对于(PHP 5 <5.5.0),password_hash() 的替代方法是什么? [英] what is an alternative to password_hash() for (PHP 5 < 5.5.0)?
问题描述
根据手册:password_hash这个函数可以用于(PHP 5 >= 5.5.0)
According to manual: password_hash this function can be used for (PHP 5 >= 5.5.0)
在寻找替代方法后,我从这里找到了这个简单的函数:http://www.sitepoint.com/password-hashing-in-php/
After searching for an alternative way I found this simple function from here: http://www.sitepoint.com/password-hashing-in-php/
function generateHash($password) {
if (defined("CRYPT_BLOWFISH") && CRYPT_BLOWFISH) {
$salt = '$2y$11$' . substr(md5(uniqid(rand(), true)), 0, 22);
return crypt($password, $salt);
}
}
我可以在使用前使用 function_exists 来管理我的代码,但我的问题是关于上述替代代码是否安全,或者在旧版本的 PHP 中是否有任何替代方法?
I can manage my code by using function_exists before using, but My question is about above alternative code if its secure or not, or is there any alternative in older versions of PHP?
推荐答案
适用于 PHP 版本 <5.3.7,我建议:
For PHP versions < 5.3.7, I'd recommend:
http://www.openwall.com/phpass/
对于 PHP 版本 >= 5.3.7,使用:
For PHP versions >= 5.3.7, use:
https://github.com/ircmaxell/password_compat
生成自己的盐需要很多知识,因为好的、合适的盐需要大量的熵.在 PHP 中生成这个盐是很麻烦的,这就是为什么你通常最终依赖其他资源来为你提供这个字符串,例如 /dev/urandom 或 openssl_random_pseudo_bytes.相信我,如果没有认真的研究和考虑,这不是您想亲自尝试的事情.
Generating your own salts takes a lot of know how, because a good, proper salt requires a lot of entropy. Generating this salt in PHP is troublesome, which is why you usually end up depending on other resources to provide this string for you, such as /dev/urandom or openssl_random_pseudo_bytes. Believe me, this isn't something you want to try yourself without serious research and consideration.
建议使用新的 password_* API,但如果您需要支持旧版本的 PHP,这可能会出现问题,这是 PHPass 的用武之地.我讨厌那些每月 1 美元的托管计划PHP 5.2
Using the new password_* API is recommended, but it can be problematic if you need to support older versions of PHP, which is where PHPass comes in. Gotta hate those $1 per month hosting plans with PHP 5.2
这篇关于对于(PHP 5 <5.5.0),password_hash() 的替代方法是什么?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
