php php5.3.0如何使用sha256
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/1752477/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
How to use sha256 in php5.3.0
提问by SUN Jiangong
I'm using sha256 to encrypt the password. I can save the sha256 encrypted password in mysql. But i can't login with the same clause.
我正在使用 sha256 来加密密码。我可以在mysql中保存sha256加密密码。但我无法使用相同的条款登录。
Insert code:
插入代码:
<?php
error_reporting(E_ALL ^ E_NOTICE);
$username = $_POST['uusername'];
$passcode = $_POST['ppasscode'];
$userflag = $_POST['uuserflag'];
//$passcodeen = hash('sha256',$passcode);
$passcodeen = hash('sha256', (get_magic_quotes_gpc() ? stripslashes($ppasscode) : $ppasscode));
$conn = mysql_connect("localhost","charles","charles") or die("connection failed with DB:".mysql_error());
mysql_select_db("sessiondb");
$query = "INSERT INTO users(username,passcode,userflag) values('$username','$passcodeen','$userflag')";
Select code:
选择代码:
<?php
error_reporting(E_ALL ^ E_NOTICE);
@mysql_connect("localhost","charles","charles") or die("Connection failed".mysql_error());
@mysql_select_db("sessiondb") or die("Database doesn't exist".mysql_error());
//get user input
$username = $_POST['username'];
$ppasscode = $_POST['ppasscode'];
//$passcodeen = hash('sha256', $ppasscode);
$passcodeen = hash('sha256', (get_magic_quotes_gpc() ? stripslashes($ppasscode) : $ppasscode));
//get session value from mysql
$query = @mysql_query("select username, userflag from users where username ='$username' and passcode = '$passcodeen'") or die("Query execution failed".mysql_error());
Is there something wrong? I'm very confused. Thanks.
有什么不对?我很困惑。谢谢。
回答by Jeremy Morgan
Could this be a typo? (two Ps in ppasscode, intended?)
这可能是一个错字吗?(ppasscode 中的两个 P,是有意的吗?)
$_POST['ppasscode'];
I would make sure and do:
我会确保并做到:
print_r($_POST);
and make sure the data is accurate there, and then echo out what it should look like:
并确保那里的数据准确无误,然后回显它应该是什么样子:
echo hash('sha256', $_POST['ppasscode']);
Compare this output to what you have in the database (manually). By doing this you're exploring your possible points of failure:
将此输出与数据库中的内容进行比较(手动)。通过这样做,您正在探索可能的故障点:
- Getting password from form
- hashing the password
- stored password
- comparison of the two.
- 从表单中获取密码
- 散列密码
- 存储密码
- 两者的比较。
回答by Yannick Motton
First of all, sha256 is a hashing algorithm, not a type of encryption. An encryption would require having a way to decrypt the information back to its original value (collisions aside).
首先,sha256 是一种散列算法,而不是一种加密。加密需要有一种方法将信息解密回其原始值(不考虑冲突)。
Looking at your code, it seems it should work if you are providing the correct parameter.
查看您的代码,如果您提供正确的参数,它似乎应该可以工作。
Try using a literal string in your code first, and verify its validity instead of using the
$_POST[]variableTry moving the comparison from the database query to the code (get the hash for the given user and compare to the hash you have just calculated)
首先尝试在代码中使用文字字符串,并验证其有效性而不是使用
$_POST[]变量尝试将比较从数据库查询移动到代码(获取给定用户的哈希值并与您刚刚计算的哈希值进行比较)
But most importantly before deploying this in any kind of public fashion, please remember to sanitize your inputs. Don't allow arbitrary SQL to be insert into the queries. The best idea here would be to use parameterized queries.
但最重要的是,在以任何一种公共方式部署它之前,请记住清理您的输入。不允许将任意 SQL 插入到查询中。这里最好的想法是使用参数化查询。
回答by Edwin M
You should use Adaptive hashing like http://en.wikipedia.org/wiki/Bcryptfor securing passwords
您应该使用像http://en.wikipedia.org/wiki/Bcrypt这样的自适应散列来保护密码
回答by Braian Coronel
The first thing is to make a comparison of functions of SHAand opt for the safest algorithm that supports your programming language (PHP).
首先是对SHA的功能进行比较,并选择支持您的编程语言(PHP)的最安全算法。
Then you can chew the official documentation to implement the hash()function that receives as argument the hashing algorithm you have chosen and the raw password.
然后你可以阅读官方文档来实现hash()接收你选择的哈希算法和原始密码作为参数的函数。
sha256 => 64 bitssha384 => 96 bitssha512 => 128 bits
sha256 => 64 bitssha384 => 96 bitssha512 => 128 bits
The more secure the hashing algorithm is, the higher the cost in terms of hashing and time to recover the original value from the server side.
哈希算法越安全,在哈希和从服务器端恢复原始值的时间方面的成本就越高。
$hashedPassword = hash('sha256', $password);
回答by Luis Ferro
A way better solution is to just use the excelent compatibility script from Anthony Ferrara:
更好的解决方案是使用 Anthony Ferrara 的优秀兼容性脚本:
https://github.com/ircmaxell/password_compat
https://github.com/ircmaxell/password_compat
Please, and also, when checking the password, always add a way (preferibly async, so it doesn't impact the check process for timming attacks) to update the hash if needed.
另外,在检查密码时,请始终添加一种方法(最好是异步的,这样它不会影响定时攻击的检查过程)以在需要时更新哈希。
