Implement editing hash password field with custom algo/salt?
Archived from the Xataface Users forum.
FractalizeR — Wed Oct 05, 2011 12:00 am
Hello.
I have a table in my database with a list of users. They are users of my own application; this table doesn’t have any relation to Xataface authorization. Its structure is like
```sql
CREATE TABLE IF NOT EXISTS `user` (
  `id` int(11) NOT NULL AUTO_INCREMENT,
  `email` char(50) CHARACTER SET latin1 NOT NULL,
  `password_hash` binary(20) NOT NULL,
  `password_salt` char(5) NOT NULL
)
```
Password is defined like
```php
$password = RandomPasswordGenerator::generate(PasswordGenerator::ALLOWED_CHARS_LATIN_ALPHA_NUMERIC, 12);
$insertDb['password_salt'] = RandomPasswordGenerator::generate(PasswordGenerator::ALLOWED_CHARS_LATIN_ALPHA_NUMERIC, 5);
$insertDb['password_hash'] = sha1(sha1($password, true) . $insertDb['password_salt'], true);
```
So, the password field value depends on the salt value. How do I implement a UI for the admin with Xataface to allow an administrator to change the password for a given user?
I tried to look at the field__serialize example on the forum, but it seems it doesn’t allow you to access values of fields other than the one being serialized in the handler.
I’m new to Xataface, but already inspired by its capabilities. Can you help me?
shannah — Wed Oct 05, 2011 9:26 am
PHPBB does something similar. See this page of the wiki for some tips on how it was done for that app:
http://xataface.com/wiki/Authenticating … sers_table
FractalizeR — Thu Oct 06, 2011 3:22 am
Thanks. I almost got it working.
I used fields.ini:
```ini
[password_hash]
widget:label = "New password for user"
widget:type=text
visibility:list=hidden
validators:required=0
```
And the following class table definition:
```php
class tables_user {

    function password_hash__serialize($password) {
        // Look up the current hash and salt for the record being edited.
        // The id is cast to an integer so request data cannot alter the query.
        $id = isset($_POST['id']) ? (int) $_POST['id'] : 0;
        $sql = "SELECT password_hash, password_salt FROM user WHERE id=" . $id;
        $res = mysql_query($sql, df_db());
        if (!$res) {
            throw new Exception(mysql_error(df_db()));
        }
        $data = mysql_fetch_assoc($res);
        mysql_free_result($res);

        // If no password was set by admin
        if (empty($password)) {
            return $data['password_hash'];
        }

        // Hashing password
        $hash = sha1(sha1($password, true) . $data['password_salt'], true);
        return $hash;
    }

    function password_hash__display() {
        return "";
    }

    function password_hash__toString() {
        return "";
    }
}
```
Password changing works. The only problem that remains is that validators:required=0 doesn’t work in 1.3.rc6. I’ve filed a bug report on that.
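
The hashing rule from this thread, pulled out of the Xataface handler so it can be exercised without a database, together with the matching login-side check. This is an added example, not code from the thread or from Xataface; the function names `legacy_hash`, `verify_password` and `hash_for_save` and the sample row are assumptions made for illustration.

```php
<?php
// Added example: function names and sample values are hypothetical, not from the thread.

/** Scheme used in the thread: SHA1(raw SHA1(password) . salt), raw 20 bytes for binary(20). */
function legacy_hash(string $password, string $salt): string
{
    return sha1(sha1($password, true) . $salt, true);
}

/** Login-side check against the stored row; hash_equals() compares in constant time. */
function verify_password(string $password, string $salt, string $storedHash): bool
{
    return hash_equals($storedHash, legacy_hash($password, $salt));
}

/**
 * Value to write to password_hash when the admin saves the edit form.
 * A blank field means "leave the password unchanged", so the stored hash is kept.
 */
function hash_for_save(string $submitted, array $row): string
{
    if ($submitted === '') {
        return $row['password_hash'];
    }
    return legacy_hash($submitted, $row['password_salt']);
}

// Constructed sample row, standing in for the result of the SELECT in the handler.
$row = [
    'password_salt' => 'aB3dE',
    'password_hash' => legacy_hash('old-secret', 'aB3dE'),
];

$unchanged = hash_for_save('', $row);           // admin left the field blank
$changed   = hash_for_save('new-secret', $row); // admin typed a new password

var_dump(strlen($changed));                                          // length stored in binary(20)
var_dump($unchanged === $row['password_hash']);                      // blank input keeps the old hash
var_dump(verify_password('new-secret', $row['password_salt'], $changed));
var_dump(verify_password('old-secret', $row['password_salt'], $changed));
```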