PHP 和 MySQL 中的加盐
我一直在使用 CodeIgniter 为网站开发登录库。验证码如下:
function signin($username, $password)
{
$CI =& get_instance();
$query_auth=$this->db->query('SELECT user_id, banned FROM user WHERE username=? AND password=SHA1(CONCAT(?,salt)) LIMIT 1', array($username, $password));
if($query_auth->num_rows()!=1)
return 2;
else
{
if($query_init->row()->banned==1)
return 3;
else
{
$CI->load->library('session');
$this->session->set_userdata('gauid', $query_auth->row()->user_id);
return 1;
}
}
}
返回值表示成功、失败或禁止。每个用户都有一个唯一的盐存储在数据库中。
最初我从数据库中获取盐,用PHP将用户输入的密码和数据库中的盐结合起来,然后用组合值再次查询数据库。我认为这会加快速度,因为只需要访问一次数据库并且代码更少。我还认为它同样安全,但是在阅读了对此问题的最佳回复后 用 PHP 和 MySQL 为我的哈希加盐 ...
首先,您的 DBMS (MySQL) 确实 不需要任何支持 加密哈希值。你可以做所有的事 PHP 方面的内容,那就是 以及你应该做什么。
...我开始怀疑是否存在我忽略发现的安全问题。
这段代码实际上有什么问题吗?
I have been developing a login library for a website using CodeIgniter. The authentication code is as follows:
function signin($username, $password)
{
$CI =& get_instance();
$query_auth=$this->db->query('SELECT user_id, banned FROM user WHERE username=? AND password=SHA1(CONCAT(?,salt)) LIMIT 1', array($username, $password));
if($query_auth->num_rows()!=1)
return 2;
else
{
if($query_init->row()->banned==1)
return 3;
else
{
$CI->load->library('session');
$this->session->set_userdata('gauid', $query_auth->row()->user_id);
return 1;
}
}
}
The return values signifying success, failure or banned. Each user has a unique salt stored in the database.
Originally i grabbed the salt from the database, combined the users inputted password and salt from the database in PHP, then queried the database again with the combined value. I thought that this would speed things up as only one trip to the database is required and there is less code. I also thought that it would be equally secure, however after reading the top reponse to this question
Salting my hashes with PHP and MySQL ...
First of all, your DBMS (MySQL) does
not need to have any support for
cryptographic hashes. You can do all
of that on the PHP side, and that's
also what you should do.
...I started to wonder if there was a security problem i had neglected to spot.
Is there actually anything wrong this code?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
本身并没有什么错。请记住,任何携带未加密/未散列密码的流量都是可疑的。因此,例如,当服务器是远程服务器并且在与该服务器通信时未使用加密时,则又是尝试拦截密码的时刻。另外,如果查询记录在某处(默认情况下,或者因为它们很慢),那么在您经历了不存储明文密码的所有麻烦之后,您将拥有一个纯密码+您在这些服务器日志中使用的盐某处。如果您在自己的代码中私下执行此操作,则不会发生这种情况。
这完全取决于你有多偏执。还有更容易滥用且经常被遗忘的弊端,例如会话固定。
Not anything wrong per se. Keep in mind any traffic carrying the unencrypted/unhashed password is suspect. So, for instance, when the server is a remote one, and not working with encryption in communicating with that server, it is yet another moment to try to intercept a password. Also, if queries are logged somewhere (either by default, or because they're slow), you have a plain password + the salt you're using sitting in those serverlogs, after all the trouble you went through NOT to store a plaintext password somewhere. If you did it privately in your own code, that wouldn't happen.
It all depends on how paranoid you like to be. There are far easier to abuse and often forgotten evils, like session-fixation.