什么是 password_hash() 的替代方案(PHP 5 <5.5.0)?
根据手册:password_hash 这个函数可以用于(PHP 5 >= 5.5.0)
According to manual: password_hash this function can be used for (PHP 5 >= 5.5.0)
在寻找替代方法后,我从这里找到了这个简单的函数:http://www.sitepoint.com/password-hashing-in-php/
After searching for an alternative way I found this simple function from here: http://www.sitepoint.com/password-hashing-in-php/
function generateHash($password) {
if (defined("CRYPT_BLOWFISH") && CRYPT_BLOWFISH) {
$salt = '$2y$11$' . substr(md5(uniqid(rand(), true)), 0, 22);
return crypt($password, $salt);
}
}
我可以在使用前通过使用 function_exists
来管理我的代码,但我的问题是关于上述替代代码是否安全,或者在旧版本的 PHP 中是否有其他替代代码?
I can manage my code by using function_exists
before using, but My question is about above alternative code if its secure or not, or is there any alternative in older versions of PHP?
推荐答案
对于 PHP 版本
5.3.7,我推荐:
For PHP versions < 5.3.7, I'd recommend:
http://www.openwall.com/phpass/
对于 PHP 版本 >= 5.3.7,使用:
For PHP versions >= 5.3.7, use:
https://github.com/ircmaxell/password_compat
生成自己的盐需要很多知识,因为好的、合适的盐需要大量的熵.在 PHP 中生成这个 salt 很麻烦,这就是为什么你通常最终依赖其他资源为你提供这个字符串,例如 /dev/urandom
或 openssl_random_pseudo_bytes
.相信我,如果没有认真的研究和考虑,这不是你想自己尝试的事情.
Generating your own salts takes a lot of know how, because a good, proper salt requires a lot of entropy. Generating this salt in PHP is troublesome, which is why you usually end up depending on other resources to provide this string for you, such as /dev/urandom
or openssl_random_pseudo_bytes
. Believe me, this isn't something you want to try yourself without serious research and consideration.
建议使用新的 password_*
API,但如果您需要支持旧版本的 PHP,这可能会出现问题,这就是 PHPass 的用武之地.必须讨厌那些每月 1 美元的托管计划PHP 5.2
Using the new password_*
API is recommended, but it can be problematic if you need to support older versions of PHP, which is where PHPass comes in. Gotta hate those $1 per month hosting plans with PHP 5.2
相关文章