Hi cbmeeks
> Below is my function to register a new user. In the function, you
> will notice that I attempt to sha256 the password to store in the
> database. Works great.
>
> However, just before the data is saved, the password box gets the new
> sha256-ed password. In other words, if there is an error saving, you
> can actually SEE the sha256 password. Which would mean that a user
> might not catch that and re-submit which would pass their password in
> as the new sha256 password.
Instead of setting
$this->data['User']['password'] = hash('sha256',$salt.$user.$pass);
Why not do this:
$newUser = $this->data['User'];
$newUser['password'] = hash('sha256',$salt.$user.$pass);
if($this->User->save($newUser)) { ...
That way the original data is unchanged. Or you could just set the
password to null if the save fails, meaning that the user has to
re-enter the password, which seems to be a fairly typical way of doing
things. It also reduces the number of times that the password is
whizzing around on the Internet.
Regards,
Langdon
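The two suggestions above (hash into a copy of the submitted data, and blank the password field when the save fails) as an added, self-contained example; this is constructed illustration code, not code from the thread or from CakePHP, and `$save` is a hypothetical stand-in for `$this->User->save()`.

```php
<?php
// Constructed example, not from the original thread or CakePHP.
// The hash is written into a copy, so the form array that is handed
// back to the view on failure never carries the sha256 digest.
function registerUser(array $formData, string $salt, callable $save): array
{
    $user = $formData['User'];
    $newUser = $user;  // copy; $formData['User'] stays as submitted
    $newUser['password'] = hash('sha256', $salt . $user['username'] . $user['password']);

    if ($save($newUser)) {
        return ['saved' => true, 'form' => null];
    }

    // Save failed: return the original data for re-display, but blank the
    // password so the user must re-type it and the plaintext is not echoed
    // back to the browser.
    $formData['User']['password'] = '';
    return ['saved' => false, 'form' => $formData];
}

// Hypothetical persistence layer: rejects a duplicate username, the way a
// unique-index violation would make a real save() return false.
$existing = ['alice'];
$save = function (array $row) use (&$existing): bool {
    if (in_array($row['username'], $existing, true)) {
        return false;
    }
    $existing[] = $row['username'];
    return true;
};

$salt = 'constructed-salt';
$submitted = ['User' => ['username' => 'alice', 'password' => 'correct horse']];

$result = registerUser($submitted, $salt, $save);
if ($result['saved'] !== false || $result['form']['User']['password'] !== '') {
    throw new RuntimeException('failed save should return a blank password field');
}
// The caller's array still holds what the user typed, not the digest.
if ($submitted['User']['password'] !== 'correct horse') {
    throw new RuntimeException('submitted data must not be modified');
}
echo "failed save: form returned with password cleared, digest never exposed\n";
```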
You received this message because you are subscribed to the Google Groups "Cake PHP" group.
For more options, visit this group at http://groups.google.com/group/cake-php?hl=en