如何在 yii2 中添加散列密码
how to add hashed passwords in yii2
使用 Yii 2 basic 不是高级版本。
我有一个 crud 管理员身份验证系统。它只在数据库中存储一个 id、用户名和密码。当用户登录时,如果用户名和密码正确,他们将登录。
但是我现在想确保这些密码的安全,所以我想对它们进行加盐和哈希处理。这是我觉得很难做的部分,或者更难把东西放在哪里。
第 1 部分:
我有一个 AdminController,它与我的用户模型 Create.php 页面一起使用。
第 2 部分:
我有一个 siteController,它与 LoginForm 模型和 login.php 页面一起登录。
我会先回顾一下第一部分,因为它显然必须在这里实际生成一个散列密码。
管理员控制器:
public function actionCreate()
{
$model = new User();
if ($model->load(Yii::$app->request->post()) && $model->save()) {
return $this->redirect(['view', 'id' => $model->id]);
} else {
return $this->render('create', [
'model' => $model,
]);
}
}
User.php
<?php
namespace app\models;
use yii\base\NotSupportedException;
use yii\db\ActiveRecord;
use yii\web\IdentityInterface;
use yii\data\ActiveDataProvider;
/**
* User model
*
* @property integer $id
* @property string $username
* @property string $password
*/
class User extends ActiveRecord implements IdentityInterface
{
/**
* @inheritdoc
*/
public static function tableName()
{
return 'Users';
}
public function rules(){
return [
[['username','password'], 'required']
];
}
public static function findAdmins(){
$query = self::find();
$dataProvider = new ActiveDataProvider([
'query' => $query,
]);
return $dataProvider;
}
/**
* @inheritdoc
*/
public static function findIdentity($id)
{
return static::findOne(['id' => $id]);
}
/**
* @inheritdoc
*/
public static function findIdentityByAccessToken($token, $type = null)
{
throw new NotSupportedException('"findIdentityByAccessToken" is not implemented.');
}
/**
* Finds user by username
*
* @param string $username
* @return static|null
*/
public static function findByUsername($username)
{
return static::findOne(['username' => $username]);
}
/**
* @inheritdoc
*/
public function getId()
{
return $this->id;
}
/**
* @inheritdoc
*/
public function getAuthKey()
{
return static::findOne('AuthKey');
}
/**
* @inheritdoc
*/
public function validateAuthKey($authKey)
{
return static::findOne(['AuthKey' => $authKey]);
}
/**
* Validates password
*
* @param string $password password to validate
* @return boolean if password provided is valid for current user
*/
public function validatePassword($password)
{
return $this->password === $password;
}
}
问题??:
所以正如你在这个模型中看到的那样,我只有来自数据库的 ID、用户名和密码,所以我认为我需要为数据库中的字段创建一个名为 "hashed_password"?
create.php:
<?php $form = ActiveForm::begin(); ?>
<?= $form->field($model, 'username')->textInput(['maxlength' => 50]) ?>
<?= $form->field($model, 'password')->passwordInput(['maxlength' => 50]) ?>
<div class="form-group">
<?= Html::submitButton($model->isNewRecord ? 'Create' : 'Update', ['class' => $model->isNewRecord ? 'btn btn-success' : 'btn btn-primary']) ?>
</div>
<?php ActiveForm::end(); ?>
对,那是第 1 部分,需要生成散列密码并将其保存到数据库中的实际位置,我该如何实现?
好的,继续第 2 部分:
站点控制器:
public function actionLogin()
{
if (!\Yii::$app->user->isGuest) {
return $this->goHome();
}
$model = new LoginForm();
if ($model->load(Yii::$app->request->post()) && $model->login()) {
return $this->goBack();
} else {
return $this->render('login', [
'model' => $model,
]);
}
}
LoginForm.php(型号):
class LoginForm extends Model
{
public $username;
public $password;
public $rememberMe = true;
private $_user = false;
/**
* @return array the validation rules.
*/
public function rules()
{
return [
// username and password are both required
[['username', 'password'], 'required'],
// rememberMe must be a boolean value
['rememberMe', 'boolean'],
// password is validated by validatePassword()
['password', 'validatePassword'],
];
}
/**
* Validates the password.
* This method serves as the inline validation for password.
*
* @param string $attribute the attribute currently being validated
* @param array $params the additional name-value pairs given in the rule
*/
public function validatePassword($attribute, $params)
{
if (!$this->hasErrors()) {
$user = $this->getUser();
if (!$user || !$user->validatePassword($this->password)) {
$this->addError($attribute, 'Incorrect username or password.');
}
}
}
/**
* Logs in a user using the provided username and password.
* @return boolean whether the user is logged in successfully
*/
public function login()
{
if ($this->validate()) {
return Yii::$app->user->login($this->getUser(), $this->rememberMe ? 3600*24*30 : 0);
} else {
return false;
}
}
/**
* Finds user by [[username]]
*
* @return User|null
*/
public function getUser()
{
if ($this->_user === false) {
$this->_user = User::findByUsername($this->username);
}
return $this->_user;
}
}
Login.php:
<?php $form = ActiveForm::begin(); ?>
<?= $form->field($model, 'username'); ?>
<?= $form->field($model, 'password')->passwordInput(); ?>
<div class="form-group">
<div class="col-lg-offset-1 col-lg-11">
<?= Html::submitButton('Login', ['class' => 'btn btn-primary', 'name' => 'login-button']) ?>
</div>
</div>
就是这样,我如何在每个用户创建时为每个用户集成一个 hashed_password,然后在登录时验证它?
我一直在阅读文档中的这个,但就是无法让它工作 http://www.yiiframework.com/doc-2.0/guide-security-passwords.html
数据库中不需要 password_hash 字段。您可以使用 "password" 字段来存储散列后的密码,这样更安全,更不容易被入侵者破解。请按如下方式修改文件,
User.php
<?php
namespace app\models;
use yii\base\NotSupportedException;
use yii\db\ActiveRecord;
use yii\web\IdentityInterface;
use yii\data\ActiveDataProvider;
class User extends ActiveRecord implements IdentityInterface {
//public $salt = "stev37f"; //Enter your salt here
public static function tableName() {
return 'Users';
}
public function rules() {
return [
[['username','password'], 'required']
];
}
public static function findAdmins() {
$query = self::find();
$dataProvider = new ActiveDataProvider([
'query' => $query,
]);
return $dataProvider;
}
public static function findIdentity($id) {
return static::findOne(['id' => $id]);
}
public static function findIdentityByAccessToken($token, $type = null) {
throw new NotSupportedException('"findIdentityByAccessToken" is not implemented.');
}
public static function findByUsername($username) {
return static::findOne(['username' => $username]);
}
public function getId() {
return $this->id;
}
public function getAuthKey() {
return static::findOne('AuthKey');
}
public function validateAuthKey($authKey) {
return static::findOne(['AuthKey' => $authKey]);
}
public function validatePassword($password) {
return $this->password === static::hashPassword($password); //Check the hashed password with the password entered by user
}
public static function hashPassword($password) {// Function to create password hash
$salt = "stev37f";
return md5($password.$salt);
}
}
管理员控制器
public function actionCreate() {
$model = new User();
if ($model->load(Yii::$app->request->post()) && $model->validate()) {
$model->password = User::hashPassword($model->password); // Hash the password before you save it.
if($model->save())
return $this->redirect(['view', 'id' => $model->id]);
}
return $this->render('create', [
'model' => $model,
]);
}
要重置密码,您需要通过电子邮件将密码重置 link 发送给用户。
创建用户时,应生成并保存密码哈希。
生成它
\Yii::$app->security->generatePasswordHash($password);
要在登录时检查它,更改实现 UserIdentity 的用户模型
/**
* Validates password
*
* @param string $password password to validate
* @return boolean if password provided is valid for current user
*/
public function validatePassword($password)
{
return Yii::$app->getSecurity()->validatePassword($password, $this->password_hash);
}
而不是 password_hash 使用来自数据库的字段。
仅参考Yii2高级模板用户模型实现。
/**
* Generates password hash from password and sets it to the model
*
* @param string $password
*/
public function setPassword($password)
{
$this->password_hash = Yii::$app->security->generatePasswordHash($password);
}
然后覆盖用户模型中的 beforeSave 方法以在保存到 DB 之前散列密码
public function beforeSave($insert)
{
if(parent::beforeSave($insert)){
$this->password_hash=$this->setPassword($this->password_hash);
return true;
}else{
return false;
}
}
今天我们只是应用PHP crypt函数,而不是自己实现密码+salt哈希算法,它比md5(密码+salt)更安全
只需转到项目根目录中的 commands 文件夹,然后通过 adding/modifying 操作编辑名为 UserController.php 的文件,即可将其设为 command将 actionChangePassword 命名为如下所示:
public function actionChangePassword($password)
{
print \Yii::$app->security->generatePasswordHash($password)."\n";
}
然后从您的 bash 或命令提示符使用项目根目录中的 yii 命令
./yii user/change-password NewPasswordStringHere
它应该打印出密码的哈希值,复制它并在之后使用任何管理数据库的方式(例如 phpMyAdmin)更新用户 table。
Notice:
Executing the yii command may be slightly varied from system to another. i.e in Windows you may write yii arguments only
without prefixing with ./ in Linux, in other projects they could
have rename it to another name to be something like bin in
Medkey
使用 Yii 2 basic 不是高级版本。
我有一个 crud 管理员身份验证系统。它只在数据库中存储一个 id、用户名和密码。当用户登录时,如果用户名和密码正确,他们将登录。
但是我现在想确保这些密码的安全,所以我想对它们进行加盐和哈希处理。这是我觉得很难做的部分,或者更难把东西放在哪里。
第 1 部分: 我有一个 AdminController,它与我的用户模型 Create.php 页面一起使用。 第 2 部分: 我有一个 siteController,它与 LoginForm 模型和 login.php 页面一起登录。
我会先回顾一下第一部分,因为它显然必须在这里实际生成一个散列密码。
管理员控制器:
public function actionCreate()
{
$model = new User();
if ($model->load(Yii::$app->request->post()) && $model->save()) {
return $this->redirect(['view', 'id' => $model->id]);
} else {
return $this->render('create', [
'model' => $model,
]);
}
}
User.php
<?php
namespace app\models;
use yii\base\NotSupportedException;
use yii\db\ActiveRecord;
use yii\web\IdentityInterface;
use yii\data\ActiveDataProvider;
/**
* User model
*
* @property integer $id
* @property string $username
* @property string $password
*/
class User extends ActiveRecord implements IdentityInterface
{
/**
* @inheritdoc
*/
public static function tableName()
{
return 'Users';
}
public function rules(){
return [
[['username','password'], 'required']
];
}
public static function findAdmins(){
$query = self::find();
$dataProvider = new ActiveDataProvider([
'query' => $query,
]);
return $dataProvider;
}
/**
* @inheritdoc
*/
public static function findIdentity($id)
{
return static::findOne(['id' => $id]);
}
/**
* @inheritdoc
*/
public static function findIdentityByAccessToken($token, $type = null)
{
throw new NotSupportedException('"findIdentityByAccessToken" is not implemented.');
}
/**
* Finds user by username
*
* @param string $username
* @return static|null
*/
public static function findByUsername($username)
{
return static::findOne(['username' => $username]);
}
/**
* @inheritdoc
*/
public function getId()
{
return $this->id;
}
/**
* @inheritdoc
*/
public function getAuthKey()
{
return static::findOne('AuthKey');
}
/**
* @inheritdoc
*/
public function validateAuthKey($authKey)
{
return static::findOne(['AuthKey' => $authKey]);
}
/**
* Validates password
*
* @param string $password password to validate
* @return boolean if password provided is valid for current user
*/
public function validatePassword($password)
{
return $this->password === $password;
}
}
问题??: 所以正如你在这个模型中看到的那样,我只有来自数据库的 ID、用户名和密码,所以我认为我需要为数据库中的字段创建一个名为 "hashed_password"?
create.php:
<?php $form = ActiveForm::begin(); ?>
<?= $form->field($model, 'username')->textInput(['maxlength' => 50]) ?>
<?= $form->field($model, 'password')->passwordInput(['maxlength' => 50]) ?>
<div class="form-group">
<?= Html::submitButton($model->isNewRecord ? 'Create' : 'Update', ['class' => $model->isNewRecord ? 'btn btn-success' : 'btn btn-primary']) ?>
</div>
<?php ActiveForm::end(); ?>
对,那是第 1 部分,需要生成散列密码并将其保存到数据库中的实际位置,我该如何实现?
好的,继续第 2 部分:
站点控制器:
public function actionLogin()
{
if (!\Yii::$app->user->isGuest) {
return $this->goHome();
}
$model = new LoginForm();
if ($model->load(Yii::$app->request->post()) && $model->login()) {
return $this->goBack();
} else {
return $this->render('login', [
'model' => $model,
]);
}
}
LoginForm.php(型号):
class LoginForm extends Model
{
public $username;
public $password;
public $rememberMe = true;
private $_user = false;
/**
* @return array the validation rules.
*/
public function rules()
{
return [
// username and password are both required
[['username', 'password'], 'required'],
// rememberMe must be a boolean value
['rememberMe', 'boolean'],
// password is validated by validatePassword()
['password', 'validatePassword'],
];
}
/**
* Validates the password.
* This method serves as the inline validation for password.
*
* @param string $attribute the attribute currently being validated
* @param array $params the additional name-value pairs given in the rule
*/
public function validatePassword($attribute, $params)
{
if (!$this->hasErrors()) {
$user = $this->getUser();
if (!$user || !$user->validatePassword($this->password)) {
$this->addError($attribute, 'Incorrect username or password.');
}
}
}
/**
* Logs in a user using the provided username and password.
* @return boolean whether the user is logged in successfully
*/
public function login()
{
if ($this->validate()) {
return Yii::$app->user->login($this->getUser(), $this->rememberMe ? 3600*24*30 : 0);
} else {
return false;
}
}
/**
* Finds user by [[username]]
*
* @return User|null
*/
public function getUser()
{
if ($this->_user === false) {
$this->_user = User::findByUsername($this->username);
}
return $this->_user;
}
}
Login.php:
<?php $form = ActiveForm::begin(); ?>
<?= $form->field($model, 'username'); ?>
<?= $form->field($model, 'password')->passwordInput(); ?>
<div class="form-group">
<div class="col-lg-offset-1 col-lg-11">
<?= Html::submitButton('Login', ['class' => 'btn btn-primary', 'name' => 'login-button']) ?>
</div>
</div>
就是这样,我如何在每个用户创建时为每个用户集成一个 hashed_password,然后在登录时验证它?
我一直在阅读文档中的这个,但就是无法让它工作 http://www.yiiframework.com/doc-2.0/guide-security-passwords.html
数据库中不需要 password_hash 字段。您可以使用 "password" 字段来存储散列后的密码,这样更安全,更不容易被入侵者破解。请按如下方式修改文件,
User.php
<?php
namespace app\models;
use yii\base\NotSupportedException;
use yii\db\ActiveRecord;
use yii\web\IdentityInterface;
use yii\data\ActiveDataProvider;
class User extends ActiveRecord implements IdentityInterface {
//public $salt = "stev37f"; //Enter your salt here
public static function tableName() {
return 'Users';
}
public function rules() {
return [
[['username','password'], 'required']
];
}
public static function findAdmins() {
$query = self::find();
$dataProvider = new ActiveDataProvider([
'query' => $query,
]);
return $dataProvider;
}
public static function findIdentity($id) {
return static::findOne(['id' => $id]);
}
public static function findIdentityByAccessToken($token, $type = null) {
throw new NotSupportedException('"findIdentityByAccessToken" is not implemented.');
}
public static function findByUsername($username) {
return static::findOne(['username' => $username]);
}
public function getId() {
return $this->id;
}
public function getAuthKey() {
return static::findOne('AuthKey');
}
public function validateAuthKey($authKey) {
return static::findOne(['AuthKey' => $authKey]);
}
public function validatePassword($password) {
return $this->password === static::hashPassword($password); //Check the hashed password with the password entered by user
}
public static function hashPassword($password) {// Function to create password hash
$salt = "stev37f";
return md5($password.$salt);
}
}
管理员控制器
public function actionCreate() {
$model = new User();
if ($model->load(Yii::$app->request->post()) && $model->validate()) {
$model->password = User::hashPassword($model->password); // Hash the password before you save it.
if($model->save())
return $this->redirect(['view', 'id' => $model->id]);
}
return $this->render('create', [
'model' => $model,
]);
}
要重置密码,您需要通过电子邮件将密码重置 link 发送给用户。
创建用户时,应生成并保存密码哈希。 生成它
\Yii::$app->security->generatePasswordHash($password);
要在登录时检查它,更改实现 UserIdentity 的用户模型
/**
* Validates password
*
* @param string $password password to validate
* @return boolean if password provided is valid for current user
*/
public function validatePassword($password)
{
return Yii::$app->getSecurity()->validatePassword($password, $this->password_hash);
}
而不是 password_hash 使用来自数据库的字段。
仅参考Yii2高级模板用户模型实现。
/**
* Generates password hash from password and sets it to the model
*
* @param string $password
*/
public function setPassword($password)
{
$this->password_hash = Yii::$app->security->generatePasswordHash($password);
}
然后覆盖用户模型中的 beforeSave 方法以在保存到 DB 之前散列密码
public function beforeSave($insert)
{
if(parent::beforeSave($insert)){
$this->password_hash=$this->setPassword($this->password_hash);
return true;
}else{
return false;
}
}
今天我们只是应用PHP crypt函数,而不是自己实现密码+salt哈希算法,它比md5(密码+salt)更安全
只需转到项目根目录中的 commands 文件夹,然后通过 adding/modifying 操作编辑名为 UserController.php 的文件,即可将其设为 command将 actionChangePassword 命名为如下所示:
public function actionChangePassword($password)
{
print \Yii::$app->security->generatePasswordHash($password)."\n";
}
然后从您的 bash 或命令提示符使用项目根目录中的 yii 命令
./yii user/change-password NewPasswordStringHere
它应该打印出密码的哈希值,复制它并在之后使用任何管理数据库的方式(例如 phpMyAdmin)更新用户 table。
Notice:
Executing the
yiicommand may be slightly varied from system to another. i.e in Windows you may writeyii argumentsonly without prefixing with./in Linux, in other projects they could have rename it to another name to be something likebinin Medkey