-
unlucky posted...
I have two questions.
1) Is there a better way to view what your error may actually be when viewing your page? I have Firebug and use Firefox, but the errors that are displayed aren't really clear on what the issues are. They hardly ever point to your controller or model; they typically point to some AR .php file.
2) I'm trying to use a form to create a new user. Why isn't $user = User::create($_POST,TRUE) working with your model when the following worked? I'm not sure what the diff is
$user = User::create(array('username' => 'testuser', 'password' => 'testpass'));
Thanks
-
satti posted...
http://heybigname.com/2011/08/17/codeigniter-2-sparks-php-activerecord-part-3-login/
is not working...no video is being displayed
-
ian posted...
hmm... I'm using 2.0.3 and don't have that problem. It's working perfectly. Did they add an update to it without changing the version number or am I just lucky so far?
-
daslicht posted...
Hello,
Any suggestions on how to better understand all those "magic functions" such as "before_save" and the other active record things such as "find_by" or "create"?
And what is that MY_Loader doing?!
Is there an IDE available which supports code completion for CodeIgniter / active record?
That would help a lot to get started.
-
Will B posted...
You're totally right! I must have mistyped it when I was copying off the video or something along those lines.
Sorry for the fuss.
*ashamedly backs away*
-
Will B posted...
Firstly, those are some great videos - they've been a real help to me learning CI for my new job & it's fantastic that you're able to put these out, but this definition of a salted hash is incorrect :(
A salted hash is made from hashing a modified version of the password, i.e:
hash("salted-" . $unsecure_pass)
Rather than:
hash('randomchars') . hash($unsecure_pass)
This makes it almost impossible to get at your password using any sort of hash dictionary - and you should use a long string of random alphanumeric characters as your salt.
My old programming job was very security-oriented so I felt obliged to point this out!
-
Vanilla posted...
Dude , you rock at the material !! but really suck at explaining [sometimes]!
-
Uncreation posted...
If I may put in a small request, I'd like to see PHP-AR associations covered :-)
Enjoying the new series so far!
-
Trevor Thomas posted...
Yes, I have realized from the start that if they have the source, they can easily unshuffle it. But a lot of times, they don't have access to your code. They will get into the database only through SQL injection. And using some form of script obfuscation would go a long way. HipHop PHP, for instance.
-
Trevor Thomas posted...
I took this to another level. I cut the salt+hash into 8 blocks of 16 characters. Made an array 1-8, and shuffled it. I then shuffled 8 blocks of characters based on that, and embedded the random numbers in the hash at certain places. Then I wrote a function to break it apart, and reassemble them in the correct order.
-
Shawn McCool posted...
When extending the base controller class it's important to call the parent's constructor before calling any of your own code. If you don't do that then you won't have access to anything that CI has autoloaded. It'd be best if you could drop by the #codeigniter IRC channel and share your code using pastebin.com. I'll probably be in there, or if I'm not someone else will be able to help. It's hard to know exactly what's happening unless it's the constructor problem without looking at the code.
-
Shawn McCool posted...
When I discussed profiling with the developers they basically suggested that the CI profiler was sufficient. I'm not a huge fan of the idea that profiling is done in the page output. I definitely think that there's room for some developer to create a profiler that assigns keys to each query and stores performance data into a database. It'd be nice to have an interface in which you could render and explore the data. But, I digress. I'm getting quite a bit of use out of the spark and would love to, at some point, include discussion of profiling including concepts such as N+1 and eager-loading.
-
Shawn McCool posted...
This is precisely what we're doing in this screencast. This is code from the zip file attached to the post:
$salt = bin2hex(mcrypt_create_iv(32, MCRYPT_DEV_URANDOM)); // 32 random bytes from /dev/urandom -> 64 hex chars
$hash = hash('sha256', $salt . $password);                 // hash the salt prepended to the password
return $salt . $hash;                                      // store both; the salt is the first 64 chars
As you can see we're creating a salt, then, we're concatenating it to the password and then hashing the resulting string using sha256. A NEW string containing both the salt and the resulting salted password hash are then returned and stored.
The benefit of this of course is that every individual entry gets its own salt.
-
Shawn McCool posted...
The loader has to know to search for / load sparks. I haven't personally upgraded to CI 2.1. I think that I may actually be only making 1 more CI screencast before I start changing the way that I do screencasts. The last screencast will wrap up what I didn't finish in part 6. It was rumored that spark support would be native in 2.1. But, that's apparently not the case. I don't really see much in 2.1 to get excited over except for cumbersome migration support.
-
Shawn McCool posted...
That's absolutely on the list for this week.
-
Shawn McCool posted...
Thanks for the heads up. It's been resolved.
-
Shawn McCool posted...
PHPActiveRecord has a quite nice logging hook. This brings up a good point, and one that was brought up just yesterday by another person. Simply create a logger class that supports the methods 'log' and 'clear' and have them jack into the CI logging class.
I'll go over this in a later screencast. I'm talking to Matthew Machuga (the spark maintainer) to try to get him to add this functionality to his spark. But, for now this is what I'm doing. Sorry for the lack of indentation.
Modification to sparks/php-activerecord/0.0.1/libraries/PHPActiveRecord.php
At the bottom, outside of the class add:

// Logger handed to PHPActiveRecord: the library calls log() with the SQL of each executed statement.
class CILogger
{
    private $CI = FALSE;

    public function __construct()
    {
        // Grab the CodeIgniter super-object so the CI Log class is reachable.
        $this->CI =& get_instance();
    }

    public function log($message)
    {
        $this->CI->log->write_log('error', 'SQL --> ' . $message);
    }
}

Then, in the same file, find the code block "INITIALIZE ACTIVERECORD" and replace it with this:

// Initialize PHPActiveRecord
ActiveRecord\Config::initialize(function ($cfg) use ($connections, $active_group) {
    $cfg->set_model_directory(APPPATH.'models/');
    $cfg->set_connections($connections);
    // This connection is the default for all models
    $cfg->set_default_connection($active_group);

    // logger: only wire up query logging in development
    if (ENVIRONMENT == 'development')
    {
        $CI =& get_instance();
        $CI->logger = new CILogger();
        $cfg->set_logging(true);
        $cfg->set_logger($CI->logger);
    }
});
IN ADDITION: If you want more information to be added to the log per query then replace your sparks/php-activerecord/0.0.1/vendor/php-activerecord/lib/Connection.php with this one: https://raw.github.com/greut/php-activerecord/bc4db6b4154de43825668e11b379def4b0d599a7/lib/Connection.php
It sounds like a lot of work but it's very easy and works very well.
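An added example from the editor, not code from the screencast, the spark or php-activerecord. It uses the same set_logger() hook as the CILogger in the post above, but keeps the statements in memory so they can be inspected without a log file, and it flags statement shapes that run repeatedly, which is the N+1 symptom mentioned earlier in the thread as a candidate for eager loading. Assumptions: PHP 7.1 or later; only log() is dictated by php-activerecord, every other class and method name is hypothetical; the elapsed time is measured between successive log() calls, which only approximates database time because the hook fires after each query has already run; the SQL strings at the bottom are constructed for the demonstration.

```php
<?php
// Editor's added example, not from the screencast, the spark or php-activerecord.
// Assumes PHP 7.1+. Only log() is required by php-activerecord; the rest is hypothetical.

class QueryProfiler
{
    private $entries = [];

    // php-activerecord calls log() with each executed statement's SQL once
    // Config::set_logging(true) and set_logger() are in place. Some versions also
    // call it with the bound-parameter array; that is attached to the previous
    // entry instead of being counted as a query.
    public function log($message): void
    {
        if (!is_string($message)) {
            if ($this->entries) {
                $this->entries[count($this->entries) - 1]['params'] = $message;
            }
            return;
        }
        $this->entries[] = [
            'sql'         => $message,
            'fingerprint' => self::fingerprint($message),
            'at'          => microtime(true),
            'params'      => null,
        ];
    }

    public function clear(): void
    {
        $this->entries = [];
    }

    // Replace quoted strings and bare integers with '?' so that
    // "... WHERE `user_id`=1" and "... WHERE `user_id`=2" share one shape.
    public static function fingerprint(string $sql): string
    {
        $s = preg_replace("/'(?:[^'\\\\]|\\\\.)*'/", '?', $sql);
        $s = preg_replace('/\b\d+\b/', '?', $s);
        return preg_replace('/\s+/', ' ', trim($s));
    }

    // Statement shapes that ran more than $threshold times, most frequent first.
    public function repeated(int $threshold = 3): array
    {
        $counts = [];
        foreach ($this->entries as $e) {
            $counts[$e['fingerprint']] = ($counts[$e['fingerprint']] ?? 0) + 1;
        }
        $counts = array_filter($counts, function ($n) use ($threshold) {
            return $n > $threshold;
        });
        arsort($counts);
        return $counts;
    }

    public function count(): int
    {
        return count($this->entries);
    }

    // Wall-clock span between the first and last logged statement. The hook fires
    // after each query, so this is request time, not pure database time.
    public function elapsed(): float
    {
        $n = count($this->entries);
        return $n < 2 ? 0.0 : $this->entries[$n - 1]['at'] - $this->entries[0]['at'];
    }
}

// Wiring inside the Config::initialize() closure from the post above, for reference:
//   $CI->profiler = new QueryProfiler();
//   $cfg->set_logging(true);
//   $cfg->set_logger($CI->profiler);

// Stand-alone run with constructed SQL that mimics an N+1 loop: one query for
// the users, then one query per user for their posts.
$profiler = new QueryProfiler();
$profiler->log("SELECT * FROM `users`");
foreach ([1, 2, 3, 4, 5] as $id) {
    $profiler->log("SELECT * FROM `posts` WHERE `user_id`=$id");
}
$profiler->log("SELECT * FROM `users` WHERE `username`='admin' LIMIT 1");
$profiler->log(['admin']); // bound parameters, as the library may pass them

printf("%d statements in %.3fs\n", $profiler->count(), $profiler->elapsed());
foreach ($profiler->repeated() as $shape => $n) {
    printf("%d x %s  <- candidate for eager loading\n", $n, $shape);
}
```

Running the file as-is reports seven statements and one repeated shape (the per-user posts query). With the spark loaded, the same object can be dumped from a controller's output hook or from a custom profiler section, which is the gap the CI profiler leaves for PHP-ActiveRecord queries.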
-
Shawn McCool posted...
It's looking like CI 2.1 will include Sparks functionality. For now, I have posted a solution for users of 2.0.3+ in the yellow call-out box.
-
Shawn McCool posted...
I agree that using a separate log is optimal. I virtually never use the CI log for anything. I definitely think that being able to log queries and their execution time is very important.
I think that it's possible that people could pass up the option to use this spark due to the fact that they can't use profiling without modifying it.
-
Shawn McCool posted...
Check your phpinfo() for mcrypt.
-
Shawn McCool posted...
But, the 2nd half isn't the only important part. Both halves are important.
In order to create a dictionary to crack one password, the hacker would have to take the first half of our hashed_password field and then create an sha256 dictionary. Then, they can test the 2nd half against that dictionary. That's an incredible improvement. When they moved on to the next user record, they'd have to do the same. A dictionary for each salt is essentially just pure brute forcing. We could make this more secure by key stretching, but really, this is just fine.
-
Shawn McCool posted...
Assuming people have access to your database they probably have access to your unshuffling algorithm. When generating a dictionary to use against the database they'll first unshuffle the hash, then proceed to attack it the same way that they'd attack any hashed password store. It's at that point that the salting solution would make this algorithm impractical as it requires a new dictionary for every user in the database.
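An added example written by the editor, not code from the screencast, its zip file or the spark. It puts the layout the thread discusses (64 hex characters of salt followed by sha256(salt . password), as in the snippet from the zip file above) next to the verification step the thread never shows, the separately-hashed layout Will B warns against, and the key-stretched alternative mentioned above but not shown. Assumptions: PHP 7.1 or later; random_bytes() stands in for mcrypt_create_iv(), since the mcrypt extension left PHP core in 7.2; every function name is hypothetical and the passwords are constructed for the self-check.

```php
<?php
// Editor's added example, not code from the screencast, its zip file or the spark.
// Assumes PHP 7.1+; function names here are hypothetical.

const SALT_HEX_LEN = 64; // bin2hex() of 32 random bytes, as in the screencast

function check(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
}

// Same layout as the screencast: salt (64 hex chars) . sha256(salt . password).
function make_salted_hash(string $password): string
{
    // random_bytes() replaces mcrypt_create_iv(32, MCRYPT_DEV_URANDOM); mcrypt left
    // PHP core in 7.2, and a host without the extension is one cause of a blank page.
    $salt = bin2hex(random_bytes(32));
    return $salt . hash('sha256', $salt . $password);
}

// The verification step: split the stored value, recompute, compare in constant time
// so a timing difference does not reveal how many leading bytes matched.
function verify_salted_hash(string $password, string $stored): bool
{
    if (strlen($stored) !== 2 * SALT_HEX_LEN) {
        return false;
    }
    $salt = substr($stored, 0, SALT_HEX_LEN);
    $hash = substr($stored, SALT_HEX_LEN);
    return hash_equals($hash, hash('sha256', $salt . $password));
}

// The layout Will B warns against: the salt never touches the password hash, so the
// second half is plain sha256($password) and one ordinary dictionary covers every row.
function separately_hashed(string $password): string
{
    return hash('sha256', bin2hex(random_bytes(32))) . hash('sha256', $password);
}

// Key stretching: bcrypt embeds its own salt and cost factor in the returned string,
// so the stored value is self-describing and no manual splitting is needed.
function make_stretched_hash(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
}

function verify_stretched_hash(string $password, string $stored): bool
{
    return password_verify($password, $stored);
}

// Self-check with constructed passwords.
$stored = make_salted_hash('correct horse');
check(strlen($stored) === 128, 'salt and hash are 64 hex chars each');
check(verify_salted_hash('correct horse', $stored), 'right password verifies');
check(!verify_salted_hash('wrong horse', $stored), 'wrong password is rejected');
check(!verify_salted_hash('correct horse', substr($stored, 1)), 'malformed value is rejected');

// Per-user salts: the same password stored twice yields two different values, so a
// dictionary built against one row says nothing about the next one.
check(make_salted_hash('correct horse') !== $stored, 'fresh salt on every call');

// Separately hashed: the second half does not depend on the salt at all.
check(substr(separately_hashed('correct horse'), 64) === hash('sha256', 'correct horse'),
      'unsalted half is a plain sha256 of the password');

$stretched = make_stretched_hash('correct horse');
check(verify_stretched_hash('correct horse', $stretched), 'bcrypt verifies');
check(!verify_stretched_hash('wrong horse', $stretched), 'bcrypt rejects');
echo "ok\n";
```

The salted layout forces one dictionary per row, which is the argument made above; bcrypt additionally makes each guess slow, which is what key stretching adds on top of salting. Whichever is used, the stored column must be wide enough: 128 characters for the screencast layout, 60 for bcrypt output.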
-
Shawn McCool posted...
As long as auto-loading is working for you let's not look a gift horse in the mouth. =)
-
Shawn McCool posted...
After looking into the issue more thoroughly I've come to the conclusion that I will not support version 2.0.3. If you want to make the necessary adjustment to MY_Loader.php (change _ci_autoloader references to ci_autoloader) then that is your choice.
However, since CI 2.0.3 is a minor revision change and actually breaks legitimately extended code then it should be considered as a broken release. I'm waiting for further word back from the CI 2 developers before I'm willing to move from this stance.
-
Nick Morgan posted...
Shawn, I have been using this implementation and love it very much, but I seem to have a small (but somewhat serious) problem. For some reason, when I try to load a method that doesn't exist inside a controller that does exist, the Session Library isn't being autoloaded, and PHP Fatal Errors occur.
I have no idea why the Session Library isn't being autoloaded in this situation, but it is normally autoloaded fine, and I've been using sessions and flashdata throughout the rest of my application without any problem. The error is happening inside the constructor of MY_Controller where it looks for the "id" session variable. As a solution attempt, when I try to load the session variable explicitly with $this->load->library('session') in the line before where the error happens, the error still happens. It seems that the Session Library still isn't being loaded. WTF?
Otherwise, this implementation works fine and I love it, but I hate having potential errors that are not gracefully handled. Have you experienced this problem and know what to do about it?
-
Nguyen Loc Duy posted...
Very nice tutorial, I'm reaching part 6 of this series. One problem, if I upgrade to CI 2.1 the "Fatal error: Class 'User' not found in" appears again. Do you know how to fix this?
-
Matthew Machuga posted...
Sorry for that delay, Shawn. Since Disqus doesn't send notifications I didn't think anyone had replied. Whoops!
Anyway, yes I agree that profiling is important and I am actually rather disappointed that developers haven't added it into the core. I also don't really care for the fact it won't export the actual variables without modification. I'll look into adding the profiler to my spark for sure, but I think I'm going to look into tweaking the framework a bit as well.
Thanks!
-
Matthew Machuga posted...
Hello everyone! I saw this comment and have not been contacted by Shawn so I figured I'd just reply inline with this comment/request. Firstly, thank you for using and promoting my spark :). Secondly, while I can see the usefulness of adding this, let me explain my reservations.
I personally prefer to keep my logging for PHPActiveRecord in its own separate log sometimes, so I haven't really thought to integrate it with the CI Logger. This would be wise in many cases, however, I feel if I supply my own logger class I may be conflicting with other Logging class names (I could namespace it to avoid this), and I'm sure others already have their specialized logging classes they could simply plug in as you've shown.
As another small point, I have in the past tried to keep the PHPActiveRecord bootstrapper untouched, though in version 0.0.2 I will be tweaking the autoloader to include Modular Extensions (HMVC) model directories seamlessly. So if enough people request an embedded logger, I will consider throwing it in there.
Thanks again!
-
Hojin Jang posted...
thanks a lot! :)
-
Feik Tamás posted...
One thing that you haven't said, and it's important:
the names of tables.
When I create a model called 'cms_user' then it'll query a table with the name 'cms_users'
( +s ).
Is it possible to change in the model what the table name will be?
BTW if somebody gets the database, then usually they get the source too, then they can see that only the second part of the hash is important. Then they can also make a sha256 dictionary..
( I have some more secure way to improve this )
The next screencast shall be a multilevel authentication.
For example, when you store a serialized array in a table, which exactly points out for what modules what access you have. ( Array('news' => 1,'downloads' => 1,'users' => 0)) etc..
EDIT:
I found the solution ->
// explicit table name
static $table_name = 'simple_book';
// explicit pk
static $primary_key = 'book_id';
-
Eljon Curry posted...
bin2hex(mcrypt_create_iv(32, MCRYPT_DEV_URANDOM)); is causing a white page for me. I'm on php 5.3, CI 2.1.0 (activerecord 0.0.2 not that it matters). I've dug around the php manual and see no dependencies. It throws no errors or warnings. Any ideas?
-
Chinedu Michael posted...
This is good!! But I think the one downside I have seen so far is that the PHP-ActiveRecord queries do not show in CodeIgniter profiler. This can really be problem when trying to debug.