Yii hash of passwords

A former member
Post #: 107
Another thing about some of the chatter in the background was on password security.

After reading much, it looks like Yii does not hash passwords and must be coded to do so. There looks to be a user manage module to help with this. Storing unhashed and unsalted passwords is never a good thing. There are too many ways for data to leak such as company employees, shared server databases, website insecurities and poor scripting. It is one thing to compromise your data but to compromise user/passwords would destroy the ability to hold your users accountable and possibly make you liable for damages caused by a hacker portraying to be the user.

User Management Module

rehash password only when changed



public function authenticate()
{
    $users=array(
        // username => password
        'demo'=>'demo',
        'admin'=>'admin',
    );
    if(!isset($users[$this->username]))
        $this->errorCode=self::ERROR_USERNAME_INVALID;
    else if($users[$this->username]!==$this->password)
        $this->errorCode=self::ERROR_PASSWORD_INVALID;
    else
        $this->errorCode=self::ERROR_NONE;
    return !$this->errorCode;
}

appname.db
id,"username","password","email"
1,"test1","pass1","test1@example.com"
2,"test2","pass2","test2@example.com"
etc...


Tim
ZipOnOver, Local business Directory


BTW:
When will the Ruby on Rails people stop the BS?
Daniel's Corner - Comparison of PHP frameworks – Part I
"I edited the PHP version to just check if the array is empty, just like the Ruby version. Like magic, the execution time of the PHP version dropped more than half. The PHP version went from being ~70% slower than the Ruby version to being ~17% faster."

Eric N.
user 4016762
Orange Park, FL
Post #: 73
Yes, Tim, the Yii default login is really just a placeholder. Any app involving security for multiple users and roles should definitely crack the User Management Module.

For http://888wuzdead.com we'd already set up a users table before committing to Yii. And we only have two roles: user and admin.

So we stuck with our original schema, then customized the Yii login to support our "first one's free" approach:

  • allow anyone to post and verify by email,
  • encourage them to select an optional author/user name associated with that email address,
  • then (coming soon) select an optional password to bypass email verification.


BTW:
I've seen lots of claims about Yii being fast. We're not pushing it enough to worry about benchmark comparisons, but it's definitely not slow.
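
An added example, not code from either post or from Yii itself: the placeholder authenticate() flow from the first post, rewritten to compare against a salted hash, with a save step that rehashes only when the password actually changes. It assumes PHP 5.5 or later for password_hash(); make_user(), update_user() and the in-memory $users array are hypothetical stand-ins for the model and the users table.

```php
<?php
// Added example: plain PHP, runnable without Yii. Error codes mirror the names used above.
const ERROR_NONE = 0;
const ERROR_USERNAME_INVALID = 1;
const ERROR_PASSWORD_INVALID = 2;
// Build a row for the users table; password_hash() generates a per-user salt itself.
function make_user($username, $plain, $email)
{
    return array('username' => $username, 'email' => $email,
                 'password' => password_hash($plain, PASSWORD_DEFAULT));
}

// Hypothetical save hook: hash only when a new plaintext password was submitted,
// so editing the e-mail never hashes the stored hash a second time.
function update_user(array $row, array $input)
{
    if (isset($input['email'])) {
        $row['email'] = $input['email'];
    }
    if (isset($input['password']) && $input['password'] !== '') {
        $row['password'] = password_hash($input['password'], PASSWORD_DEFAULT);
    }
    return $row;
}

// Same flow as authenticate() above, but comparing against the stored hash.
function authenticate(array &$users, $username, $password)
{
    if (!isset($users[$username])) {
        return ERROR_USERNAME_INVALID;
    }
    $hash = $users[$username]['password'];
    if (!password_verify($password, $hash)) {
        return ERROR_PASSWORD_INVALID;
    }
    // Upgrade hashes made with older settings while the plaintext is in hand.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $users[$username]['password'] = password_hash($password, PASSWORD_DEFAULT);
    }
    return ERROR_NONE;
}
// Constructed sample data, matching the test1 row shown above.
$users = array('test1' => make_user('test1', 'pass1', 'test1@example.com'));
$before = $users['test1']['password'];
$users['test1'] = update_user($users['test1'], array('email' => 'new@example.com'));
echo 'hash unchanged after e-mail edit: ', var_export($users['test1']['password'] === $before, true), "\n";
echo 'correct password: ', authenticate($users, 'test1', 'pass1'), "\n";
echo 'wrong password: ', authenticate($users, 'test1', 'nope'), "\n";
```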