使用哈希密码进行单元测试
现在我正在使用 Zend Framework 并使用它和 phpunit。这是我的困境。
当我创建用户时,我会在用户表中散列密码。我添加了两种盐,一种是应用程序中的静态盐,另一种是随机生成的。我使用数据库 SHA 函数,然后使用 UNHEX 将密码存储在二进制列中。为了告诉数据库如何对密码进行哈希处理,我使用 Zend_Db_Expr,如下所示:
protected function _createPasswordDbExpression( $password )
{
$quoted = $this->getDbTable()->getAdapter()->quoteInto( 'UNHEX( SHA1( ? ) )', $password );
$binaryPassword = new Zend_Db_Expr( $quoted );
return $binaryPassword;
}
到目前为止,我一直在使用 xml 数据集来指定预期结果,但现在,使用哈希密码,我不知道该怎么做。
我看到了一个解决方案,但必须有更好的方法。
我可以预先哈希一个或多个密码,并且仅在测试期间和 xml 文件中使用它。
还有其他可能更好且更可测试的解决方案吗?
我不知道当 phpunit 尝试直接插入“散列”密码时,这个二进制列会如何影响事物。
Right now I'm using the Zend Framework and messing around with that and phpunit. Here is my dilemma.
When I create a user I hash the password in the user table. I add two salts, a static one from the application and one that is randomly generated. I use the database SHA function and then UNHEX that to store the password in a binary column. In order to tell the database how to hash the password I use a Zend_Db_Expr like so :
protected function _createPasswordDbExpression( $password )
{
$quoted = $this->getDbTable()->getAdapter()->quoteInto( 'UNHEX( SHA1( ? ) )', $password );
$binaryPassword = new Zend_Db_Expr( $quoted );
return $binaryPassword;
}
Up till now I've been using xml datasets to specify the expected results but now, with the hashed passwords, I don't know what to do.
I see a solution to this but there has to be a better way.
I could prehash a password, or passwords, and only use that during my testing and in my xml files.
Is there any other solution that might be better and more testable?
I don't know exactly how this binary column would affect things when phpunit tries to insert a "hashed" password directly.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
首先,永远不要这样做。任何有权访问数据库查询历史记录的人都可以看到原始密码(它们将存储在二进制日志中)。相反,请在应用程序中对它们进行哈希处理,以便销毁原始密码。通过这样做,您的数据库功能就变成了一个价值存储,而不是需要单元测试的东西。
一旦您将其设为 PHP 函数,单元测试就变得很简单(只需使用标准 测试向量以确保其正确散列。
但是,我强烈建议使用盐和派生函数来存储密码您可以在此答案中了解原因。至于确切的算法,我建议实施 PBKDF2。如果您愿意,您可以对 PHP 实现进行逆向工程 这里(该库尚未准备好生产,但该算法已经准备好)。
最后,我建议使用其中一种 SHA2 算法而不是 SHA1(SHA256 或 SHA512 应该足够了)。 。它更耐碰撞,并且往往被视为更坚固......
First off, never do that. Anyone with access to the database query history can see the raw passwords (they will be stored in the binary logs). Instead, hash them in the application so that the raw passwords are destroyed. By doing that, your database functionality just becomes a value store rather than something that needs unit testing.
Once you make it a PHP function, it's trivial to unit test (simply use any one of the number of the standard test vectors to ensure it was hashed correctly.
However, I would highly suggest using a salt and a derivation function for storing the password securely. You can see why in this answer. And as far as the exact algorithm, I'd suggest implementing PBKDF2. I have a PHP implementation that you could reverse engineer if you'd like here (the library is not production ready yet, but that algorithm is).
Finally, I'd suggest using one of the SHA2 algorithms instead of SHA1 (either SHA256 or SHA512 should suffice well). It's more collision resistant, and tends to be seen as being significantly stronger...