PHP password_hash() usage example
I. Preface
PHP 5.5 provides many new features and API functions, one of which is the Password Hashing API (for creating and verifying password hashes).
It contains four functions: password_get_info(), password_hash(), password_needs_rehash(), and password_verify().
Before PHP 5.5, we might have used md5 or sha1 to hash passwords (nobody stores them in plaintext the way CSDN did...), for example:
echo md5("123456"); // output: e10adc3949ba59abbe56e057f20f883e
However, a plain md5 hash is easily cracked with a dictionary. You can recover the original password just by finding a website that offers md5 lookups.
II. Password Hashing API
The Password Hashing API provided by PHP 5.5 solves these problems well.
Let's first look at the password_hash() function:
The code is as follows:
string password_hash(string $password, integer $algo [, array $options])
It has three parameters: the password, the hash algorithm, and options. The first two are required.
Let's use password_hash() to create a password hash:
The code is as follows:
$pwd = "123456";
$hash = password_hash($pwd, PASSWORD_DEFAULT);
echo $hash;
The output of the preceding example is similar to $2y$10$4kAu4FNGuolmRmSSHgKEMe3DbG5pm3diikFkiAKNh.Sf1tPbB4uo2.
The hash value changes every time the page is refreshed, because password_hash() generates a new random salt on each call.
After the hash value is created, we can use password_verify() to check whether a password matches it:
The code is as follows:
boolean password_verify(string $password, string $hash)
It takes two parameters, the password and the hash value, and returns a boolean. Let's check whether the hash generated earlier matches the password:
The code is as follows:
if (password_verify($pwd, '$2y$10$4kAu4FNGuolmRmSSHgKEMe3DbG5pm3diikFkiAKNh.Sf1tPbB4uo2')) {
    echo "the password is correct";
} else {
    echo "incorrect password";
}
Basically, the two functions above are enough to securely create and verify password hashes. There are two other API functions:
The code is as follows:
password_get_info()      // view information about the hash value
password_needs_rehash()  // check whether a hash value was created using a specific algorithm and options
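How these two functions fit into a login flow, as an added example that is not part of the original article. The function name login_check, the in-memory $users array (standing in for a database table) and the cost values 10 and 12 are assumptions made for illustration.

```php
<?php
// Added example: verify a login, then upgrade the stored hash if it is outdated.
// PASSWORD_BCRYPT is named explicitly so the 'cost' option always applies.
$options = ['cost' => 12];   // assumed target work factor

// Constructed sample data: a hash stored earlier with a lower cost of 10.
$users = [
    'alice' => password_hash('123456', PASSWORD_BCRYPT, ['cost' => 10]),
];

function login_check(array &$users, $name, $pwd, array $options)
{
    if (!isset($users[$name])) {
        return false;
    }
    // password_verify() reads the algorithm, cost and salt from the hash itself.
    if (!password_verify($pwd, $users[$name])) {
        return false;
    }
    // The plaintext is only available at login, so this is the moment to
    // re-hash with the current settings and store the new value.
    if (password_needs_rehash($users[$name], PASSWORD_BCRYPT, $options)) {
        $users[$name] = password_hash($pwd, PASSWORD_BCRYPT, $options);
    }
    return true;
}

$before = password_get_info($users['alice']);
var_dump(login_check($users, 'alice', 'wrong', $options));
var_dump(login_check($users, 'alice', '123456', $options));
$after = password_get_info($users['alice']);

// Show the algorithm name and cost recorded in the hash before and after login.
echo $before['algoName'], ' cost ', $before['options']['cost'], "\n";
echo $after['algoName'], ' cost ', $after['options']['cost'], "\n";
```

A failed login leaves the stored hash untouched; only a successful one triggers the upgrade.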
III. Comments
Although a password hash created with password_hash() is more secure, it reduces interoperability.
For example, if we use PHP's md5(), which is standard MD5, it is easy to verify the hash in other languages, such as Node.js:
The code is as follows:
var crypto = require('crypto');
var hash = crypto.createHash('md5').update("123456").digest('hex');
if (hash === "e10adc3949ba59abbe56e057f20f883e") console.log('correct password');
A hash value created with password_hash() can only be verified by password_verify() in PHP.
Both approaches have their advantages and disadvantages. Whether to use md5 (or sha1) + salt (an interfering string) or password_hash() depends on the actual situation.