I am upgrading a CakePHP app at my new job from 1.1 to 1.2. I am replacing the homegrown 1.1 authorization code with the great Auth component. The problem is that the passwords are not hashed in the legacy DB. How can I turn off the password hashing temporarily so I can start using the Auth component?

Don't worry, I will hash the passwords and change this later.

A: 

Technically you could just hash all the passwords in the database in one swoop, using the query below. BACKUP YOUR TABLE FIRST!

UPDATE user_table SET password = SHA1(password)

From the CakePHP manual, the default hashing scheme is SHA-1, so unless you've changed it this should do it. SHA1 is a built-in MySQL function, though I assume it's available in most other databases as well.

Christian P.
I am aware that I can hash the passwords this way, but I just want to temporarily turn it off.
bucho
Also, CakePHP uses a salt, so it would be a bad idea. Perhaps later you'll have to create a script to select and then hash via Security::hash().
metrobalderas
CakePHP Security::hash() prefixes the string to hash with the Security salt value from app/config/core.php.
neilcrookes
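
The point raised in the comments above, as an added example that is not code from this thread or from CakePHP: a one-time migration in plain PHP that prefixes the salt before SHA-1, compared with the unsalted SHA1(password) the plain UPDATE would store. The salt value, the `hashed` flag column, the sample rows and the function names are assumptions made for illustration; the hashing rule is the one described in the comment on Security::hash().

```php
<?php
// Constructed placeholder; the real value is Security.salt in app/config/core.php.
define('EXAMPLE_SALT', 'constructed-example-salt');

// Salt prefixed to the password, then SHA-1, as described in the comments above.
function salted_hash($plain, $salt) {
    return sha1($salt . $plain);
}

// One-time migration over rows fetched from the users table. The 'hashed'
// flag is a hypothetical column that keeps a re-run from hashing twice.
function migrate_rows(array $rows, $salt) {
    foreach ($rows as &$row) {
        if (empty($row['hashed'])) {
            $row['password'] = salted_hash($row['password'], $salt);
            $row['hashed'] = 1;
        }
    }
    unset($row);
    return $rows;
}

// Constructed sample rows standing in for the legacy plaintext table.
$legacy = array(
    array('id' => 1, 'username' => 'alice', 'password' => 'correct horse', 'hashed' => 0),
    array('id' => 2, 'username' => 'bob', 'password' => 'hunter2', 'hashed' => 0),
);

$migrated = migrate_rows($legacy, EXAMPLE_SALT);
$again = migrate_rows($migrated, EXAMPLE_SALT); // second run over migrated rows

$stored = $migrated[1]['password'];
// Login attempt hashed with the salt, compared against the migrated value.
var_dump(hash_equals($stored, salted_hash('hunter2', EXAMPLE_SALT)));
// Unsalted SHA1(password), as the plain UPDATE would store it, compared the same way.
var_dump(hash_equals($stored, sha1('hunter2')));
// Whether re-running the migration left the rows unchanged.
var_dump($again === $migrated);
```
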
+3  A: 

Here is the solution, adapted from another Stack Overflow answer: basically, override the User::hashPasswords method in the model to do nothing.

http://stackoverflow.com/questions/573307/how-do-i-replace-the-cakephp-password-hashing-algorithm

<?php
class User extends AppModel {
    var $name = 'User';

    // this is used by the auth component to turn the password into its hash before comparing with the DB
    function hashPasswords($data) {
        return $data;
    }
}
?>
bucho
You also have to configure the AuthComponent to authenticate against the User Model to make use of this: $this->Auth->authenticate = $this->User;
neilcrookes