PHP password handling methods _ PHP Tutorial

Source: Internet
Author: User
Tags crypt sha1 encryption

When developing Web applications with PHP, many of them require user registration, and during registration we need to process the user's information, most commonly an e-mail address and a password. This article discusses how to process the password: that is, how to hash it before storing it. (Following common usage the text below sometimes says "encrypt", but a stored password should be hashed, not encrypted: there must be no key that turns it back into the plaintext.)

MD5

I believe that when many PHP developers first came into contact with PHP, their first choice for processing passwords was MD5. That is what I did at the time:

$password = md5($_POST["password"]);

Does the code above look familiar? Today, though, MD5 is no longer an acceptable choice for passwords in PHP. The digest is extremely fast to compute, so an attacker holding a leaked table can try billions of guesses per second on commodity GPUs, and many cracking sites keep huge lookup tables of precomputed MD5 values for common passwords. For these reasons I do not advocate using MD5 alone to process users' passwords.

SHA256 and SHA512

SHA1 dates from the same period as MD5 and shares its weaknesses for this purpose, so we set it aside here. The SHA256 and SHA512 discussed in this section are hash functions from the SHA-2 family; as the names suggest, they produce 256-bit and 512-bit digests respectively.

Their usage is as follows:

$password = hash("sha256", $password);

PHP has a built-in hash() function; you only need to pass it the algorithm name, such as sha256, sha512, md5 or sha1 (hash_algos() lists everything available). Note, however, that SHA-2 was also designed to be fast. A longer digest does not by itself make a password harder to guess, so a bare SHA256 of the password has the same fundamental problem as a bare MD5: it is unsalted and cheap to brute-force.

Salt value

In the hashing process we also have a very common companion: the salt. A salt is an extra random string appended to the password before hashing, so that two users with the same password get different hashes and a precomputed table cannot be applied to the whole database at once:

function generateHashWithSalt($password) {
    // Note: md5(uniqid(rand(), true)) is not a cryptographically secure random
    // source, and 6 hex characters is a very small salt; kept here as the
    // original illustration of the mechanism only.
    $intermediateSalt = md5(uniqid(rand(), true));
    $salt = substr($intermediateSalt, 0, 6);
    // The salt must be stored next to the hash; without it the password
    // can never be verified again.
    return array('salt' => $salt, 'hash' => hash("sha256", $password . $salt));
}
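The function above shows only the storing half of salting. The following is an added example, not code from the original tutorial, that carries the salt through to verification: the salt comes from the CSPRNG via random_bytes(), is stored beside the hash, and the comparison uses hash_equals() so that timing does not leak how many leading bytes matched. It assumes PHP 7.0 or later for random_bytes() and hash_equals(); the function names and the demo passwords are constructed for this illustration. A salted SHA-256 is still a fast hash, so this demonstrates the mechanism rather than a recommended scheme; the bcrypt and password_hash() sections below are what to use in practice.

```php
<?php
// Added example (not from the original tutorial): salting carried through
// to verification. Assumes PHP 7.0+ for random_bytes() and hash_equals().
// Shown to illustrate the salt mechanism only; a plain salted SHA-256 is
// still a fast hash, so prefer bcrypt / password_hash() for real storage.

function makeSaltedHash($password)
{
    // 16 bytes from the CSPRNG, hex-encoded so the salt is safe to store
    // in a plain text column next to the hash.
    $salt = bin2hex(random_bytes(16));
    return array(
        'salt' => $salt,
        'hash' => hash('sha256', $password . $salt),
    );
}

function checkSaltedHash($password, array $record)
{
    // Recompute with the stored salt and compare in constant time.
    $candidate = hash('sha256', $password . $record['salt']);
    return hash_equals($record['hash'], $candidate);
}

// Constructed demo: two users choosing the same password get different
// hashes, and only the right password verifies.
$alice = makeSaltedHash('correct horse battery staple');
$bob   = makeSaltedHash('correct horse battery staple');
var_dump($alice['hash'] !== $bob['hash']);
var_dump(checkSaltedHash('correct horse battery staple', $alice));
var_dump(checkSaltedHash('wrong password', $alice));
```

Both var_dump() calls on checkSaltedHash() show that verification works only when the original salt is available, which is exactly what the unfixed version of generateHashWithSalt() threw away.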

Bcrypt

If I had to suggest one method, bcrypt would be the minimum I recommend, because beyond it I will strongly recommend the Password Hashing API discussed later; still, bcrypt on its own is a good choice.

function generateHash($password) {
    if (defined("CRYPT_BLOWFISH") && CRYPT_BLOWFISH) {
        // "$2y$" selects bcrypt, "11" is the cost, then 22 salt characters.
        // md5() hex output stays inside bcrypt's salt alphabet, but see the
        // note below on its entropy and on uniqid()/rand() as a random source.
        $salt = '$2y$11$' . substr(md5(uniqid(rand(), true)), 0, 22);
        return crypt($password, $salt);
    }
}

Bcrypt is Blowfish-based password hashing exposed through the crypt() function. Here CRYPT_BLOWFISH is checked to confirm the algorithm is available, and then a salt string is generated as above. Note the format crypt() requires: the salt must start with "$2a$" or "$2y$" (prefer "$2y$"; the "$2a$" implementation in PHP before 5.3.7 mishandled 8-bit characters, which is what the first link below documents), followed by a two-digit cost between 04 and 31 and 22 salt characters drawn from the alphabet ./0-9A-Za-z. The hex characters from md5() happen to fall inside that alphabet, but they carry only 4 bits each, so the 22 characters hold at most 88 bits of a value that was itself derived from uniqid() and rand(), neither of which is a cryptographic random source. For more information, see the following link:

http://www.php.net/security/crypt_blowfish.php

For more information, see:

http://php.net/manual/en/function.crypt.php
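As an added example that is not part of the original tutorial, here is bcrypt through crypt() done with a salt taken from the CSPRNG and mapped onto bcrypt's alphabet, plus the verification step the page does not show. The function names, the cost guard and the demo passwords are constructed for this illustration; it assumes PHP 7.0 or later for random_bytes() and hash_equals().

```php
<?php
// Added example (not from the original tutorial): bcrypt via crypt() with
// a CSPRNG-derived salt, a failure check, and verification.
// Assumes PHP 7.0+ for random_bytes() and hash_equals().

function bcryptHash($password, $cost = 11)
{
    if ($cost < 4 || $cost > 31) {
        throw new InvalidArgumentException('bcrypt cost must be between 4 and 31');
    }
    // bcrypt wants exactly 22 salt characters from ./0-9A-Za-z.
    // Standard base64 uses "+" and "/"; "/" is already in the alphabet,
    // so only "+" needs to be mapped to ".". 16 random bytes give 24
    // base64 characters, of which the first 22 are kept.
    $salt = substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22);
    $setting = sprintf('$2y$%02d$%s', $cost, $salt);

    $hash = crypt($password, $setting);
    // On failure crypt() returns a short string such as "*0" instead of
    // a hash; a valid bcrypt hash is always 60 characters long.
    if (strlen($hash) !== 60) {
        throw new RuntimeException('bcrypt hashing failed');
    }
    return $hash;
}

function bcryptVerify($password, $storedHash)
{
    // Passing the stored hash as the "salt" makes crypt() reuse its
    // "$2y$", cost and 22-character salt, so a correct password yields
    // the identical 60-character string. Compare in constant time.
    return hash_equals($storedHash, crypt($password, $storedHash));
}

// Constructed demo.
$hash = bcryptHash('correct horse battery staple');
var_dump(strlen($hash), substr($hash, 0, 7));
var_dump(bcryptVerify('correct horse battery staple', $hash));
var_dump(bcryptVerify('Tr0ub4dor&3', $hash));
```

The verify step is precisely what password_verify() does internally in the API described next; doing it by hand here shows why the stored hash string is self-describing and needs no separate salt column.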

Password Hashing API

Here is the main story. The Password Hashing API is a new feature added in PHP 5.5, and it mainly provides the following functions:

password_hash() - hash a password.
password_verify() - check a plaintext password against a stored hash.
password_needs_rehash() - report whether a stored hash should be recomputed with the current algorithm or options.
password_get_info() - return the algorithm name and the options recorded in a hash.

Although crypt() is sufficient, password_hash() not only makes our code shorter but also gets the details right for us (random salt generation, the hash format, a constant-time comparison in password_verify()). It is the method PHP officially recommends for hashing users' passwords, and popular frameworks such as Laravel use it.

$hash = password_hash($password, PASSWORD_DEFAULT);

Yes, it really is just one line of code, and that's all there is to it.

PASSWORD_DEFAULT currently uses bcrypt, so the recommendation above stands, but because the Password Hashing API does more for you I seriously recommend it over calling crypt() yourself. Note that PASSWORD_DEFAULT is meant to change as stronger algorithms are added, so if your code uses it, make the password column in your database table longer than 60 characters (the PHP manual suggests 255). If you use PASSWORD_BCRYPT explicitly, the resulting string is always exactly 60 characters long.

In this example password_hash() is called without providing a salt or a cost; both are optional. Think of the cost as a work-factor setting: for bcrypt each increment doubles the CPU time of every hash (memory use does not change), which slows an attacker's guessing by the same factor. If you want to specify a cost or a salt, you can write:

$options = [
    // 'salt' is deprecated since PHP 7.0 and no longer honoured in PHP 8;
    // let password_hash() generate the salt instead.
    'salt' => custom_function_for_salt(), // write your own code to generate a suitable salt
    'cost' => 12 // the default cost is 10
];
$hash = password_hash($password, PASSWORD_DEFAULT, $options);

After the password has been hashed and stored, at login we need to check whether the password the user typed is correct:

if (password_verify($password, $hash)) {
    // Pass
} else {
    // Invalid
}

That's all: password_verify() checks the submitted password against the hash previously stored in the database, reading the algorithm, cost and salt out of the hash string itself.

Sometimes, though, we need to change how passwords are hashed, for example to increase the cost one day. Existing hashes cannot be converted without the plaintext, so the check belongs in the login path, right after password_verify() has succeeded, using password_needs_rehash():

if (password_needs_rehash($hash, PASSWORD_DEFAULT, ['cost' => 12])) {
    // Cost changed to 12
    $hash = password_hash($password, PASSWORD_DEFAULT, ['cost' => 12]);
    // Don't forget to store the new hash!
}

password_needs_rehash() simply compares the algorithm and options recorded in the stored hash with the ones you pass in; it does not verify anything itself. Run it only after password_verify() has accepted the password, while the plaintext is still in hand, and write the new hash back. Hashes made with the old parameters keep verifying correctly until their owners next log in, because password_verify() takes the parameters from each individual hash.

Finally, password_get_info() returns an array with three entries:

algo - the algorithm identifier
algoName - the algorithm name, for example "bcrypt"
options - the options recorded in the hash, for example the cost
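The functions above form one procedure: hash at registration, verify at login, and upgrade the stored hash when the policy changes. The following is an added example, not code from the original tutorial, that runs that whole lifecycle against a constructed in-memory "user table" and uses password_get_info() to show the cost being migrated from 10 to 12. It assumes PHP 5.5 or later; the function names targetOptions(), registerUser() and loginUser(), the user names and the passwords are all constructed for this illustration. It also goes slightly beyond the page in one respect: when the user name does not exist it still performs one hash so that the response time does not reveal which user names are valid.

```php
<?php
// Added example (not from the original tutorial): the Password Hashing API
// lifecycle over a constructed in-memory user table. Assumes PHP 5.5+.

// The hashing policy the application wants today. Raising the cost here
// is enough: password_needs_rehash() migrates old hashes at next login.
function targetOptions()
{
    return ['cost' => 12]; // the default is 10
}

// Registration: store only the hash, never the plaintext.
function registerUser(array &$users, $username, $password)
{
    $users[$username] = [
        'hash' => password_hash($password, PASSWORD_DEFAULT, targetOptions()),
    ];
}

// Login: verify, then opportunistically upgrade the stored hash.
// Returns true on success; the caller persists $users afterwards.
function loginUser(array &$users, $username, $password)
{
    if (!isset($users[$username])) {
        // Unknown user: burn the same work as a real check so that the
        // response time does not reveal whether the user name exists.
        password_hash($password, PASSWORD_DEFAULT, targetOptions());
        return false;
    }
    $stored = $users[$username]['hash'];
    if (!password_verify($password, $stored)) {
        return false;
    }
    // Only now do we hold a plaintext known to be correct, so this is the
    // one place where an outdated hash can be recomputed.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT, targetOptions())) {
        $users[$username]['hash'] = password_hash($password, PASSWORD_DEFAULT, targetOptions());
    }
    return true;
}

// Constructed demo: alice registered back when the policy was cost 10,
// bob registers under the current policy.
$users = [];
$users['alice'] = [
    'hash' => password_hash('correct horse battery staple', PASSWORD_BCRYPT, ['cost' => 10]),
];
registerUser($users, 'bob', 'Tr0ub4dor&3');

$before = password_get_info($users['alice']['hash']);
var_dump($before['algoName'], $before['options']);

var_dump(loginUser($users, 'alice', 'wrong password'));
var_dump(password_get_info($users['alice']['hash'])['options']);

var_dump(loginUser($users, 'alice', 'correct horse battery staple'));
var_dump(password_get_info($users['alice']['hash'])['options']);

var_dump(loginUser($users, 'nobody', 'anything'));
var_dump(loginUser($users, 'bob', 'Tr0ub4dor&3'));
```

The two password_get_info() dumps around alice's logins show the point of the rehash placement: the failed login leaves her cost-10 hash untouched, and only the successful one, where the plaintext has just been proven correct, replaces it with a cost-12 hash.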

So, start using PHP 5.5 now, and don't worry about earlier versions: for PHP 5.3.7 through 5.4 the password_compat library (ircmaxell/password_compat) provides the same four functions on top of crypt(), so the code above works unchanged.
