首先看下zencart的原代码在includes\functions\password_funcs.php文件中。
////验证密码是否正确:
// This function validates a plain text password with an encrpyted password
function zen_validate_password($plain, $encrypted) {
if (zen_not_null($plain) && zen_not_null($encrypted)) {
// split apart the hash / salt
$stack = explode(':', $encrypted);
if (sizeof($stack) != 2) return false;
if (md5($stack[1] . $plain) == $stack[0]) {
return true;
}
}
return false;
}
////密码加密
// This function makes a new password from a plaintext password.
function zen_encrypt_password($plain) {
$password = '';
for ($i=0; $i<10; $i++) {
$password .= zen_rand();
}
$salt = substr(md5($password), 0, 2);
$password = md5($salt . $plain) . ':' . $salt;
return $password;
}
举个例子:
用户密码是:123456,对应的md5(UFT8 encode)值为 E10ADC3949BA59ABBE56E057F20F883E ,并且,随机数假设为 F2。
那么zencart存到数据库的密码应该为: E10ADC3949BA59ABBE56E057F20F883E:F2
这里需要强调的是,研究PHP zencart的md5函数用的encode是UTF8格式的。
这里列出C#代码的md5加密算法(encode 采用UTF8格式):
/// <summary>
/// Encrypts a string to using MD5 algorithm
/// </summary>
/// <param name="val"></param>
/// <returns>string representation of the MD5 encryption</returns>
public string EncodeToMD5String(string str)
{
// First we need to convert the string into bytes, which
// means using a text encoder.
Encoder enc = System.Text.Encoding.UTF8.GetEncoder();
// Create a buffer large enough to hold the string
byte[] unicodeText = new byte[str.Length];
enc.GetBytes(str.ToCharArray(), 0, str.Length, unicodeText, 0, true);
// Now that we have a byte array we can ask the CSP to hash it
MD5 md5 = new MD5CryptoServiceProvider();
byte[] result = md5.ComputeHash(unicodeText);
// Build the final string by converting each byte
// into hex and appending it to a StringBuilder
StringBuilder sb = new StringBuilder();
for (int i = 0; i < result.Length; i++)
{
sb.Append(result[i].ToString("X2"));//这里输出大写,要是写成x2,则输出小写
}
// And return it
return sb.ToString();
}
像这种MD5+SALT的方法,逻辑都暴露了,安全性也就这样了,增加麻烦罢了。
怎么增加安全性了,大家可以讨论下。