PHP crypt() Function

Definition and Usage

The crypt() function returns a one-way hash of a string, computed with the DES, Blowfish, or MD5 algorithm.

The behavior of the function varies on different operating systems, with some supporting more than one algorithm type. During installation, PHP checks which algorithms are available and which one to use.

The algorithm is selected by the format and length of the salt parameter. A salt makes the hash more secure by increasing the number of distinct strings a given algorithm can generate for the same input.

Here are some constants used with the crypt() function. These constant values are set by PHP during installation.

Constants:

[CRYPT_SALT_LENGTH] Default length of the salt. With standard DES, the length is 2.
[CRYPT_STD_DES] Standard DES-based hash with a two-character salt taken from the alphabet "./0-9A-Za-z". Using illegal characters in the salt will cause the crypt() function to fail.
[CRYPT_EXT_DES] Extended DES-based hash. The salt is a 9-character string consisting of 1 underscore followed by 4 bytes of iteration count and 4 bytes of salt. These are encoded as printable characters, 6 bits per character, least significant character first. The values 0 to 63 are encoded as "./0-9A-Za-z". Using illegal characters in the salt will cause the crypt() function to fail.
[CRYPT_MD5] The MD5 hash uses a 12-character string salt starting with $1$.
[CRYPT_BLOWFISH] The Blowfish algorithm uses the following salt: "$2a$", a two-digit cost parameter, "$", and a 64-bit string composed of characters from "./0-9A-Za-z". Using characters outside this range in the salt will cause crypt() to return an empty string. The two-digit cost parameter is the logarithm of the number of iterations to the base 2, with a range of 04-31. Values outside this range will cause crypt() to fail.
[CRYPT_SHA256] The SHA-256 algorithm uses a 16-character string salt starting with $5$ for hashing. If the salt string starts with "rounds=<N>$", the numeric value of N specifies the number of hash iterations, similar to the cost parameter of the Blowfish algorithm. The default number of iterations is 5000, the minimum is 1000, and the maximum is 999,999,999. Values of N outside this range are adjusted to the nearest limit.
[CRYPT_SHA512] The SHA-512 algorithm uses a 16-character string salt starting with $6$ for hashing. If the salt string starts with "rounds=<N>$", the numeric value of N specifies the number of hash iterations, similar to the cost parameter of the Blowfish algorithm. The default number of iterations is 5000, the minimum is 1000, and the maximum is 999,999,999. Values of N outside this range are adjusted to the nearest limit.

On systems that support multiple algorithms, each of the above constants is set to "1" if the algorithm is supported and to "0" otherwise.

Note: There is no corresponding decryption function. The crypt() function uses a one-way algorithm.

Syntax

crypt(str,salt)
Parameters Description
str Required. Specifies the string to be encoded.
salt Optional. A string used to increase the number of encoded characters to make encoding more secure. If the salt parameter is not provided, PHP will generate a random one each time the function is called.

Technical Details

Return Value: Returns the hashed string, or on failure a string shorter than 13 characters that differs from the salt.
PHP Version: 4+

Update Log

Version Description
5.3.2 Based on Ulrich Drepper's implementation, added crypt based on SHA-256 and SHA-512 algorithms.
5.3.2 Fixed Blowfish behavior on invalid rounds: crypt() now returns the 'failed' string ('*0' or '*1') instead of falling back to the DES algorithm.
5.3.0 PHP now includes its own implementations of MD5 crypt, standard DES, extended DES, and Blowfish. If the system lacks the corresponding implementation, PHP will use its own.

Examples

Example 1

In this example, we will test different algorithms:

<?php
// 2-character salt
if (CRYPT_STD_DES == 1)
{
    echo "Standard DES: ".crypt('something','st')."\n<br>";
}
else
{
    echo "Standard DES not supported.\n<br>";
}
// 4-character salt
if (CRYPT_EXT_DES == 1)
{
    echo "Extended DES: ".crypt('something','_S4..some')."\n<br>";
}
else
{
    echo "Extended DES not supported.\n<br>";
}
// Starting with $1$, 12 characters
if (CRYPT_MD5 == 1)
{
    echo "MD5: ".crypt('something','$1$somethin$')."\n<br>";
}
else
{
    echo "MD5 not supported.\n<br>";
}
// Salt starting with $2a$. Double-digit cost parameter: 09. 22 characters
if (CRYPT_BLOWFISH == 1)
{
    echo "Blowfish: ".crypt('something','$2a$09$anexamplestringforsalt$')."\n<br>";
}
else
{
    echo "Blowfish not supported.\n<br>";
}
// The 16-character salt starts with $5$. The default number of rounds is 5000.
if (CRYPT_SHA256 == 1)
{
    echo "SHA-256: ".crypt('something','$5$rounds=5000$anexamplestringforsalt$')."\n<br>";
}
else
{
    echo "SHA-256 not supported.\n<br>";
}
// The 16-character salt starts with $6$. The default number of rounds is 5000.
if (CRYPT_SHA512 == 1)
{
    echo "SHA-512: ".crypt('something','$6$rounds=5000$anexamplestringforsalt$');
}
else
{
    echo "SHA-512 not supported.";
}
?>

The output of the above code (depending on the operating system):

Standard DES: stqAdD7zlbByI
Extended DES: _S4..someQXidlBpTUu6
MD5: $1$somethin$4NZKrUlY6r7K7.rdEOZ0w.
Blowfish: $2a$09$anexamplestringforsaleLouKejcjRlExmf1671qw3Khl49R3dfu
SHA-256: $5$rounds=5000$anexamplestringf$KIrctqsxo2wrPg5Ag/hs4jTi4PmoNKQUGWFXlVy9vu9
SHA-512: $6$rounds=5000$anexamplestringf$Oo0skOAdUFXkQxJpwzO05wgRHG0dhuaPBaOU/oNbGpCEKlf/7oVM5wn6AN0w2vwUgA0O24oLzGQpp1XKI6LLQ0.
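
Because crypt() is one-way, a password is checked by hashing the candidate again with the stored hash as the salt parameter and comparing the results. The following is an added example, not part of the original page; it assumes PHP 7 or later (random_bytes(), type declarations), and the function names make_sha512_salt, hash_password and verify_password are hypothetical.

```php
<?php
// Added example: the function names below are hypothetical, not part of PHP.

/** Build a "$6$rounds=N$<16 characters>$" salt from random bytes. */
function make_sha512_salt(int $rounds = 5000): string
{
    // The 64-character alphabet "./0-9A-Za-z" used for crypt() salts.
    $alphabet = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
    $salt = '';
    foreach (str_split(random_bytes(16)) as $byte) {
        $salt .= $alphabet[ord($byte) & 63];   // 6 bits per character, no bias
    }
    return sprintf('$6$rounds=%d$%s$', $rounds, $salt);
}

/** Hash a password, treating the short failure string as an error. */
function hash_password(string $password): string
{
    if (CRYPT_SHA512 != 1) {
        throw new RuntimeException('SHA-512 crypt is not supported');
    }
    $hash = crypt($password, make_sha512_salt());
    if (strlen($hash) < 13) {                  // failure string such as "*0" or "*1"
        throw new RuntimeException('crypt() failed');
    }
    return $hash;
}

/** Re-hash the candidate with the stored hash as salt and compare. */
function verify_password(string $password, string $stored): bool
{
    // The stored hash starts with the algorithm id, rounds and salt,
    // so crypt() reuses exactly the settings it was created with.
    $candidate = crypt($password, $stored);
    // hash_equals() compares in constant time; the length check rejects
    // the failure string so it can never match a stored value.
    return strlen($candidate) >= 13 && hash_equals($stored, $candidate);
}

$stored = hash_password('something');
var_dump(verify_password('something', $stored));
var_dump(verify_password('Something', $stored));

// The SHA-256 output listed above verifies the same way.
$page = '$5$rounds=5000$anexamplestringf$KIrctqsxo2wrPg5Ag/hs4jTi4PmoNKQUGWFXlVy9vu9';
var_dump(verify_password('something', $page));
```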