php 在登录页面上使用 MD5
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/18072466/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Using MD5 on login page
提问by user2655462
<?php
include("connect.php");
session_start();
if ($_SERVER["REQUEST_METHOD"] == "POST") {
// Username and password sent from form in HTML
$myusername = $_POST['username'];
$mypassword = $_POST['password'];
$sql = "SELECT id FROM users WHERE username='$myusername' and password='$mypassword'";
$result = mysql_query($sql);
$row = mysql_fetch_array($result);
$active = $row['active'];
$count = mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row
if ($count == 1) {
session_register("myusername");
$_SESSION['login_user'] = $myusername;
header("location: welcome.php");
} else {
$error = "Your username or password is invalid";
}
}
?>
This is my current login code. On my registration page, I have it so that when it injects into the database, it injects the passwords already encrypted in MD5. However, I cannot seem to convert:
这是我当前的登录代码。在我的注册页面上,我有它,以便当它注入数据库时,它会注入已经在 MD5 中加密的密码。但是,我似乎无法转换:
$mypassword=$_POST['password'];
Into MD5 to confirm to see if the password exists in the database. With this code, the passwords must not be encrypted. What should I change to make it so that it checks with the database encrypted?
进入MD5确认,查看密码是否存在于数据库中。使用此代码,不得对密码进行加密。我应该更改什么以使其与加密的数据库一起检查?
回答by Nerius
Simply wrap $_POST['password']into md5()like so:
简单地包装$_POST['password']成md5()这样:
$mypassword = md5 ($_POST['password']);
Needless to say, you have a number of other problems, like feeding the database an unescaped username, and hashing passwords without a salt, not to mention using md5()in the first place; use the built-in crypt(), pbkdf2, bcrypt or scrypt function for that, or any other key derivation function, preferably one that uses an up to date hash method and a large count (number of iterations). PHP 5.5 also introduced a simplified pasword hashing API, which you can look into here. For even more PHP hashing-related tips, see here.
不用说,您还有许多其他问题,例如为数据库提供未转义的用户名,以及不加盐的散列密码,更不用说md5()首先使用了;crypt()为此使用内置的pbkdf2、bcrypt 或 scrypt 函数,或任何其他密钥派生函数,最好使用最新的散列方法和大量计数(迭代次数)。PHP 5.5 还引入了一个简化的密码散列 API,您可以在此处查看。有关更多 PHP 散列相关的提示,请参见此处。
Overall, as a developer, you can not live without giving this fascinating posta thorough read. Skip to the tl;dr at the bottom if you can't be bothered (and are okay with killing kittens).
总的来说,作为一名开发人员,你不能不仔细阅读这篇引人入胜的文章。如果您不介意(并且可以杀死小猫),请跳到底部的 tl; dr。
回答by garrettmurray
PHP recommends you not use MD5 to hash passwords: http://www.php.net/manual/en/faq.passwords.php#faq.passwords.fasthash
PHP 建议您不要使用 MD5 来散列密码:http: //www.php.net/manual/en/faq.passwords.php#faq.passwords.fasthash
To answer your question directly, however, you can md5 a string using md5(). Example:
但是,要直接回答您的问题,您可以使用 md5() 对字符串进行 md5。例子:
$mypassword = md5($_POST['password']);
And you can compare it later using the same thing:
您可以稍后使用相同的东西进行比较:
"SELECT... WHERE password = '".md5(mysqli_real_escape_string($someValue))."'"
回答by Christian Mark
Traditionally you can put it like this:
传统上你可以这样写:
$myPassword = md5(mysqli_real_escape_string($_POST['password']));
But since there are proven vulnerabilities in MD5 hash, you can use other hash algorithm in here. Ideally, you can use SHA-512 like this:
但是由于MD5 散列中存在已证明的漏洞,因此您可以在此处使用其他散列算法。理想情况下,您可以像这样使用 SHA-512:
$myPassword = hash('sha512',mysqli_real_escape_string($_POST['password']));
Take note that mysqli_real_escape_stringis also important in making such queries to prevent sql injectionsthen you can simply compare the hashed password when logging in.
请注意,mysqli_real_escape_string进行此类查询以防止sql 注入也很重要,然后您可以在登录时简单地比较散列密码。
回答by Shashi
First wrap your variable into md5 function like this
首先将您的变量包装成这样的 md5 函数
$myPassword = md5($_POST['password']);
how are you using just $myusername it must me some associative array because you are accessing a table ex(you also have to select *allnot just id from db):-*
你是如何只使用 $myusername 它必须是一些关联数组,因为你正在访问一个表 ex(你还必须选择 * all而不仅仅是来自 db 的 id):-*
$_SESSION['login_user'] = $row['username'];
then change this
然后改变这个
if ($_SERVER["REQUEST_METHOD"] == "POST")
to this:-
对此:-
if (isset($_POST["submit"]))
回答by user2655462
Thanks for the help everyone! Okay so I was really stupid... put a limit in the database for the encrypted password. Also, thanks for the recommendations on how to hash my passwords and stuff.
感谢大家的帮助!好吧,我真的很愚蠢……在数据库中为加密密码设置一个限制。另外,感谢关于如何散列我的密码和内容的建议。
回答by Sankalp Mishra
As far as i understand the question. If you are storing password md5 encrypted in db you just need to compare like this $myPassword = md5($_POST['password'])
据我了解这个问题。如果您在 db 中存储加密的密码 md5,您只需要像这样进行比较$myPassword = md5($_POST['password'])
