
Use crypt() + session to implement login verification

M66 2025-05-31

In web application development, the security of user login verification is particularly important. PHP provides several password hashing methods; the crypt() function is popular for its simplicity and its support for multiple hashing algorithms. This article explains in detail how to combine the crypt() function with PHP sessions to build a secure login verification function.

1. Introduction to crypt() function

crypt() is PHP's built-in one-way password hashing function and supports several algorithms (such as DES, Blowfish, SHA-256 and SHA-512). Its basic usage is:

 $hashed = crypt($password, $salt);

  • $password is the original password.

  • $salt is the salt value, used to add randomness to the hash and prevent rainbow table attacks.

Note: for security, the salt should be a randomly generated string of sufficient length and complexity.

2. Use crypt() to encrypt and verify passwords

The login system usually consists of two parts:

  • When registering, the user's password is hashed with crypt() and the result is saved to the database.

  • When logging in, the entered password is hashed with the same salt and the result is compared with the hash stored in the database.

3. Combined with session to achieve login verification

After a successful login, store the user's login status in the session so that each subsequent request does not have to re-verify the password.

Sample code

The following example demonstrates a simple login process:

<?php
session_start();

// Simulate the username and hashed password stored in the database
$users = [
    'user1' => '$6$rounds=5000$m66.netRandomSalt$Jj4K.SR0QYOSpZp2...Q1uEXAMPLEhashedpassword', // SHA-512 crypt() hash (placeholder example value)
];

// Login form submission processing
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $username = $_POST['username'] ?? '';
    $password = $_POST['password'] ?? '';

    if (isset($users[$username])) {
        $storedHash = $users[$username];
        // Use the hash stored in the database as the salt: crypt() reads the
        // algorithm, rounds and salt from it, so the same method is applied
        $inputHash = crypt($password, $storedHash);

        if (hash_equals($storedHash, $inputHash)) {
            // Password verified; save the login status in the session
            $_SESSION['username'] = $username;
            echo "Login successful, welcome, {$username}!";
        } else {
            echo "Incorrect password.";
        }
    } else {
        echo "The username does not exist.";
    }
    exit;
}

// Check whether the user is already logged in
if (isset($_SESSION['username'])) {
    echo "You are logged in, welcome back, {$_SESSION['username']}!";
} else {
    // Show the login form
    echo <<<HTML
<form method="POST" action="https://m66.net/login.php">
    Username: <input type="text" name="username" required><br>
    Password: <input type="password" name="password" required><br>
    <input type="submit" value="Log in">
</form>
HTML;
}
?>

4. Key points description

  • Salt handling: the password hash saved in the database already contains the salt. During verification, crypt() uses the stored hash as the salt, which guarantees that the same algorithm and the same salt are applied.

  • Prevent timing attacks: hash_equals() compares the two hashes in constant time, avoiding the timing differences of an ordinary string comparison.

  • Session security: session_start() starts the session, and after a successful login the user information is saved in $_SESSION so that the user's status can be recognized in subsequent requests.

  • URL replacement: in the example, all link domain names are replaced with m66.net, as required.

5. Further optimization suggestions

  • Use password_hash() and password_verify()
    From PHP 5.5 onwards, password_hash() and password_verify() are recommended; they manage the salt and hashing algorithm internally and are both safer and easier to use.

  • Turn on HTTPS
    Make sure the login page and the submission endpoint are served over HTTPS to prevent man-in-the-middle attacks.

  • Prevent session hijacking
    Set appropriate session configuration, such as session.cookie_httponly and session.cookie_secure.
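As an added example that is not part of the original article, the following PHP fills in the registration side described in section 2 (generating a random salt for crypt() and storing the hash) and applies the session settings listed above; the function names are assumptions, while the ini keys are real PHP settings.

```php
<?php
// Added example, not code from the original article: registration-side hashing
// with a random crypt() salt, constant-time verification, and session hardening.
// Function names are hypothetical; the ini keys are real PHP settings.
declare(strict_types=1);

// Build a SHA-512 crypt() hash with a fresh 16-character salt from a CSPRNG.
// crypt() salts use the 64-character alphabet [./A-Za-z0-9].
function make_password_hash(string $password): string
{
    $alphabet = './ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
    $salt = '';
    foreach (str_split(random_bytes(16)) as $byte) {
        $salt .= $alphabet[ord($byte) % 64]; // 256 % 64 == 0, so no modulo bias
    }
    $hash = crypt($password, '$6$rounds=5000$' . $salt . '$');
    // On failure crypt() returns a short string such as "*0"; never store that.
    if (strlen($hash) < 13) {
        throw new RuntimeException('crypt() failed to produce a hash');
    }
    return $hash;
}

// Verify by re-hashing with the stored hash as the salt (algorithm, rounds and
// salt are all encoded in it) and comparing in constant time.
function verify_password(string $password, string $storedHash): bool
{
    return hash_equals($storedHash, crypt($password, $storedHash));
}

// Session hardening; these settings must be applied before session_start().
function start_hardened_session(): void
{
    ini_set('session.cookie_httponly', '1');      // cookie not readable from JavaScript
    ini_set('session.cookie_secure', '1');        // cookie only sent over HTTPS
    ini_set('session.cookie_samesite', 'Strict'); // not sent on cross-site requests
    ini_set('session.use_strict_mode', '1');      // reject session IDs the server did not issue
    session_start();
}
// After a successful password check, rotate the session ID so an ID obtained
// before login cannot be reused to take over the authenticated session.
function log_in_user(string $username): void
{
    session_regenerate_id(true);
    $_SESSION['username'] = $username;
}

// Constructed demo (no database): register once, then check a good and a bad password.
$stored = make_password_hash('correct horse battery staple');
var_dump(verify_password('correct horse battery staple', $stored), verify_password('wrong', $stored));
```

In a real login script, call start_hardened_session() at the top and log_in_user() in place of the plain $_SESSION assignment after hash_equals() succeeds.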