我想到了只创建bcrypt的纯PHP端口,但是查看了 jBCrypt的来源,由于我对PHP或河豚并不十分熟悉,因此我不确定我是否应该这样做,而且这里的错误可能同时很危险,而且很难首先发现.因此,我向您提出两个(多部分)问题:我对PHP的了解不足是否使我受益匪浅?我真的可以使用已经创建的实现之一吗?我是否应该创建一个简单的循环函数,该函数反复调用sha1()或md5()多次,次数可配置?解决方案 我对PHP的了解不足是否使我受益匪浅?我真的可以使用已经创建的实现之一吗?很遗憾,您是正确的.在5.3.0之前的版本中,PHP默认不支持bcrypt.相反,它依赖于操作系统的支持(请检查CRYPT_BLOWFISH常量).正如您所指出的,在这种情况下, Suhosin 是一个选项. 我应该只创建一个简单的循环函数,以重复多次调用sha1()或md5()吗?关于密码学的最佳建议是不要自己动手".重复呼叫sha1()或md5() 可能会或可能不会提高安全性.另一方面,bcrypt的作者在本文上解释了他们的设计决定.I am contributing to a relatively mature open-source PHP project. Recently, I discovered that it stores passwords as plain MD5 hashes, which is quite bothersome to me. I figured that if I was going to fix it, I might as well Do It Right(tm), so I wanted to use bcrypt.First, what I have found for other languages: bcrypt-ruby appears to use either the original C code from OpenBSD or jBCrypt's java code. py-bcrypt is a thin wrapper around the BSD code. BCrypt.net is a direct port of jBCrypt.Now, PHP itself supports bcrypt (albeit, misleadingly called simply 'blowfish') in the crypt function. However, versions prior to 5.3 require support on the system itself, generally provided by crypt_blowfish. phpass is the same, and recommends installing either PHP 5.3 or Suhosin.Since many users of the application use standard shared hosting, I don't want to require any special configuration of the server. I was hoping to just steal the code from PHP's 5.3 release, but it is in C, and (from the small bit of reading I've just done) I cannot require the use of a C-extension for the project's users.I thought of just creating a pure-PHP port of bcrypt, but looking at the source of jBCrypt, I am not sure that I should, given that I'm not incredibly familiar with either PHP or blowfish, and a mistake here could be simultaneously dangerous and difficult to detect in the first place.So, I present to you two (multipart) questions:Is my lack of PHP knowledge getting the best of me? Can I really use one of the already-created implementations?Should I instead just create a simple loooping function that calls sha1() or md5() repeatedly for some configurable number of times? 解决方案 Is my lack of PHP knowledge getting the best of me? Can I really use one of the already-created implementations?Unfortunately, you are correct. Prior to 5.3.0 PHP didn't support bcrypt by default. Instead, it relied on the OS's support (check the CRYPT_BLOWFISH constant). As you've pointed out Suhosin is an option in that case. Should I instead just create a simple loooping function that calls sha1() or md5() repeatedly for some configurable number of times?The best advice when it comes to cryptography is "don't roll your own." Repeated calls to sha1() or md5() may or may not increase security.The authors of bcrypt on the other hand explain their design decisions on this paper. 这篇关于如何在PHP应用程序中出售bcrypt(我应该这样做)?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持! 上岸,阿里云!