When developing web applications in PHP, many applications require users to register, and at registration time we have to handle the user's information, most commonly the email address and the password. This article discusses how to handle the password: that is, how to hash it before storing it.
MD5
I believe that for many PHP developers, the first function they used to handle passwords when they first came into contact with PHP was md5(). It certainly was for me:
$password = md5($_POST["password"]); // fast, unsalted hash: not suitable for passwords on its own
Does the code above look familiar? However, MD5 no longer seems very popular in the PHP world, because its algorithm is rather simple and many password-cracking sites have stored huge numbers of MD5 password strings, so I do not advocate using MD5 alone to hash users' passwords.
SHA256 and SHA512
In fact, SHA1 existed alongside MD5, but its algorithm is also relatively simple, so I mention it only in passing. What I want to talk about here are SHA256 and SHA512, which come from the SHA2 family of hash functions; as the names suggest, these two produce hashes of 256 and 512 bits in length.
They are used in the following ways:
$password = hash('sha256', $password); // or 'sha512'
PHP has a built-in hash() function; you only have to pass the name of the algorithm to hash(). You can directly specify sha256, sha512, md5, sha1 and so on as the algorithm.
Salt value
In the hashing process we also have a very common companion: the salt. When we hash, we add an extra string to the string being hashed, for the purpose of increasing security:
function generateHashWithSalt($password) {
    // note: uniqid()/rand() are not cryptographic random sources and 6 hex
    // characters is a short salt; the Password Hashing API below does this properly
    $intermediateSalt = md5(uniqid(rand(), true));
    $salt = substr($intermediateSalt, 0, 6);
    return hash("sha256", $password . $salt);
}
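The same idea, as an added example that is not part of the original article: the salt comes from random_bytes() instead of uniqid(), it is stored beside the digest so it can be re-derived at verification time, and the comparison is constant-time. Assumes PHP 7.0+; the function names makeSaltedHash and checkSaltedHash are hypothetical.

```php
<?php
// Added example (not from the original article): salted SHA-256 with a proper
// random salt.  Function names are hypothetical.  A salted fast hash still
// brute-forces quickly; for real passwords prefer password_hash() below.

// Produce "salt$digest" for storage.  random_bytes() is a CSPRNG (PHP 7.0+),
// unlike the uniqid()/rand() pair used in the article's snippet.
function makeSaltedHash($password) {
    $salt = bin2hex(random_bytes(16));        // 128-bit salt, 32 hex characters
    $digest = hash('sha256', $salt . $password);
    return $salt . '$' . $digest;
}

// Split the stored record, re-derive the digest from the stored salt and the
// candidate password, and compare without leaking timing information.
function checkSaltedHash($password, $stored) {
    $parts = explode('$', $stored, 2);
    if (count($parts) !== 2 || strlen($parts[0]) !== 32) {
        return false;                         // malformed record: never accept
    }
    list($salt, $digest) = $parts;
    return hash_equals($digest, hash('sha256', $salt . $password));
}

// Constructed sample input.
$stored1 = makeSaltedHash('correct horse');
$stored2 = makeSaltedHash('correct horse');
var_dump($stored1 !== $stored2);                       // the salt makes identical passwords hash differently
var_dump(checkSaltedHash('correct horse', $stored1));  // right password, right salt
var_dump(checkSaltedHash('wrong', $stored1));          // wrong password
var_dump(checkSaltedHash('correct horse', 'garbage')); // malformed stored value
```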
Bcrypt
If I had to suggest one way of hashing passwords, Bcrypt would be the minimum I recommend to you, because what I really recommend is the Password Hashing API discussed later; but Bcrypt is also a good method.
function generateHash($password) {
    // CRYPT_BLOWFISH is true when crypt() supports bcrypt on this build
    if (defined("CRYPT_BLOWFISH") && CRYPT_BLOWFISH) {
        // "$2y$" selects bcrypt, "11" is the cost, then 22 salt characters
        $salt = '$2y$11$' . substr(md5(uniqid(rand(), true)), 0, 22);
        return crypt($password, $salt);
    }
}
Bcrypt is actually the combination of Blowfish and the crypt() function. Here we use CRYPT_BLOWFISH to determine whether Blowfish is available, and then generate a salt as shown above. It is important to note that the salt passed to crypt() must begin with $2a$ or $2y$. For more information, refer to the following link:
http://www.php.net/security/crypt_blowfish.php
More information can be found here:
http://php.net/manual/en/function.crypt.php
Password Hashing API
Now for the main event. The Password Hashing API is a new feature introduced in PHP 5.5; it mainly provides the following functions for us to use:
password_hash() – hashes the password.
password_verify() – verifies that a password matches the hash string that was previously produced from it.
password_needs_rehash() – checks whether a stored hash needs to be regenerated (for example after the algorithm or cost changes).
password_get_info() – returns the name of the hashing algorithm and some related information.
Although crypt() is good enough, password_hash() not only makes our code shorter but also gives us better protection in terms of security, so PHP now officially recommends this way of hashing users' passwords, and many popular frameworks such as Laravel use it.
$hash = password_hash($password, PASSWORD_DEFAULT);
Yes, it's that simple: one line of code and it's done.
PASSWORD_DEFAULT currently uses Bcrypt, which is why I recommended it above; but because the Password Hashing API does the job better, I seriously recommend the Password Hashing API. It is important to note that if your code uses PASSWORD_DEFAULT, the password column in the database table must be set to more than 60 characters in length. You can also use PASSWORD_BCRYPT, in which case the resulting hash string is always 60 characters long.
With password_hash() you do not need to provide a salt or a cost at all. You can understand the latter as a performance cost: the larger the cost, the more complex the algorithm becomes and the more resources it consumes. Of course, if you need to specify a particular salt and cost, you can write:
$options = [
    // write your own code to generate a suitable salt ($customSalt is a placeholder);
    // note that the 'salt' option is deprecated since PHP 7.0: let password_hash() generate it
    'salt' => $customSalt,
    'cost' => 12, // example value; the default cost is 10
];
$hash = password_hash($password, PASSWORD_DEFAULT, $options);
After the password has been hashed, we need to verify it to determine whether the user entered the correct password:
if (password_verify($password, $hash)) {
    // pass
} else {
    // invalid
}
Quite simply, password_verify() can validate the password directly against the hash string we produced earlier and stored (in the database).
However, if at some point we need to change how we hash, for example one day we suddenly want to change the salt or increase the cost, we use the password_needs_rehash() function:
$newCost = 12; // example value for the new cost
if (password_needs_rehash($hash, PASSWORD_DEFAULT, ['cost' => $newCost])) {
    // the cost has changed, so hash the password again with the new value
    $hash = password_hash($password, PASSWORD_DEFAULT, ['cost' => $newCost]);
    // don't forget to store the new hash!
}
Only in this way will the PHP Password Hashing API know that we have replaced the hashing parameters, so that later password verification still works.
Simply put, password_get_info() generally returns the following three pieces of information:
algo – algorithm identifier
algoName – algorithm name
options – the optional parameters used when hashing
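Putting the four functions together, as an added example that is not from the original article: registration, login, and a transparent rehash on login when the cost policy has been raised, with password_get_info() showing the options before and after. Assumes PHP 7.0+; the $users array stands in for a database table and the function names registerUser and loginUser are hypothetical.

```php
<?php
// Added example (not from the original article): a register/login flow built on
// the Password Hashing API.  $users stands in for a database table; the
// function names are hypothetical.

const HASH_ALGO = PASSWORD_DEFAULT;
const HASH_OPTIONS = ['cost' => 12];   // current policy; raise it as hardware gets faster

function registerUser(array &$users, $name, $password) {
    // No salt is supplied: password_hash() generates a random one itself.
    $users[$name] = password_hash($password, HASH_ALGO, HASH_OPTIONS);
}

function loginUser(array &$users, $name, $password) {
    // Unknown users are verified against a dummy hash computed once, so the
    // response time does not reveal which usernames exist.
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash('dummy', HASH_ALGO, HASH_OPTIONS);
    }
    $known = isset($users[$name]);
    $hash = $known ? $users[$name] : $dummy;
    $ok = password_verify($password, $hash);   // always runs, known user or not
    if (!$known || !$ok) {
        return false;
    }
    // The cleartext is only in hand at login, so this is the moment to upgrade a
    // hash that was made under an older algorithm or a lower cost.
    if (password_needs_rehash($hash, HASH_ALGO, HASH_OPTIONS)) {
        $users[$name] = password_hash($password, HASH_ALGO, HASH_OPTIONS);
    }
    return true;
}

$users = [];
// Constructed legacy record, created with the default cost of 10.
$users['alice'] = password_hash('s3cret', PASSWORD_BCRYPT, ['cost' => 10]);
var_dump(password_get_info($users['alice']));    // algo, algoName, options before login

var_dump(loginUser($users, 'alice', 'wrong'));   // rejected; stored hash untouched
var_dump(loginUser($users, 'mallory', 's3cret')); // unknown user; same code path and cost
var_dump(loginUser($users, 'alice', 's3cret'));  // accepted; hash regenerated under HASH_OPTIONS
var_dump(password_get_info($users['alice']));    // options now reflect the new cost

registerUser($users, 'bob', 'hunter2');
var_dump(strlen($users['bob']));                 // compare against the column width you chose
```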
So, start using PHP 5.5 now, and stop clinging to lower versions.
Several ways of encrypting passwords in PHP