php-hash-password-validation.php

<?

// Snippet from: http://net.tutsplus.com/tutorials/php/understanding-hash-functions-and-keeping-passwords-safe/

/* ---- Defining the Class ---- */
class PassHash {  
    // blowfish  
    private static $algo = '$2a';  
    // cost parameter  
    private static $cost = '$10';  
    // mainly for internal use  
    public static function unique_salt() {  
        return substr(sha1(mt_rand()),0,22);  
    }  
    // this will be used to generate a hash  
    public static function hash($password) {  
        return crypt($password,  
                    self::$algo .  
                    self::$cost .  
                    '$' . self::unique_salt());  
    }  
    // this will be used to compare a password against a hash  
    public static function check_password($hash, $password) {  
        $full_salt = substr($hash, 0, 29);  
        $new_hash = crypt($password, $full_salt);  
        return ($hash == $new_hash);  
    }  
}

/* ---- Registering a new user ---- */
// include the class  
require ("PassHash.php");  
// read all form input from $_POST  
// ...  
// do your regular form validation stuff  
// ...  
// hash the password  
$pass_hash = PassHash::hash($_POST['password']);  
// store all user info in the DB, excluding $_POST['password']  
// store $pass_hash instead  
// ...  

/* ---- Validating the User at Login ---- */
 // include the class  
require ("PassHash.php");  
// read all form input from $_POST  
// ...  
// fetch the user record based on $_POST['username']  or similar  
// ...  
// check the password the user tried to login with  
if (PassHash::check_password($user['pass_hash'], $_POST['password']) {  
    // grant access  
    // ...  
} else {  
    // deny access  
    // ...  
}
?>