
So, I've got a user edit form set up that is now working. But I want to add some security to this form by requiring the user to confirm their current password before they can change their profile details (email, some other info, their password).

My problem is I don't know how to compare a password they give me to the hashed value that's stored in the database.

It's hashed via:

protected function _setPassword($password) {
    return (new DefaultPasswordHasher)->hash($password);
}

I've found this post on Stack Overflow, and tried implementing it using the following as a custom validator:

public function verifyPassword($value, $context) {
    $user = $this->find('conditions', [
        'Users.id' => $context['data']['id'],
    ]);

    return password_verify($value, $user->password);
}

But it doesn't appear to be working. Granted this is for an alpha version of 3.0, so maybe this isn't supposed to be working anymore. I'm just wondering if there's some way to compare the password they give me to the hashed version stored in the database?

  • Hash the password they provide for you, get the other password out of the database, compare the two. –  Jun 22 '15 at 00:41
  • That doesn't work, hashes are one way and never the same. – Arak Tai'Roth Jun 22 '15 at 00:45
  • It indeed was a duplicate, thank you for that. I'm not exactly sure what's appropriate for me to do now. Do I delete this question, or something else? – Arak Tai'Roth Jun 22 '15 at 01:03
  • You can accept that the linked question solved your problem (see http://meta.stackexchange.com/a/250930), this will immediately close your question and mark it as a duplicate. – ndm Jun 22 '15 at 01:27
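
The point made in the comments, as an added example that is not part of the original question or of CakePHP: a salted hash differs on every call, so the submitted password has to be verified against the stored hash rather than re-hashed and compared. It uses PHP's native `password_hash()`/`password_verify()` and assumes the stored column holds a standard `password_hash()` string; the function name and the sample values are hypothetical.

```php
<?php
// Added example: plain PHP, no framework needed. All sample values are constructed.

/**
 * Check a submitted password against the hash stored for a user.
 * $storedHash is null when the lookup found no row (hypothetical lookup result).
 */
function verifyCurrentPassword(string $submitted, ?string $storedHash): bool
{
    // When there is no row, verify against a dummy hash anyway so that a
    // missing user takes about as long as a wrong password.
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash('constructed-dummy-value', PASSWORD_DEFAULT);
    }
    $matches = password_verify($submitted, $storedHash ?? $dummy);

    return $storedHash !== null && $matches;
}

$password = 'correct horse battery staple';              // constructed sample
$stored   = password_hash($password, PASSWORD_DEFAULT);  // value kept in the database

// Hashing the same input again yields a different string because each call
// picks a fresh random salt, so comparing two hashes never matches.
$again = password_hash($password, PASSWORD_DEFAULT);
var_dump($again === $stored);

// password_verify() reads the algorithm, cost and salt out of the stored hash
// and recomputes with those, which is why it can confirm the password.
var_dump(verifyCurrentPassword($password, $stored));
var_dump(verifyCurrentPassword('wrong guess', $stored));
var_dump(verifyCurrentPassword($password, null));

// After a successful check, re-hash if the default algorithm or cost has moved on.
if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
    $stored = password_hash($password, PASSWORD_DEFAULT);
}
```

The stored hash passed in must be a string read from a single fetched row; a query object that has not been executed has no password value to verify against.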
