Shawn Boles Wed Oct 20 09:19:33 -0400 2010

Subject: Automagic Password Hashing... am I missing the point?

EDIT: Using the nightly build, on the site, it works. Don't know if this is a new feature, or a "broken" feature in 1.0.

Howdy. I have a User class based on the users table, which has four columns: handle, name, email, and password.

My plan was to have the User class handle md4 hashing passwords before storing them in the database, and doing comparisons between submitted strings and the stored password, so that I don't have validation code all around the application.

My idea was to have "set_password" in the User class hash the data:

public function set_password($plaintext) {
$this->assign_attribute('password', hash('md4', $plaintext, true));

And then simply assigned the value from the form, thusly:

$user = new User();
$user->handle = $_POST['handle'];
$user->password = $_POST['password'];
$user->name = $_POST['name'];
$user->email = $_POST['email'];

However, this is not saving the hashed version of the password to the databasel the "set_password" function isn't even being called. I appear to be misunderstanding the documents, but my understanding was that a "set_<name>" function in a model is called whenever a value is assigned to that value, and that assign_attribute would store my modified version into the model ready for save.

Even if I dump password after save:

die('Password: ' . $user->password);

I'm getting the plain text password, not the hashed version. The callback doesn't even seem to be called.

I'm using the latest stable build.

Elviss Strazdins Thu Oct 21 19:51:27 -0400 2010

Same here. Value setter callbacks do not work.

Benjamin P Sat Oct 23 06:43:30 -0400 2010

Oh yes, they do work in 1.0
The comment of the __set()-Method (Model.php) indicate that a static attribute

static $setters = array('password');

is needed. Nightly builds work without it.

Jacques Fuentes Sat Oct 23 17:25:00 -0400 2010

Benjamin is correct (thanks). Use the nightly build if you want setters/getters w/o declaring them statically.