用于密码PHP的哈希算法 [英] Which hashing algorithm to use for Password PHP

问题描述

可能重复：

安全的哈希和盐为PHP密码

为了加密php文件中的密码，我想更改为 sha256 或 md5 ，而不是使用 sha1 作为 iIwent 在线研究，他们说 sha1 不是那么安全。

For the encrypting of the password in the php file, I want to change to sha256 or md5 instead of using sha1 as iIwent to research online and they say sha1 is not so secure.

如何更改 php 文件？

<?php

class DB_Functions {

private $db;

//put your code here
// constructor
function __construct() {
    require_once 'DB_Connect.php';
    // connecting to database
    $this->db = new DB_Connect();
    $this->db->connect();
}

// destructor
function __destruct() {

}

/**
 * Storing new user
 * returns user details
 */
public function storeUser($name, $nric, $email, $license, $address, $postal_code, $password) {
    $hash = $this->hashSSHA($password);
    $encrypted_password = $hash["encrypted"]; // encrypted password
    $salt = $hash["salt"]; // salt
    $result = mysql_query("INSERT INTO users(name, nric, email, license, address, postal_code, encrypted_password, salt, created_at) VALUES('$name', '$nric', '$email', '$license', '$address', '$postal_code', '$encrypted_password', '$salt', NOW())");
    // check for successful store
    if ($result) {
        // get user details 
        $uid = mysql_insert_id(); // last inserted id
        $result = mysql_query("SELECT * FROM users WHERE uid = $uid");
        // return user details
        return mysql_fetch_array($result);
    } else {
        return false;
    }
}

/**
 * Get user by nric and password
 */
public function getUserByNricAndPassword($nric, $password) {
    $result = mysql_query("SELECT * FROM users WHERE nric = '$nric'") or die(mysql_error());
    // check for result 
    $no_of_rows = mysql_num_rows($result);
    if ($no_of_rows > 0) {
        $result = mysql_fetch_array($result);
        $salt = $result['salt'];
        $encrypted_password = $result['encrypted_password'];
        $hash = $this->checkhashSSHA($salt, $password);
        // check for password equality
        if ($encrypted_password == $hash) {
            // user authentication details are correct
            return $result;
        }
    } else {
        // user not found
        return false;
    }
}

/**
 * Check user is existed or not
 */
public function isUserExisted($nric) {
    $result = mysql_query("SELECT nric from users WHERE nric = '$nric'");
    $no_of_rows = mysql_num_rows($result);
    if ($no_of_rows > 0) {
        // user existed 
        return true;
    } else {
        // user not existed
        return false;
    }
}

/**
 * Encrypting password
 * @param password
 * returns salt and encrypted password
 */
public function hashSSHA($password) {

    $salt = sha1(rand()); //algorithm hash
    $salt = substr($salt, 0, 10);
    $encrypted = base64_encode(sha1($password . $salt, true) . $salt);
    $hash = array("salt" => $salt, "encrypted" => $encrypted);
    return $hash;
}

/**
 * Decrypting password
 * @param salt, password
 * returns hash string
 */
public function checkhashSSHA($salt, $password) {

    $hash = base64_encode(sha1($password . $salt, true) . $salt);

    return $hash;
}

}

?> 

推荐答案

哈希密码最安全的方式是使用 BCrpyt

MD5，SHA1，SHA256被认为不安全。

The most secure way of hashing passwords, would be to use BCrpyt
MD5, SHA1, SHA256 is considered not secure.

有关此事宜的更多信息，请参阅此文章的安全性：
https://security.stackexchange.com/questions/211/how-to-securely-hash-passwords

For more information on this matter, see this post on security: https://security.stackexchange.com/questions/211/how-to-securely-hash-passwords

为了实现BCrpyt密码哈希，请参阅：如何您是否在PHP中使用bcrypt进行哈希密码？

For implementing BCrpyt password hashing see: How do you use bcrypt for hashing passwords in PHP?

这篇关于用于密码PHP的哈希算法的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！