Encrypt a password before storing it in the database?

Posted 2024-09-28 12:16:09, 231 characters, 1 view, 0 comments


I have a password being passed from my iPhone app to the database via a php script, user.php.

The variable $pass is populated by the following:

$pass = str_replace("'", "", $_REQUEST['pass']);

How can I encrypt this before it's inserted into my database? I've read a little about the different techniques, but looking for the best way to manage this.

Thanks to everyone.


Comments (7)

你曾走过我的故事 2024-10-05 12:16:09


While the answer below is technically still correct, php has new recommendations with regards to the hashing algorithms to use. Their recommendation, as of php >= 5.5.0, is to use the password_hash and password_verify functions to hash and verify hashed passwords. As an added benefit, these functions automatically include an individualized salt as part of the returned hash, so you don't need to worry about that explicitly.


If you don't care about retrieving the actual password's value (from the database encrypted value), you can run a one-way hash algorithm on it (such as sha1). This function will return a specific length string (hash) which cannot be used to find the original string (theoretically). It is possible that two different strings could create the same hash (called a collision) but this shouldn't be a problem with passwords.
Example:

$pass = sha1($_REQUEST['pass']);

One thing to make it a little more secure is to add a salt to the hash and run the hash function again. This makes it more difficult to generate a password hash maliciously, since the salt value is handled server-side only.
Example:

$pass = sha1(sha1($_REQUEST['pass']).sha1("mySalt@$#(%"));
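Added example (not code from the question or from any answer on this page) of the password_hash/password_verify approach the note above recommends, including an upgrade path for accounts that still hold a plain sha1() hash; the row layout and the $persist callback are assumptions for the demo.

```php
<?php
// Added example (not from the question or any answer on this page): store a
// password with password_hash(), check it with password_verify(), and migrate
// a legacy unsalted sha1() hash on the next successful login.
// The row layout and the $persist callback are assumptions for this demo.
declare(strict_types=1);

function hashForStorage(string $plain): string
{
    // PASSWORD_DEFAULT is bcrypt; a random per-user salt, the algorithm and the
    // cost are all encoded in the returned string, so nothing else is stored.
    return password_hash($plain, PASSWORD_DEFAULT, ['cost' => 12]);
}

// $row: the user's record, with 'pass' (current hash, may be null) and
// 'legacy_sha1' (set only for accounts still on plain sha1()).
// $persist: callback that writes a replacement hash back to the database.
function checkLogin(array $row, string $plain, callable $persist): bool
{
    if (!empty($row['legacy_sha1'])) {
        // Compare the old hash in constant time, then upgrade it in place.
        if (!hash_equals($row['legacy_sha1'], sha1($plain))) {
            return false;
        }
        $persist(hashForStorage($plain));
        return true;
    }
    if ($row['pass'] === null || !password_verify($plain, $row['pass'])) {
        return false;
    }
    // Re-hash when the stored hash predates the current algorithm/cost policy.
    if (password_needs_rehash($row['pass'], PASSWORD_DEFAULT, ['cost' => 12])) {
        $persist(hashForStorage($plain));
    }
    return true;
}

// Constructed usage with an in-memory row standing in for the database:
// a wrong password leaves the sha1 hash untouched, a correct one migrates it.
$row = ['pass' => null, 'legacy_sha1' => sha1('correct horse battery staple')];
$persist = function (string $newHash) use (&$row): void {
    $row['pass'] = $newHash;
    $row['legacy_sha1'] = null;
};
var_dump(checkLogin($row, 'wrong password', $persist));
var_dump(checkLogin($row, 'correct horse battery staple', $persist));
var_dump(strpos((string) $row['pass'], '$2y$') === 0); // bcrypt-format hash stored
```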

面犯桃花 2024-10-05 12:16:09


Use php's crypt library. Md5 is not encryption, it is hashing.

Also, salt your passwords. Why?

悟红尘 2024-10-05 12:16:09


First, you should create a random user salt. Then you should store that and the password hash in the database.

$salt = md5(uniqid().mt_rand().microtime());
$pass = sha1($salt.$_REQUEST['pass']);

and save the $salt and $pass in the database. Then when they go to login you look up their row and check the hash:

$user = query('SELECT * FROM `user` WHERE username = ?', array($_REQUEST['username']));

if($user)
{
    // If the password they give matches
    if($user->pass === sha1($user->salt. $_REQUEST['pass']))
    {
        // login
    }
    else
    {
        // bad password
    }
}
else
{
    // user not found
}

Creating a user salt for each account ensures rainbow tables are useless, and anyone who broke into your server would have to brute-force each password.

想挽留 2024-10-05 12:16:09


Use crypt with some salt. Such as

$user = strip_tags(substr($_REQUEST['user'],0,32));
$plain_pw = strip_tags(substr($_REQUEST['pass'],0,32));

$password = crypt(md5($plain_pw),md5($user));

as on http://www.ibm.com/developerworks/opensource/library/os-php-encrypt/

月光色 2024-10-05 12:16:09


Most basic: Hash it with MD5 or SHA1

$newpass = md5($_REQUEST['pass']);

or

$newpass = sha1($_REQUEST['pass']);

Recently I started storing the username hashed as well, so login attempts are secure using only hashed data for comparisons.

You can "salt" the hashes with extra data so if they are compromised, its value cannot be found (try googling some simple hashed words), i.e. use a site-wide string just to alter the standard hash like md5("mySiteSalt!!" . $_REQUEST['pass']); or something more advanced.

浅紫色的梦幻 2024-10-05 12:16:09


You should use SHA1 to hash your passwords for storage in the database. It's the simplest, yet most effective way to store passwords:

$password = sha1($password);

It's also exceptionally safe. Though the integrity of it is beginning to creep, it's rather easy to upgrade this function to SHA-256 (which is incredibly secure).

尝蛊 2024-10-05 12:16:09


To find out why md5, sha1 and their speedy friends might not be a good idea, you should read the post Enough With The Rainbow Tables: What You Need To Know About Secure Password Schemes by Thomas Ptacek. The gist:

Finally, we learned that if we want to store passwords securely we have three reasonable options: PHK's MD5 scheme, Provos-Maziere's Bcrypt scheme, and SRP. We learned that the correct choice is Bcrypt.

Note: it's PHK, not php.
