問題描述

根據手冊:password_hash 這個函數可以用于(PHP 5 >= 5.5.0)

According to manual: password_hash this function can be used for (PHP 5 >= 5.5.0)

在尋找替代方法后，我從這里找到了這個簡單的函數:http://www.sitepoint.com/password-hashing-in-php/

After searching for an alternative way I found this simple function from here: http://www.sitepoint.com/password-hashing-in-php/

function generateHash($password) {
    if (defined("CRYPT_BLOWFISH") && CRYPT_BLOWFISH) {
        $salt = '$2y$11$' . substr(md5(uniqid(rand(), true)), 0, 22);
        return crypt($password, $salt);
    }
}

我可以在使用前通過使用 function_exists 來管理我的代碼，但我的問題是關于上述替代代碼是否安全，或者在舊版本的 PHP 中是否有其他替代代碼?

I can manage my code by using function_exists before using, but My question is about above alternative code if its secure or not, or is there any alternative in older versions of PHP?

推薦答案

對于 PHP 版本

5.3.7，我推薦:

For PHP versions < 5.3.7, I'd recommend:

http://www.openwall.com/phpass/

對于 PHP 版本 >= 5.3.7，使用:

For PHP versions >= 5.3.7, use:

https://github.com/ircmaxell/password_compat

生成自己的鹽需要很多知識，因為好的、合適的鹽需要大量的熵.在 PHP 中生成這個 salt 很麻煩，這就是為什么你通常最終依賴其他資源為你提供這個字符串，例如 /dev/urandom 或 openssl_random_pseudo_bytes.相信我，如果沒有認真的研究和考慮，這不是你想自己嘗試的事情.

Generating your own salts takes a lot of know how, because a good, proper salt requires a lot of entropy. Generating this salt in PHP is troublesome, which is why you usually end up depending on other resources to provide this string for you, such as /dev/urandom or openssl_random_pseudo_bytes. Believe me, this isn't something you want to try yourself without serious research and consideration.

建議使用新的 password_* API，但如果您需要支持舊版本的 PHP，這可能會出現問題，這就是 PHPass 的用武之地.必須討厭那些每月 1 美元的托管計劃PHP 5.2

Using the new password_* API is recommended, but it can be problematic if you need to support older versions of PHP, which is where PHPass comes in. Gotta hate those $1 per month hosting plans with PHP 5.2

這篇關于什么是 password_hash() 的替代方案(PHP 5 <5.5.0)?的文章就介紹到這了，希望我們推薦的答案對大家有所幫助，也希望大家多多支持html5模板網！