Mahngiel Posted August 7, 2012

I am using your method of creating the salt on the fly withOUT storing the users unique salt in the database. So I'm assuming $user->salt will work?

Why on earth would you do that? You would NEVER accomplish finding a pair. The salt method I provided to you earlier generates a random 32 character string. If you do not save this salt, you will never match it.

Lastly, I am getting the Fatal error: Call to undefined method User_model::get_user() in /Users/michaelsanger/Sites/cl_ci_new/application/controllers/auth.php on line 34 error again.

You didn't add that method to your model

CONTROLLER:

    <?php
    function validate_credentials() {
        // loading the model with the second object being the database name?
        $this->load->model('user_model', 'users');

The second parameter passed to the load object is a reference name. You could have a class called Uber_long_and_retarded_class_name_model and pass 'uber' as the second parameter to use $this->uber->method().

CONTROLLER:

    <?php
    // when the user hits submit and enters their info, the following checks takes what they entered and stores it in $data and sends over to the model to run and check the query log the user in and start their session.
    $login = $this->input->post('submit');
    if($login) {
        $user = $this->users->get_user( array('email' => $this->input->post('email')) );
        $query = $this->user_model->validate();
    }

a) maybe you retrieved a return on $user, maybe you didn't. You haven't checked.
b) you're not sending anything to your validation model, which it is expecting

CONTROLLER:

    <?php
    if($user) {
        $data = array(
            'email' => $user->email,
            'password' => $this->encrypt->sha1($user->salt. $this->encrypt->sha1($this->input->post('password')))
        );
        $user = $this->users->get_user($data);
    }

a) now you're checking if your user object returned anything useful. problem is, you don't have a value for $user->salt

CONTROLLER:

    <?php
    if($query) {
        $data = array(
            'email' => $this->input->post('email'),
            'is_logged_in' => true
        );
        $this->session->set_userdata($data);
        redirect('account/dashboard');
    }

a) query will not return because you didn't pass the parameter above
b) why are you setting arrays for your userdata?

    $this->session->set_userdata('key', 'value');
    echo $this->session->userdata('key');

CONTROLLER:

    <?php
        else {
            $this->index();
        }
    }

You've provided no output for the user on failure. Why?

MODEL:

    // takes the data created by the user from the controller and checks it with the database
    function validate($data) {
        $this->output->enable_profiler(TRUE);
        $query = $this->db->where($data)->get('users', 1);
        if($query->row()) {
            return $query->row();
        }
    }

Though this is a valid use, it's not logical. Your model should not validate your user, it should only return data and your controller decide if it's valid. Then, your controller can do other actions against that. Your models should have methods that perform tasks. See if you can guess what these do merely by their titles

    get_user()
    get_users()
    delete_user()
    add_user()
    count_users()
RalphLeMouf (Author) Posted August 8, 2012

ok I think I'm super close. I've fixed my salt problem and added 'alnum' so it's hashing properly and have stored it in a row in my db. However I am not sure on how to pass the method to the user model ( undefined method error ) It seems that I'm doing that with $data: Here is my current configuration -

CONTROLLER:

    function validate_credentials() {
        $this->load->model('user_model', 'um');
        $login = $this->input->post('submit');
        $user = $this->um->validate( array('email' => $this->input->post('email')) );
        if($login) {
            $user = $this->um->get_user(array('email' => $this->input->post('email')));
        }
        if($user) {
            $data = array(
                'email' => $user->email,
                'password' => $this->encrypt->sha1($user->salt. $this->encrypt->sha1($this->input->post('password')))
            );
            $user = $this->um->get_user($data);
        }
        if($query) {
            $this->session->set_userdata($data);
            redirect('account/dashboard');
        } else {
            $this->index();
        }
    }

MODEL:

    function validate($data) {
        $this->output->enable_profiler(TRUE);
        $query = $this->db->where($data)->get('users', 1);
        if($query->row()) {
            return $query->row();
        }
    }
RalphLeMouf (Author) Posted August 8, 2012

I just noticed a mistake I made. I went ahead and fixed it and changed

    $user = $this->um->get_user(array('email' => $this->input->post('email')));

to

    $user = $this->um->validate(array('email' => $this->input->post('email')));
RalphLeMouf (Author) Posted August 8, 2012

Ok - I think I'm in the right spot and understanding everything. For some reason the post pw field is not getting hashed via $this->output->enable_profiler(TRUE); I've made new comments for everything:

CONTROLLER:

    function validate_credentials() {
        // WHEN THE VIEW IS LOADED THIS FUNCTION IS CALLED AND LOADS MODEL AS WELL AS DEFINES THE SALT VARIABLE AND LOADS THE ENCRYPTING HELPER LIBRARY
        $this->load->model('user_model', 'um');
        $login = $this->input->post('submit');
        $salt = $this->_salt();
        $this->load->library('encrypt');

        //IF THE SUBMIT BUTTON IS TRIGGERED THE POST DATA IS SENT TO THE VALIDATE FUNCTION IN THE MODEL VIA VARIABLES CREATED
        if($login) {
            $data = array(
                'email' => $this->input->post('email'),
                'password' => $this->encrypt->sha1($user->salt. $this->encrypt->sha1($this->input->post('password')))
            );
            $user = $this->um->validate($data);
        }

        // IF ITS A REAL USER OPEN THE GATE AND LET THEM IN
        if($user) {
            $this->session->set_userdata($data);
            redirect('account/dashboard');
        } else {
            // RELOAD THE LOGIN VIEW IF INFO DOESN'T CHECK OUT
            $this->index();
        }
    }

MODEL:

    function validate($data) {
        $this->output->enable_profiler(TRUE);
        // TAKING THE DATA FROM THE MODEL AND CHECKING IT AGAINST THE STORED INFO IN THE DB
        $query = $this->db->where($data)->get('users', 1);
        if($query->row()) {
            return $query->row();
        }
    }
Mahngiel Posted August 9, 2012

lol @ hashing with profiler. The profiler is a benchmark library. Do you read the manual? http://codeigniter.com/user_guide/general/profiling.html

this:

    $this->encrypt->sha1($user->salt. $this->encrypt->sha1($this->input->post('password')))

is what's hashing your password.
RalphLeMouf (Author) Posted August 9, 2012

haha not hashing with the profiler. I have it in there to check if/how my queries are running. Just using it as a troubleshooter. That being said when the query is run, the password is being hashed, but in the profiler the post values that are being shown, shows that the password is being entered as clear text to COMPARE to the hashed stored in the db
Mahngiel Posted August 9, 2012

i see what you're saying now. ha. so have you created a new user, this time saving the salt created at registration into the user's db row? is the comparison method the same as the registration method?
RalphLeMouf (Author) Posted August 9, 2012

yes, I have successfully created a new user with a unique salt that is being stored in the appropriate rows in my database. It appears to be the same conceptually as far as I can tell, however I'm not convinced that password entered in post is being properly utilized with the salt and hash.

CREATE USER-CONTROLLER:

    function create_member() {
        $this->load->library('form_validation');
        $this->form_validation->set_rules('first_name', 'First Name', 'trim|required');
        $this->form_validation->set_rules('last_name', 'Last Name', 'trim|required');
        $this->form_validation->set_rules('email', 'Email', 'trim|required|valid_email');
        $this->form_validation->set_rules(sha1('password', 'trim|required|max_length[32]'));
        $this->form_validation->set_rules('password2', 'Confirm Password', 'trim|required|matches[password]');

        if($this->form_validation->run() == FALSE) {
            $data['main_content'] = 'home/home_page';
            $this->load->view('includes/templates/home_page_template', $data);
        } else {
            $this->load->model('user_model');
            if($query = $this->user_model->create_member()) {
                $data['main_content'] = 'account/welcome';
                $this->load->view('includes/templates/main_page_template', $data);
            } else {
                $this->load->view('home/home_page');
            }
        }
    }

CREATE USER-MODEL:

    function create_member() {
        $salt = $this->_salt();
        $this->load->library('encrypt');
        $new_member_insert_data = array(
            'first_name' => $this->input->post('first_name'),
            'last_name' => $this->input->post('last_name'),
            'email' => $this->input->post('email'),
            'password' => $this->encrypt->sha1($salt . $this->encrypt->sha1($this->input->post('password'))),
            'salt' => $this->encrypt->sha1($salt)
        );
        $insert = $this->db->insert('users', $new_member_insert_data);
        return $insert;
    }
    }

LOGIN CONTROLLER:

    function validate_credentials() {
        // WHEN THE VIEW IS LOADED THIS FUNCTION IS CALLED AND LOADS MODEL AS WELL AS DEFINES THE SALT VARIABLE AND LOADS THE ENCRYPTING HELPER LIBRARY
        $this->load->model('user_model', 'um');
        $login = $this->input->post('submit');
        $this->load->library('encrypt');
        $salt = $this->_salt();

        //IF THE SUBMIT BUTTON IS TRIGGERED THE POST DATA IS SENT TO THE VALIDATE FUNCTION IN THE MODEL VIA VARIABLES CREATED
        if($login) {
            $data = array(
                'email' => $this->input->post('email'),
                'password' => $this->encrypt->sha1($user->salt. $this->encrypt->sha1($this->input->post('password')))
            );
            $user = $this->um->validate($data);
        }

        // IF ITS A REAL USER OPEN THE GATE AND LET THEM IN
        if($user) {
            $this->session->set_userdata($data);
            redirect('account/dashboard');
        } else {
            $this->index();
        }
    }

LOGIN MODEL:

    function validate($data) {
        $this->output->enable_profiler(TRUE);
        // TAKING THE DATA FROM THE MODEL AND CHECKING IT AGAINST THE STORED INFO IN THE DB
        $query = $this->db->where($data)->get('users', 1);
        if($query->row()) {
            return $query->row();
        }
    }
RalphLeMouf (Author) Posted August 9, 2012

so to summarize: I'm also suspicious of my hashing methods and them being implemented properly as well as the main problem - the logic and flow and correctness of the whole lot.
Mahngiel Posted August 9, 2012

I've written this for you at least three times now, and you still continue to pervade my advice. In your LOGIN controller, you're creating a new hash - even though you're not using it, it's probably confusing you. The largest issue is you still are not retrieving the user's salt.

    $data = array(
        'email' => $this->input->post('email'),
        'password' => $this->encrypt->sha1($user->salt. $this->encrypt->sha1($this->input->post('password')))
    );

You've never defined $user. It's a two step process. $user->salt comes from querying for the matching email.
RalphLeMouf (Author) Posted August 9, 2012

I assume you mean to

    $user = $this->um->validate($data);

before the $data array because as far as I can tell that is defining $user. In the meantime I'm going to examine all of the code you've posted to get to the bottom of that.
RalphLeMouf (Author) Posted August 9, 2012

per my pm I just sent you:

CONTROLLER:

    function validate_credentials() {
        // WHEN THE VIEW IS LOADED THIS FUNCTION IS CALLED AND LOADS MODEL AS WELL AS DEFINES THE SALT VARIABLE AND LOADS THE ENCRYPTING HELPER LIBRARY
        $this->load->model('user_model', 'um');
        $login = $this->input->post('submit');
        $this->load->library('encrypt');

        //IF THE SUBMIT BUTTON IS TRIGGERED THE POST DATA IS SENT TO THE VALIDATE FUNCTION IN THE MODEL VIA VARIABLES CREATED
        if($login) {
            $user = $this->um->validate(array('email' => $this->input->post('email')));
            if( $user ) {
                // now, using that returned row, grab the salt from it and use it in a second query where you apply the same hash method
                $data = array(
                    'email' => $user->email,
                    'password' => $this->encrypt->sha1( $user->salt . $this->encrypt->sha1($this->input->post('password')))
                );
                // send that new array back to get_user
                $user = $this->um->validate( $data );
                $this->session->set_userdata($data);
                redirect('account/dashboard');
            } else {
                $this->index();
            }
        }
    }

MODEL:

    function validate($data) {
        $this->output->enable_profiler(TRUE);
        // TAKING THE DATA FROM THE MODEL AND CHECKING IT AGAINST THE STORED INFO IN THE DB
        $query = $this->db->where($data)->get('users', 1);
        if($query->row()) {
            return $query->row();
        }
    }
Mahngiel Posted August 9, 2012

that looks appropriate. You can always debug your code by echo'ing the contents of the retrieved row's password and the encrypted user input. if those don't match, you have a problem with consistency in your encryption method
RalphLeMouf (Author) Posted August 9, 2012

solved:

CONTROLLER:

    function validate_credentials() {
        // WHEN THE VIEW IS LOADED THIS FUNCTION IS CALLED AND LOADS MODEL AS WELL AS DEFINES THE SALT VARIABLE AND LOADS THE ENCRYPTING HELPER LIBRARY
        $this->load->model('user_model', 'um');
        $login = $this->input->post('submit');
        $this->load->library('encrypt');

        //IF THE SUBMIT BUTTON IS TRIGGERED THE POST DATA IS SENT TO THE VALIDATE FUNCTION IN THE MODEL VIA VARIABLES CREATED
        if($login) {
            $user = $this->um->validate(array('email' => $this->input->post('email')));
            if( $user ) {
                // CHECK THE USER'S PASSWORD AGAINST THE ONE FROM THE LOGIN FORM
                if($user->password == $this->encrypt->sha1( $user->salt . $this->encrypt->sha1($this->input->post('password')))) {
                    $this->session->set_userdata(array( 'email' => $this->input->post('email') ));
                    redirect('account/dashboard');
                    exit;
                }
            }
        }
        $this->index();
    }

MODEL:

    function validate($data) {
        // TAKING THE DATA FROM THE MODEL AND CHECKING IT AGAINST THE STORED INFO IN THE DB
        $this->output->enable_profiler(TRUE);
        $query = $this->db->where($data)->get('users', '1');
        if($query->row()) {
            return $query->row();
        }
    }

I also figured out that I was mistakenly storing the salt hashed on the create user function so that was huge
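
Added example (not code from the thread's participants or from CodeIgniter): the salt round trip the thread converges on, in plain PHP, including the hashed-salt mistake from the last post failing to match. It also shows hash_equals() in place of == and password_hash()/password_verify() as the purpose-built replacement for hand-rolled salted SHA-1. Assumptions: PHP's sha1() stands in for $this->encrypt->sha1(), an in-memory array stands in for the users table, and all function names, addresses and passwords are constructed.

```php
<?php
// Added illustration; $users stands in for the thread's `users` table.
$users = [];

// The thread's scheme; PHP's sha1() stands in for $this->encrypt->sha1().
function thread_hash(string $salt, string $password): string {
    return sha1($salt . sha1($password));
}

// Registration. $hashStoredSalt = true reproduces the mistake from the last
// post: the password is hashed with the raw salt but sha1(salt) is saved.
function register(array &$users, string $email, string $password, bool $hashStoredSalt): void {
    $salt = bin2hex(random_bytes(16)); // 32-character random salt (assumed format)
    $users[$email] = [
        'salt'     => $hashStoredSalt ? sha1($salt) : $salt,
        'password' => thread_hash($salt, $password),
        // password_hash() generates and embeds its own salt and cost.
        'modern'   => password_hash($password, PASSWORD_DEFAULT),
    ];
}

// Login: fetch the row by email first, then rebuild the hash with the stored
// salt and compare in constant time (hash_equals rather than ==).
function login(array $users, string $email, string $password): bool {
    if (!isset($users[$email])) {
        return false;
    }
    $row = $users[$email];
    return hash_equals($row['password'], thread_hash($row['salt'], $password));
}

// Same login using the built-in password API instead of salted SHA-1.
function login_modern(array $users, string $email, string $password): bool {
    return isset($users[$email])
        && password_verify($password, $users[$email]['modern']);
}

// Constructed accounts and passwords.
register($users, 'hashed-salt@example.test', 'constructed-pass', true);
register($users, 'raw-salt@example.test', 'constructed-pass', false);

var_dump(login($users, 'hashed-salt@example.test', 'constructed-pass'));
var_dump(login($users, 'raw-salt@example.test', 'constructed-pass'));
var_dump(login($users, 'raw-salt@example.test', 'wrong-pass'));
var_dump(login_modern($users, 'raw-salt@example.test', 'constructed-pass'));
var_dump(login_modern($users, 'unknown@example.test', 'constructed-pass'));
```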