Using crypt() in PHP to implement user authentication

Author：Eve Cole Update Time：2009-06-01 18:20:01

If you do not want to develop a new encryption algorithm yourself when developing PHP applications, you can also use the crypt() function provided by PHP to complete the one-way encryption function.

Understanding crypt()

Readers who have a little experience using non-Windows platforms may be quite familiar with crypt(). This function performs a function called one-way encryption. It can encrypt some plain codes, but it cannot in turn convert the password back to the original plain code. . The crypt() function is defined as follows.

string crypt (string input_string [, string salt])

Among them, the input_string parameter is a plaintext string that needs to be encrypted, and the second optional salt is a bit string, which can affect the encrypted password and further eliminate the possibility of being cracked. By default, PHP uses a 2-character DES interference string. If the system uses MD5 (see the next section), PHP will use a 12-character interference string. The length of the interference string that the system will use can be found by executing the following command.

print "My system salt size is: ". CRYPT_SALT_LENGTH;

crypt() supports 4 encryption algorithms. Table 19.1 shows the supported algorithms and the length of the corresponding salt parameter.

Table crypt() supports four encryption algorithms

Algorithm	Salt length
CRYPT_STD_DES	2-character (Default)
CRYPT_EXT_DES	9-character
CRYPT_MD5	12-character beginning with $1$
CRYPT_BLOWFISH	16-character beginning with $2$

On the surface, the crypt() function seems to be of little use, but this function is indeed widely used to ensure the integrity of system passwords. Because even if the one-way encrypted password falls into the hands of a third party, it will not be of much use since it cannot be restored to plain text.

Implementing user authentication using crypt()

The previous part briefly introduced the function of the crypt() function. Next, it is used to implement user authentication. The goals it wants to achieve are the same as those introduced in Section 19.2.3.

1 
2 <?php
3 $user_name=$_POST["user_name"];
4 require_once("sys_conf.inc"); //System configuration file, including database configuration information
5
6 //Connect to the database
7 $link_id=mysql_connect($DBHOST,$DBUSER,$DBPWD);
8 mysql_select_db($DBNAME); //Select database my_chat
9
10 //Query whether there is logged in user information
11 $str="select name,password from user where name ='$user_name'";
12 $result=mysql_query($str,$link_id); //Execute query
13 @$rows=mysql_num_rows($result); //The number of records obtained from the query results
14 $user_name=$_SESSION["user_name"];
15 $password=$_POST["password"];
16 $salt = substr($password, 0, 2);
17 $password_en=crypt($password,$salt); //Use crypt() to encrypt the user password
18
19 //For old users
20 if($rows!=0)
twenty one {
22 list($name,$pwd)=mysql_fetch_row($result);
twenty three
24 //If the password is entered correctly
25 if($pwd==$password_en)
26 {
27 $str="update user set is_online =1 where name ='$user_name' and password='$password_en'";
28 $result=mysql_query($str, $link_id);//Execute query
29 require("main.php"); //Go to the chat page
30}
31 //Password input error
32 else
33 {
34 require("relogin.php");
35}
36
37 }
38 //For new users, write their information into the database
39 else
40 {
41 $str="insert into user (name,password,is_online) values('$user_ name','$password_en',1)";
42 $result=mysql_query($str, $link_id); //Execute query
43 require("main.php"); //Go to the chat page
44}
45 //Close the database
46 mysql_close($link_id);
47?＞

The example is very similar to the use of the XOR encryption algorithm to protect user information introduced in the previous section. The core part is that the crypt() function is used to obtain the encrypted password on lines 16 and 17, and the password in the database is compared on line 25. and the encrypted password are equal to check whether the user is legitimate.

Next, let’s take an example to see what the encrypted password will look like.

For example, if the username is rock and the password is 123456, the encrypted password is:

12tir.zIbWQ3c

The above implements a simple user authentication system. When using crypt() to protect important confidential information, it should be noted that using crypt() in the default state is not the most secure and can only be used in systems with lower security requirements.