Working with Passwords in PHP


Another appliance of hash functions is authenticating a password entered in a
form on your web site with a password stored in your database.
For obvious
reasons, you don’t want to store unencrypted passwords in your database. You
want to prevent evil hackers who have access to your database (because the
sysadmin blundered) from stealing passwords used by your clients. Because
hash functions are not at all reversible, you can store the password hashed
with a function like md5() or sha1() so the evil hackers can’t get the password
in plain text.
The example Auth class implements two methods—addUser() and
authUser()—and makes use of the sha1() hashing function. The table scheme
looks like this:

CREATE TABLE users (
  email   VARCHAR(128) NOT NULL PRIMARY KEY,
  passwd CHAR(40) NOT NULL
);
We use a length of 40 here, which is the same as the sha1() digest in
hexadecimal characters:
<?php
class Auth {
    function Auth()
    {
        mysql_connect('localhost', 'user', 'password');
        mysql_select_db('my_own_bookshop');
    }
    public function addUser($email, $password)
    {
        $q = '
            INSERT INTO users(email, passwd)
               VALUES ("'. $email. '", "'. sha1($password).'")
        ';
        mysql_query($q);
    }
    public function authUser($email, $password)
    {
        $q = '
            SELECT * FROM users
            WHERE email="'. $email. '"
                AND passwd ="'. sha1($password). '"
        ';
        $r = mysql_query($q);
        if (mysql_num_rows($r) == 1) {
            return TRUE;
        } else {
            return FALSE;
        }
    }
}
?>
We didn’t use addslashes() around the $email and $password variables
earlier. We will do that in the script that calls the methods of this class:
<?php
/* Include our authentication class  and sanitizing function*/
require_once 'Auth.php';
require_once 'sanitize.php';

/* Define our parameters */
$sigs = array (
    'email'  => array ('required' => TRUE, 'type' => 'string',
        'function' => 'addslashes'),
    'passwd' => array ('required' => TRUE, 'type' => 'string',
        'function' => 'addslashes')
);
/* Clean up our input */
sanitize_vars(&$_POST, $sigs);
/* Instantiate the Auth class and add the user */
$a = new Auth();
$a->addUser($_POST['email'], $_POST['passwd']);
/* or… we instantiate the Auth class and validate the user */
$a = new Auth();
echo $a->authUser($_POST['email'], $_POST['passwd']) ? 'OK' :
➥'ERROR';
?>
After the user is added to the database, something like this appears in
your table:
+--------+------------------------------------------+
| user   | password                                 |
+--------+------------------------------------------+
| derick | 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8 |
+--------+------------------------------------------+
The first person who receives the correct password back from this
hash can ask me for a crate of Kossu.


Nhận xét

Đăng nhận xét

Bài đăng phổ biến từ blog này

Advanced Androd Games, ebook download

Welcome to Advanced Android 4 Games. This book will help you create great games for the Android platform. There are plenty of books out there that tackle this subject, but only this book gives you a unique perspective by showing you howeasy it is to bring native PC games to the platform with minimum effort. This is done using real-world examples and source code in each chapter. Keep in mind that before you dig intothis book, you will need a solid foundation in Java and ANSI C. I have tried to clearly and simply explain the most complicated concepts with a combination of graphics and sample code. The source code provided for each chapter will help you understand the concepts in detail and make the most of your time as a mobile game developer.
read more »