Use crypt() for user authentication in PHP


The crypt() function returns a string hashed with DES, Blowfish, or MD5. Its behavior differs between operating systems, and some operating systems support more than one algorithm type. During installation, PHP checks which algorithms are available and uses those.

Understanding crypt()

Anyone with experience on a non-Windows platform may be familiar with crypt(). It performs what is called one-way encryption: it can encrypt a plaintext password, but the result cannot be converted back to the original plaintext. The crypt() function is defined as follows.

string crypt(string $input_string [, string $salt])

Here, the input_string parameter is the plaintext string to be encrypted, and the optional second parameter, salt, is a short string that alters the encrypted password and further reduces the chance of it being cracked. By default, PHP uses a two-character DES salt. If the system uses MD5 (see the next section), PHP uses a 12-character salt. You can run the following statement to find the salt length your system will use.

print "My system salt size is: " . CRYPT_SALT_LENGTH;

crypt() supports four encryption algorithms. Table 19.1 lists the supported algorithms and the length of the corresponding salt parameter.

Table 19.1 The four encryption algorithms supported by crypt()

Algorithm        Salt length
CRYPT_STD_DES    2 characters (default)
CRYPT_EXT_DES    9 characters
CRYPT_MD5        12 characters, beginning with $1$
CRYPT_BLOWFISH   16 characters, beginning with $2$

On the surface, the crypt() function may seem useless, but it is widely used to protect the integrity of system passwords: even if a one-way encrypted password falls into the hands of a third party, it is of little use because it cannot be restored to plaintext.

Use crypt() for User Authentication

The previous section briefly introduced the crypt() function. The following describes how to use it to authenticate a user's identity. The goal is the same as that described in section 19.2.3.


<?php
$user_name = $_POST["user_name"];
require_once("sys_conf.inc"); // system configuration file, including database configuration information
// Connect to the database (legacy mysql_* extension, as used in this chapter; removed in PHP 7)
$link_id = mysql_connect($DBHOST, $DBUSER, $DBPWD);
mysql_select_db($DBNAME); // select the database my_chat
// Query whether the logon user already exists
$str = "select name, password from user where name = '$user_name'";
$result = mysql_query($str, $link_id); // execute the query
@$rows = mysql_num_rows($result); // number of records in the query result
$user_name = $_SESSION["user_name"];
$password = $_POST["password"];
$salt = substr($password, 0, 2); // this example derives the salt from the first two characters of the password
$password_en = crypt($password, $salt); // use crypt() to encrypt the user password
// For old users
if ($rows != 0)
{
    list($name, $pwd) = mysql_fetch_row($result);
    // If the password is entered correctly
    if ($pwd == $password_en)
    {
        $str = "update user set is_online = 1 where name = '$user_name' and password = '$password_en'";
        $result = mysql_query($str, $link_id); // execute the query
        require("main.php"); // go to the chat page
    }
    // Incorrect password
    else
    {
        require("relogin.php");
    }
}
// For new users, write their information to the database
else
{
    $str = "insert into user (name, password, is_online) values ('$user_name', '$password_en', 1)";
    $result = mysql_query($str, $link_id); // execute the query
    require("main.php"); // go to the chat page
}
// Close the database
mysql_close($link_id);
?>

This example is very similar to the XOR encryption algorithm used in the previous section to protect user information. Its core is lines 16 and 17, which use the crypt() function to obtain the encrypted password; the user is then validated by comparing the password stored in the database with that encrypted password (line 3).

Next, let's look at an example of what the encrypted password looks like.

For example, if the username is rock and the password is 123456, the encrypted password is:

12tio.zIbWQ3c

The above implements a simple user authentication system. When using crypt() to protect important confidential information, note that crypt() with its default settings is not the safest option; it should only be used in systems with low security requirements.
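The following is an added example, not code from the original chapter, showing the same login flow with the weaknesses of the listing above removed: a random per-user salt in crypt()'s Blowfish mode instead of the first two characters of the password, a constant-time comparison, and bound query parameters instead of string interpolation. It assumes a PDO connection in $pdo and the same user(name, password, is_online) table; note that current PHP versions expect a $2y$ prefix and a 22-character salt body for CRYPT_BLOWFISH, longer than the 16 characters listed in Table 19.1.

```php
<?php
// Added example (not from the original page). Assumptions: $pdo is an open PDO
// connection, $user_name and $password come from the login form, and the table
// is user(name, password, is_online) as in the chapter's listing.

// Build a CRYPT_BLOWFISH salt: "$2y$" + two-digit cost + 22 chars of [./A-Za-z0-9].
// password_hash(PASSWORD_BCRYPT) does the same job in PHP >= 5.5.
function make_blowfish_salt(int $cost = 10): string {
    $alphabet = './ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
    $salt = '';
    for ($i = 0; $i < 22; $i++) {
        $salt .= $alphabet[random_int(0, 63)]; // CSPRNG, never derived from the password
    }
    return sprintf('$2y$%02d$%s', $cost, $salt);
}

function hash_password(string $password): string {
    return crypt($password, make_blowfish_salt());
}

// The stored hash carries its own salt, so crypt() re-derives it from $stored.
// hash_equals() avoids leaking how many leading bytes matched via timing.
function verify_password(string $password, string $stored): bool {
    return hash_equals($stored, crypt($password, $stored));
}

// Look up the user with a bound parameter instead of interpolating $user_name.
$stmt = $pdo->prepare('SELECT name, password FROM user WHERE name = ?');
$stmt->execute([$user_name]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

if ($row !== false) {
    // Existing user: compare against the stored hash, never against a re-hash with a guessed salt.
    if (verify_password($password, $row['password'])) {
        $upd = $pdo->prepare('UPDATE user SET is_online = 1 WHERE name = ?');
        $upd->execute([$user_name]);
        require 'main.php';   // go to the chat page
    } else {
        require 'relogin.php';
    }
} else {
    // New user: store only the salted hash.
    $ins = $pdo->prepare('INSERT INTO user (name, password, is_online) VALUES (?, ?, 1)');
    $ins->execute([$user_name, hash_password($password)]);
    require 'main.php';
}
```

Because the salt is random, the same password hashes differently for every user, so a leaked table no longer reveals shared passwords, and the salt can no longer be read off the first two characters of the stored value as it could in the DES example above.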

