问题描述
我需要了解此功能的基础知识.对于河豚算法,php.net 文档指出:
I need to get the basics of this function. The php.net documentation states, for the blowfish algorithm, that:
Blowfish 用盐散列如下:$2a$",一个两位数的成本参数,$",以及来自字母表./0-9A-Za-z"的 22 个基数 64 位.在盐中使用此范围之外的字符将导致 crypt() 返回零长度字符串
Blowfish hashing with a salt as follows: "$2a$", a two digit cost parameter, "$", and 22 base 64 digits from the alphabet "./0-9A-Za-z". Using characters outside of this range in the salt will cause crypt() to return a zero-length string
因此,根据定义,这不应该起作用:
So this, by definition, should not work:
echo crypt('rasmuslerdorf', '$2a$07$usesomadasdsadsadsadasdasdasdsadesillystringforsalt$');
然而,它吐出来了:
$2a$07$usesomadasdsadsadsadaeMTUHlZEItvtV00u0.kb7qhDlC0Kou9e
crypt() 似乎将盐本身的长度减少到 22.有人可以解释一下吗?
Where it seems that crypt() has cut the salt itself to a length of 22. Could somebody please explain this?
这个功能的另一个我无法理解的方面是当他们使用 crypt() 来比较密码时.http://php.net/manual/en/function.crypt.php(看看例子.#1).这是否意味着如果我使用相同的盐来加密所有密码,我必须先对其进行加密?即:
Another aspect of this function I can't get my head around is when they use crypt() to compare passwords. http://php.net/manual/en/function.crypt.php (look at ex. #1). Does this mean that if I use the same salt for all encrypting all my passwords, I have to crypt it first? ie:
$salt = "usesomadasdsadsadsadae";
$salt_crypt = crypt($salt);
if (crypt($user_input, $salt) == $password) {
// FAIL WONT WORK
}
if (crypt($user_input, $salt_crypt) == $password) {
// I HAVE TO DO THIS?
}
感谢您的时间
推荐答案
以下代码示例可能会回答您的问题.
Following code example may answer your questions.
要使用 Blowfish 生成散列密码,您首先需要生成一个盐,它以 $2a$ 开头,然后是迭代计数和 22 个 Base64 字符串字符.
To generate hashed password using Blowfish, you first need to generate a salt, which starts with $2a$ followed by iteration count and 22 characters of Base64 string.
$salt = '$2a$07$usesomadasdsadsadsadasdasdasdsadesillystringfors';
$digest = crypt('rasmuslerdorf', $salt);
将整个 $digest 存储在数据库中,它包含盐和摘要.
Store the whole $digest in database, it has both the salt and digest.
比较密码时,就这样做,
When comparing password, just do this,
if (crypt($user_input, $digest) == $digest)
您将摘要作为盐重用.crypt 从算法标识符中知道盐的长度.
You are reusing the digest as salt. crypt knows how long is the salt from the algorithm identifier.
这篇关于用 PHP 中的 crypt() 比较密码的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持跟版网!