用于密码PHP的哈希算法 [英] Which hashing algorithm to use for Password PHP
问题描述
可能重复:
安全的哈希和盐为PHP密码
为了加密php文件中的密码,我想更改为 sha256 或 md5 ,而不是使用 sha1 作为 iIwent 在线研究,他们说 sha1 不是那么安全。
For the encrypting of the password in the php file, I want to change to sha256 or md5 instead of using sha1 as iIwent to research online and they say sha1 is not so secure.
如何更改 php 文件?
<?php
class DB_Functions {
private $db;
//put your code here
// constructor
function __construct() {
require_once 'DB_Connect.php';
// connecting to database
$this->db = new DB_Connect();
$this->db->connect();
}
// destructor
function __destruct() {
}
/**
* Storing new user
* returns user details
*/
public function storeUser($name, $nric, $email, $license, $address, $postal_code, $password) {
$hash = $this->hashSSHA($password);
$encrypted_password = $hash["encrypted"]; // encrypted password
$salt = $hash["salt"]; // salt
$result = mysql_query("INSERT INTO users(name, nric, email, license, address, postal_code, encrypted_password, salt, created_at) VALUES('$name', '$nric', '$email', '$license', '$address', '$postal_code', '$encrypted_password', '$salt', NOW())");
// check for successful store
if ($result) {
// get user details
$uid = mysql_insert_id(); // last inserted id
$result = mysql_query("SELECT * FROM users WHERE uid = $uid");
// return user details
return mysql_fetch_array($result);
} else {
return false;
}
}
/**
* Get user by nric and password
*/
public function getUserByNricAndPassword($nric, $password) {
$result = mysql_query("SELECT * FROM users WHERE nric = '$nric'") or die(mysql_error());
// check for result
$no_of_rows = mysql_num_rows($result);
if ($no_of_rows > 0) {
$result = mysql_fetch_array($result);
$salt = $result['salt'];
$encrypted_password = $result['encrypted_password'];
$hash = $this->checkhashSSHA($salt, $password);
// check for password equality
if ($encrypted_password == $hash) {
// user authentication details are correct
return $result;
}
} else {
// user not found
return false;
}
}
/**
* Check user is existed or not
*/
public function isUserExisted($nric) {
$result = mysql_query("SELECT nric from users WHERE nric = '$nric'");
$no_of_rows = mysql_num_rows($result);
if ($no_of_rows > 0) {
// user existed
return true;
} else {
// user not existed
return false;
}
}
/**
* Encrypting password
* @param password
* returns salt and encrypted password
*/
public function hashSSHA($password) {
$salt = sha1(rand()); //algorithm hash
$salt = substr($salt, 0, 10);
$encrypted = base64_encode(sha1($password . $salt, true) . $salt);
$hash = array("salt" => $salt, "encrypted" => $encrypted);
return $hash;
}
/**
* Decrypting password
* @param salt, password
* returns hash string
*/
public function checkhashSSHA($salt, $password) {
$hash = base64_encode(sha1($password . $salt, true) . $salt);
return $hash;
}
}
?>
推荐答案
哈希密码最安全的方式是使用 BCrpyt
MD5,SHA1,SHA256被认为不安全。
The most secure way of hashing passwords, would be to use BCrpyt
MD5, SHA1, SHA256 is considered not secure.
有关此事宜的更多信息,请参阅此文章的安全性:
https://security.stackexchange.com/questions/211/how-to-securely-hash-passwords
For more information on this matter, see this post on security: https://security.stackexchange.com/questions/211/how-to-securely-hash-passwords
为了实现BCrpyt密码哈希,请参阅:如何您是否在PHP中使用bcrypt进行哈希密码?
For implementing BCrpyt password hashing see: How do you use bcrypt for hashing passwords in PHP?
这篇关于用于密码PHP的哈希算法的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!