ZF-7238: Zend_Form_Element_Hash namespace problem

Issue Type: Bug Created: 2009-07-10T03:49:57.000+0000 Last Updated: 2012-03-14T00:25:26.000+0000 Status: Closed Fix version(s): Reporter: Enrico Zimuel (zimuel) Assignee: Adam Lundrigan (adamlundrigan) Tags: - Zend_Form

Related issues: Attachments:


I notice a difference between the namespace of a Zend_Form_Element_Hash with this two examples:

$token = new Zend_Form_Element_Hash('token'); $token->setSalt(md5(uniqid(rand(), TRUE))); $this->addElement($token);

and this one:

$this->addElement('hash', 'token', array( 'salt' => md5(uniqid(rand(), true)), ));

If a use the first one in a validation check it works fine. With the second example the validation fails. For instance in the first scenario the namescape is "Zend_Form_Element_Hash_salt_token" and in the second is "Zend_Form_Element_Hash_124b1234e34535_token". In this example if a use the validation the session name it will be always failed.

For instance a simple login system into a Controller:

public function loginAction () { $flash = $this->_helper->getHelper('flashMessenger'); if ($flash->hasMessages()) { $this->view->message = $flash->getMessages(); }

    $this->view->form = new App_Form_Login();


public function submitAction () { $form = new App_Form_Login(); $request = $this->getRequest(); if (!$form->isValid($request->getPost())) { ... }

This example doesn't works because in the submitAction the instance of the object $form will have a different namespace, the token is generated each time.

My proposal is to change the getSessionName method of Zend/Form/Element/Hash.php:

public function getSessionName() { return CLASS . '' . $this->getSalt() . '' . $this->getName(); }

with this one:

public function getSessionName() { return CLASS . '_' . $this->getName(); }

What do you think?



Posted by Tom Graham (noginn) on 2009-08-18T06:26:48.000+0000

I think your usage is incorrect, the salt should be consistent for each request. Your method of using "md5(uniqid(rand(), TRUE))" means this will never be the case.

Posted by Enrico Zimuel (zimuel) on 2009-10-19T13:18:30.000+0000

I agree with you, you have to be consistent with the value of the sault and, in fact, it works in the first example. The data in POST are consistent with the SESSION value so it should be works.

Have you found an issue?

See the Overview section for more details.


© 2006-2017 by Zend, a Rogue Wave Company. Made with by awesome contributors.

This website is built using zend-expressive and it runs on PHP 7.