堆栈内存溢出
  简体   繁体   English

有没有办法为php mysqli登录存储哈希密码?

[英]Is there a way to store hashed passwords for php mysqli login?

 原文  2013-01-22 14:03:49       php/ mysqli

问题描述

I usually do 我通常会 

$password = "password";
$mysqli = new mysqli("localhost", "root", $password, "database");

Is there a way to give mysqli a hashed password instead of having to save the plaintext form stored in my script? 有没有办法给mysqli一个哈希密码,而不必保存存储在脚本中的纯文本格式? Is there a good practice to avoid having plaintext passwords around my script? 有一种好的做法是避免在脚本周围使用明文密码? Is this safe 这样安全吗

I get it won't be 100% proof but it does make it slightly more cumbersome to not have the plaintext available? 我得到的不是100%的证明,但确实使没有可用的纯文本显得有些麻烦?

2 个解决方案

解决方案1
 4 已采纳  2013-01-22 14:05:47

Nope; 不; that would defy the point in using password hashing in the first place. 首先将无视使用密码哈希的意义。 If you could log in with the hashed password, then the hashed password would essentially be your password. 如果您可以使用哈希密码登录,那么哈希密码本质上就是您的密码。

You could encrypt it, but the key for decryption would also have to be stored somewhere, so you'd merely be obfuscating the password, not protecting it. 您可以对其进行加密,但是解密密钥也必须存储在某个位置,因此您只会混淆密码而不是保护密码。 Anyone who wants it can easily find it, if he has access to your script files. 只要他有权访问您的脚本文件,任何想要它的人可以轻松找到它。

Ultimately, you'll have to place some trust in the security of your server's own filesystem. 最终,您将不得不对服务器自身文件系统的安全性有所信任。 Your best bet is just to make sure it's stored outside the document root and is not readable by any user/group on the server who doesn't need to read it. 最好的选择就是确保将其存储在文档根目录之外,并且服务器上不需要读取该文件的任何用户/组都无法读取该文件。

解决方案2
 4  2013-01-22 14:12:30

Unfortunately, no. 抱歉不行。 Whatever is sent as the password is the password. 作为密码发送的密码。 Even if you were to create a small function to hash your password, you'd still have to have the password in plain text. 即使您要创建一个用于散列密码的小函数,您仍必须使用纯文本格式的密码。 Even still, that hashed password becomes your password (as you would've setup in MySQL) therefor it's still plain text. 即便如此,该哈希密码仍将成为您的密码(就像您在MySQL中所设置的一样),因此它仍然是纯文本。

Since PHP is a server-side script no one can see this password nor is it ever transferred to the client so it cannot be intercepted. 由于PHP是服务器端脚本,因此没有人可以看到该密码,也永远不会将其传输到客户端,因此无法被截获。 I'd recommend a hard to guess password and make sure your scripts are protected from MySQL injection so no one can access your database through that route. 我建议您使用一个难以猜测的密码,并确保您的脚本受到MySQL注入的保护,因此没有人可以通过该路由访问您的数据库。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 使用散列密码登录PHP - PHP login with hashed passwords 使用bCrypt哈希密码登录PHP - PHP Login with bCrypt Hashed Passwords PHP登录没有错误,但哈希时密码不相等 - PHP login no error but passwords are not equal when hashed 无法使用散列密码登录 - Mysqli PHP - Can't login with hashed password - Mysqli PHP 将哈希密码存储到Mysql - store hashed passwords to Mysql 正确的存储和检索SHA-256哈希密码和盐腌密码的方法 - Correct way to store and retrieve SHA-256 hashed and salted passwords 需要帮助阅读/修复 login.php 和 Angular 和哈希密码 - Need help reading/fixing login.php with Angular and Hashed Passwords 在PHP中存储密码的正确方法 - Correct way to store passwords in PHP 在wordpress中比较散列密码和PHP - Comparing hashed passwords with PHP in wordpress 在php代码中使用哈希密码 - using hashed passwords in php code
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM