Using crypt() in PHP to implement user authentication_PHP tutorial

The crypt() function returns a string encrypted using DES, Blowfish, or MD5. This function behaves differently on different operating systems, and some operating systems support more than one algorithm type. At installation time, PHP checks what algorithms are available and what algorithms are used. ​

Learn about crypt()

Readers who have a little experience in using non-Windows platforms may be quite familiar with crypt(). This function completes a function called one-way encryption. It can encrypt some plain codes, but it cannot conversely convert the password into The original plain code. The crypt() function is defined as follows.

　string crypt (string input_string [, string salt])

Among them, the input_string parameter is a plaintext string that needs to be encrypted, and the second optional salt is a bit string, which can affect the encrypted password and further eliminate the possibility of being cracked. By default, PHP uses a 2-character DES interference string. If the system uses MD5 (see the next section), PHP will use a 12-character interference string. The length of the interference string that the system will use can be found by executing the following command.

print "My system salt size is: ". CRYPT_SALT_LENGTH;

crypt() supports 4 encryption algorithms. Table 19.1 shows the supported algorithms and the length of the corresponding salt parameter.

Table crypt() supports four encryption algorithms
Algorithm Salt length
CRYPT_STD_DES 2-character (Default)
CRYPT_EXT_DES 9-character
CRYPT_MD5 12-character beginning with $1$
CRYPT_BLOWFISH 16-character beginning with $2$

On the surface, the crypt() function seems to be of little use, but this function is indeed widely used to ensure the integrity of system passwords. Because even if the one-way encrypted password falls into the hands of a third party, it will not be of much use since it cannot be restored to plain text.
Use crypt() to implement user authentication
The previous part briefly introduced the function of the crypt() function. Next, we will use it to implement user authentication. The goals to be achieved are the same as those introduced in Section 19.2.3.


$user_name=$_POST["user_name"];
require_once("sys_conf.inc"); //System configuration file, including database configuration information
//Connect to database
$link_id=mysql_connect($DBHOST,$DBUSER,$DBPWD);
mysql_select_db($DBNAME); //Select database my_chat
//Query whether there is logged in user information
$str="select name,password from user where name ='$user_name'";
$result=mysql_query($str,$link_id); //Execute query
@$rows=mysql_num_rows($result); //Number of records obtained from query results
$user_name=$_SESSION["user_name"];
$password=$_POST["password"];
$salt = substr($password, 0, 2);
$password_en=crypt($password,$salt); //Use crypt() to encrypt user password
//For old users
if($rows!=0)
{
list($name,$pwd)=mysql_fetch_row($result);
//If the password is entered correctly
if($pwd==$password_en)
{
$str="update user set is_online =1 where name ='$user_name' and password='$password_en'";
$result=mysql_query($str, $link_id);//Execute query
require("main.php"); //Go to the chat page
}
//Password input error
else
{
require("relogin.php");
}
}
//For new users, write their information to the database
else
{
$str="insert into user (name,password,is_online) values('$user_ name','$password_en',1)";
$result=mysql_query($str, $link_id); //Execute query
require("main.php"); //Go to the chat page
}
//Close the database
mysql_close($link_id);
?>

The example is very similar to the use of XOR encryption algorithm to protect user information introduced in the previous section. The core part is to use the crypt() function to obtain the encrypted password on lines 16 and 17, and compare the database on line 25 The password in and the encrypted password are equal to check whether the user is legitimate.

Next, let’s take an example to see what the encrypted password will look like.

For example, if the username is rock and the password is 123456, the encrypted password is:

　12tir.zIbWQ3c

A simple user authentication system is implemented above. When using crypt() to protect important confidential information, it should be noted that using crypt() in the default state is not the most secure and can only be used in systems with lower security requirements.