THE WORLD'S LARGEST WEB DEVELOPER SITE

PHP Tutorial

PHP HOME PHP Intro PHP Install PHP Syntax PHP Comments PHP Variables PHP Echo / Print PHP Data Types PHP Strings PHP Numbers PHP Constants PHP Operators PHP If...Else...Elseif PHP Switch PHP Loops PHP Functions PHP Arrays PHP Superglobals

PHP Forms

PHP Form Handling PHP Form Validation PHP Form Required PHP Form URL/E-mail PHP Form Complete

PHP Advanced

PHP Date and Time PHP Include PHP File Handling PHP File Open/Read PHP File Create/Write PHP File Upload PHP Cookies PHP Sessions PHP Filters PHP Filters Advanced PHP JSON

PHP OOP

PHP What is OOP PHP Classes/Objects PHP Constructor PHP Destructor PHP Access Modifiers PHP Inheritance PHP Constants PHP Abstract Classes PHP Traits PHP Static Methods PHP Static Properties

MySQL Database

MySQL Database MySQL Connect MySQL Create DB MySQL Create Table MySQL Insert Data MySQL Get Last ID MySQL Insert Multiple MySQL Prepared MySQL Select Data MySQL Where MySQL Order By MySQL Delete Data MySQL Update Data MySQL Limit Data

PHP XML

PHP XML Parsers PHP SimpleXML Parser PHP SimpleXML - Get PHP XML Expat PHP XML DOM

PHP - AJAX

AJAX Intro AJAX PHP AJAX Database AJAX XML AJAX Live Search AJAX Poll

PHP Examples

PHP Examples PHP Quiz PHP Exercises PHP Certificate

PHP Reference

PHP Overview PHP Array PHP Calendar PHP Date PHP Directory PHP Error PHP Filesystem PHP Filter PHP FTP PHP JSON PHP Libxml PHP Mail PHP Math PHP Misc PHP MySQLi PHP Network PHP SimpleXML PHP Stream PHP String PHP Variable Handling PHP XML Parser PHP Zip PHP Timezones

PHP crypt() Function


❮ PHP String Reference

Definition and Usage

The crypt() function returns a hashed string using DES, Blowfish, or MD5 algorithms.

This function behaves different on different operating systems. PHP checks what algorithms are available and what algorithms to use when it is installed.

The salt parameter is optional. However, crypt() creates a weak password without the salt. Make sure to specify a strong enough salt for better security.

There are some constants that are used together with the crypt() function. The value of these constants are set by PHP when it is installed.

Constants:

  • [CRYPT_STD_DES] - Standard DES-based hash with two character salt from the alphabet "./0-9A-Za-z". Using invalid characters in the salt will cause this function to fail.
  • [CRYPT_EXT_DES] - Extended DES-based hash with a nine character salt consisting of an underscore followed by 4 bytes of iteration count and 4 bytes of salt. These are encoded as printable characters, 6 bits per character, least significant character first. The values 0 to 63 are encoded as "./0-9A-Za-z". Using invalid characters in the salt will cause the function to fail.
  • [CRYPT_MD5] - MD5 hashing with a 12 character salt starting with $1$
  • [CRYPT_BLOWFISH] - Blowfish hashing with a salt starting with $2a$, $2x$, or $2y$, a two digit cost parameters "$", and 22 characters from the alphabet "./0-9A-Za-z". Using characters outside of the alphabet will cause this function to return a zero-length string. The "$" parameter is the base-2 logarithm of the iteration count for the underlying Blowfish-bashed hashing algorithmeter and must be in range 04-31. Values outside this range will cause the function to fail.
  • [CRYPT_SHA_256] - SHA-256 hash with a 16 character salt starting with $5$. If the salt string starts with "rounds=<N>$", the numeric value of N is used to indicate how many times the hashing loop should be executed, much like the cost parameter on Blowfish. The default number of rounds is 5000, there is a minimum of 1000 and a maximum of 999,999,999. Any selection of N outside this range will be truncated to the nearest limit.
  • [CRYPT_SHA_512] - SHA-512 hash with a 16 character salt starting with $6$. If the salt string starts with "rounds=<N>$", the numeric value of N is used to indicate how many times the hashing loop should be executed, much like the cost parameter on Blowfish. The default number of rounds is 5000, there is a minimum of 1000 and a maximum of 999,999,999. Any selection of N outside this range will be truncated to the nearest limit.

On systems where this function supports multiple algorithms, the constants above are set to "1" if supported and "0" otherwise.

Note: There is no decrypt function. The crypt() function uses a one-way algorithm.


Syntax

crypt(str,salt)

Parameter Values

Parameter Description
str Required. Specifies the string to be hashed
salt Optional. A salt string to base the hashing on


Technical Details

Return Value: Returns the encoded string or a string that is shorter than 13 characters and is guaranteed to differ from the salt on failure
PHP Version: 4+
Changelog: PHP 5.6.0 - Shows a E_NOTICE security warning if salt is omitted.
PHP 5.3.7 - Added $2x$ and $2y$ Blowfish modes.
PHP 5.3.2 - Added SHA-256 and SHA-512. Fixed Blowfish behavior on invalid rounds returns "failure" string ("*0" or "*1"), instead of falling back to DES.
PHP 5.3.0 - PHP now contains its own implementation for MD5 crypt, Standard DES, Extended DES and the Blowfish algorithms and will use that if the system lacks of support for one or more of the algorithms.

More Examples

Example

In this example we will test the different algorithms:

<?php
// 2 character salt
if (CRYPT_STD_DES == 1)
{
echo "Standard DES: ".crypt('something','st')."\n<br>";
}
else
{
echo "Standard DES not supported.\n<br>";
}

// 4 character salt
if (CRYPT_EXT_DES == 1)
{
echo "Extended DES: ".crypt('something','_S4..some')."\n<br>";
}
else
{
echo "Extended DES not supported.\n<br>";
}

// 12 character salt starting with $1$
if (CRYPT_MD5 == 1)
{
echo "MD5: ".crypt('something','$1$somethin$')."\n<br>";
}
else
{
echo "MD5 not supported.\n<br>";
}

// Salt starting with $2a$. The two digit cost parameter: 09. 22 characters
if (CRYPT_BLOWFISH == 1)
{
echo "Blowfish: ".crypt('something','$2a$09$anexamplestringforsalt$')."\n<br>";
}
else
{
echo "Blowfish DES not supported.\n<br>";
}

// 16 character salt starting with $5$. The default number of rounds is 5000.
if (CRYPT_SHA256 == 1)
{
echo "SHA-256: ".crypt('something','$5$rounds=5000$anexamplestringforsalt$')."\n<br>"; }
else
{
echo "SHA-256 not supported.\n<br>";
}

// 16 character salt starting with $6$. The default number of rounds is 5000.
if (CRYPT_SHA512 == 1)
{
echo "SHA-512: ".crypt('something','$6$rounds=5000$anexamplestringforsalt$');
}
else
{
echo "SHA-512 not supported.";
}
?>

The output of the code above could be (depending on the operating system):

Standard DES: stqAdD7zlbByI
Extended DES: _S4..someQXidlBpTUu6
MD5: $1$somethin$4NZKrUlY6r7K7.rdEOZ0w.
Blowfish: $2a$09$anexamplestringforsaleLouKejcjRlExmf1671qw3Khl49R3dfu
SHA-256: $5$rounds=5000$anexamplestringf$KIrctqsxo2wrPg5Ag/hs4jTi4PmoNKQUGWFXlVy9vu9
SHA-512: $6$rounds=5000$anexamplestringf$Oo0skOAdUFXkQxJpwzO05wgRHG0dhuaPBaOU/
oNbGpCEKlf/7oVM5wn6AN0w2vwUgA0O24oLzGQpp1XKI6LLQ0.


❮ PHP String Reference