|
użytkowników online: 27
|
OPINIE UŻYTKOWNIKÓW
|
Uważam, że serwis jest najlepszy na świecie. Wykonany rzetelnie, a wszystkie skrypty sa dopracowane. Zamieszczony materiał godny mistrza. Jestem programistą od wielu lat i bez tego serwisu nie istnieje. Upraszacza życie każdemu programiście. Imponujący jest fakt, że do twórcy serwisu zawsze można się zwrócić z prośbą o pomoc i uzyskuje się ją w bardzo krótkim czasie. Najważniejsze w tym wszystkim jest to, że można korzystać z witryny za symboliczną opłatą.
Marcin Kowalski
Multinet Polska
|
|
PODRĘCZNIK PHP 5.x, 4.x, 3.x - częściowo spolszczony / źródło: www.php.net
[Spis]
[A]
[B]
[C]
[D]
[E]
[F]
[G]
[H]
[I]
[J]
[K]
[L]
[M]
[N]
[O]
[P]
[Q]
[R]
[S]
[T]
[U]
[V]
[X]
[W]
[Z]
md5 (PHP 3, PHP 4, PHP 5) md5 -- Calculate the md5 hash of a string Descriptionstring md5 ( string str [, bool raw_output] )
Calculates the MD5 hash of str using the
RSA Data Security, Inc.
MD5 Message-Digest Algorithm, and returns that hash.
The hash is a 32-character hexadecimal number. If the optional
raw_output is set to TRUE, then the md5 digest
is instead returned in raw binary format with a length of 16.
Notatka:
The optional raw_output parameter was added in
PHP 5.0.0 and defaults to FALSE
Przykład 1. A md5() example |
<?php
$str = 'apple';
if (md5($str) === '1f3870be274f6c49b3e31a0c6728957f') {
echo "Would you like a green or red apple?";
exit;
}
?>
|
|
See also crc32(), md5_file(),
and sha1().
User Contributed Notesmina86 at projektcode dot org
24-Jan-2006 09:01
Re: Andrew Nelless
I believe that HMAC was designed for some reason. I believe the reason was that <?php hmac_md5($salt, $password); ?> is more secure then <?php md5($salt . $password); ?>
Re: nathan at nathanbolender dot com
The 'Salt & Pepper Encrypter' is no more secure then standard sha1() function. It only adds some random chars to the hash but does nothing with the password's hash. In particular, its enought to remove 32 or 40 characters (depending on the length of the whole hash - 74 or 82 characters acordingly) from the hash starting with the character at position stored at the end of hash (last two digits). We get a 42-char long string which first 40 characters are SHA-1 of the password.
rick.gaither
20-Dec-2005 06:14
This is a nifty function to help in securing your web-forms.
If no argument is passed the function will return an encrypted hex code representing the second it was called. If the same hex code is passed to the function it will return the number of seconds that have elapsed. The php script can then check the time between accessing the web-page and submitting the POST. This thwarts script ran web-form submissions. The program can verify a suitable period has elapsed for expected manual entries. The time check can be from 1 second to about 17 hours.
The function requires the latest PEAR Blowfish Encryption module.
This would go in the form:
<?php print "<input type='hidden' value='" . FormTimer() . "' name='FormCode'>"; ?>
This would go in the main php (post) script:
<?php
$seconds = FormTimer($_POST['FormCode']);
if (($seconds < 10) || ($seconds > 1900)) { die "Your entry time took less than 10 seconds or more than 30 minutes"; }
?>
Function...
<?php
function FormTimer($CodeID="") {
require ('Blowfish.php');
require ('Blowfish/DefaultKey.php');
$key = "Secret^Word";
$bf = new Crypt_Blowfish($key);
$current = substr(sprintf("%d", (time()+1)),-8);
if (!$CodeID) { return bin2hex($bf->encrypt($current)); }
$len = strlen($CodeID); $cValue = -1;
for ($i=0;$i<$len;$i+=2) $Crypt.=chr(hexdec(substr($CodeID,$i,2)));
if ($Crypt) {
$time_called = $bf->decrypt($Crypt);
if ($time_called) { $cValue = (intval($current) - intval($time_called)); }
}
return $cValue;
}
?>
Andrew Nelless ( anelless _ gmail _com )
17-Dec-2005 07:04
"mina86 at tlen dot pl"'s (19-Sept-05) HMAC-MD5 implementation is correct but his example usage provides little practical advantage over the simple concatenation and hash approach to salting.
$hash = md5($salt . $password);
On the other hand, a good use for a MAC (with a server side private key) would be to store one in the users cookie in order to verify that cookie's (or parts of them) you issue haven't been changed manually (or for that matter, by any other website (maybe via a XSS browser exploit?), MITM attack or evil proxy).
Such a trick allows you to put mildly critical data about a user, that you don't want changed by anyone but you, in their cookie rather than in your database. This could have advantages (openness, not needing to store user email addresses at the server side once they have been verified by email, even do away with the need to store data about a poster in a server side database altogether but still being able to allow these almost anonymous posters to come along and edit their submissions with confidence) and be rather entertaining (users trying to crack their cookie code to elevate their stats and/or permissions).
This is like issueing a passport. The traveller can see all of it, get it stamped (~customise parts of it) but can also invalidate it and have it revoked. It can also save on expensive and time consuming nationality/immigration checks (~using the database) at the airport (~the server side).
Jon Watte
03-Dec-2005 05:11
Scrambling the md5 adds no security, because it only adds obscurity. md5 is a reasonably strong hash function, although it's recently been shown to be weaker than previously thought. If hashing your password with md5 isn't good enough for you, then you should use a stronger hash like Tiger instead -- not apply amateurish obfuscation that only serves to give you a false sense of security.
I don't know of an implementation of Tiger for PHP, but the algorithm is pretty simple (and secure) so you could probably write it in plain PHP code.
karig at karig dot net
30-Nov-2005 03:38
Scramble your hashes.
If you are worried about whether these hash functions are "good enough" for security and are tempted to combine hash functions to try to increase security, but you know that combining hashes might be counterproductive, then why not use md5() to get your hash string, then use a custom scramble function to rearrange the digits in that hash string?
Use this scramble function whenever a user is logging in: Encrypt the password with md5(), then with your scramble function, and compare the result with the pre-encrypted password stored on your server for that user.
Here is an example (you might decide to scramble the digits in a different order):
<?php
function scramble($p) {
$q = $p{13} . $p{30} . $p{5} . $p{17} . $p{23} . $p{0}
. $p{28} . $p{4} . $p{18} . $p{25} . $p{6} . $p{20}
. $p{14} . $p{9} . $p{31} . $p{11} . $p{24} . $p{29}
. $p{10} . $p{3} . $p{15} . $p{26} . $p{8} . $p{12}
. $p{21} . $p{27} . $p{1} . $p{16} . $p{22} . $p{7}
. $p{19} . $p{2};
return $q;
}
$p = $_POST['password'];
$p = scramble(md5($p));
?>
You could even make the scramble function more elaborate by repeating certain arbitrary characters an arbitrary number of times, e.g., having scramble() insert $p(19) into $q three or four times, thus producing a string longer than 32 characters.
__PPS__
20-Oct-2005 07:19
nathan at nathanbolender dot com
16-Oct-2005 09:31
If you're a security freak you might want to take a look at the 2 functions I have posted at http://code.nathanbolender.com/PHP/salt_pepper/ . It uses a hardcoded "key" and hashes it one of 2 ways, so you are always left with a random 'hash' to store in your database. The other function will check the hash against the original string to make sure that it is correct. If you want to see an example of the debug output you can at http://code.nathanbolender.com/PHP/salt/ . Note that on that page the "key" is random only to demonstrate the possibility for so much variations.
I know that a simple md5() would normally be enough, but I came up with this and I wanted to share it.
mina86 at tlen dot pl
19-Sep-2005 10:41
It seems that the best solution would be to use HMAC-MD5. An implementation of HMAC-SHA1 was posted by mark on 30-Jan-2004 02:28 as a user comment to sha1() function (-> http://php.net/manual/function.sha1.php#39492). Here's how it would look like (some other optimizations/modifications are included as well):
<?php
function hmac($key, $data, $hash = 'md5', $blocksize = 64) {
if (strlen($key)>$blocksize) {
$key = pack('H*', $hash($key));
}
$key = str_pad($key, $blocksize, chr(0));
$ipad = str_repeat(chr(0x36), $blocksize);
$opad = str_repeat(chr(0x5c), $blocksize);
return $hash(($key^$opad) . pack('H*', $hash(($key^$ipad) . $data)));
}
function pw_encode($password) {
$seed = substr('00' . dechex(mt_rand()), -3) .
substr('00' . dechex(mt_rand()), -3) .
substr('0' . dechex(mt_rand()), -2);
return hmac($seed, $password, 'md5', 64) . $seed;
}
function pw_check($password, $stored_value) {
$seed = substr($stored_value, 32, 8);
return hmac($seed, $password, 'md5', 64) . $seed==$stored_value;
}
$password = 'foobar';
$encoded = pw_encode($password);
$result = pw_check ($password, $encoded) ? 'true' : 'false';
echo<<<END
password: $password
encoded : $encoded
rsult : $result
END;
?>
eric at opelousas dot org
31-Jul-2005 11:57
Setting raw_output to TRUE has the same effect using pack('H*', md5($string)) in php 4
pack( 'H*' , md5( $string) ) ) == md5($string, TRUE)
Helpful Harry
30-Jun-2005 08:29
check out these functions to fake a sha1 entry using md5. Very, very secure if attackers get your password file...
also, it encrypts differently for the same string, every time
function pw_encode($password)
{
for ($i = 1; $i <= 8; $i++)
$seed .= substr('0123456789abcdef', rand(0,15), 1);
return md5($seed.$password).$seed;
}
function pw_check($password,$stored_value)
{
$stored_seed = substr($stored_value,32,8);
if (md5($stored_seed.$password).$stored_seed == $stored_value)
return TRUE;
else
return FALSE;
}
tommiboy
03-May-2005 09:32
Regarding those many posts about MD5 and this-or-that hash function being "broken" or insecure because it has collisions, please note the following:
1. Every hash function has collisions, that is what hash functions are made for. MD5, as an example, turns N bits of input into 128 bits of output. Obviously, whenever N > 128 bits, then there MUST be collisions. This does not mean the function is broken, it means that the function does EXACTLY what you want it to do - it makes a secret unrecoverable.
The important thing about "secure" hash functions is that it is hard to calculate an input that will produce a certain output (e.g. the same output as another user's password). It is impossible to reconstruct a password from a hash if the password has more than 128 bits since several passwords necessarily map to the same hash. No matter which supercomputers you use, you have a set of equations with several unknowns. It is possible to find SOME password that produces a valid hash, though.
For every reasonable scenario, however, MD5 will do just fine. If you are concerned, store the password length as well.
2. Chaining the hash function means 128 bits of input producing 128 bits of output, this does not make sense, really. In fact, you greatly increase the likelihood of finding SOME password that produces the same double-hash.
3. Chaining MD5 with SHA makes little sense, too, as you feed 128 bits into a function that returns 256 bits. So the information that you keep around is 50% redundant. Security is in no way enhanced.
4. You can add "salt", i.e. a constant or variable string (for example calculated from the user id) that is concatenated to the input of the hash function, but that does not really make things a lot better. It does make a dictionary attack against a stolen password database harder, if nothing else.
5. Concerns about this-or-that hash being not good enough are rather silly since there are a lot of other ways which are by several orders of magnitude cheaper and easier to break into your system. It is not likely that any sane person will attempt to find collisions of a hash function to break into one single account. Users are only too happy to give out their password to "the administator who must verify that their password is correct".
6. What happens if two users accidentially choose passwords that have a hash collision? First, this will probably never happen, and second, if it does happen, then there is not much harm. Two users can have the same password and none of them will ever notice.
terry _at_ scribendi_com
29-Apr-2005 04:39
Do not use the hex strings returned by md5() as a key for MCrypt 256-bit encryption. Hex characters only represent four bits each, so when you take 32 hex characters, you are only really using a 128-bit key, not a 256-bit one.
Using an alphanumeric key generator [A-Za-z0-9] will also only provide a 192-bit key in 32 characters.
Two different MD5s concatenated in raw binary form, or mcrypt_create_iv(32,MCRYPT_DEV_RANDOM) will give you a true 256-bit key string.
gigabyte0 at NOSPAM dot gmail dot com
06-Mar-2005 08:22
I would think that this would create a slightly mode secure hash by using this:
<?php
function hash($text){
$hashtext = "string";
return md5($text.$hashtext)
}
?>
If you can keep the $hashtext secure.
whateverever
05-Mar-2005 06:04
hkmaly has updated his crypt/decrypt code at http://adela.karlin.mff.cuni.cz/~hkmaly/crypt_using_md5.php.txt
and made a sha1 version.
Note that if you crypt_md5 twice, you get back the first 16 characters.
<?
$time= 1110039695; $key= "secret key";
print crypt_md5(crypt_md5('This is a very long etc.',$key,$time),$key,$time);
?>
Produces:
This is a very lfk
|
