
I am trying to make this custom validation work, but I am not getting anything at the moment. What seems to be the problem?

['password', function($attribute, $params){
    $password = \Yii::$app->db
        ->createCommand("SELECT * FROM forbiddenPasswords WHERE password = '{$params}'")
        ->queryOne();

    if($password)
        $this->addError($attribute, 'This password is forbidden. Please try another.');
}],
Sasha

3 Answers

  • $params contains the validator parameters, not the attribute value,
  • you should correctly bind the parameter in your query.

e.g. :

$count = Yii::$app->db->createCommand('SELECT COUNT(*) FROM forbiddenPasswords WHERE password = :password')
    ->bindValue(':password', $this->password)
    ->queryScalar();

if($count)
    $this->addError($attribute, 'This password is forbidden. Please try another.');

Or you could create an ActiveRecord model for forbiddenPasswords and use unique validator to do the same...

soju
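Both suggestions from this answer put together as an added example (not code from the question or from any answer): a Yii2 form model that rejects passwords listed in the forbiddenPasswords table, first with an inline validator that binds the value instead of interpolating it, then with the built-in unique validator. The table's `password` column and the ActiveRecord class `app\models\ForbiddenPassword` are assumed names; the two rules are alternatives, so a real model would keep only one.

```php
<?php
// Added example, not from the question or any answer. Assumes a forbiddenPasswords
// table with a `password` column and, for the second rule, an ActiveRecord class
// app\models\ForbiddenPassword mapped to that table (both are assumptions).
namespace app\models;

use Yii;
use yii\base\Model;

class SignupForm extends Model
{
    public $password;

    public function rules()
    {
        return [
            ['password', 'required'],

            // Inline validator. $attribute is the attribute NAME ('password') and
            // $params holds validator options, so the submitted value must be read
            // through $this->$attribute, never taken from $params.
            ['password', function ($attribute, $params) {
                $count = Yii::$app->db
                    ->createCommand('SELECT COUNT(*) FROM forbiddenPasswords WHERE password = :password')
                    // The value travels as a bound parameter, separate from the SQL text,
                    // so quotes or comment sequences typed by the user cannot change the query.
                    ->bindValue(':password', $this->$attribute)
                    ->queryScalar();

                if ($count > 0) {
                    $this->addError($attribute, 'This password is forbidden. Please try another.');
                }
            }],

            // Same check without hand-written SQL: the unique validator adds an error
            // when a row with this value already exists in the target table.
            ['password', 'unique',
                'targetClass' => ForbiddenPassword::class,
                'targetAttribute' => 'password',
                'message' => 'This password is forbidden. Please try another.',
            ],
        ];
    }
}
```

Inline validators skip empty values by default, which is why the `required` rule comes first.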

I have checked that the {$params} variable is for additional values. If you want to validate the password, assign the value like this.

['password', function($attribute, $params){
    $pass = $this->password;
    $password = \Yii::$app->db
        ->createCommand("SELECT * FROM forbiddenPasswords WHERE password = '{$pass}'")
        ->queryOne();

    if($password)
        $this->addError($attribute, 'This password is forbidden. Please try another.');
}],

Don't write an open password validator. It's insecure!

In Yii2 you can use the validatePassword method of the Security component.

First, store the hash of the password in the database using the setPassword method:

/**
 *
 * @param string $password WARNING! OPEN PASSWORD!
 */
public function setPassword($password)
{
    $this->password_hash = Yii::$app->security->generatePasswordHash($password);
}

In the model you should have a validatePassword method:

/**
 * @param string $password WARNING! OPEN PASSWORD!
 *
 * @return boolean
 */
public function validatePassword($password)
{
    return Yii::$app->security->validatePassword($password, $this->password_hash);
}

Or, if you want to use the User model as a form, you can write this:

/**
 * @inheritdoc
 */
public function rules()
{
    return [
        ...
        ['password', 'validatePassword']
    ];
}

/**
 * @param string $attribute attribute name
 * @param array $params Additional params
 */
public function validatePassword($attribute, $params)
{
    if (Yii::$app->security->validatePassword($this->$attribute, $this->password_hash) == false) {
        $this->addError($attribute, Yii::t('frontend', 'Incorrect password'));
    }
}
Onedev_Link
  • Well, the question is not really about password hashing. – soju Jan 26 '16 at 13:28
  • @soju Unencrypted passwords do not bother you? – Onedev_Link Jan 26 '16 at 13:30
  • Where do you see unencrypted passwords (except in the forbiddenPasswords table, but that is not a problem)? – soju Jan 26 '16 at 13:32
  • @soju You are right. It's my paranoia. I hope that `password` here means `hashed password`. – Onedev_Link Jan 26 '16 at 13:35
  • Don't worry, it is a good thing to be paranoid when you are a web dev :) – soju Jan 26 '16 at 13:36
  • @Onedev.Link I'll share a secret with you: some huge IT companies are storing passwords unhashed. And `password` here is unencrypted, since it just came from `POST`. And yeah, paranoia is good sometimes. – ineersa Jan 26 '16 at 14:25
  • I have a table of forbidden passwords. I don't see the point of hashing something that is public (I am using the Twitter and Dropbox lists for this). This table is not connected to the user in any way. The user password is hashed. The user is not allowed to use a password found in the table, that's all. – Sasha Jan 26 '16 at 14:39