INTO `table` (`column`) VALUES ('$unsafe_variable')"); That's …

Read More
How can I sanitize user input with PHP?

Is there a catchall function somewhere that works well for sanitizing user input for SQL injection and XSS attacks, while still allowing certain types of HTML tags?

Read More
How do you Encrypt and Decrypt a PHP String?

What I mean is: Original String + Salt or Key --> Encrypted String Encrypted String + Salt or Key --> Decrypted (Original String) Maybe something like: "hello world!" + "ABCD1234" --> Encrypt --> "2a2ffa8f13220befbe30819047e23b2…

Read More