问题描述
这是我第一次安全地存储密码,我想确保一切都正确完成。我建议使用SHA-256 hashing盐。
假设用户提交了完整的密码,我们通过
$ password = $ _POST [password];
什么是正确的方法来加密$密码并使用SHA-256哈希值,所以它可以被存储在数据库中的密码字段password CHAR(64)中?
一旦完成并存储,我将如何比较存储在数据库中的值与输入的一个用户在登录表单中?假设 $ loginPassword = $ _POST [loginPassword]; 是用户输入的内容。 / div>
不使用SHA家族方法,您可以使用 这是一个使用PDO的示例脚本(保存并登录)。 将密码保存在数据库中 登录脚本 This is my first attempt in securely storing passwords and I would like to make sure that everything is done correctly. I was advised to use SHA-256 hashing alongside salt. Assuming user submitted their password thorough form, we get the password via What is correct way to salt $password and use SHA-256 hashing on it, so it can than be stored in a password field "password CHAR(64)" in a database? Once done and stored how would I than compare value stored in a database to one user entered in a login form? Lets assume Instead of using SHA family methods, you can use the Here is an example script (save and login) using PDO. Save password in DB Login script 这篇关于正确的方式来存储和检索SHA-256哈希和盐渍密码的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持! crypt()
<?php
//设置密码
$ password ='mypassword';
//获取哈希,让salt自动生成
$ hash = crypt($ password);
echo $ hash; //仅用于测试目的
$ mysql_username ='username'; //用于DB
$ mysql_password ='密码'; //对于DB
$ dbh =新的PDO('mysql:host = localhost; dbname = database_name',$ mysql_username,$ mysql_password);
$ stmt = $ dbh-> prepare(INSERT INTO table_name(name,pass)VALUES(:name,:pass));
$ stmt-> bindParam(':name',$ name);
$ stmt-> bindParam(':pass',$ pass);
//插入行
// $ name = $ _POST ['name'];
// $ name = $ _POST ['pass'];
$ name =username;
$ pass = $ hash;
$ stmt-> execute();
<?php
$ mysql_username ='username'; //用于DB
$ mysql_password ='密码'; //对于DB
$ dbh =新的PDO('mysql:host = localhost; dbname = database_name',$ mysql_username,$ mysql_password);
/ *
$ username = $ _POST ['username'];
$ password = $ _POST ['password'];
* /
$ username =username;
$ password =mypassword;
$ sql =SELECT * FROM table_name WHERE name =:username;
$ statement = $ dbh-> prepare($ sql);
$ statement-> bindValue(':username',$ username,PDO :: PARAM_STR);
if($ statement-> execute())
{
if($ statement-> rowCount()== 1)
{
$ row = $ statement-> fetch(PDO :: FETCH_ASSOC);
$ b $ if(crypt($ password,$ row ['pass'])=== $ row ['pass'])
{
$ username = $行[ '名称'];
$ email = $ row ['email'];
回声阶段1;
echo< hr noshade size = \1 \>;
echoHello。$ username;
出口;
}
else
{
// includeerror_login.php;
回声第2阶段 - 错误;
}
}
else
{
// includeerror_login.php;
回声第3阶段错误;
}
}
$password = $_POST["password"];
$loginPassword = $_POST["loginPassword"]; is what user entered.crypt() function to salt it for you.<?php
// Set the password
$password = 'mypassword';
// Get the hash, letting the salt be automatically generated
$hash = crypt($password);
echo $hash; // for testing purposes only
$mysql_username = 'username'; // for DB
$mysql_password = 'password'; // for DB
$dbh = new PDO('mysql:host=localhost;dbname=database_name', $mysql_username, $mysql_password);
$stmt = $dbh->prepare("INSERT INTO table_name (name,pass) VALUES (:name,:pass)");
$stmt->bindParam(':name', $name);
$stmt->bindParam(':pass', $pass);
// insert rows
// $name = $_POST['name'];
// $name = $_POST['pass'];
$name = "username";
$pass = $hash;
$stmt->execute();
<?php
$mysql_username = 'username'; // for DB
$mysql_password = 'password'; // for DB
$dbh = new PDO('mysql:host=localhost;dbname=database_name', $mysql_username, $mysql_password);
/*
$username = $_POST['username'];
$password = $_POST['password'];
*/
$username = "username";
$password = "mypassword";
$sql = "SELECT * FROM table_name WHERE name=:username";
$statement = $dbh->prepare($sql);
$statement->bindValue(':username',$username,PDO::PARAM_STR);
if($statement->execute())
{
if($statement->rowCount() == 1)
{
$row = $statement->fetch(PDO::FETCH_ASSOC);
if (crypt($password, $row['pass']) === $row['pass'])
{
$username = $row['name'];
$email = $row['email'];
echo "Stage 1";
echo "<hr noshade size=\"1\">";
echo "Hello " .$username;
exit;
}
else
{
// include "error_login.php";
echo "Stage 2 - ERROR";
}
}
else
{
// include "error_login.php";
echo "Stage 3 error";
}
}