我对 Zend 框架很陌生,并且希望构建一个密码安全性非常严格的应用程序。我一直在尝试遵循有关密码加盐的用户指南,但到目前为止还没有任何运气。我已经设置了我的数据库和表适配器(如 Zend Framework 站点上的文档中所述,但它似乎没有完成示例(或者我没有很好地遵循!)我已经开始:
$authAdapter = new Zend_Auth_Adapter_DbTable($dbAdapter,
'users',
'username',
'password', "MD5(CONCAT('".Zend_Registry::get('staticSalt')."', ?, password_salt))"
);
但是从这里开始,密码盐做了什么?我只需要一个例子,我就走了!有没有人有一个例子或指出我正确的方向?
非常感谢!
使用 Zend 框架进行安全登录的优秀示例(尽管使用了盐)
身份验证方法:
/**
* Authenticate user with specified identity and credential
*
* most used case is authenticate user inline in script
*
* @param string $identity
* @param string $credential
* @return Zend_Auth_Result
*/
public function authenticate ($identity, $credential)
{
$auth = Zend_Auth::getInstance();
$adapter = $this->getAdapter();
$adapter->setIdentity($identity)
->setCredential(self::passwordHash($credential));
$config = Singular_Runtime::extract('config');
$isActiveCol = $config->resources->auth->columns->is_active;
$isActiveAllowVal = $config->resources->auth->is_active->allow_value;
/**
* @see APPLICATION_PATH/configs/application.ini -> resources.auth
*/
if (null != $isActiveCol && null != $isActiveAllowVal) {
$adapter->getDbSelect()->where("{$isActiveCol} = ?", $isActiveAllowVal);
}
Singular_Event::dispatch('beforeAuth', array(
'auth' => $auth, 'adapter' => $adapter
));
$result = $auth->authenticate($adapter);
if ($result->isValid()) {
$auth->getStorage()->write($adapter->getResultRowObject());
Singular_Event::dispatch('afterAuth', array(
'auth' => $auth, 'adapter' => $adapter
));
}
return $result;
}
和密码哈希生成方法:
/**
* Password hash generator
*
* @static
* @param string $password
* @return string
*/
public static function passwordHash ($password)
{
$password = strtolower($password);
return md5(
str_repeat(
md5($password) . strrev($password) . sha1($password),
strlen($password)
)
);
}