Using crypt() with strings is similar to creating a checksum of something: it can easily be determined whether a string matches the checksum; however, it is not (easily) possible to re-create the original string from the checksum.

Checking Logins Using SHA1 and MD5 Hashes (checksum.php)

<?php
// Password submitted via GET (empty string when absent)
$pass = isset($_GET['pass']) ? $_GET['pass'] : '';
// Stored hashes of the correct password
$md5pass = '6958b43cb096e036f872d65d6a4dc01b';
$sha1pass = '61c2feed11e0e53eb8e295ab8da78150be12f301';
if (sha1($pass) === $sha1pass) {
    echo 'Login successful.';
} else {
    echo 'Login failed.';
}
// Alternatively, using MD5:
// if (md5($pass) === $md5pass) {
//     echo 'Login successful.';
// } else {
//     echo 'Login failed.';
// }
?>

Two algorithms whose purpose is exactly this checksumming are Secure Hash Algorithm 1 (SHA1) and Message Digest Algorithm 5 (MD5). They create such a checksum, or hash. The main difference between these two algorithms and the one used in DES/crypt() is that the SHA1 or MD5 checksum of a string is always the same, so it is very easy to verify data. As Figure 1.2 shows, even the PHP distributions have an MD5 checksum listed on the website to validate the downloads.

Figure 1.2. The PHP downloads page shows MD5 hashes of the PHP distributions.

Again, the goal is to validate a password the user provides using GET. The correct password is, once again, 'TopSecret' with the following hashes:
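The following added example (not the book's checksum.php listing) verifies a password against the stored SHA1 and MD5 hashes above with a constant-time comparison, and makes the difference the text describes concrete: the plain hash of 'TopSecret' is always the same, while crypt() with a random salt produces a different string each time yet still verifies. The cryptWithSalt() and check*() helper names and the SHA-512 crypt salt format are assumptions for this example; the hashes and the password come from the page.

```php
<?php
// Added example: verify a candidate password the way checksum.php does, but
// with hash_equals(), and contrast the deterministic hash with salted crypt().
// Stored hashes and the password 'TopSecret' are taken from the page above.

const SHA1_HASH = '61c2feed11e0e53eb8e295ab8da78150be12f301';
const MD5_HASH  = '6958b43cb096e036f872d65d6a4dc01b';

// hash_equals() does not leak, through timing, how many leading characters of
// the computed hash match the stored one; === stops at the first difference.
function checkSha1(string $pass): bool
{
    return hash_equals(SHA1_HASH, sha1($pass));
}

function checkMd5(string $pass): bool
{
    return hash_equals(MD5_HASH, md5($pass));
}

// An unsalted hash is identical for identical input, so the stored value alone
// shows when two accounts share a password and can be looked up in precomputed
// tables. crypt() embeds a random salt in its output: the same password gives a
// different string on every call, yet crypt($pass, $stored) still verifies
// because the salt is read back out of $stored.
function cryptWithSalt(string $pass): string
{
    // Assumed format: SHA-512 crypt ($6$) with a 16-character salt from ./0-9A-Za-z
    $salt = substr(strtr(base64_encode(random_bytes(12)), '+', '.'), 0, 16);
    return crypt($pass, '$6$' . $salt . '$');
}

function checkCrypt(string $pass, string $stored): bool
{
    return hash_equals($stored, crypt($pass, $stored));
}

// Candidate password read from the command line instead of from GET
$candidate = $argv[1] ?? 'TopSecret';
echo 'SHA1: ', checkSha1($candidate) ? 'match' : 'no match', PHP_EOL;
echo 'MD5:  ', checkMd5($candidate) ? 'match' : 'no match', PHP_EOL;

$first  = cryptWithSalt($candidate);
$second = cryptWithSalt($candidate);
echo 'crypt() outputs differ: ', $first !== $second ? 'yes' : 'no', PHP_EOL;
echo 'crypt() still verifies:  ', checkCrypt($candidate, $first) ? 'yes' : 'no', PHP_EOL;
```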