Jinsi ya Kutumia Password Hashing na Verification
Hifadhi passwords wazi (plaintext) kwenye database ni hatari kubwa.
Kwa hivyo, PHP inatoa functions za hashing zinazolinda password zako dhidi ya wizi au SQL Injection.
Misingi ya password hashing:
Hifadhi hash, si password wazi.
Tumia password_hash() wakati wa registration.
Tumia password_verify() wakati wa login.
⚙️ 2. Password Hashing (password_hash)
<?php
$password = "MySecurePassword123";
// Tumia PASSWORD_DEFAULT (kwa sasa ni BCRYPT)
$hash = password_hash($password, PASSWORD_DEFAULT);
echo "Original Password: $password <br>";
echo "Hashed Password: $hash";
?>
💡 Maelezo:
PASSWORD_DEFAULT huchagua algorithm salama (BCRYPT au newer).
Hash hubadilika kila mara, hivyo kila login hash ni tofauti, hata kama password ni sawa.
🔑 3. Kuhifadhi Hash kwenye Database
<?php
include 'config.php'; // PDO connection
$username = "john_doe";
$email = "john@example.com";
$password = "MySecurePassword123";
$hash = password_hash($password, PASSWORD_DEFAULT);
$stmt = $pdo->prepare("INSERT INTO users (username, email, password) VALUES (:username, :email, :password)");
$stmt->execute([
'username' => $username,
'email' => $email,
'password' => $hash
]);
echo "✅ User registered successfully with hashed password!";
?>
💡 Faida:
Hakuna mtu anaweza kuona password halisi kwenye database.
Even admin hawezi kuona password halisi.
🔄 4. Password Verification (password_verify)
<?php
$inputPassword = "MySecurePassword123"; // password kutoka user input
$storedHash = '$2y$10$e0NfqkC5lS2l91k9YkEPIe0jvY8.Y6zEzCzQy0GeIWZg1A5QvP5U6'; // hash kutoka DB
if (password_verify($inputPassword, $storedHash)) {
echo "✅ Password is correct!";
} else {
echo "❌ Invalid password!";
}
?>
💡 Maelezo:
password_verify() inalinganisha password ya user na hash ya database.
Haihitaji ku-decrypt hash, inafanya comparison salama.
🧠 5. Kusasaisha Hash (Rehashing)
PHP inaruhusu rehash ikiwa algorithm inabadilika au cost inabadilika:
if (password_needs_rehash($storedHash, PASSWORD_DEFAULT)) {
$newHash = password_hash($inputPassword, PASSWORD_DEFAULT);
// update database na $newHash
}
💡 Maelezo:
Inahakikisha system inatumia algorithm salama kila wakati.
🔑 6. Integrate na User Login
<?php
include 'config.php';
session_start();
$email = $_POST['email'];
$password = $_POST['password'];
$stmt = $pdo->prepare("SELECT * FROM users WHERE email = :email");
$stmt->execute(['email' => $email]);
$user = $stmt->fetch(PDO::FETCH_ASSOC);
if ($user && password_verify($password, $user['password'])) {
session_regenerate_id(true);
$_SESSION['user_id'] = $user['id'];
$_SESSION['username'] = $user['username'];
echo "✅ Login successful!";
} else {
echo "❌ Invalid email or password!";
}
?>
💡 Faida:
Hakuna password yenyewe imehifadhiwa wazi.
Usalama umeimarishwa na PDO + hashing.
✅ 7. Vidokezo Muhimu vya Security
Tumia password_hash() kwa registration.
Tumia password_verify() kwa login.
Usiweke password wazi kwenye database au logs.
Tumia HTTPS ili data isipite wazi kwenye network.
Consider adding 2FA (Two-Factor Authentication) kwa security zaidi.
🔗 Tembelea:
Kwa mafunzo zaidi ya PHP, security, PDO, na web development.
🚀 Unahitaji mfumo au website ya biashara?
Chagua huduma hapa chini kisha mteja bofya moja kwa moja kwenda kwenye ukurasa wa huduma au kuwasiliana nasi kwa WhatsApp.