PHP-密碼和token
阿新 • • 發佈:2019-01-03
密碼
直接md5和sha1不安全!!!
crypt()和hash_equals():
http://php.net/manual/zh/function.crypt.php
<?php // crypt()和hash_equals() $pwds = ['123456', '123456', '123456', 'aaa', '_123456789zxcvbnmasdfghjklqwertyuiop']; function get_random_bytes($size){ return function_exists('random_bytes') ? random_bytes($size) : mcrypt_create_iv($size); } function get_salt($size){ return substr(strtr(base64_encode(get_random_bytes(32)), '+', '.'), 0, $size); } /** MD5:12位的salt,只有8位隨機($1$ + 8位 + $) */ $t_s = microtime(true); foreach ($pwds as $key => $pwd) { $t1 = microtime(true); $hashed_pwd = crypt($pwd, '$1$'.get_salt(8)); $t2 = microtime(true); var_dump($pwd, $hashed_pwd); if (hash_equals($hashed_pwd, crypt($pwd, $hashed_pwd))) { echo 'Password is valid!'; } else { echo 'Invalid password.'; } $t3 = microtime(true); var_dump($t2-$t1, $t3-$t2); echo "<hr>"; } $t_e = microtime(true); $t = $t_e - $t_s; echo "一共 $t 秒";
password_hash()和password_verify()(挺慢的,做安全需求非常高的時候用。。):
http://php.net/manual/zh/function.password-hash.php
<?php // password_hash()和password_verify() $pwds = ['123456', '123456', '123456', 'aaa', '_123456789zxcvbnmasdfghjklqwertyuiop']; /** * 我們想要使用預設演算法雜湊密碼 * 當前是 BCRYPT,並會產生 60 個字元的結果。 * * 請注意,隨時間推移,預設演算法可能會有變化, * 所以需要儲存的空間能夠超過 60 字(255字不錯) */ $t_s = microtime(true); foreach ($pwds as $key => $pwd) { $t1 = microtime(true); $hashed_pwd = password_hash($pwd, PASSWORD_DEFAULT); $t2 = microtime(true); var_dump($pwd, $hashed_pwd); if (password_verify($pwd, $hashed_pwd)) { echo 'Password is valid!'; } else { echo 'Invalid password.'; } $t3 = microtime(true); var_dump($t2-$t1, $t3-$t2); echo "<hr>"; } $t_e = microtime(true); $t = $t_e - $t_s; echo "一共 $t 秒";
token和sale
http://php.net/manual/zh/function.random-bytes.php#118932
I used below function to create random token, and also a salt from the token. I used it in my application to prevent CSRF attack.
<?php function RandomToken($length = 32){ if(!isset($length) || intval($length) <= 8 ){ $length = 32; } if (function_exists('random_bytes')) { return bin2hex(random_bytes($length)); } if (function_exists('mcrypt_create_iv')) { return bin2hex(mcrypt_create_iv($length, MCRYPT_DEV_URANDOM)); } if (function_exists('openssl_random_pseudo_bytes')) { return bin2hex(openssl_random_pseudo_bytes($length)); } } function Salt(){ return substr(strtr(base64_encode(hex2bin(RandomToken(32))), '+', '.'), 0, 44); } echo (RandomToken()); echo "<hr>"; echo Salt(); echo "<hr>"; /* This function is same as above but its only used for debugging */ /* function RandomTokenDebug($length = 32){ if(!isset($length) || intval($length) <= 8 ){ $length = 32; } $randoms = array(); if (function_exists('random_bytes')) { $randoms['random_bytes'] = bin2hex(random_bytes($length)); } if (function_exists('mcrypt_create_iv')) { $randoms['mcrypt_create_iv'] = bin2hex(mcrypt_create_iv($length, MCRYPT_DEV_URANDOM)); } if (function_exists('openssl_random_pseudo_bytes')) { $randoms['openssl_random_pseudo_bytes'] = bin2hex(openssl_random_pseudo_bytes($length)); } return $randoms; } echo "\n"; print_r (RandomTokenDebug()); ?> */