
fixes #2650: updated blog tutorial to use CPasswordHelper

1 parent afa8706 commit 60e9e0e73ddc96336351ef66f9894cac6aab12a7 @samdark samdark committed Jul 21, 2013
Showing with 12 additions and 40 deletions.
  1. +2 −36 demos/blog/protected/models/User.php
  2. +10 −4 docs/blog/prototype.auth.txt
38 demos/blog/protected/models/User.php
@@ -75,7 +75,7 @@ public function attributeLabels()
*/
public function validatePassword($password)
{
- return crypt($password,$this->password)===$this->password;
+ return CPasswordHelper::verifyPassword($password,$this->password);
}
/**
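Review bot: the removed line compared the `crypt()` output to the stored hash with `===`, a string comparison that returns as soon as the first differing byte is found; delegating to `CPasswordHelper::verifyPassword` in the `+` line is the right move, but the hunk should also confirm that hashes already stored in `tbl_user` (produced by the removed `generateSalt()` with its `$2a$` prefix) still verify through the helper, otherwise existing users are locked out after the upgrade. A one-line note in the tutorial that existing rows do not need re-hashing (or that they do) would settle that for readers.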
@@ -85,40 +85,6 @@ public function validatePassword($password)
*/
public function hashPassword($password)
{
- return crypt($password, $this->generateSalt());
- }
-
- /**
- * Generates a salt that can be used to generate a password hash.
- *
- * The {@link http://php.net/manual/en/function.crypt.php PHP `crypt()` built-in function}
- * requires, for the Blowfish hash algorithm, a salt string in a specific format:
- * - "$2a$"
- * - a two digit cost parameter
- * - "$"
- * - 22 characters from the alphabet "./0-9A-Za-z".
- *
- * @param int cost parameter for Blowfish hash algorithm
- * @return string the salt
- * @throws CException if improper cost passed
- */
- protected function generateSalt($cost=10)
- {
- if(!is_numeric($cost)||$cost<4||$cost>31){
- throw new CException('Cost parameter must be between 4 and 31.');
- }
- // Get some pseudo-random data from mt_rand().
- $rand='';
- for($i=0;$i<8;++$i)
- $rand.=pack('S',mt_rand(0,0xffff));
- // Add the microtime for a little more entropy.
- $rand.=microtime();
- // Mix the bits cryptographically.
- $rand=sha1($rand,true);
- // Form the prefix that specifies hash algorithm type and cost parameter.
- $salt='$2a$'.sprintf('%02d',$cost).'$';
- // Append the random salt string in the required base64 format.
- $salt.=strtr(substr(base64_encode($rand),0,22),array('+'=>'.'));
- return $salt;
+ return CPasswordHelper::hashPassword($password);
}
}
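Review bot: deleting `generateSalt()` is correct on its own merits, since the removed body builds the bcrypt salt from `mt_rand()` and `microtime()`, neither of which is a cryptographic random source, but the replacement `CPasswordHelper::hashPassword($password)` drops the explicit `$cost` parameter (4 to 31, default 10) that the old code exposed and documented. Either pass a cost explicitly so the work factor stays a visible, tunable choice, or update the `hashPassword()` docblock just above this hunk to say that the helper's default cost is used; as written the docblock still describes the old behaviour.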
14 docs/blog/prototype.auth.txt
@@ -42,9 +42,15 @@ class UserIdentity extends CUserIdentity
}
~~~
-In the `authenticate()` method, we use the `User` class to look for a row in the `tbl_user` table whose `username` column is the same as the given username in a case-insensitive manner. Remember that the `User` class was created using the `gii` tool in the prior section. Because the `User` class extends from [CActiveRecord], we can exploit [the ActiveRecord feature](http://www.yiiframework.com/doc/guide/database.ar) to access the `tbl_user` table in an OOP fashion.
+In the `authenticate()` method, we use the `User` class to look for a row in the `tbl_user` table whose `username` column
+is the same as the given username in a case-insensitive manner. Remember that the `User` class was created using the `gii`
+tool in the prior section. Because the `User` class extends from [CActiveRecord], we can exploit
+[the ActiveRecord feature](http://www.yiiframework.com/doc/guide/database.ar) to access the `tbl_user` table in an OOP fashion.
-In order to check if the user has entered a valid password, we invoke the `validatePassword` method of the `User` class. We need to modify the file `/wwwroot/blog/protected/models/User.php` as follows. Note that instead of storing the plain password in the database, we store a hash of the password and a randomly generated salt. When validating the user-entered password, we should compare the hash results, instead. We use the PHP built-in function `crypt()` to hash the password and to validate it, for complete details see the Wiki article [Use crypt() for password storage](http://www.yiiframework.com/wiki/425).
+In order to check if the user has entered a valid password, we invoke the `validatePassword` method of the `User` class.
+We need to modify the file `/wwwroot/blog/protected/models/User.php` as follows. Note that instead of storing the plain
+password in the database, we store a hash of the password. When validating the user-entered password, we should compare
+the hash results, instead. We use the Yii built-in [CPasswordHelper] to hash the password and to validate it.
~~~
[php]
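Review bot: the rewritten paragraph silently drops "and a randomly generated salt" from the old sentence, which leaves a reader wondering whether salting went away with `generateSalt()`; suggest "we store a salted hash of the password, with `[CPasswordHelper]` generating the salt for us" so the security property is still stated. The link to the wiki article on `crypt()` storage was also removed without a replacement; a pointer to the `[CPasswordHelper]` API page would keep the tutorial self-explanatory.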
@@ -53,12 +59,12 @@ class User extends CActiveRecord
......
public function validatePassword($password)
{
- return crypt($password,$this->password)===$this->password;
+ return CPasswordHelper::verifyPassword($password,$this->password);
}
public function hashPassword($password)
{
- return crypt($password, $this->generateSalt());
+ return CPasswordHelper::hashPassword($password);
}
}
~~~
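Review bot: the excerpt now matches the model file, but the tutorial shows the `password` column being written with whatever `CPasswordHelper::hashPassword` returns, and nothing here tells the reader how long that value is; since the schema for `tbl_user` is defined elsewhere in the tutorial, add a sentence after this block reminding readers to check that the `password` column is wide enough for the helper's hash, otherwise a truncated hash will never verify.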

0 comments on commit 60e9e0e
