Codeigniter and hash password for login?_问答_开发者

Codeigniter and hash password for login?

开发者 https://www.devze.com 2023-03-28 21:34 出处：网络

I am making a login page and I need help accessing the hashpassword in my database using CodeIgniter.

My hashPassword function is:

function hashPassword($pass, $passKey开发者_如何学JAVA){
    $key = base64_decode($passwordKey);
    return base64_encode(hash_hmac(
        'sha256', 
        $key . mb_convert_encoding($password, 'UTF-16LE', 'ASCII'),
        $key, true));
}

I have to do the following:

extract the user's id from my_aspnet_Users table using their username
extract password and passwordKey from my_aspnet_Membership using their id
check if password equals hashPassword(<password entered by user>, passwordKey) to know if the entered password is valid.

So I have two models:

Class Password extends CI_Model{
    function getPassword($password, $passwordKey){

    $this -> db -> select ('userId, Password, PasswordKey');
    $this -> db -> from ('my_aspnet_Membership'); 
    $this -> db -> where ('Password = '. "'" . $password . "'");
    $this -> db -> where ('PasswordKey = '. "'" . $passwordKey . "'");

    $q = $this -> db -> get(); 

    if ($q -> num_rows() == 1){
        return $q ->result();}else{
            return false;
        } 
    }  
}

and..

Class User extends CI_Model{
    function getUser($id){

        $this -> db -> select('id, name ');
        $this -> db -> from('my_aspnet_Users');
        $this -> db -> where('id = '. "'". $id . "'");
        $this -> db -> limit(1);

        $query = $this -> db -> get();

        if($query -> num_rows() == 1){
            return $query->result();
        }
        else{
            return false;
        }
    }
}

I just have no idea how make them work together to perfrom password check.

Firstly, a couple of comments on your design.

You don't need two tables - one for users and one for membership. You just need a user's table with a column to store password hash.
SHA256 is a general purpose hash function. Use bcrypt instead.

So the pseudo code will read something like

class User extends CI_Model
    function getHash($password) {
        /* Code to get hash */
        return $passwordHash;
    }

    function validateUser($username, $password) {
        $passwordHash = $this->getHash($password);

        /* Query MySQL 
           select * from user 
           where 
           username = $username and
           password_hash = $passwordHash 
        */

        if num_rows > 1
            return true
        else
            return false
    }
}

If you don't have the option of having username, use user id/user email (anything that uniquely identifies the user) in the query instead.

Hope this clarifies it for you.

Just reuse the same function (which is ridiculously overly complicated by the way). So if when I create an account you run functionX() on my password before you store it, just run functionX() on the password someone inputs on login and see if that exists with the inputted username in the database?

Edit: I think mainly your problem here is that you need a username/email field to confirm the user is the same as the inputted password. The above still applied though

CodeIgniter uses a library called "Tank Auth": http://konyukhov.com/soft/tank_auth/

It includes the class "PasswordHash.php": http://bit.ly/1gahwtT

Example code:

require "PasswordHash.php";

define("phpass_hash_portable",TRUE);
define("phpass_hash_strength",8);

$hasher = new PasswordHash(phpass_hash_strength,phpass_hash_portable);
if ($hasher->CheckPassword($password_to_check, $original_encoded_password)) {
    echo "password correct";
} else {
    echo "password incorrect";
}