Storing crypt() in database encryption password

M66 2025-06-02

In web development, the secure storage of user passwords is crucial. Although PHP offers several functions for password protection, the crypt() function remains a classic and effective tool. It lets developers use different one-way hashing algorithms, such as Blowfish (bcrypt), to produce irreversible hashed strings. This article explains how to combine the crypt() function with a database to store user passwords securely.

1. Understand the basic usage of the crypt() function

PHP's crypt() function performs one-way hashing. It accepts two parameters:

 string crypt(string $string, string $salt)

  • $string is the original string to be hashed (usually a password).

  • $salt is a string that determines the algorithm and influences the result. Different salts produce different hashes for the same password.

To hash with the Blowfish algorithm, the salt must follow a specific format, for example:

 // bcrypt salts may only use the characters ./A-Za-z0-9; hex output stays within that set
 $salt = '$2y$10$' . bin2hex(random_bytes(11));
 $hashed_password = crypt('user_password', $salt);

$2y$10$ selects the Blowfish algorithm with a cost factor of 10, meaning 2^10 iterations of the key setup; the number is a cost parameter, not a plain count of 10 rounds.
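As an added example (not code from the original article), the following builds the salt from the full 64-character alphabet bcrypt accepts, rather than from hex digits, and then parses the string crypt() returns so the embedded cost and salt become visible. The helper names makeBlowfishSalt() and parseBlowfishHash() are assumptions introduced here.

```php
<?php
declare(strict_types=1);

// Added example, not from the original article: build a proper Blowfish salt
// and inspect the 60-character hash that crypt() returns.

/** The 64-character alphabet bcrypt salts use: "./A-Za-z0-9". */
const BCRYPT_ALPHABET = './ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';

/** Build a "$2y$<cost>$<22 salt chars>" prefix for crypt(). */
function makeBlowfishSalt(int $cost = 10): string
{
    if ($cost < 4 || $cost > 31) {
        throw new InvalidArgumentException('bcrypt cost must be between 4 and 31');
    }
    $salt = '';
    for ($i = 0; $i < 22; $i++) {
        // random_int() is backed by a CSPRNG, so each salt character is unpredictable
        $salt .= BCRYPT_ALPHABET[random_int(0, 63)];
    }
    // The cost is always written with two digits: "$2y$04$", never "$2y$4$"
    return sprintf('$2y$%02d$%s', $cost, $salt);
}

/** Split a bcrypt hash into its parts so the embedded cost and salt are visible. */
function parseBlowfishHash(string $hash): array
{
    // "$2y$" + 2-digit cost + "$" + 22 salt chars + 31 digest chars = 60 characters
    if (!preg_match('#^\$2[aby]\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$#', $hash, $m)) {
        throw new UnexpectedValueException('not a bcrypt hash');
    }
    return ['cost' => (int) $m[1], 'salt' => $m[2], 'digest' => $m[3]];
}

$prefix = makeBlowfishSalt(10);
$hash   = crypt('user_password', $prefix);

// crypt() signals failure with a short string such as "*0" instead of throwing,
// so check the length before trusting (or storing) the result
if (strlen($hash) !== 60) {
    throw new RuntimeException('crypt() did not return a bcrypt hash');
}

// The returned string carries prefix, salt and digest together, which is why
// the stored hash can later be passed back to crypt() as the salt
$parts = parseBlowfishHash($hash);
printf("cost=%d (2^%d key-setup iterations)\nsalt=%s\n", $parts['cost'], $parts['cost'], $parts['salt']);

// The same password hashed with a fresh salt yields a different string
$hash2 = crypt('user_password', makeBlowfishSalt(10));
var_dump($hash === $hash2);
```

Note that bcrypt decodes the 22 salt characters into 128 bits, so the last character of the salt in the returned hash may be normalised and differ from the one you passed in; always keep the string crypt() returns rather than the prefix you built.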

2. Connect to the database and store the encrypted password

To store the encrypted password into the database, a user table is required. Here is a simple user table structure:

 CREATE TABLE users (
    id INT AUTO_INCREMENT PRIMARY KEY,
    username VARCHAR(50) NOT NULL UNIQUE,
    password VARCHAR(255) NOT NULL
);

Then use PHP to connect to the database and insert user data:

 <?php
 // Throw on database errors instead of failing silently
 $pdo = new PDO("mysql:host=localhost;dbname=testdb;charset=utf8", "dbuser", "dbpass");
 $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

 $username = 'testuser';
 $password = 'mypassword';

 // Generate a random salt and hash the password with Blowfish (cost 10);
 // the hex salt characters lie within the ./A-Za-z0-9 alphabet bcrypt accepts
 $salt = '$2y$10$' . bin2hex(random_bytes(11));
 $hashed_password = crypt($password, $salt);

 // Insert the hash (never the plain-text password) using a prepared statement
 $stmt = $pdo->prepare("INSERT INTO users (username, password) VALUES (:username, :password)");
 $stmt->execute([
     ':username' => $username,
     ':password' => $hashed_password
 ]);
 ?>

3. Verify user password

When logging in, you cannot simply compare the plain-text password. Instead, call crypt() again with the hash stored in the user table as the salt: because the stored string carries the algorithm, cost and salt, crypt() recomputes the same hash for the correct password, and the result can be compared with the stored value.

 <?php
 // Assumes $pdo is the connection created in the previous step
 $input_password = 'mypassword';
 $username = 'testuser';

 $stmt = $pdo->prepare("SELECT password FROM users WHERE username = :username");
 $stmt->execute([':username' => $username]);
 $stored_hash = $stmt->fetchColumn();

 // fetchColumn() returns false when the user does not exist;
 // hash_equals() compares in constant time so the comparison does not leak timing
 if ($stored_hash !== false && hash_equals($stored_hash, crypt($input_password, $stored_hash))) {
     echo "Password verification succeeded.";
 } else {
     echo "Incorrect password.";
 }
 ?>
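The complete register-and-login flow, as an added example that is not part of the original article: it uses an in-memory SQLite database so it runs offline (swap the DSN for the MySQL one above to use a real server), verifies with hash_equals(), keeps the response time similar for unknown users, and transparently rehashes a password whose stored cost is below the current policy. The function names, the BCRYPT_COST constant and the sample user are assumptions introduced here.

```php
<?php
declare(strict_types=1);

// Added example, not from the original article. Runs against an in-memory
// SQLite database; only the DSN and the CREATE TABLE differ for MySQL.

const BCRYPT_COST = 10;

function makeBlowfishSalt(int $cost): string
{
    $alphabet = './ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
    $salt = '';
    for ($i = 0; $i < 22; $i++) {
        $salt .= $alphabet[random_int(0, 63)];
    }
    return sprintf('$2y$%02d$%s', $cost, $salt);
}

function hashPassword(string $password, int $cost = BCRYPT_COST): string
{
    $hash = crypt($password, makeBlowfishSalt($cost));
    // crypt() returns a short error string (e.g. "*0") instead of throwing; never store that
    if (strlen($hash) !== 60) {
        throw new RuntimeException('crypt() failed to produce a bcrypt hash');
    }
    return $hash;
}

function registerUser(PDO $pdo, string $username, string $password): void
{
    $stmt = $pdo->prepare('INSERT INTO users (username, password) VALUES (:username, :password)');
    $stmt->execute([':username' => $username, ':password' => hashPassword($password)]);
}

/** Returns true only if the user exists and the password matches the stored hash. */
function verifyLogin(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT password FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    $storedHash = $stmt->fetchColumn();

    if ($storedHash === false) {
        // Unknown user: still spend one bcrypt computation so the response time
        // does not reveal whether the username exists
        crypt($password, makeBlowfishSalt(BCRYPT_COST));
        return false;
    }

    // hash_equals() is constant-time; a plain === stops at the first differing byte
    $ok = hash_equals($storedHash, crypt($password, $storedHash));

    if ($ok) {
        // The cost is the two digits after "$2y$"; if it is below the current
        // policy, rehash while the plain-text password is available
        $storedCost = (int) substr($storedHash, 4, 2);
        if ($storedCost < BCRYPT_COST) {
            $upd = $pdo->prepare('UPDATE users SET password = :password WHERE username = :username');
            $upd->execute([':password' => hashPassword($password), ':username' => $username]);
        }
    }
    return $ok;
}

// Constructed in-memory database standing in for the users table from the article
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    username TEXT NOT NULL UNIQUE,
    password TEXT NOT NULL
)');

registerUser($pdo, 'testuser', 'mypassword');

var_dump(verifyLogin($pdo, 'testuser', 'mypassword'));    // correct password
var_dump(verifyLogin($pdo, 'testuser', 'wrongpassword')); // wrong password
var_dump(verifyLogin($pdo, 'nobody', 'mypassword'));      // unknown user
```

Raising BCRYPT_COST later is enough to migrate existing accounts: each successful login rehashes the password at the new cost, so old hashes are replaced without forcing a reset.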

4. Safety supplementary suggestions

Although crypt() with Blowfish is secure, it has largely been superseded by password_hash() and password_verify(), which generate the salt and choose the algorithm for you. crypt() remains appropriate where backward compatibility with older systems is required.

However, be sure to pay attention to the following when using crypt():

  1. Always use a strong random salt for every password and never a fixed value.

  2. Choose the cost factor (the 10 in $2y$10$) deliberately to raise the cost of brute-force cracking.

  3. Use HTTPS between the front end and the back end so the password cannot be intercepted in transit.

  4. Avoid passing sensitive data in URLs, for example: