md5和哈希问题
[英]Problem with md5 and hash
问题描述
<form action="inc/login/login.php" method="post" id="userLogon">
<div class="field required">
Username: <input type="text" name="regduser" tabindex="1" /><br />
</div>
<div class="field required">
Password: <input type="password" name="regdpass" tabindex="2" /><br />
</div>
<input type="submit" name="submitUser" />
</form>
PHP 
的PHP
<?php
ob_start();
$host="localhost"; // Host name
$username="root"; // Mysql username
$password=""; // Mysql password
$db_name="ureviewdu"; // Database name
$tbl_name="Student"; // Table name
// Connect to server and select databse.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");
// Define $myusername and $mypassword
$myusername=$_POST['regduser'];
$mypassword=$_POST['regdpass'];
// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);
$sql="SELECT * FROM $tbl_name WHERE uname='$myusername' and upass='$mypassword'";
$result=mysql_query($sql);
// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row
if($count==1){
// Register $myusername, $mypassword and redirect to file "login_success.php"
session_register("regduser");
session_register("regdpass");
header("location:login_success.php");
}
else {
echo "Wrong Username or Password";
}
ob_end_flush();
?>
DB Submission 数据库提交
When I click submit for entering joe joe for user and pass. 当我单击提交为用户输入joe joe并通过时。 How do I get php to recognize joe for pass is actually '55abd89cb7ab6742370f0ad912fef335' ? 我如何获取php来识别joe通过的实际上是'55abd89cb7ab6742370f0ad912fef335'? How do i get php to be able to decipher this? 我如何获得php才能破译?
Anyone? 任何人?
3 个解决方案
解决方案1
4 已采纳 2011-08-05 01:01:03
SELECT * FROM $tbl_name WHERE uname='$myusername' and upass=MD5('$mypassword')
However, I need to advise you to read the blog by fearless leader about using salted passwords and stronger hashing functions . 但是,我需要建议您由无所畏惧的领导者阅读有关使用咸密码和更强大的哈希函数的博客。 Don't implement weak security. 不要实施弱安全性。
If the password in the database is already salted, you need to combine the plaintext password with the same salt before hashing. 如果数据库中的密码已经过盐处理,则需要在散列之前将纯文本密码与相同的盐结合使用。 Ideally, each user has its own unique random salt, stored in the same row with the uname and upass. 理想情况下,每个用户都有自己独特的随机盐,与uname和upass一起存储在同一行中。 Then you can do this: 然后,您可以执行以下操作:
SELECT * FROM $tbl_name WHERE uname='$myusername'
AND upass=MD5(CONCAT(usalt, '$mypassword'))
解决方案2
1 2011-08-05 00:59:06
Hash the password on the way in as well: 也将密码哈希入:
$sql = "SELECT * FROM $tbl_name
WHERE uname = '$myusername' and upass = MD5('$mypassword')";
By the way, if your system isn't in production yet, I strongly advise you look for a more secure hashing algorithm such as SHA256. 顺便说一句,如果您的系统尚未投入生产,我强烈建议您寻找一种更安全的哈希算法,例如SHA256。 Not much of a change is required, as long as you have the ability to flush your current password records: 只要您有能力刷新当前的密码记录,就不需要进行太多更改:
$sql = "SELECT * FROM $tbl_name
WHERE uname = '$myusername' and upass = SHA2('$mypassword', 256)";
解决方案3
0 2011-08-05 01:27:52
To answer your question directly, without giving an opinion on what is more secure: 直接回答您的问题,而不对更安全的问题发表意见:
When I click submit for entering joe joe for user and pass.
$mypassword = md5(stripslashes($mypassword));
$sql="SELECT * FROM $tbl_name WHERE uname='$myusername' and upass='$mypassword'";
$result=mysql_query($sql);
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.