(Note: this is a reposting of an entry I made when trying out Habari as my blog software. If you missed it, I hope you enjoy it now.

For a consulting job I'm working on where I'm porting a spaghetti-PHP application over to using CakePHP I am moving their existing authorization system over to using Cake's Auth component. Of course, they are storing all their passwords in plaintext in the user account table, so I needed an easy way to convert all the existing passwords over to be encrypted using the same hash that Auth would use. Doing this was surprisingly easy thanks to the power of shells and tasks in CakePHP..

~~~ /** * Shell for encrypted naked passwords with the correct hash for use * with the Auth component * * @auth Chris Hartjes */ class EncryptPasswordsShell extends Shell { var $uses = array('UserClient'); function main() { App::import('Core', 'Security'); $this->out("Starting to encrypt passwords\n\n"); $this->UserClient->recursive= -1; $users = $this->UserClient->find('all'); foreach ($users as $user) { $userName = $user['UserClient']['username']; $password = $user['UserClient']['password']; if ($password != '') { $data = array('UserClient' => array( 'id' => $user['UserClient']['id'], 'password' => Security::hash($password, null, true)) ); if ($this->UserClient->save($data)) { $this->out("Updated password for {$userName}"); } } else { $this->out("Bad password for {$userName}"); } } } } ~~~

I think the code in there is pretty self-explanatory. The only "gotcha" I ran into (fixed by a look at the Auth component itself) was that I needed to tell Security::hash() that I wanted to use the salt I defined in my config file. By default that parameter is set to false, hence the need to explicitly set it to true.

Thank to Mark Story for pointing me in the right direction for this.