saving passwords

Exactly the same way! :] Using hashPassword or directly PHP’s md5 method or any other way. You get the plain inputted password from the form where you allow your user to change the password, you hash it and store it in the DB in the place where the old, hashed password was previously stored.

Hashing is a one-way operation. You can’t read (un-hash) a password. You can only hash the new password again and check if the hash is the same as the one stored in the DB (this is what you do when logging a user in). Therefore you always use the same function, no matter if you hash a password for the first time, when inserting a new record into your DB, or if you hash a new password again for updating an existing record in the DB.

Usually, to update a password I create another interface, in which I update (after hashing) only the password.

I did not express myself very clearly, sorry about that.

My problem was actually knowing when not to rehash an already hashed password.

My current solution is this: if the length of the password being saved is longer than a defined maximum password length then it is hashed so I do not rehash it. It just means that the user wanted to update something else in the User record. Probably zaccaria’s solution is the safest.

Anyway, thanks for the answer, if you have an even cleaner solution I am glad to hear it.

Sorry, either I’m out of caffeine and urgently need a coffee or I’m not following you! :]

You don’t rehash passwords whose length exceeds some fixed maximum? You detect what the user wants to update (password or something else) by checking the length of the password? I’m not following your idea! :]

Yes, I agree that zaccaria’s solution is the best and sorry for not providing anything better (after all - he is a Master Member and I’m only an Advanced one! :]), but I’ve got to ask you, because I got a bit lost when reading your answer! :]

Have a nice weekend!

Hi,

My explanation skills are not quite good.

I wanted to handle the hashing inside the ActiveRecord. So from outside I just set a value and let the ActiveRecord handle if it hashes or not. I am doing this by overriding beforeSave.

    public function beforeSave()
    {
        if (parent::beforeSave())
        {
            // Values of 4 characters or fewer are treated as a new plain-text code and hashed
            if (strlen($this->cod_de_acces) <= 4)
            {
                $this->cod_de_acces = $this->hashPassword($this->cod_de_acces, $this->salt);
            }
            return true;
        }
        return false;
    }



The problem is that at this stage I do not know if this password is a new password that needs to be hashed or it is just the old password that needs to remain the same and something else in the record was changed.

My passwords are 4 characters long, so my solution was to check for this. If the password length exceeds 4 then this password is already hashed and I do not hash it again.

But I think my design is not good and the decision to hash or not to hash needs to be moved somewhere else to be totally flexible. Probably in the controller where I can know for sure if the password was changed or not.

I hope this time I got it right :)

Come to think of it, is there something like a dirty flag for ActiveRecord attributes?

A flag that will tell me if the value of a column has changed will definitely help me.
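
Added example, not part of the original thread and not Yii's own code: one way to get the "dirty flag" asked about above is to snapshot the stored hash when the record is loaded and compare against it before saving, so the decision no longer depends on the length of the value. `UserRecord`, `passwordChanged()` and the sample data are hypothetical stand-ins for an ActiveRecord model with `afterFind()`/`beforeSave()` hooks, and PHP's built-in `password_hash()` (which generates its own salt) is swapped in for the `hashPassword`/md5 approach mentioned in the thread.

```php
<?php
// Hypothetical stand-in for an ActiveRecord model; in a real model the same
// logic would sit in the afterFind() and beforeSave() overrides.
class UserRecord
{
    public $name;
    public $cod_de_acces;        // plain text while being set, hash once saved
    private $storedHash = null;  // snapshot of the value as stored in the DB

    // After loading a row: remember the hash exactly as it was stored.
    public function afterFind(array $row)
    {
        $this->name = $row['name'];
        $this->cod_de_acces = $this->storedHash = $row['cod_de_acces'];
    }

    // Dirty check: the attribute no longer equals the loaded snapshot.
    public function passwordChanged()
    {
        return $this->cod_de_acces !== $this->storedHash;
    }

    // Before writing: hash only a changed value, then refresh the snapshot.
    public function beforeSave()
    {
        if ($this->passwordChanged()) {
            $this->cod_de_acces = password_hash($this->cod_de_acces, PASSWORD_DEFAULT);
        }
        $this->storedHash = $this->cod_de_acces;
        return true;
    }
}

// Constructed sample data: create a user, then reload and edit it.
$new = new UserRecord();
$new->name = 'ana';
$new->cod_de_acces = '1234';
$new->beforeSave();
$row = array('name' => $new->name, 'cod_de_acces' => $new->cod_de_acces);

$loaded = new UserRecord();
$loaded->afterFind($row);
$loaded->name = 'ana-maria';            // only another column changes
$loaded->beforeSave();
if ($loaded->cod_de_acces !== $row['cod_de_acces']) throw new RuntimeException('rehashed');

$loaded->cod_de_acces = '9876';         // the password itself changes
$loaded->beforeSave();
if (!password_verify('9876', $loaded->cod_de_acces)) throw new RuntimeException('not hashed');
echo "ok\n";
```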