php 如何加密插入到 MySQL 表中的密码?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/17797211/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
How to encrypt a password that is inserted into a MySQL table?
提问by Trevor Zucker
I have some code to register that works, but I don't know how to hash the password. I want to use sha512.
我有一些代码可以注册,但我不知道如何散列密码。我想使用sha512。
$con=mysqli_connect("localhost","root","","users");
// Check connection
if (mysqli_connect_errno())
{
echo "Failed to connect to MySQL: " . mysqli_connect_error();
}
$sql="INSERT INTO users (username, password, email)
VALUES
('$_POST[username]','$_POST[password]','$_POST[email]')";
if (!mysqli_query($con,$sql))
{
die('Error: ' . mysqli_error($con));
}
echo "Thank you.";
mysqli_close($con);
I am aware of my mysql login having no password. This is a local mysql server just used for tests.
我知道我的 mysql 登录没有密码。这是一个仅用于测试的本地 mysql 服务器。
回答by George Cummins
You can use the hash()
function to hash your password:
您可以使用该hash()
函数来散列您的密码:
$hashed_password = hash('sha512', $_POST['password']);
Then modify your insert statement to insert your hashed password into the database:
然后修改您的插入语句以将您的哈希密码插入数据库:
INSERT INTO users (username, password, email)
VALUES ('$_POST[username]', '$hashed_password', '$_POST[email]');
Be aware that your SQL statement is vulnerable to SQL injection since you are using unsanitized user input. For improved security and to protect the integrity of your data, please consider escaping and validating the input before using it in an SQL statement. One way to accomplish this is via mysqli_real_escape_string()
:
请注意,您的 SQL 语句容易受到 SQL 注入的影响,因为您使用的是未经处理的用户输入。为了提高安全性并保护数据的完整性,请考虑在 SQL 语句中使用输入之前对其进行转义和验证。实现此目的的一种方法是通过mysqli_real_escape_string()
:
$escaped_username = mysqli_real_escape_string( $con, $_POST['username'] );
$escaped_email = mysqli_real_escape_string( $con, $_POST['email'] );
回答by Oleksi
There are a lot of problems with what you're doing here.
你在这里做的事情有很多问题。
First, you are vulnerable to SQL injections because you are not sanitizing your inputs in the SQL.
首先,您很容易受到 SQL 注入的影响,因为您没有清理 SQL 中的输入。
Second, you should avoid using a fast hash like SHA512 for this. It's not considered secure anymore. Take a look at this question. You basically want to use an adaptive hash function like bcrypt.
其次,您应该避免为此使用像 SHA512 这样的快速哈希。它不再被认为是安全的。看看这个问题。您基本上想使用像 bcrypt 这样的自适应哈希函数。
回答by Markus Hofmann
Here's an example of how to hash the password:
以下是如何散列密码的示例:
<?php
$password = hash('sha512', $_POST[password]);
I recommend salting the password. Read more about this here:
http://www.aspheute.com/english/20040105.asp
我建议对密码加盐。在此处阅读更多相关信息:http:
//www.aspeute.com/english/20040105.asp
Also read about "mysqli_real_escape_string"
另请阅读“ mysqli_real_escape_string”
…and Prepared Statements.
...和准备好的报表。
回答by tlenss
Sanitize your input data first.
$password = filter_input(INPUT_POST, 'password', FILTER_SANITIZE_STRING);
首先清理您的输入数据。$password = filter_input(INPUT_POST, 'password', FILTER_SANITIZE_STRING);
Hash your password string
散列您的密码字符串
$hashedPassword = hash('sha512', $password);
A better way to hash the password would be to use the new password hash API
散列密码的更好方法是使用新密码散列 API
$hashedPassword = password_hash($password, PASSWORD_DEFAULT);
回答by Becs Carter
Please escape your data before entering into your database. They are open to attacks.
在进入您的数据库之前,请转义您的数据。他们对攻击持开放态度。
hash('sha512', $_POST['password']);