php5.3.0中如何使用sha256
我使用 sha256 来加密密码。我可以将sha256加密的密码保存在mysql中。但我无法使用相同的条款登录。
插入代码:
<?php
error_reporting(E_ALL ^ E_NOTICE);
$username = $_POST['uusername'];
$passcode = $_POST['ppasscode'];
$userflag = $_POST['uuserflag'];
//$passcodeen = hash('sha256',$passcode);
$passcodeen = hash('sha256', (get_magic_quotes_gpc() ? stripslashes($ppasscode) : $ppasscode));
$conn = mysql_connect("localhost","charles","charles") or die("connection failed with DB:".mysql_error());
mysql_select_db("sessiondb");
$query = "INSERT INTO users(username,passcode,userflag) values('$username','$passcodeen','$userflag')";
选择代码:
<?php
error_reporting(E_ALL ^ E_NOTICE);
@mysql_connect("localhost","charles","charles") or die("Connection failed".mysql_error());
@mysql_select_db("sessiondb") or die("Database doesn't exist".mysql_error());
//get user input
$username = $_POST['username'];
$ppasscode = $_POST['ppasscode'];
//$passcodeen = hash('sha256', $ppasscode);
$passcodeen = hash('sha256', (get_magic_quotes_gpc() ? stripslashes($ppasscode) : $ppasscode));
//get session value from mysql
$query = @mysql_query("select username, userflag from users where username ='$username' and passcode = '$passcodeen'") or die("Query execution failed".mysql_error());
有问题吗?我很困惑。谢谢。
I'm using sha256 to encrypt the password. I can save the sha256 encrypted password in mysql. But i can't login with the same clause.
Insert code:
<?php
error_reporting(E_ALL ^ E_NOTICE);
$username = $_POST['uusername'];
$passcode = $_POST['ppasscode'];
$userflag = $_POST['uuserflag'];
//$passcodeen = hash('sha256',$passcode);
$passcodeen = hash('sha256', (get_magic_quotes_gpc() ? stripslashes($ppasscode) : $ppasscode));
$conn = mysql_connect("localhost","charles","charles") or die("connection failed with DB:".mysql_error());
mysql_select_db("sessiondb");
$query = "INSERT INTO users(username,passcode,userflag) values('$username','$passcodeen','$userflag')";
Select code:
<?php
error_reporting(E_ALL ^ E_NOTICE);
@mysql_connect("localhost","charles","charles") or die("Connection failed".mysql_error());
@mysql_select_db("sessiondb") or die("Database doesn't exist".mysql_error());
//get user input
$username = $_POST['username'];
$ppasscode = $_POST['ppasscode'];
//$passcodeen = hash('sha256', $ppasscode);
$passcodeen = hash('sha256', (get_magic_quotes_gpc() ? stripslashes($ppasscode) : $ppasscode));
//get session value from mysql
$query = @mysql_query("select username, userflag from users where username ='$username' and passcode = '$passcodeen'") or die("Query execution failed".mysql_error());
Is there something wrong? I'm very confused. Thanks.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(5)
这可能是一个错字吗? (ppasscode 中的两个 P,是有意的吗?)
我会确保并执行:
并确保数据准确,然后回显它应该是什么样子:
将此输出与数据库中的内容进行比较(手动)。通过这样做,您正在探索可能的失败点:
Could this be a typo? (two Ps in ppasscode, intended?)
I would make sure and do:
and make sure the data is accurate there, and then echo out what it should look like:
Compare this output to what you have in the database (manually). By doing this you're exploring your possible points of failure:
首先,sha256是一种哈希算法,而不是一种加密类型。加密需要有一种方法将信息解密回其原始值(不考虑冲突)。
查看您的代码,如果您提供正确的参数,它似乎应该可以工作。
首先尝试在代码中使用文字字符串,并验证其有效性,而不是使用
$_POST[]变量尝试将比较从数据库查询转移到代码(获取给定用户的哈希值并与您刚刚计算的哈希值进行比较)< /p>
但最重要的是,在以任何类型的公共方式部署此之前,请记住清理您的输入。不允许将任意 SQL 插入到查询中。这里最好的想法是使用参数化查询。
First of all, sha256 is a hashing algorithm, not a type of encryption. An encryption would require having a way to decrypt the information back to its original value (collisions aside).
Looking at your code, it seems it should work if you are providing the correct parameter.
Try using a literal string in your code first, and verify its validity instead of using the
$_POST[]variableTry moving the comparison from the database query to the code (get the hash for the given user and compare to the hash you have just calculated)
But most importantly before deploying this in any kind of public fashion, please remember to sanitize your inputs. Don't allow arbitrary SQL to be insert into the queries. The best idea here would be to use parameterized queries.
首先是SHA功能比较并选择最安全的算法支持您的编程语言 (PHP)。
然后你可以仔细阅读官方文档来实现
hash()函数,接收您选择的哈希算法和原始密码作为参数。sha256 => sha256 => 64位
sha384 => sha384 => 96位
sha512 => sha512 => 128 位
哈希算法越安全,从服务器端恢复原始值的哈希成本和时间成本就越高。
The first thing is to make a comparison of functions of SHA and opt for the safest algorithm that supports your programming language (PHP).
Then you can chew the official documentation to implement the
hash()function that receives as argument the hashing algorithm you have chosen and the raw password.sha256 => 64 bitssha384 => 96 bitssha512 => 128 bitsThe more secure the hashing algorithm is, the higher the cost in terms of hashing and time to recover the original value from the server side.
您应该使用自适应哈希,例如 http://en.wikipedia.org/wiki/Bcrypt 来确保安全密码
You should use Adaptive hashing like http://en.wikipedia.org/wiki/Bcrypt for securing passwords
更好的解决方案是使用 Anthony Ferrara 提供的出色的兼容性脚本:
https://github.com/ircmaxell/ password_compat
请注意,在检查密码时,请始终添加一种方法(最好是异步的,这样就不会影响计时攻击的检查过程)来更新哈希(如果需要)。
A way better solution is to just use the excelent compatibility script from Anthony Ferrara:
https://github.com/ircmaxell/password_compat
Please, and also, when checking the password, always add a way (preferibly async, so it doesn't impact the check process for timming attacks) to update the hash if needed.