比较加密的密码mysql / php
[英]Compare encrypted password mysql/php
问题描述
Database encrypts password in the following way: 
数据库通过以下方式加密密码:
encrypt('password', CONCAT('$', MD5(RAND()))));
I'm selecting this value in PHP, and I would like to compare it to user input. 我正在PHP中选择此值,我想将其与用户输入进行比较。 So how would I recreate above in PHP? 那么如何在PHP中重新创建以上内容? What I don't get is this, if encrypted password relies on random number, how is it possible to generate same string in php and compare it to original? 我不明白的是,如果加密密码依赖于随机数,那么如何在php中生成相同的字符串并将其与原始字符串进行比较呢?
3 个解决方案
解决方案1
0 2014-03-20 14:49:08
Best way would be to use stored procedure or function on the database site that will return true/false for user/pass query. 最好的方法是在数据库站点上使用存储过程或函数,该存储过程或函数将为用户/通过查询返回true / false。 That way you'll have only one function in one pleace. 这样一来,您只有一个功能就能拥有一个功能。
Even if you don't want to create one of those than use same funcions inside db query produced by php. 即使您不想创建其中之一,也不想在 php产生的db查询中使用相同的功能。
解决方案2
0 2014-03-20 14:50:25
You are right, theres no way to recreate the password in php since the salt is not being provided in the mysql function. 没错,由于在mysql函数中未提供盐,因此无法在php中重新创建密码。 What I sugest is providing the same salt in both mysql and php. 我的建议是在mysql和php中提供相同的盐。 Make sure to keep this value in a safe place. 确保将此值保存在安全的地方。
Per mysql encrypt documentation: 每个mysql加密文档:
Encrypts str using the Unix crypt() system call and returns a binary string. 使用Unix crypt()系统调用对str进行加密,并返回一个二进制字符串。 The salt argument must be a string with at least two characters or the result will be NULL. salt参数必须是至少包含两个字符的字符串,否则结果将为NULL。 If no salt argument is given, a random value is used. 如果未给出salt参数,则使用随机值。
Note the last part: if no salt argument is given, a random value is used (your case). 请注意最后一部分:如果未给出salt参数,则使用随机值(您的情况)。
解决方案3
0 已采纳 2014-03-20 15:04:22
It seems that the MySql function encrypt() uses the Unix crypt() function. 似乎MySql函数encrypt()使用Unix crypt()函数。 In this case you most likely create unsafe DES hashes and the "salt" will be stored as part of the resulting hash-value. 在这种情况下,您很可能会创建不安全的DES哈希,并且“盐”将作为结果哈希值的一部分存储。 For verification you could use the PHP crypt() function like this: 为了进行验证,您可以使用PHP crypt()函数,如下所示:
$isPasswordCorrect = crypt($password, $existingHashFromDb) === existingHashFromDb;
Please note that it is very unsafe to store passwords in this form, because this hash algorithm is ways too fast for hashing passwords. 请注意,以这种形式存储密码是非常不安全的 ,因为这种哈希算法对于哈希密码而言太快了。 Instead you should use a key-derivation function like BCrypt, PHP has it's own function password_hash() for this: 相反,您应该使用像BCrypt这样的键派生函数,PHP为此具有自己的函数password_hash() :
// Hash a new password for storing in the database.
// The function automatically generates a cryptographically safe salt.
$hashToStoreInDb = password_hash($password, PASSWORD_BCRYPT);
// Check if the hash of the entered login password, matches the stored hash.
// The salt and the cost factor will be extracted from $existingHashFromDb.
$isPasswordCorrect = password_verify($password, $existingHashFromDb);
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.