Hi all, I noticed fields using the Password type don’t get hashed when saved.
A quick dirty fix for this is to add the following function to the include/SugarFields/Fields/Password/SugarFieldPassword.php file:
public function save(&$bean, $params, $field, $properties)
{
    $bean->$field = md5($bean->$field);
}
This is not in any way secure, as it uses MD5 and the hash isn’t salted, but it will make sure that passwords are not stored in the database as plaintext.
Although that is not a standard field type in SuiteCRM, I’m sure it can help people who manually added it to their system.
Thanks!!!
It is a standard field type, but it is omitted from Studio.
To use the type, the type of the field in the variable definitions needs to be changed to password.
On top of this, I found a much better way to do passwords using bcrypt, and I realised the SugarFieldBase class files are executed twice (they were at least when I was doing this), so my SugarFieldPassword file now looks like:
<?php
require_once 'include/SugarFields/Fields/Base/SugarFieldBase.php';

class SugarFieldPassword extends SugarFieldBase
{
    /**
     * @see SugarFieldBase::importSanitize()
     */
    public function importSanitize(
        $value,
        $vardef,
        $focus,
        ImportFieldSanitize $settings
    ) {
        // Imported values are still hashed with unsalted MD5, unlike save() below.
        $value = md5($value);
        return $value;
    }

    // Bean id => names of the fields already hashed during this request.
    private static $saved = [];

    public function save(&$bean, $params, $field, $properties, $prefix = '')
    {
        parent::save($bean, $params, $field, $properties, $prefix);

        // save() can run twice for the same bean; skip fields already hashed.
        if (
            array_key_exists($bean->id, self::$saved)
            && in_array($field, self::$saved[$bean->id])
        ) {
            return;
        }

        $bean->$field = password_hash($bean->$field, PASSWORD_BCRYPT);

        // Record the field so a repeated call does not hash the hash.
        if (! array_key_exists($bean->id, self::$saved)) {
            self::$saved[$bean->id] = [$field];
        } elseif (! in_array($field, self::$saved[$bean->id])) {
            array_push(self::$saved[$bean->id], $field);
        }
    }
}
2 Likes
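An added example, not code from this thread or from SuiteCRM: a stateless way to avoid hashing a value twice, plus verification that accepts both bcrypt hashes and the unsalted MD5 digests produced by the earlier quick fix and upgrades the latter. The helper names are hypothetical, and it assumes the stored value is either a `password_hash()` output or a 32-character MD5 hex digest.

```php
<?php
// Added example: helper names are hypothetical, not SuiteCRM APIs.

/** True when $value is already a password_hash() output (bcrypt, argon2). */
function isPasswordHash(string $value): bool
{
    return password_get_info($value)['algoName'] !== 'unknown';
}

/**
 * Hash a field value once. A repeated call (the double save() described
 * above) gets the stored hash back instead of a hash of the hash.
 * Caveat: a plaintext shaped exactly like a hash would be stored unhashed.
 */
function hashPasswordFieldOnce(string $value): string
{
    return isPasswordHash($value) ? $value : password_hash($value, PASSWORD_BCRYPT);
}

/**
 * Verify $candidate against $stored, which is either a bcrypt hash or a
 * legacy unsalted MD5 hex digest from the earlier quick fix.
 * Returns [matched, replacementHash|null]; store the replacement if set.
 */
function verifyPasswordField(string $candidate, string $stored): array
{
    if (isPasswordHash($stored)) {
        $ok = password_verify($candidate, $stored);
        $stale = $ok && password_needs_rehash($stored, PASSWORD_BCRYPT);
    } else {
        // Legacy path: constant-time compare of the MD5 digest.
        $ok = preg_match('/^[0-9a-f]{32}$/', $stored) === 1
            && hash_equals($stored, md5($candidate));
        $stale = $ok; // always migrate a matching MD5 value to bcrypt
    }
    return [$ok, $stale ? password_hash($candidate, PASSWORD_BCRYPT) : null];
}

// Constructed sample values.
$hash = hashPasswordFieldOnce('s3cret-example');
var_dump(hashPasswordFieldOnce($hash) === $hash);      // simulated second save()
[$ok, $new] = verifyPasswordField('s3cret-example', md5('s3cret-example'));
var_dump($ok, $new !== null && isPasswordHash($new));  // legacy MD5 row
[$ok] = verifyPasswordField('wrong', $hash);
var_dump($ok);                                         // wrong candidate
```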
If you put the file into
custom/include/SugarFields/Fields/Password/SugarFieldPassword.php
it will support upgrade.
It was standard at one point. Now, the fact that it’s not included in Studio by default means it’s not fully supported, and that makes it not standard.
Again, thanks for sharing the information. I know many of us still rely on that field type.