如何使用md5哈希值?
好吧,所以我正在学习 php、html 和 mysql 来学习网站开发(为了好玩)。我仍然不明白的一件事是如何使用 md5 或 sha1 哈希值。我知道如何对纯文本进行哈希处理,但假设我想制作一个登录页面。既然密码是经过哈希处理且无法逆转的,那么mysql如何知道用户插入的密码与数据库中的哈希密码相匹配呢?我的意思是:
$password = md5($_POST['password']);
$query = ("INSERT INTO `users`.`data` (`password`) VALUES ('$password')");
我知道这个脚本片段对密码进行了哈希处理,但是我将如何使用这段代码并制作一个登录页面?任何可行的例子都会很棒。
这是我的脚本:
<?php
session_start();
include("mainmenu.php");
$usrname = mysql_real_escape_string($_POST['usrname']);
$password = md5($_POST['password']);
$con = mysql_connect("localhost", "root", "g00dfor@boy");
if (!$con) {
die(mysql_error()); }
mysql_select_db("users", $con) or die(mysql_error());
$login = "SELECT * FROM `data` WHERE (`usrname` = '$usrname' AND `password` = '$password')";
$result = mysql_query($login);
if (mysql_num_rows($result) == 1) {
$_SESSION['logged_in'] = true;
header('Location: indexlogin.php');
exit;
}
else {
echo "Wrong username or password.";
}
?>
但我仍然收到 else 语句,“用户名或密码错误。有人帮忙!”
Okay, so I'm learning php, html, and mysql to learn website development (for fun). One thing I still don't get is how to use md5 or sha1 hashes. I know how to hash the plain text, but say I want to make a login page. Since the password is hashed and can't be reversed, how would mysql know that the user-inserted password matches the hashed password in the database? Here is what I mean:
$password = md5($_POST['password']);
$query = ("INSERT INTO `users`.`data` (`password`) VALUES ('$password')");
I know that this snippet of script hashes the password, but how would I use this piece of code and make a login page? Any working examples would be great.
Here is my script:
<?php
session_start();
include("mainmenu.php");
$usrname = mysql_real_escape_string($_POST['usrname']);
$password = md5($_POST['password']);
$con = mysql_connect("localhost", "root", "g00dfor@boy");
if (!$con) {
die(mysql_error()); }
mysql_select_db("users", $con) or die(mysql_error());
$login = "SELECT * FROM `data` WHERE (`usrname` = '$usrname' AND `password` = '$password')";
$result = mysql_query($login);
if (mysql_num_rows($result) == 1) {
$_SESSION['logged_in'] = true;
header('Location: indexlogin.php');
exit;
}
else {
echo "Wrong username or password.";
}
?>
But I still get the else statement, "Wrong username or password. Someone help plz!"
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(7)
答案很简单:数据库中有一个散列,因此您需要对用户提供的密码进行散列来比较它们。
因此,当用户尝试登录时,您将获取
$_POST['password']
或其他内容,并创建它的哈希值。然后,您只需在数据库中查询哈希值,SELECT * FROM users WHERE password = 'hashgoeshere'
我还建议您阅读有关密码安全存储的更多信息。例如,这是一个好的开始: 您可能错误地存储了密码 - 编码恐怖
The answer is quite simple: You have a hash in the database, so you need to hash the user-provided password to compare them.
So when the user attempts to log in, you take the
$_POST['password']
or whatever, and create a hash of it. Then, you simply query the database for the hash,SELECT * FROM users WHERE password = 'hashgoeshere'
I would also recommend you read more about secure storage of passwords. For example this is a good start: You're probably storing passwords incorrectly - Coding Horror
请使用 SHA1/256。 MD5 不再具有加密安全性,并且不鼓励将其用于加密(对于文件哈希等来说没问题)。
我不会发布代码,而是解释该技术:
首先,在注册时,获取密码的 SHA1/256 哈希值并将其存储在数据库中。下次用户登录时,您将获取他/她再次输入的密码的 SHA1/256 哈希值,并将其与数据库中存储的哈希值进行匹配。这是有效的,因为密码的 SHA1 哈希对于该密码来说是半唯一的(重复的可能性很小)。
Please use SHA1/256. MD5 is not cryptographically secure anymore and it's discouraged to use it for cryptography (it's fine for file hashes ETC).
I'm not posting code, but explaining the technique:
First, on the registration, take the SHA1/256 hash of the password and store it in the database. The next time the user logs in you take the SHA1/256 hash of the password he/she entered again and match it against the hash stored in your database. This works because the SHA1 hash for the password is semi-unique (the chances for duplicates are small) for that password.
与其插入 SQL 数据库,不如将一些查询分配给变量并根据用户给出的 md5 检查它
well instead of inserting into the SQL database, assign some query into a variable and check it against the md5 given by the user
当用户尝试使用其密码登录时,您将获取他们输入的 md5 并将其与已存储在数据库中的内容进行比较。如果匹配,您就知道他们输入了正确的密码。
When the user tries to login using their password, you take the md5 of what they enter and compare it with what you've already stored in the database. If it matches, you know they entered the right password.
它对密码进行哈希处理,因此不会以明文形式保存
例如 mylongpassword 变为 9a995d3f6a3d69c1a9b4344bed4f2c87
首先使用数据库选择散列密码
然后应首先在 PHP 中对 ($_POST['password']) 中的密码进行散列,然后与数据库中存储的值进行比较
It hashes the password so it is not save in clear text
e.g mylongpassword becomes 9a995d3f6a3d69c1a9b4344bed4f2c87
Select the hashed password using the db First
Then password from the ($_POST['password']) should be hashed first in PHP then compared to the valued stored in the DB
已编辑
你的代码看起来没问题。
检查数据库中的密码字段是否至少有 32 个字符。
如果您使用 phpMyAdmin,请尝试在 phpMyAdmin 中执行此查询(将变量更改为真实字符串)。
Edited
Your code seems okay.
Check if your password field in the database is at least 32 characters.
And try to execute this query (changing variables to real string) in phpMyAdmin if you use one.
你也有一个重大的加密问题。
问题在于,所有具有相同密码的人都将拥有相同的哈希值,因此,如果(何时?)有人闯入您的网站,他们会运行一次字典攻击,然后将攻击中的哈希值与数据库中的哈希值进行比较。结果,他们破坏了您网站上的每一个帐户,而花费的成本与破坏一个帐户的成本基本相同。
至少,你应该给它加盐,像这样:
但即使这样也有令人惊讶的弱点,所以最好将它散列两次,也许像这样:
当然,最好的方法是使用由了解的人编写的东西关于正确进行加密的内容比我多得多:)
(请记住,身份验证系统中的不良性能是一个功能。)
You have a major crypto problem, too.
The problem there is that all the people with identical passwords will have identical hashes, so if (when?) someone breaks into your site, they run one dictionary attack, and then compare the hashes from the attack to the hashes from your DB. As a result, they break every single account on your site for essentially the same cost as breaking one.
At a very minimum, you should salt it, something like this:
But even that has surprising weaknesses, so it's better to hash it twice, maybe like this:
Of course, the best way of all is to use something written by someone who knows far more about doing crypto properly than I do :)
(And remember that bad perf in your authentication system is a feature.)