Data encryption has become more and more important in our lives, especially considering the large number of transactions that occur on the Internet and the large amount of data transmitted. If you are interested in using security measures, you will also be interested in understanding the series of security functions provided by PHP. In this article, we will introduce these functions and provide some basic usage so that you can add security features to your application software.
Preliminary knowledge
Before introducing the security functions of PHP in detail, we need to take some time to introduce some basic knowledge about cryptography to readers who have not been exposed to this aspect. If you are already very familiar with the basic concepts of cryptography, you can skip this part. .
Cryptozoology can be loosely described as the study and experiment of encryption/decryption. Encryption is the process of converting easy-to-understand data into incomprehensible data, and decryption is the process of converting incomprehensible data into original easy-to-understand data. Information that is difficult to understand is called a code, and information that is easy to understand is called a clear code.
Encryption/decryption of data requires certain algorithms. These algorithms can be very simple, such as the famous Caesar code, but current encryption algorithms are relatively more complex, and some of them are even undecipherable using existing methods.
PHP’s encryption function
Anyone who has a little experience using non-Windows platforms may be familiar with crypt(). This function completes a function called one-way encryption. It can encrypt some plain codes, but it cannot convert the password into the original plain code. Although this may seem like a useless feature on the surface, it is widely used to ensure the integrity of system passwords. Because once the one-way encrypted password falls into the hands of a third party, it cannot be restored to plain text, so it is of little use. When verifying the password entered by the user, the user's input also uses a one-way algorithm. If the input matches the stored encrypted password, the entered password must be correct.
PHP also provides the possibility to complete one-way encryption using its crypt() function. I'll briefly introduce the function here:
string crypt (string input_string [, string salt])
The input_string parameter is the string that needs to be encrypted, and the second optional salt is a bit string that can affect the encrypted password, further ruling out the possibility of what is called a precomputation attack. By default, PHP uses a 2-character DES interference string. If your system uses MD5 (I will introduce the MD5 algorithm later), it will use a 12-character interference string. By the way, you can discover the length of the interference string your system will use by executing the following command:
print "My system salt size is: ". CRYPT_SALT_LENGTH;
The system may also support other encryption algorithms. crypt() supports four algorithms. The following are the algorithms it supports and the length of the corresponding salt parameters:
Algorithm Salt length
CRYPT_STD_DES 2-character (Default)
CRYPT_EXT_DES 9-character
CRYPT_MD5 12-character beginning with $
CRYPT_BLOWFISH 16-character beginning with $
Use crypt() to implement user authentication
As an example of the crypt() function, consider a situation where you wish to create a PHP script that restricts access to a directory to only users who can provide the correct username and password. I will store the data in a table in MySQL, my favorite database. Let's start our example by creating this table called members:
mysql>CREATE TABLE members (
->username CHAR(14) NOT NULL,
->password CHAR(32) NOT NULL,
->PRIMARY KEY(username)
->);
Then, we assume that the following data is already stored in the table:
Username Password
clark keloD1C377lKE
bruce ba1T7vnz9AWgk
peter paLUvRWsRLZ4U
The plain codes corresponding to these encrypted passwords are kent, banner and parker respectively. Pay attention to the first two letters of each password. This is because I used the following code to create a interference string based on the first two letters of the password:
$enteredPassword.
$salt = substr($enteredPassword, 0, 2);
$userPswd = crypt($enteredPassword, $salt);
// $userPswd is then stored in MySQL together with the username
I will be using Apache's password-response authentication configuration to prompt the user for a username and password. A little-known fact about PHP is that it recognizes usernames and passwords entered by the Apache password-response system as $PHP_AUTH_USER and $PHP_AUTH_PW. I will use these two variables in the authentication script. Take some time to read the script below carefully and pay more attention to the explanations to better understand the code below:
Application of crypt() and Apache's password-response verification system
$host = "localhost";
$user = "zorro";
$pswd = "hell odolly";
$db = "users";
// Set authorization to False
$authorization = 0;
// Verify that user has entered username and password
if (isset($PHP_AUTH_USER) && isset($PHP_AUTH_PW)) :
mysql_pconnect($host, $user, $pswd) or die("Can't connect to MySQL
server!");
![[Web front-end] Node.js quick start](https://img.php.cn/upload/course/000/000/067/662b5d34ba7c0227.png)
