I'm getting funny behavior with CakePHP in my register new user form. It's a pretty basic username, email and password form.

When the user types out an incomplete form it looks like this:

http://imgur.com/fcpS5.png

Of course creation of the new user fails because the password and email fields are empty. When the form errors are shown it looks like this:

http://imgur.com/Za9C4.png

I'm not sure why the password field is filled up with text magically. Shouldn't it be empty?

+1  A: 

It looks like it's getting populated with the hash of the password.

Your issue has something to do with the way Auth handles auto password hashing inside the $this->data object. I believe it's enabled by default, and a hack it may be, but I solved this by setting $this->data['User']['password'] to an empty string at the end of the action in question.

Adam
+1  A: 

Seems like the password field is being prefilled with sha1($_POST['password']); of course, as $_POST['password'] contains nothing, it's the same as doing sha1('').

I'm not familiar with CakePHP, but you should disable the prefilling on the password field, if you can.

Alix Axel
+3  A: 

Simply don't name the input field 'password' in the view, but 'newPassword' for example. That gives you the opportunity to do validation on the not-hashed password (length, strength, ...) and hash it manually afterwards by using the callback beforeSave():

function beforeSave($options = array()) {
    parent::beforeSave($options);
    // Only hash when a new plaintext password was submitted; otherwise leave
    // 'password' untouched (e.g. a profile edit that does not change it).
    if (!empty($this->data[$this->name]['newPassword'])) {
        $this->data[$this->name]['password'] = Security::hash($this->data[$this->name]['newPassword'], 'sha256', true);
    }
    return true;
}
harpax
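Below is an added example that carries this approach through a complete CakePHP 1.2 User model (it is not harpax's code or CakePHP's own). Because the form field is called 'newPassword' rather than 'password', AuthComponent's automatic hashing never touches it, so the plaintext can be validated first and hashed exactly once. The field names 'newPassword' and 'confirmPassword', the 8-character minimum and the validation messages are assumptions for illustration.

```php
<?php
// Added example, not from the original answer: validate the plaintext in a
// field Auth does not know about, then hash it once in beforeSave().
// Assumes CakePHP 1.2; 'newPassword' / 'confirmPassword' are hypothetical names.
App::import('Core', 'Security');

class User extends AppModel {
    var $name = 'User';

    var $validate = array(
        'username' => array(
            'rule' => 'notEmpty',
            'message' => 'A username is required'
        ),
        'email' => array(
            'rule' => 'email',
            'message' => 'A valid email address is required'
        ),
        // Rules run against the plaintext, which is only possible because the
        // field is not named 'password' and therefore is not pre-hashed by Auth.
        'newPassword' => array(
            'length' => array(
                'rule' => array('minLength', 8),
                'message' => 'Password must be at least 8 characters'
            ),
            'confirm' => array(
                'rule' => 'confirmPassword',
                'message' => 'Passwords do not match'
            )
        )
    );

    // Custom validation rule: the confirmation field must match the plaintext.
    // CakePHP passes array('newPassword' => value) as $check.
    function confirmPassword($check) {
        return isset($this->data[$this->alias]['confirmPassword'])
            && $check['newPassword'] === $this->data[$this->alias]['confirmPassword'];
    }

    function beforeSave($options = array()) {
        if (!empty($this->data[$this->alias]['newPassword'])) {
            // Salted hash (Security.salt from core.php) written to the real column.
            $this->data[$this->alias]['password'] = Security::hash(
                $this->data[$this->alias]['newPassword'], 'sha256', true
            );
            // Drop the plaintext so it is neither saved nor echoed back to a view.
            unset($this->data[$this->alias]['newPassword']);
            unset($this->data[$this->alias]['confirmPassword']);
        }
        return parent::beforeSave($options);
    }
}
```

One caveat: Auth's login hashes the posted 'password' with its own Security::hash($password, null, true) (sha1 plus salt) before querying. If registration stores a sha256 hash as above, login must use the same algorithm, for instance by overriding hashPasswords() as deizel's answer describes, or by passing 'sha256' consistently in both places.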
A: 

You can disable the hashing of passwords by telling AuthComponent to use your User model for sourcing methods, such as hashing:

$this->Auth->authenticate = $this->User;

You can then overwrite the method that is causing the problem and it will be used instead:

function hashPasswords($data) {
    // do nothing
    return $data;
}

Obviously the above will disable password hashing completely, but if you apply the correct conditions to this example you can prevent hashing only when needed.

Full details here: http://teknoid.wordpress.com/2008/10/08/demystifying-auth-features-in-cakephp-12/

deizel
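The following added example (not deizel's code and not the linked article's) shows what "the correct conditions" can look like in practice: a User model whose hashPasswords() hashes only a non-empty password, registered on AuthComponent from the controller. A failed registration then redisplays an empty field instead of sha1(''), while login keeps working because the hash call is the same one AuthComponent::password() uses. The 'register' action and its flash message are assumptions for illustration.

```php
<?php
// Added example, not from the original answer or CakePHP itself.
// Assumes CakePHP 1.2 and the default 'password' column name.
App::import('Core', 'Security');

class User extends AppModel {
    var $name = 'User';

    // Replaces AuthComponent::hashPasswords(). Same algorithm Auth uses
    // (sha1 + Security.salt), so stored hashes still match at login; the
    // only difference is that an empty password is left alone.
    function hashPasswords($data) {
        if (isset($data[$this->alias]['password'])
            && $data[$this->alias]['password'] !== '') {
            $data[$this->alias]['password'] = Security::hash(
                $data[$this->alias]['password'], null, true
            );
        }
        return $data;
    }
}

class UsersController extends AppController {
    var $name = 'Users';
    var $components = array('Auth');

    function beforeFilter() {
        parent::beforeFilter();
        // Auth now delegates hashing to User::hashPasswords().
        $this->Auth->authenticate = $this->User;
        $this->Auth->allow('register');
    }

    // Hypothetical registration action for illustration.
    function register() {
        if (!empty($this->data)) {
            $this->User->create();
            if ($this->User->save($this->data)) {
                $this->Session->setFlash('Account created');
                $this->redirect(array('action' => 'login'));
            }
            // Defence in depth: whatever Auth did to the data, never send a
            // hash (or the plaintext) back into the re-rendered form.
            $this->data['User']['password'] = '';
        }
    }
}
```

Note that the override does not by itself help the original poster's screenshot where a non-empty password fails validation for another reason; that case still produces a hash in $this->data, which is why the controller clears the field before the view is rendered.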
A: 

Even better than any of the solutions here (except for the information regarding validating a field that isn't linked to the Auth Component, then moving the hashed data to the correct index manually - that is good advice) is to let the View layer handle this.

Since you can't read the field anyway, and good practice is to not remember or autofill masked fields (passwords in this case), you should manually set the field's value to nothing in the View.

i.e.:

<?php
    ...
    echo $form->input( 'User.password', array(
        'type' => 'password',
        'value' => ''
    ));
    ...
?>

This will ensure that even though the value in the data array is hashed, that hashed value will NOT be displayed in your field.

Abba Bryant