Which implementation of bcrypt is recommended for PHP 5.3?


Question

OK, I finally understand bcrypt, how it works, and how to store it in the DB, so I'm almost good to go. The problem now is picking which implementation of bcrypt to use with PHP 5.3.

I'm going crazy looking at all the different solutions, and I'm not sure which one is the most recommended and safest to use, so I'm once again turning to you guys.

Here are the ones I've found:

1) https://gist.github.com/marcoarment/1053158

2) http://www.openwall.com/phpass/

3) https://stackoverflow.com/a/6337021/869849

4) ...something else?

Are these interchangeable, or do they produce different hashes? I would like to think that since they are all "bcrypt", they would yield the same results, but I'm not sure (I tested 1) and 2) above and they seem to be interchangeable since the hash produced by 1) checked out on 2)).

So which is the recommended solution for PHP 5.3?

Solution

Best solution: you should use the password library that is being built-in for PHP 5.5. They've released a backward-compatibility version for PHP 5.3 and 5.4 called password_compat. However note that you'll need 5.3.7 or higher. There was a security issue with bcrypt prior to 5.3.7 which means that the new library won't work.

If you are on a version prior to 5.3.7, then the next best option is Password Lib by the same author. But I'd suggest that upgrading PHP instead would be the better option.

Installing

Both libraries can be installed simply by downloading them, copying them to your site folder, and including their main file in your code, i.e. require('password.php');.

Installing via Composer is also an option if you are using it.

Usage (Assuming you're going with password_compat):

To create a password:

$hash = password_hash($password, PASSWORD_BCRYPT);

To verify a password:

if (password_verify($password, $hash)) {
    /* Valid */
} else {
    /* Invalid */
}

And that's basically all you need to know. The library handles all the other details for you like salting the password, etc.

[EDIT] If you need to change the algorithm 'cost', as per your comment, then add an additional parameter to the password_hash() call to specify it, like this:

password_hash($password, PASSWORD_BCRYPT, array("cost" => 11));

Full documentation is available on the download page I linked above.

The really good thing about using the password_compat library is that it is specifically designed to have the same API and functionality that is being built into PHP as standard in PHP 5.5. Therefore, if you use password_compat while you're on PHP 5.3 or 5.4, when you move to PHP 5.5 you'll already have the right code in your system to use the new built-in password functions. The only difference will be that you won't need to include the library.
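
How the 'cost' change from the [EDIT] fits into a login flow, as an added example that is not part of the original answer: existing hashes keep verifying after the cost is raised, and each one is replaced at the user's next successful login. check_login() and the sample password are hypothetical; password_needs_rehash() and password_get_info() belong to the same API in both password_compat and PHP 5.5.

```php
<?php
// Added example, not code from the answer above.
// On PHP 5.3.7 to 5.4 load password_compat; PHP 5.5+ has the functions built in.
if (!function_exists('password_hash')) {
    require 'password.php'; // file name as used in the answer
}

/**
 * Hypothetical helper: verify a login attempt and, if the stored hash was
 * created with a different cost than the current target, produce a
 * replacement hash for the caller to store.
 * Returns array('ok' => bool, 'new_hash' => string|null).
 */
function check_login($password, $storedHash, $targetCost)
{
    if (!password_verify($password, $storedHash)) {
        return array('ok' => false, 'new_hash' => null);
    }

    $options = array('cost' => $targetCost);
    $newHash = null;

    // The cost is encoded in the hash string itself, so the library can
    // tell whether this hash matches the current policy.
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, $options)) {
        // The plaintext is only available here, at login time.
        $newHash = password_hash($password, PASSWORD_BCRYPT, $options);
    }

    return array('ok' => true, 'new_hash' => $newHash);
}

// Constructed sample data: a hash created earlier at cost 10.
$stored = password_hash('correct horse', PASSWORD_BCRYPT, array('cost' => 10));
$info   = password_get_info($stored);
echo $info['algoName'], ' cost=', $info['options']['cost'], "\n";

// Policy is now cost 11: the login succeeds and a new hash is returned.
$result = check_login('correct horse', $stored, 11);
var_dump($result['ok'], $result['new_hash'] !== null);

// A wrong password fails and never triggers a rehash.
$result = check_login('wrong guess', $stored, 11);
var_dump($result['ok'], $result['new_hash']);
```

When new_hash is not null, the caller writes it back to the user's row in place of the old hash.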
