加密是否可以防止sql注入?
[英]Does encryption protect against sql injection?
问题描述
does using a hash on a value before inserting it into an SQL query protect against sql injection without even having to use mysql_real_escape_string? 
在将值插入SQL查询之前使用哈希值来防止sql注入,甚至不必使用mysql_real_escape_string? (assuming you were to do this for your entire site) (假设您要为整个网站执行此操作)
Edit: to be specific the purpose is to take a key from the user and hash it before comparing it to other hashed columns in my table, then retrieve a another column value where the hashes match. 编辑:具体来说,目的是从用户获取密钥并在将其与我表中的其他散列列进行比较之前对其进行哈希处理,然后检索哈希匹配的另一个列值。 Sorry for not specifying 很抱歉没有说明
6 个解决方案
解决方案1
9 已采纳 2012-07-26 17:31:34
Yes, but it'll also make your data useless. 是的,但它也会使你的数据无用。 :P Remember, hashing is one-way, so you wouldn't be able to get the meaningful data back. :P请记住,散列是单向的,因此您将无法获得有意义的数据。 Encryption is two way, and that's probably what you really meant. 加密是双向的,这可能就是你真正的意思。
I think using prepared SQL statements is a more widely accepted solution for this sort of thing. 我认为使用准备好的SQL语句是一种更广泛接受的解决方案。 See this question . 看到这个问题 。
解决方案2
3 2012-07-26 17:31:25
Yes, but once you hash the information, you can't regenerate the information from the hash. 是的,但是一旦您对信息进行哈希处理,就无法从哈希中重新生成信息。 Use an encoding method instead. 请改用编码方法。
Also, mysql_ * functions are (or soon will be) deprecated. 此外,不推荐使用mysql_ *函数(或很快)。 You should consider switching to mysqli or PDO . 您应该考虑切换到mysqli或PDO 。 If you're a lazy bum (like me), you can use the mysqli procedural style which is almost identical to the original mysql_ functions. 如果你是一个懒惰的流浪汉(像我一样),你可以使用mysqli程序样式,它几乎与原始的mysql_函数相同。
解决方案3
1 2012-07-26 17:28:52
So long as your hashed output does not have any conflicting characters in mysql, then I would say yes, absolutely. 只要你的哈希输出在mysql中没有任何冲突的字符,那么我绝对会说是的。 base64 is a great approach for doing something like this base64是做这样的事情的好方法
解决方案4
1 2015-11-12 18:01:48
yes but only if you store the key both encrypted and as a hash. 是的,但仅当您存储加密的密钥和散列密钥时。 i just finished a tcl script that does this. 我刚刚完成了一个执行此操作的tcl脚本。 the major procedures should help you. 主要程序应该对你有帮助。 take plain text key and hash, also encrypt this plain text key and store both in the same row as the form data you are saving (also encrypted). 使用纯文本密钥和哈希,也加密此纯文本密钥并将它们存储在与保存的表单数据相同的行中(也是加密的)。
populate a dropdown or whatever with plain text keys by decrypting the key column and inserting into the box. 通过解密密钥列并插入到框中来填充下拉列表或任何带有纯文本键的内容。 now you can select plain text keys to search for. 现在您可以选择要搜索的纯文本键。
this requires an encrypt, decrypt, and hash routing that gets called every time you want to add, update, delete a record or show records but i notice no slowing though i am sure it exists at a microsecond level. 这需要加密,解密和散列路由,每次你想要添加,更新,删除记录或显示记录时都会调用它,但我注意到没有减速但我确信它存在于微秒级别。
make sure your encryption comes from a standardized and respected source like openssl or similar so you can cbc with auto padding and auto IV creation. 确保你的加密来自一个标准化和受尊重的来源,如openssl或类似的,所以你可以cbc自动填充和自动IV创建。 this way like words in the database are encrypted differently. 这种方式就像数据库中的单词加密不同。 this is also why you need to hash the key. 这也是你需要哈希密钥的原因。 otherwise it will encrypt differently and you wouldnt be able to search for anything. 否则它将以不同方式加密,你将无法搜索任何东西。
in this way, a key get hashed and checked against other hashed values. 以这种方式,一个键被散列并检查其他散列值。 try inserting a malicious group of words into a field and the wort that can happen is it gets hashed into a non-dangerous word. 尝试将一组恶意的单词插入到一个字段中,并且可能发生的麦芽汁会变成一个非危险的单词。
if using tcl it also helps to use curly braces which should prevent problems to begin with 如果使用tcl它也有助于使用花括号,这应该可以防止问题开始
解决方案5
0 2012-07-26 17:29:37
If you're thinking of md5() or sha1(), you'll never be able to decrypt the hash. 如果您考虑使用md5()或sha1(),您将永远无法解密哈希。 If you have your own encryption algo, I say go for it. 如果你有自己的加密算法,我说去吧。
解决方案6
0 2012-07-26 17:36:12
In my opinion, i think you should use both of them, here is an example: 在我看来,我认为你应该使用它们,这是一个例子:
$em = mysql_real_escape_string($_REQUEST['email']);
$pw = mysql_real_escape_string($_REQUEST['password']);
at the insert you use the password($pw) function.
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.