当前位置: 文江博客话题详情

尝试了解 PHP 密码盐/加密

发布于 2024-12-08 16:52:43 字数 624 浏览 0 评论 0原文

现在我正在开发一个允许在线注册的应用程序。对于开发来说,密码检查仅检查 MySQL 行以确保该值与输入字段中的值匹配。

此代码检查该行是否存在:

$res = mysql_query("SELECT * FROM `users` WHERE `username` = '".$username."' AND `password` = '".$password."'");
                    $num = mysql_num_rows($res);
                    //check if there was not a match
                    if($num == 0){
                        //if not display error message
                        echo "<center>The <b>Password</b> you supplied does not match the one for that username!</center>";

我对实现盐系统感到困惑。我将如何更改此脚本来检查加密的密码?我还没有找到详细解释这一点的优秀教程。

原文

Right now I am developing an application that will allow online registration. For development, the password check just checks a MySQL row to make sure the value matches the value in the input field.

This code checks to see that the row exists:

$res = mysql_query("SELECT * FROM `users` WHERE `username` = '".$username."' AND `password` = '".$password."'");
                    $num = mysql_num_rows($res);
                    //check if there was not a match
                    if($num == 0){
                        //if not display error message
                        echo "<center>The <b>Password</b> you supplied does not match the one for that username!</center>";

I'm confused about implementing a salt system. How would I alter this script to check for the encrypted password? I haven't found a great tutorial that explains this in detail.

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(2

燃情 2024-12-15 16:52:43

盐是在加密和解密之前添加到密码开头或结尾的一组字符,以使其更难以运行暴力攻击。

您首先创建盐,它只是一系列随机的固定字符,然后将其添加到密码之前,然后对其进行哈希处理。您还应该在将数据放入查询之前对其进行转义,以防止 MySQL 注入攻击。

将通行证输入数据库时​​执行此操作

$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['pass']);
$pass_hash = md5($SALT.$password);
mysql_query(*query to insert $username and $pass_hash into db*)

检查密码是否正确

$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['pass']);
$res = mysql_query(*query to extract $pass_hash from db where username==$username)
//get the password from the $res and put it in a var
if(md5($SALT.$pass_hash_from_db) == $password){*correct pass*} else {*invalid login*}

将 $SALT 设置为一些大型随机静态字符串,例如 $SALT="WEHGFHAWEOIfjo;cewrxq#$%";

A salt is a set of characters added to the beginning or end of the password before encryption and unencryption to make it harder to run a brute force attack.

Your first create the salt which is just a random fixed series of characters and then prepend it to the password before hashing it. You should also escape your data before putting it into the query to prevent MySQL injection attacks.

Do this when entering the pass into the database

$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['pass']);
$pass_hash = md5($SALT.$password);
mysql_query(*query to insert $username and $pass_hash into db*)

To check if the password is correct

$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['pass']);
$res = mysql_query(*query to extract $pass_hash from db where username==$username)
//get the password from the $res and put it in a var
if(md5($SALT.$pass_hash_from_db) == $password){*correct pass*} else {*invalid login*}

Set $SALT to some large random static string such as $SALT="WEHGFHAWEOIfjo;cewrxq#$%";

回复 原文
时光清浅 2024-12-15 16:52:43

如果用户注册并将其保存在数据库中,您将必须生成新的盐。

// you save this in the database
$encPass = encFunction( $password.$salt );

当某个用户想要登录时,您检查该密码是否是该用户的密码列。

注:
- encFunction 是你的加密函数

You would have to generate a new salt if the user registers and save it in your database.

// you save this in the database
$encPass = encFunction( $password.$salt );

and when some user wants to logint you check if this password is a the password column of this user.

Note:
- encFunction is your encryption function

回复 原文
~没有更多了~

关于作者

对岸观火

暂无简介

0 文章
0 评论
24 人气
发私信

相关话题

更多

热门标签

操作系统 程序设计 IT运维 Linux系统管理 JavaScript 服务器应用 solaris C/C++ PHP Shell BSD Vue.js aix Oracle Python HTML 系统管理 HTML5 CSS 前端
更多

推荐作者

胡图图

文章 0 评论 0

zt006

文章 0 评论 0

z祗昰~

文章 0 评论 0

冰葑

文章 0 评论 0

野の

文章 0 评论 0

天空

文章 0 评论 0

更多

友情链接

文江博客
    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
    原文