Why is the PHP crypt() function returning the same thing for two different strings?


Question

I'm using PHP's crypt function for password hashing/encryption, but I don't think I am doing it right because "nathan12" and "nathan123" both allow me to login to my account on my system (the actual password is "nathan123", and therefore "nathan12" or anything else should NOT allow me to login).


Here's what my system does when a user registers:

[...]

$salt = uniqid(mt_rand(), true);
$password = crypt($password, $salt); // '$password' is the inputted password

$insertUserStmt = $mysqli->prepare("INSERT INTO users (name, username, password, password_salt, email, created)
                                    VALUES (?, ?, ?, ?, ?, ?)");

// bind_param() takes its arguments by reference, so the timestamp has to be a variable rather than a time() call
$created = time();
$insertUserStmt->bind_param("sssssi", $name, $username, $password, $salt, $email, $created);

$insertUserStmt->execute();

[...]


It inserts the hashed/encrypted password ($password) into the database along with the $salt.


When someone tries to login, the following is done to check if the user has inputted the correct password for the username they inputted:

[...]

// $password_salt is from DB; $password is inputted password
$password_crypt = crypt($password, $password_salt); 

// $login_password is from DB
if($password_crypt == $login_password) { 

[...]


I'm probably not even using the crypt function properly, but according to the PHP docs the first parameter is a string (the password) and second is the salt.

Recommended answer

The standard DES-based crypt() [...] only uses the first eight characters of str, so longer strings that start with the same eight characters will generate the same result (when the same salt is used).


Use a salt that starts with $<algo>$ to use something other than DES. See the crypt() documentation for details.
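The following is an added example, not code from the question or the answer above. It reproduces the eight-character truncation of DES-based crypt() with the two passwords from the question, then applies the answer's fix by passing a salt that starts with $<algo>$ (bcrypt, "$2y$"). The function names desCrypt, makeBcryptSalt, bcryptCrypt and verifyPassword are my own; everything else is PHP's standard crypt(), random_bytes() and hash_equals().

```php
<?php
// Added example (not from the original post): DES crypt() truncation vs. a $2y$ (bcrypt) salt.

// Traditional DES crypt(): a two-character salt from [./0-9A-Za-z] selects this mode.
function desCrypt(string $password, string $salt): string
{
    return crypt($password, $salt);
}

// 22 characters from the bcrypt salt alphabet, drawn from a CSPRNG.
// 256 % 64 == 0, so the modulo introduces no bias.
function makeBcryptSalt(): string
{
    $alphabet = './ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
    $bytes = random_bytes(22);
    $salt = '';
    for ($i = 0; $i < 22; $i++) {
        $salt .= $alphabet[ord($bytes[$i]) % 64];
    }
    return $salt;
}

// bcrypt via crypt(): "$2y$" + two-digit cost + "$" + 22-char salt selects the algorithm.
// Cost 10 means 2^10 rounds, and the whole password is used (up to bcrypt's 72-byte limit).
function bcryptCrypt(string $password, string $salt22): string
{
    return crypt($password, '$2y$10$' . $salt22);
}

// Verification: the stored hash already carries "$2y$", the cost and the salt, so it can be
// handed back to crypt() as the salt argument. hash_equals() avoids a timing side channel.
function verifyPassword(string $input, string $storedHash): bool
{
    return hash_equals($storedHash, crypt($input, $storedHash));
}

// --- Demonstration with the two passwords from the question (constructed inputs) ---
$real  = 'nathan123';
$wrong = 'nathan12';

$desReal  = desCrypt($real, 'ab');
$desWrong = desCrypt($wrong, 'ab');
printf("DES   : %s vs %s -> %s\n", $desReal, $desWrong,
    $desReal === $desWrong ? 'SAME (only the first 8 characters count)' : 'different');

$salt   = makeBcryptSalt();
$stored = bcryptCrypt($real, $salt);
printf("bcrypt: stored hash %s\n", $stored);
printf("bcrypt: '%s' verifies -> %s\n", $real,  verifyPassword($real, $stored) ? 'yes' : 'no');
printf("bcrypt: '%s' verifies -> %s\n", $wrong, verifyPassword($wrong, $stored) ? 'yes' : 'no');
```

Because the bcrypt output embeds its own salt, the separate password_salt column in the question's schema is no longer needed: store the full crypt() result and verify by re-running crypt() with that stored string as the salt. On PHP 5.5 and later, password_hash() and password_verify() wrap exactly this bcrypt path and choose the salt for you.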
