在Yii2的basic版本中默認是從一個數組驗證用戶名和密碼,如何改為從數據表中查詢驗證呢?且數據庫的密碼要為哈希加密密碼驗證?
下面我們就一步一步解析Yii2的登錄過程。
一. 創建user表模型
表結構如下:
CREATE TABLE `user` ( `id` int(11) NOT NULL AUTO_INCREMENT, `pid` int(11) NOT NULL DEFAULT '0' COMMENT '父id', `username` char(70) NOT NULL COMMENT '用戶名', `password` char(70) NOT NULL COMMENT '密碼', `type` tinyint(4) NOT NULL DEFAULT '4' COMMENT '類型(1:總店,2:門店,3:管理員)', `created_time` int(11) NOT NULL COMMENT '注冊時間', `updated_time` int(11) NOT NULL COMMENT '修改時間', `status` tinyint(4) NOT NULL DEFAULT '1' COMMENT '封禁狀態,0禁止1正常', `login_ip` char(20) NOT NULL COMMENT '登錄ip', `login_time` int(11) NOT NULL COMMENT '上一次登錄時間', `login_count` int(10) NOT NULL DEFAULT '0' COMMENT '登陸次數', `update_password` int(10) NOT NULL DEFAULT '0' COMMENT '修改密碼次數', PRIMARY KEY (`id`), KEY `pid` (`pid`), KEY `username` (`username`), KEY `type` (`type`), KEY `status` (`status`) ) ENGINE=InnoDB DEFAULT CHARSET=utf8 COMMENT='登錄管理表';
使用Gii創建user模型
將Yii2 basic之前user模型代碼導入現在user中(先備份之前basic中的user模型)
1 namespace app\models; 2 3 use Yii; 4 5 /** 6 * This is the model class for table "user". 7 * 8 * @property integer $id 9 * @property integer $pid 10 * @property string $username 11 * @property string $password 12 * @property integer $type 13 * @property integer $created_time 14 * @property integer $updated_time 15 * @property integer $status 16 * @property string $login_ip 17 * @property integer $login_time 18 * @property integer $login_count 19 * @property integer $update_password 20 */ 21 class User extends \yii\db\ActiveRecord implements \yii\web\IdentityInterface 22 { public $authKey; 23 /*public $id; 24 public $username; 25 public $password; 26 public $authKey; 27 public $accessToken; 28 29 private static $users = [ 30 '100' => [ 31 'id' => '100', 32 'username' => 'admin', 33 'password' => 'admin', 34 'authKey' => 'test100key', 35 'accessToken' => '100-token', 36 ], 37 '101' => [ 38 'id' => '101', 39 'username' => 'demo', 40 'password' => 'demo', 41 'authKey' => 'test101key', 42 'accessToken' => '101-token', 43 ], 44 ]; 45 */ 46 47 /** 48 * @inheritdoc 49 */ 50 public static function tableName() 51 { 52 return 'user'; 53 } 54 55 /** 56 * @inheritdoc 57 */ 58 public function rules() 59 { 60 return [ 61 [['pid', 'type', 'created_time', 'updated_time', 'status', 'login_time', 'login_count', 'update_password'], 'integer'], 62 [['username', 'password', 'created_time', 'updated_time', 'login_ip', 'login_time'], 'required'], 63 [['username', 'password'], 'string', 'max' => 70], 64 [['login_ip'], 'string', 'max' => 20] 65 ]; 66 } 67 68 /** 69 * @inheritdoc 70 */ 71 public function attributeLabels() 72 { 73 return [ 74 'id' => 'ID', 75 'pid' => 'Pid', 76 'username' => 'Username', 77 'password' => 'Password', 78 'type' => 'Type', 79 'created_time' => 'Created Time', 80 'updated_time' => 'Updated Time', 81 'status' => 'Status', 82 'login_ip' => 'Login Ip', 83 'login_time' => 'Login Time', 84 'login_count' => 'Login Count', 85 'update_password' => 'Update Password', 86 ]; 87 } 88 89 /** 90 * @inheritdoc 91 */ 92 public static function findIdentity($id) 93 { 94 return static::findOne($id); 95 //return isset(self::$users[$id]) ? new static(self::$users[$id]) : null; 96 } 97 98 /** 99 * @inheritdoc 100 */ 101 public static function findIdentityByAccessToken($token, $type = null) 102 { 103 return static::findOne(['access_token' => $token]); 104 /*foreach (self::$users as $user) { 105 if ($user['accessToken'] === $token) { 106 return new static($user); 107 } 108 } 109 110 return null;*/ 111 } 112 113 /** 114 * Finds user by username 115 * 116 * @param string $username 117 * @return static|null 118 */ 119 public static function findByUsername($username) 120 { 121 $user = User::find() 122 ->where(['username' => $username]) 123 ->asArray() 124 ->one(); 125 126 if($user){ 127 return new static($user); 128 } 129 130 return null; 131 /*foreach (self::$users as $user) { 132 if (strcasecmp($user['username'], $username) === 0) { 133 return new static($user); 134 } 135 } 136 137 return null;*/ 138 } 139 140 /** 141 * @inheritdoc 142 */ 143 public function getId() 144 { 145 return $this->id; 146 } 147 148 /** 149 * @inheritdoc 150 */ 151 public function getAuthKey() 152 { 153 return $this->authKey; 154 } 155 156 /** 157 * @inheritdoc 158 */ 159 public function validateAuthKey($authKey) 160 { 161 return $this->authKey === $authKey; 162 } 163 164 /** 165 * Validates password 166 * 167 * @param string $password password to validate 168 * @return boolean if password provided is valid for current user 169 */ 170 public function validatePassword($password) 171 { 172 return $this->password === $password; 173 } 174 }
之前的basic中User模型是繼承了\yii\base\Object,為什么要繼承這個類,那是因為
1 #在\yii\base\Object中,有構造方法 2 public function __construct($config = []) 3 { 4 if (!empty($config)) { 5 Yii::configure($this, $config); 6 } 7 $this->init(); 8 } 9 #繼續追蹤Yii::configure($this, $config)代碼如下 10 public static function configure($object, $properties) 11 { 12 foreach ($properties as $name => $value) { 13 $object->$name = $value; 14 } 15 16 return $object; 17 } 18 #正是因為有這兩個方法,所以在User.php中 19 public static function findByUsername($username) 20 { 21 foreach (self::$users as $user) { 22 if (strcasecmp($user['username'], $username) === 0) { 23 return new static($user); 24 } 25 } 26 27 return null; 28 } 29 #將$user傳遞過來,通過static,返回一個User的實例。
當通過數據表查詢時候沒有必要再繼承\yii\base\Object,因為不必為類似原來類變量賦值了。這個時候需要User模型繼承\yii\db\ActiveRecord,因為要查詢用。
findIdentity是根據傳遞的id返回對應的用戶信息,getId返回用戶id,getAuthKey和validateAuthKey是作用於登陸中的--記住我。這個authKey是唯一的,當再次登陸時,從cookie中獲取authKey傳遞給validateAuthKey,驗證通過,就登陸成功。
二. 模擬用戶數據登錄
插入一條用戶模擬數據
INSERT INTO `user` (`username`, `password`) VALUES ('admin', '123')
控制器Controller
1 /** 2 * 登錄 3 */ 4 public function actionLogin() { 5 if (!\Yii::$app->user->isGuest) { 6 return $this->goHome(); 7 } 8 9 $model = new LoginForm(); 10 if ($model->load(Yii::$app->request->post()) && $model->login()) { 11 12 13 $this->redirect(array('charisma/index')); 14 } else { 15 return $this->render('login', [ 16 'model' => $model, 17 ]); 18 } 19 }
veiws中的login.php
1 <div class="well col-md-5 center login-box"> 2 <div class="alert alert-info"> 3 請填寫您的用戶名和密碼 4 </div> 5 6 <?php $form = ActiveForm::begin([ 7 'id' => 'login-form', 8 ]); ?> 9 10 <fieldset> 11 <div class="input-group input-group-lg"> 12 <span class="input-group-addon"><i class="glyphicon glyphicon-user red"></i></span> 13 <?php echo Html::input('type','LoginForm[username]', $model->username, ['class'=>'form-control','placeholder'=>'Username']); ?> 14 </div> 15 <div class="clearfix"></div><br> 16 <div class="input-group input-group-lg"> 17 <span class="input-group-addon"><i class="glyphicon glyphicon-lock red"></i></span> 18 <?php echo Html::input('password','LoginForm[password]', $model->password, ['class'=>'form-control','placeholder'=>'Password']); ?> 19 </div> 20 <div class="clearfix"></div> 21 22 <div class="clearfix"></div> 23 <p class="center col-md-5"> 24 <input type="submit" class="btn btn-primary" value="Login"> 25 </p> 26 </fieldset> 27 <?php ActiveForm::end();?> 28 29 <?php 30 if($model->errors){ 31 echo '用戶名或密碼錯誤'; 32 print_r($model->errors); 33 } 34 35 36 37 ?> 38 39 </div>
用戶名admin, 密碼123, 登錄ok!
問題來了,我們使用的是明文保存的密碼,這樣很不安全,所以我們必須要把用戶注冊時的密碼哈希加密后再保存到數據庫。
注*
如若修改登錄的表要修改main.php 配置:
'components' => [ 'user' => [ 'identityClass' => 'app\models\Customer', 'enableAutoLogin' => true, ],
將identityClass中common\models\User 改為app\models\Customer, 此時Customer表便可為定了表
三. Yii的密碼加密
YII2對密碼加密生成的結果是不同的,即用相同的初始密碼在不同時間得到的加密結果不同,所以我們不能用常用的方法去驗證密碼是否正確(將密碼加密后與數據庫中的密碼相比較)。YII2有自己的加密以及密碼驗證流程。
加密
$hash = Yii::$app->getSecurity()->generatePasswordHash('123456');
驗證
Yii::$app->getSecurity()->validatePassword('123456', $hash) ; #,返回true或false
我們先通過Yii的加密機制加密 “123” 獲取哈希密碼為: $2y$13$eXQl9YCo5XcKqqy9ymd2t.SuOvpXYERidceXoT/bPt4iwmOW3GiBy
修改模擬數據admin的密碼:
UPDATE `user` SET `password`='$2y$13$eXQl9YCo5XcKqqy9ymd2t.SuOvpXYERidceXoT/bPt4iwmOW3GiBy' WHERE (`username`='admin')
四.密碼驗證過程
在控制器中我們通過 實例化LoginForm,
Yii::$app->request->post()來獲取post提交的值,通過$model->load()加載post數據
然后$model->login() 就是驗證登錄
$model = new LoginForm(); if ($model->load(Yii::$app->request->post()) && $model->login()) { $this->redirect(array('charisma/index')); }
我們跳轉到app\models\LoginForm的login方法
public function login() { if ($this->validate()) { return Yii::$app->user->login($this->getUser(), $this->rememberMe ? 3600*24*30 : 0); } else { return false; } }
login方法又是通過一個validate驗證方法 繼承vendor/yiisoft/yii2/base/Model.php
該驗證方法描述是這樣的:Performs the data validation. This method executes the validation rules applicable to the current [[scenario]]. The following criteria are used to determine whether a rule is currently applicable: - the rule must be associated with the attributes relevant to the current scenario; - the rules must be effective for the current scenario. This method will call [[beforeValidate()]] and [[afterValidate()]] before and after the actual validation, respectively. If [[beforeValidate()]] returns false, the validation will be cancelled and [[afterValidate()]] will not be called. Errors found during the validation can be retrieved via [[getErrors()]], [[getFirstErrors()]] and [[getFirstError()]].
我們打開model類的validate()
public function validate($attributeNames = null, $clearErrors = true) { if ($clearErrors) { $this->clearErrors(); } if (!$this->beforeValidate()) { return false; } $scenarios = $this->scenarios(); $scenario = $this->getScenario(); if (!isset($scenarios[$scenario])) { throw new InvalidParamException("Unknown scenario: $scenario"); } if ($attributeNames === null) { $attributeNames = $this->activeAttributes(); } foreach ($this->getActiveValidators() as $validator) { $validator->validateAttributes($this, $attributeNames); } $this->afterValidate(); return !$this->hasErrors(); }
也就是說獲取到場景且沒有錯誤的話,將場景yii\validators\RequiredValidator Object的每一個屬性實例化為對應Form規則(rules)實例
foreach ($this->getActiveValidators() as $validator) { $validator->validateAttributes($this, $attributeNames); }
現在找到LoginForm的驗證規則
/** * @return array the validation rules. */ public function rules() { return [ // username and password are both required [['username', 'password'], 'required'], // rememberMe must be a boolean value ['rememberMe', 'boolean'], // password is validated by validatePassword() ['password', 'validatePassword'], ]; }
其中username,password 必填, rememberMe為波爾類型, password通過ValidatePassword方法來驗證
查看validatePassword方法
/** * Validates the password. * This method serves as the inline validation for password. * * @param string $attribute the attribute currently being validated * @param array $params the additional name-value pairs given in the rule */ public function validatePassword($attribute, $params) { if (!$this->hasErrors()) { $user = $this->getUser(); if (!$user || !$user->validatePassword($this->password)) { $this->addError($attribute, 'Incorrect username or password.'); } } }
首先$this->getUser()會判斷在user表中是否有username=“admin”,如果存在就返回一個user的實例
public static function findByUsername($username) { $user = User::find() ->where(['username' => $username]) ->asArray() ->one(); if ($user) { return new static($user); } return null; }
通過$user->validatePassword($this->password) 判斷驗證密碼,這個是最關鍵的一步
因為之前通過$this->getUser 已經實例化了user表,所以validatePassword在User模型的原始代碼是這樣的
/** * Validates password * * @param string $password password to validate * @return boolean if password provided is valid for current user */ public function validatePassword($password) { return $this->password === $password; }
獲取用戶輸入的密碼, 再和數據庫中的密碼做對比,如果密碼相同就通過驗證。
現在我們已經把密碼123改為哈希密碼:$2y$13$eXQl9YCo5XcKqqy9ymd2t.SuOvpXYERidceXoT/bPt4iwmOW3GiBy
所以要通過Yii2 自帶的驗證 Yii::$app->getSecurity()->validatePassword('123456', $hash) ; 進行驗證
所以validatePassword方法的代碼應該修改如下:
/** * Validates password * * @param string $password password to validate * @return boolean if password provided is valid for current user */ public function validatePassword($password) { return Yii::$app->getSecurity()->validatePassword($password, $this->password); }
完整的LoginForm模型和User模型代碼如下:
1 <?php 2 3 namespace app\models; 4 5 use Yii; 6 use yii\base\Model; 7 8 /** 9 * LoginForm is the model behind the login form. 10 */ 11 class LoginForm extends Model 12 { 13 public $username; 14 public $password; 15 public $rememberMe = true; 16 17 private $_user = false; 18 19 20 /** 21 * @return array the validation rules. 22 */ 23 public function rules() 24 { 25 return [ 26 // username and password are both required 27 [['username', 'password'], 'required'], 28 // rememberMe must be a boolean value 29 ['rememberMe', 'boolean'], 30 // password is validated by validatePassword() 31 ['password', 'validatePassword'], 32 ]; 33 } 34 35 /** 36 * Validates the password. 37 * This method serves as the inline validation for password. 38 * 39 * @param string $attribute the attribute currently being validated 40 * @param array $params the additional name-value pairs given in the rule 41 */ 42 public function validatePassword($attribute, $params) 43 { 44 if (!$this->hasErrors()) { 45 $user = $this->getUser(); 46 47 if (!$user || !$user->validatePassword($this->password)) { 48 $this->addError($attribute, 'Incorrect username or password.'); 49 } 50 } 51 } 52 53 /** 54 * Logs in a user using the provided username and password. 55 * @return boolean whether the user is logged in successfully 56 */ 57 public function login() 58 { 59 if ($this->validate()) { 60 return Yii::$app->user->login($this->getUser(), $this->rememberMe ? 3600*24*30 : 0); 61 } else { 62 return false; 63 } 64 } 65 66 /** 67 * Finds user by [[username]] 68 * 69 * @return User|null 70 */ 71 public function getUser() 72 { 73 if ($this->_user === false) { 74 $this->_user = User::findByUsername($this->username); 75 } 76 77 return $this->_user; 78 } 79 }
<?php namespace app\models; use Yii; /** * This is the model class for table "user". * * @property integer $id * @property integer $pid * @property string $username * @property string $password * @property integer $type * @property integer $created_time * @property integer $updated_time * @property integer $status * @property string $login_ip * @property integer $login_time * @property integer $login_count * @property integer $update_password */ class User extends \yii\db\ActiveRecord implements \yii\web\IdentityInterface { public $authKey; /** * @inheritdoc */ public static function tableName() { return 'user'; } /** * @inheritdoc */ public function rules() { return [ [['pid', 'type', 'created_time', 'updated_time', 'status', 'login_time', 'login_count', 'update_password'], 'integer'], [['username', 'password', 'created_time', 'updated_time', 'login_ip', 'login_time'], 'required'], [['username', 'password'], 'string', 'max' => 70], [['login_ip'], 'string', 'max' => 20] ]; } /** * @inheritdoc */ public function attributeLabels() { return [ 'id' => 'ID', 'pid' => 'Pid', 'username' => 'Username', 'password' => 'Password', 'type' => 'Type', 'created_time' => 'Created Time', 'updated_time' => 'Updated Time', 'status' => 'Status', 'login_ip' => 'Login Ip', 'login_time' => 'Login Time', 'login_count' => 'Login Count', 'update_password' => 'Update Password', ]; } /** * @inheritdoc */ public static function findIdentity($id) { return static::findOne($id); } /** * @inheritdoc */ public static function findIdentityByAccessToken($token, $type = null) { return null; } /** * Finds user by username * * @param string $username * @return static|null */ public static function findByUsername($username) { $user = User::find() ->where(['username' => $username]) ->asArray() ->one(); if ($user) { return new static($user); } return null; } /** * @inheritdoc */ public function getId() { return $this->id; } /** * @inheritdoc */ public function getAuthKey() { return $this->authKey; } /** * @inheritdoc */ public function validateAuthKey($authKey) { return $this->authKey === $authKey; } /** * Validates password * * @param string $password password to validate * @return boolean if password provided is valid for current user */ public function validatePassword($password) { return Yii::$app->getSecurity()->validatePassword($password, $this->password); #,返回true或false } #-------------------------------------輔助驗證----------------------------------------------------------- public function createhashpasswd(){ echo Yii::$app->getSecurity()->generatePasswordHash('123'); } }
ok,這樣就實現了哈希加密的用戶登錄了。
附 Yii的 密碼驗證
crypt() 函數
crypt() 函數返回使用 DES、Blowfish 或 MD5 算法加密的字符串。
在不同的操作系統上,該函數的行為不同,某些操作系統支持一種以上的算法類型。在安裝時,PHP 會檢查什么算法可用以及使用什么算法。
具體的算法依賴於 salt 參數的格式和長度。通過增加由使用特定加密方法的特定字符串所生成的字符串數量,salt 可以使加密更安全。
這里有一些和 crypt() 函數一起使用的常量。這些常量值是在安裝時由 PHP 設置的。
常量:
| [CRYPT_SALT_LENGTH] | 默認的加密長度。使用標准的 DES 加密,長度為 2 |
| [CRYPT_STD_DES] | 基於標准 DES 算法的散列使用 "./0-9A-Za-z" 字符中的兩個字符作為鹽值。在鹽值中使用非法的字符將導致 crypt() 失敗。 |
| [CRYPT_EXT_DES] | 擴展的基於 DES 算法的散列。其鹽值為 9 個字符的字符串,由 1 個下划線后面跟着 4 字節循環次數和 4 字節鹽值組成。它們被編碼成可打印字符,每個字符 6 位,有效位最少的優先。0 到 63 被編碼為 "./0-9A-Za-z"。在鹽值中使用非法的字符將導致 crypt() 失敗。 |
| [CRYPT_MD5] | MD5 散列使用一個以 $1$ 開始的 12 字符的字符串鹽值。 |
| [CRYPT_BLOWFISH] | Blowfish 算法使用如下鹽值:“$2a$”,一個兩位 cost 參數,“$” 以及 64 位由 “./0-9A-Za-z” 中的字符組合而成的字符串。在鹽值中使用此范圍之外的字符將導致 crypt() 返回一個空字符串。兩位 cost 參數是循環次數以 2 為底的對數,它的范圍是 04-31,超出這個范圍將導致 crypt() 失敗。 |
| CRYPT_SHA256 | SHA-256 算法使用一個以 $5$ 開頭的 16 字符字符串鹽值進行散列。如果鹽值字符串以 “rounds=<N>$” 開頭,N 的數字值將被用來指定散列循環的執行次數,這點很像 Blowfish 算法的 cost 參數。默認的循環次數是 5000,最小是 1000,最大是 999,999,999。超出這個范圍的 N 將會被轉換為最接近的值。 |
| CRYPT_SHA512 | SHA-512 算法使用一個以 $6$ 開頭的 16 字符字符串鹽值進行散列。如果鹽值字符串以 “rounds=<N>$” 開頭,N 的數字值將被用來指定散列循環的執行次數,這點很像 Blowfish 算法的 cost 參數。默認的循環次數是 5000,最小是 1000,最大是 999,999,999。超出這個范圍的 N 將會被轉換為最接近的值。 |
在該函數支持多種算法的系統上,如果支持上述常量則設置為 "1",否則設置為 "0"。
注釋:沒有相應的解密函數。crypt() 函數使用一種單向算法。
測試不同的算法
// 兩字符 salt if (CRYPT_STD_DES == 1) { echo "Standard DES: ".crypt('something','st')."\n<br>"; } else { echo "Standard DES not supported.\n<br>"; } // 4 字符 salt if (CRYPT_EXT_DES == 1) { echo "Extended DES: ".crypt('something','_S4..some')."\n<br>"; } else { echo "Extended DES not supported.\n<br>"; } //以 $1$ 開始的 12 字符 if (CRYPT_MD5 == 1) { echo "MD5: ".crypt('something','$1$somethin$')."\n<br>"; } else { echo "MD5 not supported.\n<br>"; } // 以 $2a$ 開始的 Salt。雙數字的 cost 參數:09. 22 字符 if (CRYPT_BLOWFISH == 1) { echo "Blowfish: ".crypt('something','$2a$09$anexamplestringforsalt$')."\n<br>"; } else { echo "Blowfish DES not supported.\n<br>"; } // 以 $5$ 開始的 16 字符 salt。周長的默認數是 5000。 if (CRYPT_SHA256 == 1) { echo "SHA-256: ".crypt('something','$5$rounds=5000$anexamplestringforsalt$')."\n<br>"; } else { echo "SHA-256 not supported.\n<br>"; } // 以 $5$ 開始的 16 字符 salt。周長的默認數是 5000。 if (CRYPT_SHA512 == 1) { echo "SHA-512: ".crypt('something','$6$rounds=5000$anexamplestringforsalt$'); } else { echo "SHA-512 not supported."; }
代碼的輸出
Standard DES: stqAdD7zlbByI Extended DES: _S4..someQXidlBpTUu6 MD5: $1$somethin$4NZKrUlY6r7K7.rdEOZ0w. Blowfish: $2a$09$anexamplestringforsaleLouKejcjRlExmf1671qw3Khl49R3dfu SHA-256: $5$rounds=5000$anexamplestringf$KIrctqsxo2wrPg5Ag/hs4jTi4PmoNKQUGWFXlVy9vu9 SHA-512: $6$rounds=5000$anexamplestringf$Oo0skOAdUFXkQxJpwzO05wgRHG0dhuaPBaOU/ oNbGpCEKlf/7oVM5wn6AN0w2vwUgA0O24oLzGQpp1XKI6LLQ0.
yii 密碼匹配實現過程
// 簡單的crypt驗證 $sa='$2y$05$'.substr(base64_encode(md5(rand(100000, 999999999))), 0, 22); // salt $sa2= generateSalt(5); // salt2 $hash = crypt('123456', $sa); print_r($hash); echo '<p>'; $validpwd= crypt('123456', $hash); print_r($validpwd); echo '<p>';
輸出結果:
$2y$05$Y2NjNzBjNDA3OThmM2FkNubFNy9pV695W//LpeFEN6eBizIQBtMxO $2y$05$Y2NjNzBjNDA3OThmM2FkNubFNy9pV695W//LpeFEN6eBizIQBtMxO true
yii 密碼匹配代碼精簡版
<?php $hash = generatePasswordHash('123456'); $validpwd = validatePassword('123456', '$2y$13$RtC1BSDoTVbWtckxKJO5Ge9ikm8LFAEsYX97JeJ72mHHbFgzRdw7.'); #, 參數2 =$hash if($validpwd){ echo 'true'; }else{ echo 'false'; } function generatePasswordHash($password, $cost = 13) { $salt = generateSalt($cost); $hash = crypt($password, $salt); // strlen() is safe since crypt() returns only ascii if (!is_string($hash) || strlen($hash) !== 60) { throw new Exception('Unknown error occurred while generating hash.'); } return $hash; } function generateSalt($cost = 13) { $cost = (int) $cost; if ($cost < 4 || $cost > 31) { throw new InvalidParamException('Cost must be between 4 and 31.'); } // Get a 20-byte random string $rand = generateRandomKey(20); // Form the prefix that specifies Blowfish (bcrypt) algorithm and cost parameter. $salt = sprintf("$2y$%02d$", $cost); // Append the random salt data in the required base64 format. $salt .= str_replace('+', '.', substr(base64_encode($rand), 0, 22)); return $salt; } function generateRandomKey($length = 32) { /* * Strategy * * The most common platform is Linux, on which /dev/urandom is the best choice. Many other OSs * implement a device called /dev/urandom for Linux compat and it is good too. So if there is * a /dev/urandom then it is our first choice regardless of OS. * * Nearly all other modern Unix-like systems (the BSDs, Unixes and OS X) have a /dev/random * that is a good choice. If we didn't get bytes from /dev/urandom then we try this next but * only if the system is not Linux. Do not try to read /dev/random on Linux. * * Finally, OpenSSL can supply CSPR bytes. It is our last resort. On Windows this reads from * CryptGenRandom, which is the right thing to do. On other systems that don't have a Unix-like * /dev/urandom, it will deliver bytes from its own CSPRNG that is seeded from kernel sources * of randomness. Even though it is fast, we don't generally prefer OpenSSL over /dev/urandom * because an RNG in user space memory is undesirable. * * For background, see http://sockpuppet.org/blog/2014/02/25/safely-generate-random-numbers/ */ $bytes = ''; if (!extension_loaded('openssl')) { throw new InvalidConfigException('The OpenSSL PHP extension is not installed.'); } // die($cryptoStrong); $bytes .= openssl_random_pseudo_bytes($length,$cryptoStrong); #create rand # &$cryptoStrong=1 //echo $length; if(byteLength($bytes) > $length){ echo 'aaa'; } //exit( byteSubstr($bytes, 0, $length)); if (byteLength($bytes) < $length || !$cryptoStrong) { echo 'sdf'; throw new Exception('Unable to generate random bytes.'); } return byteSubstr($bytes, 0, $length); } function byteLength($string) { return mb_strlen($string, '8bit'); } function byteSubstr($string, $start, $length = null) { return mb_substr($string, $start, $length === null ? mb_strlen($string, '8bit') : $length, '8bit'); } function validatePassword($password, $hash) { if (!is_string($password) || $password === '') { throw new InvalidParamException('Password must be a string and cannot be empty.'); } if (!preg_match('/^\$2[axy]\$(\d\d)\$[\.\/0-9A-Za-z]{22}/', $hash, $matches) || $matches[1] < 4 || $matches[1] > 30) { throw new InvalidParamException('Hash is invalid.'); } $test = crypt($password, $hash); $n = strlen($test); if ($n !== 60) { return false; } return compareString($test, $hash); } function compareString($expected, $actual) { $expected .= "\0"; $actual .= "\0"; $expectedLength = byteLength($expected); $actualLength = byteLength($actual); $diff = $expectedLength - $actualLength; for ($i = 0; $i < $actualLength; $i++) { $diff |= (ord($actual[$i]) ^ ord($expected[$i % $expectedLength])); } return $diff === 0; }