During development it is important to protect the integrity of configuration files, especially those holding sensitive values such as database passwords and API keys. PHP ships with a built-in function, crypt(), that is mainly used for password hashing, but it can also be used to verify that the content of a file has not changed. This article explains how to use PHP's crypt() function for that purpose and walks through a concrete code example.
crypt() is a PHP function for one-way hashing of strings and is commonly used for password hashing. It supports several algorithms (DES, Blowfish, SHA-256, SHA-512 and others) and lets you strengthen the result by supplying a salt value. Although it was not designed for file integrity verification, its irreversibility and salt mechanism make it usable for generating a hash of a configuration file and comparing it against a freshly computed hash during later verification.
Irreversibility: the hash generated by crypt() cannot be reversed to recover the file content.
Salt value mechanism: the salt makes each hash unique and avoids the collision problems of plain unsalted hashing.
Built-in support: crypt() is part of PHP itself, needs no additional extension, and is easy to deploy.
Read the contents of the configuration file.
Generate a hash value of the content with crypt() (the salt value is kept as part of the resulting hash).
Save the hash value to a secure location (a database or a separate file).
When verifying later, read the configuration file content again, generate a hash value, and compare it with the saved hash value.
If the hash values match, the configuration file has not been tampered with; otherwise, the file may have been modified.
<?php
// Configuration file path
$configFile = 'config.ini';

// Read the configuration file content
$configContent = file_get_contents($configFile);
if ($configContent === false) {
    die("Unable to read the configuration file.");
}

// Generate a salt (here for the Blowfish/bcrypt algorithm: "$2y$", a two-digit cost,
// "$", then 22 characters from the alphabet ./A-Za-z0-9)
$salt = '$2y$12$' . substr(str_replace('+', '.', base64_encode(random_bytes(16))), 0, 22);

// Generate the hash value. Note: with the $2y$ prefix crypt() only reads the first
// 72 bytes of its input, so content beyond that point does not affect the hash.
$hash = crypt($configContent, $salt);

// Save the hash value to a secure file
file_put_contents('config_hash.txt', $hash);
echo "The configuration file hash has been generated and saved.\n";

// -------------- Verification phase --------------

// Read the configuration file content again
$newContent = file_get_contents($configFile);
if ($newContent === false) {
    die("Unable to read the configuration file.");
}

// Read the saved hash
$savedHash = file_get_contents('config_hash.txt');
if ($savedHash === false) {
    die("Unable to read the saved hash value.");
}

// Hash the new content using the saved hash as the salt (crypt() reuses its salt portion)
$newHash = crypt($newContent, $savedHash);

// Compare the two hash values in constant time
if (hash_equals($savedHash, $newHash)) {
    echo "Configuration file integrity verification passed, not tampered with.\n";
} else {
    echo "Configuration file integrity verification failed, the file content may have been modified!\n";
}
?>
This relies on a property of the crypt() function: if the second parameter is an existing hash, crypt() extracts the salt from it and uses that same salt to generate the new hash.
hash_equals() compares the two hash strings in constant time, which prevents timing attacks.
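The following is an added example, not code from the original article. It wraps the generate-and-verify procedure above in two functions and also handles one failure mode of the Blowfish ($2y$) algorithm that the article's script does not: bcrypt only looks at the first 72 bytes of its input, so a change to a configuration file anywhere past byte 72 would leave the crypt() output unchanged. The example first reduces the content to a SHA-256 hex digest (64 bytes, so it always fits inside bcrypt's window and covers every byte of the file) and feeds that digest to crypt(). The function names, the temporary file paths and the sample content are assumptions constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Added example (not from the original article). Function names, file paths and
// sample content below are assumptions constructed for this demonstration.

/**
 * Reduce arbitrary-length content to a fixed 64-character hex digest.
 * crypt() with the $2y$ (bcrypt) prefix only reads the first 72 bytes of its
 * input, so hashing a config file directly would miss any change past byte 72.
 * A SHA-256 hex digest always fits and depends on every byte of the file.
 */
function digestForCrypt(string $content): string
{
    return hash('sha256', $content);
}

/** Build a fresh bcrypt salt: "$2y$" . two-digit cost . "$" . 22 chars of [./A-Za-z0-9]. */
function makeBcryptSalt(int $cost = 12): string
{
    $alphabet = substr(str_replace('+', '.', base64_encode(random_bytes(16))), 0, 22);
    return '$2y$' . str_pad((string) $cost, 2, '0', STR_PAD_LEFT) . '$' . $alphabet;
}

/** Generate the integrity hash for $configFile and store it in $hashFile. */
function generateConfigHash(string $configFile, string $hashFile): string
{
    $content = file_get_contents($configFile);
    if ($content === false) {
        throw new RuntimeException("Unable to read $configFile");
    }
    $hash = crypt(digestForCrypt($content), makeBcryptSalt());
    if (file_put_contents($hashFile, $hash, LOCK_EX) === false) {
        throw new RuntimeException("Unable to write $hashFile");
    }
    return $hash;
}

/** Re-hash the current content with the stored hash as salt and compare in constant time. */
function verifyConfigHash(string $configFile, string $hashFile): bool
{
    $content   = file_get_contents($configFile);
    $savedHash = file_get_contents($hashFile);
    if ($content === false || $savedHash === false) {
        throw new RuntimeException('Unable to read the config file or the stored hash');
    }
    $savedHash = trim($savedHash);
    // The stored value must be a well-formed 60-character bcrypt hash before it is
    // fed back to crypt() as a salt; anything else is treated as a failed check.
    if (!preg_match('#^\$2y\$\d{2}\$[./A-Za-z0-9]{53}$#', $savedHash)) {
        return false;
    }
    $newHash = crypt(digestForCrypt($content), $savedHash);
    return hash_equals($savedHash, $newHash);
}

// --- Demonstration on constructed sample content (not real configuration files) ---
$cfg = sys_get_temp_dir() . '/demo_config.ini';
$hsh = sys_get_temp_dir() . '/demo_config_hash.txt';

// 80 bytes of content; the two versions differ only in the last byte, which lies
// beyond bcrypt's 72-byte window.
$original = str_repeat('a', 79) . 'X';
$tampered = str_repeat('a', 79) . 'Y';

file_put_contents($cfg, $original);
generateConfigHash($cfg, $hsh);
var_dump(verifyConfigHash($cfg, $hsh));          // untouched file

file_put_contents($cfg, $tampered);
var_dump(verifyConfigHash($cfg, $hsh));          // file modified after byte 72

// For comparison: the same tampering fed to crypt() directly, without pre-hashing.
$salt = makeBcryptSalt();
var_dump(hash_equals(crypt($original, $salt), crypt($tampered, $salt)));

unlink($cfg);
unlink($hsh);
```

Run with `php` on the command line. The first check passes on the untouched file, the second fails because the pre-hashed digest changes with the 80th byte, and the third comparison reports the two direct crypt() outputs as equal, which is exactly the blind spot the pre-hashing step closes. The regular-expression check on the stored hash also means a truncated or overwritten config_hash.txt fails verification rather than being silently accepted as a salt.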
You can save the hash value to a database or another secure storage medium so that it cannot easily be modified.
crypt() supports multiple algorithms. The example above uses the Blowfish ($2y$) algorithm. You can choose another algorithm as needed, but the salt value format must match the chosen algorithm.
Combine this with restrictive file permissions on the configuration file to improve security.
Verify configuration files regularly, especially after automated deployments.
Record the result of every verification run in your logging system.