71街

$user = get_post_var('user');
if(!preg_match('/^[a-zA-Z0-9_]{1,60}$/', $user))
fail('用户名不合法');
 
$pass = get_post_var('pass');
/* 好歹我们也应该节省点CPU和内存吧，哈哈 */
if (strlen($pass) > 72)
fail('The supplied password is too long');

$hash = $hasher->HashPassword($pass);
if (strlen($hash) < 20)
fail('密码分配失败');
unset($hasher);
 
($stmt = $db->prepare('insert into users (user, pass) values (?, ?)'))
|| fail('MySQL prepare', $db->error);
$stmt->bind_param('ss', $user, $hash)
|| fail('MySQL bind_param', $db->error);
if (!$stmt->execute()) {
if ($db->errno ===1062 /* ER_DUP_ENTRY */)
fail('This username is already taken');
else
fail('MySQL execute', $db->error);
}

($stmt = $db->prepare('select pass from users where user=?'))
|| fail('MySQL prepare', $db->error);
$stmt->bind_param('s', $user)
|| fail('MySQL bind_param', $db->error);
$stmt->execute()
|| fail('MySQL execute', $db->error);
$stmt->bind_result($hash)
|| fail('MySQL bind_result', $db->error);
if (!$stmt->fetch() && $db->errno)
fail('MySQL fetch', $db->error);
 
if ($hasher->CheckPassword($pass, $hash)) {
$what= 'Authentication succeeded';
} else {
$what = 'Authentication failed';
}
unset($hasher);

if ($hasher->CheckPassword($pass, $hash)) {
$what= 'Authentication succeeded';
} else {
$what = 'Authentication failed';
$op = 'fail'; // Definitely not 'change'
}

$newpass = get_post_var('newpass');
if(strlen($newpass) > 72)
fail('The new password is too long');
$hash = $hasher->HashPassword($newpass);
if(strlen($hash) < 20)
fail('Failed to hash new password');
unset($hasher);
 
($stmt = $db->prepare('update users set pass=? where user=?'))
|| fail('MySQL prepare', $db->error);
$stmt->bind_param('ss', $hash, $user)
|| fail('MySQL bind_param', $db->error);
$stmt->execute()
|| fail('MySQL execute', $db->error);
 
$what = 'Password changed';