Hướng dẫn dùng incompatibilities trong PHP
Chúng thể hiện cách bạn muốn dữ liệu bạn đang đóng gói được biểu diễn ở định dạng nhị phân: Show vì thế
Ở đâu
Nó cho gói biết cách bạn muốn dữ liệu được biểu diễn trong dữ liệu nhị phân. Đoạn mã dưới đây sẽ chứng minh điều này. Lưu ý rằng bạn có thể giải nén với định dạng khác với định dạng mà bạn đã đóng gói dữ liệu.
26 hữu ích 0 bình luận chia sẻ So, you want to use bcrypt? Awesome! However, like other areas of cryptography, you shouldn't be doing it yourself. If you need to worry about anything like managing keys, or storing salts or generating random numbers, you're doing it wrong. The reason is simple: it's so trivially easy to screw up bcrypt. In fact, if you look at almost every piece of code on this page, you'll notice that it's violating at least one of these common problems. Face It, Cryptography is hard.Leave it for the experts. Leave it for people whose job it is to maintain these libraries. If you need to make a decision, you're doing it wrong. Instead, just use a library. Several exist depending on your requirements. LibrariesHere is a breakdown of some of the more common APIs. PHP 5.5 API - (Available for 5.3.7+)Starting in PHP 5.5, a new API for hashing passwords is being introduced. There is also a shim compatibility library maintained (by me) for 5.3.7+. This has the benefit of being a peer-reviewed and simple to use implementation. function register($username, $password) { $hash = password_hash($password, PASSWORD_BCRYPT); save($username, $hash); } function login($username, $password) { $hash = loadHashByUsername($username); if (password_verify($password, $hash)) { //login } else { // failure } }Really, it's aimed to be extremely simple. Resources:
Zend\Crypt\Password\Bcrypt (5.3.2+)This is another API that's similar to the PHP 5.5 one, and does a similar purpose. function register($username, $password) { $bcrypt = new Zend\Crypt\Password\Bcrypt(); $hash = $bcrypt->create($password); save($user, $hash); } function login($username, $password) { $hash = loadHashByUsername($username); $bcrypt = new Zend\Crypt\Password\Bcrypt(); if ($bcrypt->verify($password, $hash)) { //login } else { // failure } }Resources:
PasswordLibThis is a slightly different approach to password hashing. Rather than simply supporting bcrypt, PasswordLib supports a large number of hashing algorithms. It's mainly useful in contexts where you need to support compatibility with legacy and disparate systems that may be outside of your control. It supports a large number of hashing algorithms. And is supported 5.3.2+ function register($username, $password) { $lib = new PasswordLib\PasswordLib(); $hash = $lib->createPasswordHash($password, '$2y$', array('cost' => 12)); save($user, $hash); } function login($username, $password) { $hash = loadHashByUsername($username); $lib = new PasswordLib\PasswordLib(); if ($lib->verifyPasswordHash($password, $hash)) { //login } else { // failure } }References:
PHPASSThis is a layer that does support bcrypt, but also supports a fairly strong algorithm that's useful if you do not have access to PHP >= 5.3.2... It actually supports PHP 3.0+ (although not with bcrypt). function register($username, $password) { $phpass = new PasswordHash(12, false); $hash = $phpass->HashPassword($password); save($user, $hash); } function login($username, $password) { $hash = loadHashByUsername($username); $phpass = new PasswordHash(12, false); if ($phpass->CheckPassword($password, $hash)) { //login } else { // failure } }Resources
Note: Don't use the PHPASS alternatives that are not hosted on openwall, they are different projects!!! About BCryptIf you notice, every one of these libraries returns a single string. That's because of how BCrypt works internally. And there are a TON of answers about that. Here are a selection that I've written, that I won't copy/paste here, but link to:
Wrap UpThere are many different choices. Which you choose is up to you. However, I would HIGHLY recommend that you use one of the above libraries for handling this for you. Again, if you're using crypt() directly, you're probably doing something wrong. If your code is using hash() (or md5() or sha1()) directly, you're almost definitely doing something wrong. Just use a library... |