PHP Authentication Schemes

Christopher Cosentino

This chapter is from the book
Advanced PHP for Web Professionals

Generating Passwords

The md5() and crypt() functions encrypt (strictly speaking, hash) passwords, but the result cannot be unencrypted: these are one-way algorithms. You can verify that a user's password matches the password they were initially given by running the password they subsequently enter at the site through md5() or crypt() and comparing the output with the stored value. The two encrypted versions of the same string match (assuming that the same "salt" is used to create the password using the crypt() function).

This is good, because you never store a user's actual password. If your password file falls into the wrong hands, there is little that anybody can do with it: it is very hard to unencrypt a password encrypted by md5() or crypt(). Because you don't store the user's actual password, malicious hackers who get their hands on your password file can't easily take that password and use it to attempt to break into other sites that your user may visit. That matters because, unfortunately, most people don't use a different password for every site they visit.

Later scripts in this chapter assume that you have already created some sort of file containing usernames and passwords. The general convention for storing passwords in text files is to put one username/password combination on each line, and to separate the user and password with a colon. For example:

user1:sih2hDu1acVcA 
user2:aSP2C8UUWnxjA
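
Checking a login against a file in this user:hash format, as an added example that is not from the book: it uses password_verify() and password_hash(), PHP's built-in password functions, which also accept hashes produced by crypt(). The function names, user names and passwords are constructed for illustration.

```php
<?php
// Added example, not from the book. User names and passwords are constructed.

// Parse "user:hash" lines into an array of [username => hash].
function load_password_file(string $contents): array
{
    $users = [];
    foreach (preg_split('/\R/', $contents) as $line) {
        $parts = explode(':', trim($line), 2);
        if (count($parts) === 2 && $parts[0] !== '' && $parts[1] !== '') {
            $users[$parts[0]] = $parts[1];
        }
    }
    return $users;
}

// password_verify() reads the algorithm and salt from the stored hash,
// hashes the submitted password the same way, and compares the two results
// in constant time. It accepts crypt() hashes as well as password_hash() ones.
function verify_login(array $users, string $user, string $password): bool
{
    return isset($users[$user]) && password_verify($password, $users[$user]);
}

// True when the stored hash was not made with the current default algorithm
// and cost, so it should be replaced after the next successful login.
function needs_upgrade(array $users, string $user): bool
{
    return password_needs_rehash($users[$user], PASSWORD_DEFAULT);
}

// Constructed password file: one legacy crypt() entry with the two-character
// salt "ab", one entry made with password_hash().
$file = "user1:" . crypt('tiger42', 'ab') . "\n"
      . "user2:" . password_hash('otter77', PASSWORD_DEFAULT) . "\n";
$users = load_password_file($file);

foreach ([['user1', 'tiger42'], ['user1', 'lion42'], ['user2', 'otter77'], ['nobody', 'x']] as [$u, $p]) {
    printf("%-6s %-8s %s\n", $u, $p, verify_login($users, $u, $p) ? 'accepted' : 'rejected');
}
foreach (array_keys($users) as $u) {
    printf("%-6s %s\n", $u, needs_upgrade($users, $u) ? 'rehash on next login' : 'hash is current');
}
```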

The first script in this chapter creates an md5() encrypted password and a crypt() encrypted password for any string you enter. As shown in Figure 7-1, you can use this script to easily generate encrypted passwords and display them on the screen so that you can copy and paste them into a text file. The crypt() encrypted password generated from the script is the same as encrypting a password using Apache's htpasswd program.

Script 7-1 generating_passwords.php

 1.  <html>
 2.  <head>
 3.  <title>Password Creator</title>
 4.  </head>
 5.  <body>
 6.  <form action="generating_passwords.php" method="post">
 7.  <h3>Enter a password to create MD5 and Crypt based passwords.</h3>
 8.  Password: <input type="text" name="password">
 9.  <input type="submit" name="create" value="Create Passwords!">
10.  </form>
11.  <?php $password = $_POST['password'] ?? null; // read the form field explicitly; register_globals no longer exists
12.  if(isset($password)) {
13.    ?>
14.    <h3>The passwords for the string "<?=htmlspecialchars($password) /* escape before echoing into HTML */?>" are:</h3>
15.    <ul>
16.    <li><b>MD5:</b> <?=md5($password)?>
17.    <li><b>Crypt:</b> <?=crypt($password, substr(strtr(base64_encode(random_bytes(2)), '+', '.'), 0, 2)) /* random two-character salt */?>
18.    </ul>
19.    <?php
20.  }
21.  ?>
22.  </body>
23.  </html>

Figure 7-1 generating_passwords.php

Script 7-1. generating_passwords.php Line-by-Line Explanation

LINE     DESCRIPTION

1–10     Create an HTML form with one text input field, named "password," and a submit button.

11       Start parsing the page as PHP.

12       Check to see if the $password variable has been set. If it has, continue to line 13; if not, continue on line 20.

13–19    Stop parsing the page as PHP. Print out the values of the password after it has been encrypted by the md5() and crypt() functions. Start parsing the page as PHP again.

20       End the if statement started on line 12.

21       Stop parsing the page as PHP.

23       Print out the closing HTML for the page.
