How to select hashed values from a PostgreSQL database using pgcrypto and Python
I am using the pgcrypto extension in Postgresql to encrypt and salt the storage of user passwords in a database and I am having trouble retrieving them.
Specifically, the insert statement for a user looks like this:
INSERT INTO Users (username, password) VALUES ('test1', crypt('Password1234', gen_salt('bf', 8)));
This works fine; however, when I try to retrieve from the database, this query:
SELECT username, password FROM Users WHERE username = 'test1' AND password = crypt('Password1234', gen_salt('bf', 8));
returns no results, the query does not fail, just no results.
Currently, I am not using Python to interact with the database (I will be in the future); I am just using psql in the terminal. I know something is wrong with this query but I am not sure what and how to fix it. Is there some other way that this should be structured, or what am I doing wrong? Thanks for any help!
Comments (1)
You are re-salting the password with a new salt, which of course leads to a different answer than before. That is the whole point of salting.
You need to reuse the first salt in the new hashing, which you do by feeding the password hash in place of gen_salt(...). (The stored hashed password has the salt embedded within it, and crypt knows how to extract and reuse it.)
But, why are you selecting "password"? Once you have verified that it hashes correctly, what further use is there in seeing it?
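The verification pattern described in the comment above, as an added example that is not part of the original question or comment. It assumes the same Users table (username, password) and the bcrypt hash written by the INSERT in the question.

```sql
-- Demonstrating why the original lookup fails: two calls with fresh salts
-- give two different hashes for the same password, so equality can never hold.
SELECT crypt('Password1234', gen_salt('bf', 8)) AS hash_a,
       crypt('Password1234', gen_salt('bf', 8)) AS hash_b;
-- hash_a <> hash_b, because the leading "$2a$08$<22 chars>" salt differs each time.

-- Correct login check: pass the STORED hash as the second argument. crypt()
-- reads the algorithm, cost and salt out of that prefix and re-derives the hash,
-- so the comparison succeeds only for the right password.
SELECT username
FROM Users
WHERE username = 'test1'
  AND password = crypt('Password1234', password);

-- Same check as a boolean, without ever returning the hash to the caller.
-- The stored hash is never sent to the client this way.
SELECT (password = crypt('Password1234', password)) AS password_ok
FROM Users
WHERE username = 'test1';

-- What a caller should NOT do: SELECT the password column. Verifying is enough;
-- the application never needs the hash itself.

-- Note for the later Python client: replace the literal 'Password1234' with a
-- bind parameter (for example %s in psycopg) rather than interpolating the
-- user-supplied string into the SQL text.
```

Both queries above return the same row only when the candidate password re-hashes to the stored value; a wrong password yields no row (first form) or false (second form).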