
Use crypt() to implement a simple user authentication system

M66 2025-05-24

When developing a simple user system, storing passwords only in hashed form is one of the foundations of security. PHP provides the crypt() function, which can be used to quickly implement basic password hashing and verification. This article uses a concise example to show how to build a simple user authentication system with crypt().

1. Understand the crypt() function

crypt() is a PHP function for one-way string hashing, usually used for passwords. The basic syntax is as follows:

 string crypt(string $string, string $salt)

Here $string is the string to be hashed and $salt is the "salt" value that influences the result. The prefix of the salt also selects the algorithm; several are supported (such as Blowfish, MD5, SHA-256, SHA-512, etc.).

2. Create registration logic

When a user registers, the password must be hashed before it is stored. Here is a simple registration example:

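 <?php
// Password entered by the user
$password = 'user_password123';

// Generate the password hash with the Blowfish (bcrypt) algorithm.
// The salt is 22 characters: 11 random bytes written as hex.
$hash = crypt($password, '$2y$10$' . bin2hex(random_bytes(11)));

// On failure crypt() returns a string shorter than 13 characters
if (strlen($hash) < 13) {
    exit("Password hashing failed.");
}

// Simulate saving to a database
file_put_contents('users.txt', "username:$hash\n");

echo "User registered, password is encrypted and saved.";
?>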

Here the salt starts with the prefix $2y$10$, which selects the Blowfish algorithm (recommended for password hashing) with a cost factor of 10. bin2hex(random_bytes(11)) generates the 22-character random salt value, ensuring that each result is different, even if the password is the same.

3. Create login verification logic

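When the user logs in, the entered password needs to be hashed using the same salt and then compared with the password hash in the database. The stored hash begins with the algorithm prefix, cost and salt, so passing it as the $salt argument reuses exactly the same parameters: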

 <?php
// User input
$input_username = 'username';
$input_password = 'user_password123';

// Read information from the "database"
$data = file('users.txt');
foreach ($data as $line) {
    // Limit to 2 parts so the line splits only at the first colon
    list($stored_username, $stored_hash) = explode(':', trim($line), 2);

    if ($input_username === $stored_username) {
        // Use the stored hash as the salt to hash the entered password again;
        // hash_equals() compares the two hashes in constant time
        if (hash_equals($stored_hash, crypt($input_password, $stored_hash))) {
            echo "Login successful, welcome back $input_username!";
        } else {
            echo "Incorrect password.";
        }
        exit;
    }
}

echo "The user does not exist.";
?>

In this way, even if the attacker steals the password hash, the original password cannot be restored directly from the hash. At the same time, since each user uses a different salt, even if multiple users use the same password, the stored hash value is different.

4. Further strengthen security

Although crypt() can provide basic security, PHP has recommended password_hash() and password_verify() since version 5.5. They still use crypt() underneath, but the wrapper is more complete and safer.

But in some restricted environments (such as old servers or systems that have to manually control salt), crypt() is still an effective tool.
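Because password_verify() accepts hashes produced by crypt(), existing records can be moved to the recommended API at login time. The following is an added example, not code from the original article; verifyAndUpgrade(), TARGET_OPTIONS, the $store array and the target cost of 12 are assumptions made for the illustration.

```php
<?php
// Added example, not from the article. verifyAndUpgrade(), TARGET_OPTIONS and
// the $store array are hypothetical names; cost 12 is an assumed target.
const TARGET_OPTIONS = ['cost' => 12];

/**
 * Check a password against a stored hash and report whether to replace it.
 * Returns [bool $ok, ?string $newHash]; $newHash is set only when the
 * password matched and the stored hash is below the target parameters.
 */
function verifyAndUpgrade(string $password, string $storedHash): array
{
    // password_verify() reads algorithm, cost and salt from the stored hash,
    // so it accepts hashes made by crypt(), and it is safe against timing attacks.
    if (!password_verify($password, $storedHash)) {
        return [false, null];
    }
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, TARGET_OPTIONS)) {
        return [true, password_hash($password, PASSWORD_BCRYPT, TARGET_OPTIONS)];
    }
    return [true, null];
}

// Constructed sample record, created the way the registration step does it.
$store = ['username' => crypt('user_password123', '$2y$10$' . bin2hex(random_bytes(11)))];

// First login: the legacy cost-10 hash verifies and is replaced.
[$ok, $newHash] = verifyAndUpgrade('user_password123', $store['username']);
if ($ok && $newHash !== null) {
    $store['username'] = $newHash; // persist the upgraded hash
}
echo "first login ok: ", var_export($ok, true), ", cost now: ",
    password_get_info($store['username'])['options']['cost'], "\n";

// Second login: same password, nothing left to upgrade.
[$ok, $newHash] = verifyAndUpgrade('user_password123', $store['username']);
echo "second login ok: ", var_export($ok, true), ", rehash needed: ",
    var_export($newHash !== null, true), "\n";

// A wrong password is rejected and never triggers a rehash.
[$ok, $newHash] = verifyAndUpgrade('wrong_password', $store['username']);
echo "wrong password ok: ", var_export($ok, true), "\n";
```

The rehash happens only after a successful verification, because that is the one moment the plaintext password is available to the server.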

5. Summary

Through the above content, we can see that using PHP's crypt() function, you can quickly build a simple user verification system:

  • Hash passwords before storing them when registering;

  • Re-hash the entered password with the same salt value and compare when logging in;

  • Combine with random salts to increase strength and prevent rainbow table attacks.

Although password_hash() is more recommended for modern projects, understanding the underlying mechanism of crypt() is still very helpful, especially when low-level customization is required.