How to Use Password Hashing and Verification
PHP ships with password hashing functions that protect your users' passwords if the database is ever stolen or leaked: the attacker gets hashes, not passwords. (Hashing does not stop SQL injection; that is the job of the PDO prepared statements used in the examples below.)
The basics of password hashing:
Store the hash, never the plaintext password.
Use password_hash() at registration.
Use password_verify() at login.
2. Password Hashing (password_hash)
<?php
$password = "MySecurePassword123";
// Use PASSWORD_DEFAULT (currently bcrypt); PHP may switch it to a newer algorithm in a future release
$hash = password_hash($password, PASSWORD_DEFAULT);
echo "Original Password: $password <br>";
echo "Hashed Password: $hash";
?>
Explanation:
PASSWORD_DEFAULT selects a strong algorithm (bcrypt today; newer PHP versions may choose a newer one).
password_hash() generates a fresh random salt on every call, so hashing the same password twice produces two different strings. The salt and the cost factor are stored inside the hash string itself, which is why password_verify() can check the input against any of them. The stored hash does not change at login; it only changes when you deliberately re-hash it (see rehashing below).
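To make the two points above concrete (the cost factor, and equal passwords producing different hashes that still verify), here is an added example that is not part of the original tutorial. It assumes only a standard PHP 7.3+ installation; pickBcryptCost() and demonstrateHashing() are helpers written for this page.

```php
<?php
// Added example (not from the original tutorial): choose a bcrypt cost for
// this server and show that two hashes of one password differ yet both verify.
declare(strict_types=1);

/**
 * Highest bcrypt cost that still hashes in under $targetMs on this machine
 * (helper written for this example). Each +1 doubles the work for an attacker
 * cracking a leaked database, but also doubles the time of every login.
 */
function pickBcryptCost(float $targetMs = 250.0, int $minCost = 10, int $maxCost = 14): int
{
    $cost = $minCost;
    while ($cost <= $maxCost) {
        $start = hrtime(true);
        password_hash('benchmark-only-password', PASSWORD_BCRYPT, ['cost' => $cost]);
        $elapsedMs = (hrtime(true) - $start) / 1e6;
        if ($elapsedMs >= $targetMs) {
            break;              // this cost is already too slow for the target
        }
        $cost++;
    }
    // $cost is now the first cost that was too slow (or $maxCost + 1), so step back one.
    return max($minCost, $cost - 1);
}

/**
 * Hash the same password twice and report what a reader usually wants to know.
 */
function demonstrateHashing(string $password, int $cost): array
{
    $hash1 = password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
    $hash2 = password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);

    return [
        'hashes_differ'     => $hash1 !== $hash2,                  // fresh random salt on each call
        'hash1_verifies'    => password_verify($password, $hash1), // salt and cost live inside the hash...
        'hash2_verifies'    => password_verify($password, $hash2), // ...so both verify the same password
        'wrong_pw_verifies' => password_verify($password . 'x', $hash1),
        'embedded_info'     => password_get_info($hash1),          // algorithm and cost parsed from the hash
        'hash1'             => $hash1,
    ];
}

$cost = pickBcryptCost();
echo "Using bcrypt cost $cost\n";
print_r(demonstrateHashing('MySecurePassword123', $cost));
```

Run it from the command line with `php hash_demo.php`. The benchmark picks the cost once at deployment time, not on every request; store the chosen value in configuration and pass it as `['cost' => ...]` to password_hash().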
3. Storing the Hash in the Database
<?php
include 'config.php'; // PDO connection in $pdo
$username = "john_doe";
$email = "john@example.com";
$password = "MySecurePassword123";
$hash = password_hash($password, PASSWORD_DEFAULT);
// Prepared statement: the values are bound, never concatenated into the SQL
$stmt = $pdo->prepare("INSERT INTO users (username, email, password) VALUES (:username, :email, :password)");
$stmt->execute([
    'username' => $username,
    'email' => $email,
    'password' => $hash
]);
echo "User registered successfully with hashed password!";
?>
Benefits:
Nobody can read the real password from the database.
Even an administrator cannot see the real password; they only see a hash that cannot be reversed.
Caveat: make the password column wide enough. bcrypt hashes are 60 characters, but the PHP manual recommends VARCHAR(255) so that a future PASSWORD_DEFAULT with longer output still fits. bcrypt also uses only the first 72 bytes of a password, so enforce a sensible maximum length on the registration form rather than letting long passwords be silently truncated.
4. Password Verification (password_verify)
<?php
$inputPassword = "MySecurePassword123"; // password from user input
$storedHash = '$2y$10$e0NfqkC5lS2l91k9YkEPIe0jvY8.Y6zEzCzQy0GeIWZg1A5QvP5U6'; // hash loaded from the DB (illustrative value; generate a real one with password_hash())
if (password_verify($inputPassword, $storedHash)) {
    echo "Password is correct!";
} else {
    echo "Invalid password!";
}
?>
Explanation:
password_verify() checks the user's password against the hash from the database.
It never "decrypts" the hash, because a hash cannot be reversed: it reads the algorithm, cost and salt embedded in $storedHash, hashes the input the same way, and compares the two results in constant time, so the comparison does not leak timing information about how many bytes matched.
5. Updating the Hash (Rehashing)
PHP lets you re-hash when the algorithm or the cost changes. Run this right after a successful password_verify(), while you still hold the plaintext password from the login form:
<?php
if (password_needs_rehash($storedHash, PASSWORD_DEFAULT)) {
    $newHash = password_hash($inputPassword, PASSWORD_DEFAULT);
    // UPDATE users SET password = :hash WHERE id = :id, via a prepared statement
}
?>
Explanation:
This keeps every stored hash on the current algorithm and cost without forcing users to reset their passwords; hashes are upgraded one at a time as users log in.
6. Integrating with User Login
<?php
include 'config.php';
session_start();
$email = $_POST['email'] ?? '';
$password = $_POST['password'] ?? '';
$stmt = $pdo->prepare("SELECT * FROM users WHERE email = :email");
$stmt->execute(['email' => $email]);
$user = $stmt->fetch(PDO::FETCH_ASSOC);
if ($user && password_verify($password, $user['password'])) {
    session_regenerate_id(true); // new session ID after login prevents session fixation
    $_SESSION['user_id'] = $user['id'];
    $_SESSION['username'] = $user['username'];
    echo "Login successful!";
} else {
    echo "Invalid email or password!"; // one message for both cases; do not reveal which one failed
}
?>
Benefits:
No plaintext password is ever stored.
Security comes from combining PDO prepared statements (against SQL injection) with hashing (against credential theft from a leaked database).
Caveat: in the code above, password_verify() is skipped when the email is unknown, so an unknown email is rejected noticeably faster than a wrong password. An attacker can use that timing difference to enumerate registered emails. Verify against a dummy hash when no user is found so that both paths take the same time.
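The following added example (not the tutorial's own code) puts sections 5 and 6 together and closes the timing gap described in the caveat above: it always runs password_verify(), and it upgrades outdated hashes after a successful login. It assumes the tutorial's users(id, username, email, password) table; the in-memory SQLite database at the bottom is constructed demo data standing in for config.php so the script runs offline, and dummyHash() and authenticate() are helpers written for this page.

```php
<?php
// Added example (not the tutorial's own code): a login routine that
//   1. always runs password_verify(), so an unknown email and a wrong password
//      take about the same time (no email enumeration via timing), and
//   2. upgrades outdated hashes with password_needs_rehash() after a
//      successful login.
// Assumes the tutorial's users(id, username, email, password) table. The
// in-memory SQLite database at the bottom stands in for config.php so the
// script runs offline; dummyHash() and authenticate() are helpers written here.
declare(strict_types=1);

/** Hash of a random secret, computed once per process, for the "no such user" path. */
function dummyHash(): string
{
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);
    }
    return $dummy;
}

/**
 * Returns the user row (without the hash) on success, null on failure.
 * The caller cannot tell whether the email was unknown or the password wrong.
 */
function authenticate(PDO $pdo, string $email, string $password): ?array
{
    $stmt = $pdo->prepare('SELECT id, username, email, password FROM users WHERE email = :email');
    $stmt->execute(['email' => $email]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC) ?: null;

    // Verify against the real hash, or against the dummy when the email is
    // unknown, so both branches pay the full bcrypt cost.
    $storedHash = $user['password'] ?? dummyHash();
    $passwordOk = password_verify($password, $storedHash);
    if ($user === null || !$passwordOk) {
        return null;
    }

    // Older algorithm or lower cost than today's PASSWORD_DEFAULT? Re-hash now,
    // the only moment we legitimately hold the plaintext.
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare('UPDATE users SET password = :hash WHERE id = :id');
        $upd->execute(['hash' => password_hash($password, PASSWORD_DEFAULT), 'id' => $user['id']]);
    }

    unset($user['password']); // never let the hash reach the session or templates
    return $user;
}

// --- Demo harness: constructed in-memory data instead of config.php ----------
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY AUTOINCREMENT, username TEXT, email TEXT UNIQUE, password TEXT)');

// A user whose hash was made with a deliberately low cost, as if by an older deployment.
$oldHash = password_hash('MySecurePassword123', PASSWORD_BCRYPT, ['cost' => 4]);
$pdo->prepare('INSERT INTO users (username, email, password) VALUES (?, ?, ?)')
    ->execute(['john_doe', 'john@example.com', $oldHash]);

$results = [
    'wrong_password' => authenticate($pdo, 'john@example.com', 'not-the-password'),
    'unknown_email'  => authenticate($pdo, 'nobody@example.com', 'MySecurePassword123'),
    'correct_login'  => authenticate($pdo, 'john@example.com', 'MySecurePassword123'),
];
print_r($results);

// The successful login upgraded the stored hash from cost 4 to the current default.
$upgraded = $pdo->query("SELECT password FROM users WHERE email = 'john@example.com'")->fetchColumn();
print_r(password_get_info($upgraded));
```

To wire this into the tutorial's login form, drop the demo harness, `require 'config.php'` instead, call `authenticate($pdo, $_POST['email'] ?? '', $_POST['password'] ?? '')`, and on a non-null result perform the session_regenerate_id() and $_SESSION steps from section 6. The database lookup itself still takes slightly different time for known and unknown emails; the dummy hash removes the large, easily measured bcrypt-sized gap, which is the one attackers exploit in practice.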
7. Key Security Tips
Use password_hash() at registration.
Use password_verify() at login.
Never store plaintext passwords in the database or write them to logs (including request logs and exception traces).
Use HTTPS so passwords do not cross the network in the clear.
Rate-limit login attempts per account and per IP address; hashing slows down offline cracking of a leaked database, not online guessing.
Consider adding 2FA (Two-Factor Authentication) for extra security.
Visit:
https://www.faulink.com/
for more tutorials on PHP, security, PDO, and web development.