
PHP password protection: md5 to sha512

Developer https://www.devze.com 2022-12-25 05:54 Source: Internet

How do I use the sha512 function for PHP?

Can I replace all my md5 functions with the sha512 function?

Do I have to download something? If so, what?

Can anyone provide examples?


The hash() function, provided with PHP >= 5.1, should be able to generate sha512 hashes -- you can verify this by calling the hash_algos() function, which lists the supported hashing algorithms.


For example, you could use:

$sha512 = hash('sha512', "Hello, World!");
var_dump($sha512);

And you'd get:

string '374d794a95cdcfd8b35993185fef9ba368f160d8daf432d08ba9f1ed1e5abe6cc69291e0fa2fe0006a52570ef18c19def4e617c33ce52ef0a6e5fbe318cb0387' (length=128)


And, on my system, the following portion of code:

$supported = hash_algos();
var_dump($supported);

Indicates that 42 hashing algorithms are supported:

array
  0 => string 'md2' (length=3)
  ...
  6 => string 'sha384' (length=6)
  7 => string 'sha512' (length=6)
  8 => string 'ripemd128' (length=9)
  9 => string 'ripemd160' (length=9)
  ...
  40 => string 'haval224,5' (length=10)
  41 => string 'haval256,5' (length=10)



Also, with PHP >= 5.3, you should be able to use the openssl_digest() function:

$sha512 = openssl_digest("Hello, World!", 'sha512');
var_dump($sha512);

(Yep, the parameters are not in the same order as with hash() -- the magic of PHP, here...)

And, to get the list of supported algorithms, you could use openssl_get_md_methods().

On my system, this one gives me 22 supported algorithms.


Checksums are for generating checksums; HMAC is perhaps the preferred way of generating salted hashes of strings requiring secure hashing.

hash_hmac('sha512', 'important string', 'salt');


Just out of curiosity, why do you want to replace the MD5 function?

It is relatively efficient. If you add a salt, it is really annoying to reverse engineer. Someone would have to perform a brute-force encoding of all passwords looking for a match. Without a salt, common short, lowercase, all-letter strings have been cracked and stored in a database.

I would just add a salt and call it good.
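
An added example, not part of the question or of any answer above: one way to replace stored md5 password hashes without forcing a reset, by checking the legacy value at login and re-hashing on success. It uses PHP's built-in password_hash() / password_verify() (PHP >= 5.5) rather than raw sha512; the record layout, the function names and the PHP >= 7.1 syntax are assumptions.

```php
<?php
// Added example: upgrade legacy md5 password hashes at login time.
// The record layout ['hash' => ...] and the function names are assumptions.

// A stored value is treated as legacy if it is exactly 32 hex characters
// (the output format of an unsalted md5()).
function is_legacy_md5(string $stored): bool
{
    return (bool) preg_match('/^[0-9a-f]{32}$/i', $stored);
}

// Returns [bool $ok, ?string $newHash]. $newHash is non-null when the
// caller should write a replacement hash back to the user record.
function verify_and_upgrade(string $password, string $stored): array
{
    if (is_legacy_md5($stored)) {
        // hash_equals() compares in constant time (PHP >= 5.6).
        if (!hash_equals(strtolower($stored), md5($password))) {
            return [false, null];
        }
        // Correct password: replace the md5 value with a salted, slow hash.
        return [true, password_hash($password, PASSWORD_DEFAULT)];
    }
    if (!password_verify($password, $stored)) {
        return [false, null];
    }
    // Re-hash if the default algorithm or cost changed since this hash was made.
    $new = password_needs_rehash($stored, PASSWORD_DEFAULT)
        ? password_hash($password, PASSWORD_DEFAULT)
        : null;
    return [true, $new];
}

// Constructed sample record: a user whose password was stored with md5().
$user = ['hash' => md5('Hello, World!')];

[$ok, $new] = verify_and_upgrade('Hello, World!', $user['hash']);
if ($ok && $new !== null) {
    $user['hash'] = $new; // in a real application: UPDATE the user row
}
var_dump($ok);                           // login result for the correct password
var_dump(is_legacy_md5($user['hash']));  // whether the record is still md5

[$ok2] = verify_and_upgrade('wrong', $user['hash']);
var_dump($ok2);                          // login result for a wrong password
```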
