
I'd like to know how the password hash is generated.

// This is my code:

$email = "mail@example.net";
$password = "mypassword";

// How to get the $password_hash variable?

$user = User::find()->where(['email' => $email, 'password_hash' => $password_hash])->one();
if (isset($user)) {
    echo "there is";
} else {
    echo "Sorry!";
}

Thank you.

arogachev
Nedim
  • `User::find()->where(['email'=>$email, 'password_hash'=>$password_hash])->one();` This habit is not secure against SQL injection. We should find the model, then call the validatePassword function to validate the user model. Reference Pheagey's answer. – Ngô Văn Thao Jul 02 '15 at 04:24

3 Answers


http://www.yiiframework.com/doc-2.0/guide-security-passwords.html is how passwords are handled in Yii 2. Unless you're a crypto expert, DO NOT try to write your own.

David J Eddy
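The pattern the linked guide describes, as an added example (this is not code from the question, from any answer here, or from the Yii project itself): the model stores only the bcrypt hash that `Yii::$app->security->generatePasswordHash()` produces, the login looks the user up by email alone, and the submitted password is checked in PHP with `Yii::$app->security->validatePassword()`. The `user` table, its `email` and `password_hash` columns, the `app\models` namespace and the `authenticate()`/`findByEmail()` helpers are assumptions made for the example.

```php
<?php
namespace app\models;

use Yii;
use yii\db\ActiveRecord;

// Assumed schema: table `user` with columns `id`, `email`, `password_hash`.
// password_hash should be VARCHAR(255): a bcrypt hash is 60 characters and
// other algorithms chosen by PHP's PASSWORD_DEFAULT may be longer.
class User extends ActiveRecord
{
    public static function tableName()
    {
        return '{{%user}}';
    }

    // Called on registration or password change. Only the hash is stored;
    // generatePasswordHash() picks a random salt, so two users with the same
    // password end up with different hashes.
    public function setPassword($password)
    {
        $this->password_hash = Yii::$app->security->generatePasswordHash($password);
    }

    // Called at login. validatePassword() rehashes $password with the salt and
    // cost embedded in the stored hash and compares the result.
    public function validatePassword($password)
    {
        return Yii::$app->security->validatePassword($password, $this->password_hash);
    }

    // The lookup uses the email only. Putting the submitted password into the
    // WHERE clause (as in the question) can never match, because the column
    // holds a salted hash, not the password itself.
    public static function findByEmail($email)
    {
        return static::findOne(['email' => $email]);
    }

    // Returns the User on success, null otherwise. Unknown email and wrong
    // password are deliberately not distinguished, so the login form cannot be
    // used to find out which addresses are registered. validatePassword()
    // throws on an empty password, so that input is rejected first.
    public static function authenticate($email, $password)
    {
        if (!is_string($password) || $password === '') {
            return null;
        }
        $user = static::findByEmail($email);
        if ($user === null || !$user->validatePassword($password)) {
            return null;
        }
        return $user;
    }
}

// Registration, with the values from the question:
$user = new User();
$user->email = 'mail@example.net';
$user->setPassword('mypassword');   // password_hash becomes a "$2y$13$..." bcrypt string
$user->save();

// Login:
if (User::authenticate('mail@example.net', 'mypassword') !== null) {
    echo "there is";
} else {
    echo "Sorry!";
}
```

The `authenticate()` method is where the question's one-query approach is replaced: one query by email, then one `validatePassword()` call on the returned model.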
    public function verifyPassword($password)
    {
        // compares the md5 of the submitted password with the stored value
        return md5($password) === $this->password;
        //return Yii::$app->security->validatePassword($password, $this->password);
    }

    public function beforeSave($insert)
    {
        // hash new password if set
        if ($this->newPassword) {
            //$this->password = Yii::$app->security->generatePasswordHash($this->newPassword);
            $this->password = md5($this->newPassword);
        }

        // convert ban_time checkbox to date
        if ($this->ban_time) {
            $this->ban_time = date("Y-m-d H:i:s");
        }

        // ensure fields are null so they won't get set as empty string
        $nullAttributes = ["email", "username", "ban_time", "ban_reason"];
        foreach ($nullAttributes as $nullAttribute) {
            $this->$nullAttribute = $this->$nullAttribute ? $this->$nullAttribute : null;
        }

        return parent::beforeSave($insert);
    }

I use hashing with md5, but I create a function in the user model:

    public function validatePassword($password)
    {
        return $this->PASSWORD === md5($password);
    }
Nuengnapa
  • md5 is highly insecure. I would either use PHP's new built-in password_hash function or yii\base\Security::generatePasswordHash. – Justin Cherniak Dec 29 '14 at 06:35
  • This is the answer: `$user = User::find()->where(['email'=>$email])->one(); if(!$user){ // Wrong email } elseif (!Yii::$app->security->validatePassword($password, $user->password_hash)) { // Invalid password } else { // Ok }` – Nedim Dec 29 '14 at 07:44
  • ...Please tell me you no longer do this. Use the built-in crypto methods. MD5 will get you compromised. A simple MD4/SHA1 hash is no longer a secure form of encryption. – David J Eddy Aug 18 '15 at 15:41
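The native PHP functions that the first comment recommends, as an added example that is not part of any answer above. It also covers the situation the last comment is getting at: an application that already has unsalted md5 values in its database can replace each one with a `password_hash()` result the next time that user logs in successfully, because that is the only moment the plaintext is available. The `isLegacyMd5Hash()` and `verifyAndUpgrade()` helpers and the `$record` array are assumptions made for the example; the sample record is constructed, not taken from any real system.

```php
<?php
// Added example (not from the question or the answers). Requires PHP >= 5.6
// for hash_equals(); password_hash()/password_verify() exist since 5.5.

// Distinguish a legacy 32-hex-digit md5 value from a "$2y$..." bcrypt hash.
function isLegacyMd5Hash($stored)
{
    return (bool) preg_match('/^[0-9a-f]{32}$/i', $stored);
}

// Verify $password against $record['password_hash'].
// Returns ['ok' => bool, 'new_hash' => string|null]. When new_hash is not null
// the caller must write it back to the user row, which retires the md5 value.
function verifyAndUpgrade(array $record, $password)
{
    $stored = $record['password_hash'];

    if (isLegacyMd5Hash($stored)) {
        // hash_equals() compares in constant time, unlike === on strings.
        if (!hash_equals($stored, md5($password))) {
            return ['ok' => false, 'new_hash' => null];
        }
        // Correct password: produce the salted bcrypt hash now.
        return ['ok' => true, 'new_hash' => password_hash($password, PASSWORD_DEFAULT)];
    }

    if (!password_verify($password, $stored)) {
        return ['ok' => false, 'new_hash' => null];
    }

    // Already a modern hash: rehash only if the cost has since been raised
    // (12 here is an assumed target cost for this example).
    $options = ['cost' => 12];
    $newHash = password_needs_rehash($stored, PASSWORD_DEFAULT, $options)
        ? password_hash($password, PASSWORD_DEFAULT, $options)
        : null;
    return ['ok' => true, 'new_hash' => $newHash];
}

// Constructed sample record: an account still carrying the md5 of "mypassword".
$record = ['email' => 'mail@example.net', 'password_hash' => md5('mypassword')];

$result = verifyAndUpgrade($record, 'mypassword');
if ($result['ok'] && $result['new_hash'] !== null) {
    // Persist the upgrade, e.g. UPDATE user SET password_hash = :h WHERE email = :e
    $record['password_hash'] = $result['new_hash'];
}

// A second login now takes the password_verify() path; a wrong password fails either way.
$second = verifyAndUpgrade($record, 'mypassword');
$wrong  = verifyAndUpgrade($record, 'wrong');
var_dump($result['ok'], $second['ok'], $wrong['ok']);
var_dump(isLegacyMd5Hash($record['password_hash']));
```

Until every row has been rewritten, the md5 branch is still reachable, so the migration is complete only when no 32-hex-digit values remain in the column; accounts that never log in again have to be handled separately, for instance by forcing a password reset.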