(PHP) 如何正确实现 crypt()

发布于 2024-08-21 02:03:34 字数 1049 浏览 12 评论 0原文

<?php
$password = crypt('mypassword'); // let the salt be automatically generated

/* You should pass the entire results of crypt() as the salt for comparing a
   password, to avoid problems when different hashing algorithms are used. (As
   it says above, standard DES-based password hashing uses a 2-character salt,
   but MD5-based hashing uses 12.) */
if (crypt($user_input, $password) == $password) {
   echo "Password verified!";
}
?>

为什么会这样工作？我认为 'mypassword' 是我希望实际管理员使用的密码。所以我首先对其进行加密，并将其设置为等于$password。显然，我必须将其存储在数据库中。但在接下来的几行中，它被用作盐和我要比较的内容，并且我不明白 crypt($user_input, $password) 如何可能等于 $password，如果在后一种情况下，理想情况下我有正确的密码作为 $user_input 但用 $password 与 $password 进行比较代码>. 对我来说会更有意义？

if (crypt($user_input) == $password) {
   echo "Password verified!";
}

如果最后一行是我不明白什么，

原文

Here is the example from the PHP manual page for crypt():

<?php
$password = crypt('mypassword'); // let the salt be automatically generated

/* You should pass the entire results of crypt() as the salt for comparing a
   password, to avoid problems when different hashing algorithms are used. (As
   it says above, standard DES-based password hashing uses a 2-character salt,
   but MD5-based hashing uses 12.) */
if (crypt($user_input, $password) == $password) {
   echo "Password verified!";
}
?>

Why does this work? I take it 'mypassword' is the password I want the actual admin to use. So I crypt that first, and set it equal to $password. Obviously, I must need to store that in the DB. But in the next lines it's being used as both the salt and what I'm comparing to, and I don't understand how crypt($user_input, $password) can possibly be equal to $password, if in this latter case I have ideally the right password as $user_input but salted with $password being compared to $password. It would make more sense to me if the last line were

if (crypt($user_input) == $password) {
   echo "Password verified!";
}

What am I not understanding?

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

单挑你×的.吻 2024-08-28 02:03:34

crypt 是一个单向函数，返回一个已包含盐的字符串。输出与 /etc/shadow 中存储的内容类似。

来自 php.net 的示例：

<?php
echo 'result: ' . crypt('somepassword');
echo 'result: ' . crypt('somepassword');
echo 'result: ' . crypt('somepassword');
?>

result: $1$K2D8DGwq$b05uO37aMwO4rnDlB9Rsi1
result: $1$aPBvu2y.$213YVEs8/5m.jMCXSScly/
result: $1$dW3Xu2p6$nuCtJe2zzlgBMLxN2oZCx/

将用户输入与crypt 结果，该函数自动从字符串中提取盐。

crypt is a one-way function and returns a string that already contains the salt. The output is similar to what is stored in /etc/shadow.

Example from php.net:

<?php
echo 'result: ' . crypt('somepassword');
echo 'result: ' . crypt('somepassword');
echo 'result: ' . crypt('somepassword');
?>

result: $1$K2D8DGwq$b05uO37aMwO4rnDlB9Rsi1
result: $1$aPBvu2y.$213YVEs8/5m.jMCXSScly/
result: $1$dW3Xu2p6$nuCtJe2zzlgBMLxN2oZCx/

When comparing the user input with the crypt result, the function automatically extracts the salt from the string.

回复收藏 0 原文

~没有更多了~