# |
Feb 12th 2020, 07:24 |
ishan |
How can I get the HTML response as a string in CakePHP >= 3.5? I want the same output as `$response->body()`, but since it's deprecated, what is the best alternative? I've tried using `$response->getBody()`, but it returns an object of `\Zend\Diactoros\Stream` instead of a string. |
# |
Feb 12th 2020, 07:13 |
ishan |
Hello, Good morning |
# |
Feb 12th 2020, 07:02 |
alexdd55976 |
morning |
# |
Feb 12th 2020, 05:10 |
md.islam11 |
It is always returning something: `{ "success": true, "data": { "id": 24 } }` |
# |
Feb 12th 2020, 05:10 |
md.islam11 |
How do I make a custom return type for `return $this->Crud->execute();`? |
# |
Feb 12th 2020, 05:08 |
md.islam11 |
Hello |
# |
Feb 11th 2020, 20:24 |
thomas078 |
still works..ok |
# |
Feb 11th 2020, 20:15 |
thomas078 |
Cake 3.8.9: `isAuthorized($user)`, should it still work?? |
# |
Feb 11th 2020, 19:43 |
np |
@phantomwatson OK, the problem is with the scrutinizer. Thanks. |
# |
Feb 11th 2020, 19:31 |
np |
We have upgraded the app from CakePHP 3 to 4, the config is the same, and now the error comes from the https://scrutinizer-ci.com/ tool. I'll try a different way now. |
# |
Feb 11th 2020, 19:29 |
phantomwatson |
And you can connect to the database using 'root' and no password through other means, like phpMyAdmin or via a command line? Just to rule out there being something wrong/missing with the database. |
# |
Feb 11th 2020, 19:26 |
np |
@phantomwatson yes, it's `test` and `null`. |
# |
Feb 11th 2020, 19:22 |
phantomwatson |
@np, it looks like you're running a test. Are you sure that you set the password to `null` in the `'test'` configuration in `app.php`? |
# |
Feb 11th 2020, 19:20 |
jslamka5685 |
@phantomwatson Thank you |
# |
Feb 11th 2020, 19:19 |
phantomwatson |
@jslamka5685, I think that's `Date::i18nFormat(Date::$niceformat)` |
# |
Feb 11th 2020, 18:56 |
np |
Hello, how do I set up a DB without a password in CakePHP 4? We tried `'password' => ''` and `'password' => null`, but: `PHPUnit 8.5.2 by Sebastian Bergmann and contributors. IIIIIIIIIIIIIIII..Exception: SQLSTATE[HY000] [1045] Access denied for user 'root'@'localhost' (using password: YES)` |
# |
Feb 11th 2020, 18:54 |
jslamka5685 |
When a date is being output in a template, it has a default "friendly" output. What function is being run to apply this formatting? |
# |
Feb 11th 2020, 17:39 |
damiano |
thanks |
# |
Feb 11th 2020, 17:38 |
damiano |
yeah got it |
# |
Feb 11th 2020, 17:38 |
phantomwatson |
This is assuming that the request also transmits user data, like a username or a user ID that you'd use to figure out which user is trying to log in. |
# |
Feb 11th 2020, 17:37 |
phantomwatson |
which you'd be generating on the fly. That way, tokens won't get exposed if someone gets into your database. |
# |
Feb 11th 2020, 17:37 |
phantomwatson |
Another option is to randomly generate a single salt (or use the `Security.salt` configuration value that's already in CakePHP) that you use for everyone's token. Then, you don't need to store the token in the database at all, because whenever there's a token in a request, you can compare it to `Security::hash($entity->username . $entity->password . $salt, 'sha1', true);` |
# |
Feb 11th 2020, 17:35 |
damiano |
in db |
# |
Feb 11th 2020, 17:35 |
damiano |
yes |
# |
Feb 11th 2020, 17:35 |
phantomwatson |
So this token is stored in the database? |
# |
Feb 11th 2020, 17:34 |
phantomwatson |
If you want to get wacky, you could generate the token by `hash($username . $passwordHash)` in order for that remote possibility of someone deriving the password from the publicly-transmitted authentication token to be even less likely. But whenever people are hashing hashes, people tend to consider that a code smell that indicates that something dumb is happening. |
# |
Feb 11th 2020, 17:34 |
damiano |
Maybe `randomString()` there is pointless. |
# |
Feb 11th 2020, 17:34 |
damiano |
this is what i did: `$entity->token = Security::hash($entity->username . $entity->password . Security::randomString(24), 'sha1', true);` |
# |
Feb 11th 2020, 17:31 |
damiano |
@phantomwatson sure!! hehe |
# |
Feb 11th 2020, 17:31 |
phantomwatson |
(Assuming usernames must be unique ;) ) |
# |
Feb 11th 2020, 17:31 |
damiano |
but i must add a salt for sure |
# |
Feb 11th 2020, 17:31 |
damiano |
Yeah, I would like to avoid it. I mean, I would like to save and stop; as @neon1024 said, I can hash(user + password), and in that way I will surely get a unique token. |
# |
Feb 11th 2020, 17:30 |
phantomwatson |
If you just need a unique string and that's the only requirement, then you could literally just generate a random string and test it for uniqueness before setting it. That would be perfectly fine for a small user pool, but might cause long database lookups if you have a billion users. |
# |
Feb 11th 2020, 17:30 |
damiano |
However, if my database gets exposed, they will copy the token and that's all; they can do whatever they want with the user token... I am implementing login via user/password, token and cookie. |
# |
Feb 11th 2020, 17:28 |
damiano |
@phantomwatson but is there any other method to create a safe token? |
# |
Feb 11th 2020, 17:27 |
damiano |
ok @phantomwatson |
# |
Feb 11th 2020, 17:27 |
damiano |
UUIDs look insecure to me |
# |
Feb 11th 2020, 17:27 |
phantomwatson |
If it's not salted, and if your database gets exposed, and if someone else knows what hashing function you're using and how your inputs are concatenated together, they could theoretically (and easily, if the password is weak) generate a rainbow table of hashes that correspond to different passwords until they find a hash that matches the one stored for that user. Then they'll know what the user's password is. With a long and secret salt, to do the same thing, they would essentially need to guess two passwords at the same time, and one of them is guaranteed to be long enough that it's impractical to ever brute-force it. |
# |
Feb 11th 2020, 17:22 |
damiano |
sha256 seems too long for a token |
# |
Feb 11th 2020, 17:21 |
damiano |
@phantomwatson otherwise? :) |