I've been using the Zend Framework to good effect on and off for a few months now and have found it very useful in rapidly bringing projects to completion. Many people feel Zend Framework is more a library than a framework and with good reason. There are few things it prevents you from doing but it's not ready to go 'out of the box' in the way some other frameworks are. One example is in the way passwords are stored in the database. The default is simply to store them in plain text.
The manual does cover hashing the password but even this isn't really ideal. There seems to be some consensus forming that the correct way to handle passwords is using bcrypt, a Blowfish-based hashing scheme. The most widely known demonstration of this within the PHP community is the phpass hashing framework. It has already been integrated into wordpress and phpBB. As such, I was in good company integrating it into my own projects.
The first step is making the phpass code available in your ZF project. The changes I made were minor, renaming the class and switching the PasswordHash function to __construct. I would encourage you to fetch the latest code from the phpass project page. The snippet of code I changed is below.
classAcai_Hash{var $itoa64;var $iteration_count_log2;var $portable_hashes;var $random_state; function__construct($iteration_count_log2, $portable_hashes){The next step was altering the database table adapter in Zend_Auth. The code for this is below.
<?phpclassAcai_Auth_Adapter_DbTableextendsZend_Auth_Adapter_DbTable{publicfunction__construct($zendDb=null, $tableName=null, $identityColumn=null, $credentialColumn=null){//Getthedefaultdbadapter//Fromwhere? Itisnotstoredintheregistry.if($zendDb==null){
$zendDb=Zend_Registry::get('DbAdapter');}//Setdefaultvalues
$tableName= $tableName ? $tableName:'accounts';
$identityColumn= $identityColumn ? $identityColumn:'email';
$credentialColumn= $credentialColumn ? $credentialColumn:'password';parent::__construct($zendDb,
$tableName,
$identityColumn,
$credentialColumn);}protectedfunction_authenticateCreateSelect(){//getselect
$dbSelect=clone $this->getDbSelect();
$dbSelect->from($this->_tableName)->where(
$this->_zendDb->quoteIdentifier($this->_identityColumn,true).' = ?', $this->_identity);return $dbSelect;}protectedfunction_authenticateValidateResult($resultIdentity){//Checkthathashvalueiscorrect
$hash=newAcai_Hash(8,false);
$check= $hash->CheckPassword($this->_credential,
$resultIdentity['password']);if(!$check){
$this->_authenticateResultInfo['code']=Zend_Auth_Result::FAILURE_CREDENTIAL_INVALID;
$this->_authenticateResultInfo['messages'][]='Supplied credential is invalid.';return $this->_authenticateCreateAuthResult();}
$this->_resultRow= $resultIdentity;
$this->_authenticateResultInfo['code']=Zend_Auth_Result::SUCCESS;
$this->_authenticateResultInfo['messages'][]='Authentication successful.';return $this->_authenticateCreateAuthResult();}publicfunctiongetResultRowObject($returnColumns=null, $omitColumns=null){if($returnColumns|| $omitColumns){returnparent::getResultRowObject($returnColumns, $omitColumns);}else{
$omitColumns=array('password');returnparent::getResultRowObject($returnColumns, $omitColumns);}}}Usage is just as for the standard Zend adapter.
$auth=Zend_Auth::getInstance();
$authAdapter=newAcai_Auth_Adapter_DbTable;
$authAdapter->setIdentity($values['email'])->setCredential($values['password']);
$result= $auth->authenticate($authAdapter);if(!$result->isValid()){//Badcredentials}else{//Goodcredentials}When you're initially registering a new user a hash can be generated simply with the following code.
//Generatehashforpassword
$hash=newAcai_Hash(8,false);
$passwordHash= $hash->HashPassword($password);Hopefully you can integrate the above code into your own projects. If you have any questions post them in the comments below and I'll try to answer them.