When building web applications in PHP, most applications ask users to register, and registration means we have to process the user's data. The most common fields are the e-mail address and the password; this article is about handling the password, that is, how to hash it before it is stored.
MD5
I believe that for many PHP developers the first function they reached for when handling passwords was md5(); it certainly was for me:
$password = md5($_POST["password"]);
Does the snippet above look familiar? MD5 has fallen out of favour in the PHP world, because the algorithm is simply too weak and too fast, and many password-cracking sites keep large tables of precomputed MD5 digests. So I strongly advise against still protecting user passwords with nothing but MD5.
SHA256 and SHA512
SHA1 dates from the same era as MD5 and is likewise a fairly simple algorithm, so I will only mention it in passing. SHA256 and SHA512, which we look at here, both come from the SHA-2 family; as the names suggest, they produce 256-bit and 512-bit digests respectively.
They are used like this:
<?php
$password = hash("sha256", $password);
PHP's built-in hash() function takes the algorithm name as its first argument; you can pass sha256, sha512, md5, sha1 and so on directly.
Salt
Hashing has a very common companion: the salt. When hashing, we append an extra string to the password before hashing it, in order to gain some additional security:
<?php
function generateHashWithSalt($password) {
    // Derive a salt from uniqid() and keep the first 6 hex characters.
    $intermediateSalt = md5(uniqid(rand(), true));
    $salt = substr($intermediateSalt, 0, 6);
    // The salt must be stored next to the hash, otherwise the password can never be verified again.
    return hash("sha256", $password . $salt);
}
Bcrypt
If I had to recommend one scheme, Bcrypt would be the minimum I would suggest, because what I really recommend is the Password Hashing API discussed later; still, Bcrypt is a perfectly good choice.
<?php
function generateHash($password) {
    if (defined("CRYPT_BLOWFISH") && CRYPT_BLOWFISH) {
        // '$2y$' selects the Blowfish (bcrypt) variant of crypt(); 11 is the cost parameter.
        // The 22 salt characters must come from the alphabet ./0-9A-Za-z; md5 hex output satisfies this.
        $salt = '$2y$11$' . substr(md5(uniqid(rand(), true)), 0, 22);
        return crypt($password, $salt);
    }
    // Blowfish is unavailable; nothing is returned in that case.
}
Bcrypt is really the combination of Blowfish and the crypt() function. Here we check CRYPT_BLOWFISH to see whether Blowfish is available and then generate a salt as before; note, however, that the salt passed to crypt() must begin with $2a$ or $2y$. Details can be found at the following link:
http://www.php.net/security/crypt_blowfish.php
More information is available here:
http://php.net/manual/en/function.crypt.php
Password Hashing API
This is the main event. The Password Hashing API is a new feature available from PHP 5.5 onwards, and it mainly provides the following functions:
password_hash() – hashes a password.
password_verify() – verifies a password against an existing hash, checking that the hash matches.
password_needs_rehash() – reports whether a stored hash should be rehashed.
password_get_info() – returns the name of the hashing algorithm and related information.
Although crypt() is adequate, password_hash() not only makes our code shorter but also gives us stronger security guarantees, so PHP now officially recommends it for hashing user passwords, and many popular frameworks such as Laravel use it.
<?php
$hash = password_hash($password, PASSWORD_DEFAULT);
Yes, it is that simple: one line of code, all done.
PASSWORD_DEFAULT currently uses Bcrypt, which is why I said above that I recommend it; but since the Password Hashing API does an even better job, I must solemnly recommend the Password Hashing API to you. Note that if your code uses PASSWORD_DEFAULT, the password column in the database table must be longer than 60 characters, because the default algorithm may change in a future PHP release; you can instead use PASSWORD_BCRYPT, in which case the resulting hash is always exactly 60 characters long.
With password_hash() you need not supply a salt or a cost at all. The cost can be thought of as a performance parameter: the higher the cost, the more work the algorithm does and the more expensive each hash is to compute. If you do want to specify a salt and a cost, you can write:
<?php
$options = [
    // Note: the 'salt' option is deprecated since PHP 7.0 and ignored since 8.0; let password_hash() generate it.
    'salt' => custom_function_for_salt(), // write your own code to generate a suitable salt
    'cost' => 12,                         // the default cost is 10
];
$hash = password_hash($password, PASSWORD_DEFAULT, $options);
Once the password has been hashed, we need to verify it in order to decide whether the password the user entered is correct:
<?php
if (password_verify($password, $hash)) {
    // Pass
} else {
    // Invalid
}
Simple, isn't it? password_verify() alone is enough to check a password against the string we hashed earlier and stored in the database.
However, if at some point we need to change our hashing scheme, say one day we decide to switch the salt or raise the cost, that is when password_needs_rehash() comes in:
<?php
if (password_needs_rehash($hash, PASSWORD_DEFAULT, ['cost' => 12])) { // cost changed to 12
    $hash = password_hash($password, PASSWORD_DEFAULT, ['cost' => 12]);
    // don't forget to store the new hash!
}
Only in this way does PHP's Password Hashing API learn that we have changed the hashing scheme; the whole point is that later password verification keeps working.
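As an added example (not code from the original post), here is the verify-then-rehash pattern applied at login time, covering both the cost increase shown above and the migration of the legacy unsalted md5 digests from the start of the article; $users standing in for the users table, the sample records and the target cost of 12 are assumptions, and hash_equals() requires PHP 5.6 or later.

```php
<?php
// Added example, not code from the original post: a login routine that verifies
// the submitted password and transparently upgrades the stored hash, covering
// both the cost bump shown above and migration off the legacy unsalted md5
// digests from the start of the article. Assumptions: $users stands in for the
// users table, and the sample records and target cost of 12 are constructed.
$users = [
    'alice' => ['password' => md5('correct horse')],                                            // legacy md5
    'bob'   => ['password' => password_hash('battery staple', PASSWORD_BCRYPT, ['cost' => 10])], // old cost
];

// A 32-character hex string is treated as a legacy unsalted md5 digest.
function isLegacyMd5($stored)
{
    return preg_match('/^[0-9a-f]{32}$/', $stored) === 1;
}

// Returns true on success and, on success, upgrades the stored hash when needed.
function login(array &$users, $name, $password)
{
    $policy = ['cost' => 12]; // raise this as hardware gets faster
    if (!isset($users[$name])) {
        return false;
    }
    $stored = $users[$name]['password'];
    if (isLegacyMd5($stored)) {
        // Constant-time comparison; a match proves the password, so it can be
        // rehashed with bcrypt below while the plaintext is still available.
        if (!hash_equals($stored, md5($password))) {
            return false;
        }
        $needsUpgrade = true;
    } else {
        if (!password_verify($password, $stored)) {
            return false;
        }
        // True when the stored hash's algorithm or cost differs from the policy.
        $needsUpgrade = password_needs_rehash($stored, PASSWORD_DEFAULT, $policy);
    }

    if ($needsUpgrade) {
        $users[$name]['password'] = password_hash($password, PASSWORD_DEFAULT, $policy);
    }
    return true;
}
var_dump(login($users, 'alice', 'correct horse'), password_get_info($users['alice']['password'])['algoName']);
var_dump(login($users, 'bob', 'battery staple'), password_get_info($users['bob']['password'])['options']);
var_dump(login($users, 'bob', 'wrong password'));
```

After the first two calls both records hold a bcrypt hash at the policy cost, and a wrong password never triggers a rehash.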
A brief word on password_get_info(): this function typically shows the following three pieces of information:
algo – the algorithm identifier
algoName – the algorithm name
options – the options that were used when hashing
So start using PHP 5.5 now, and stop agonising over older versions.
Happy Hacking