douyinjiao9351 2014-11-28 17:23
浏览 84
已采纳

使用PHP和MySQL的SHA256盐 - 插入错误

I'm using the following code to salt and hash passwords in a MySQL database:

<?php
function make($string, $salt = '') {
    return hash('sha256', $string . $salt);
}
function salt($length) {
    return mcrypt_create_iv($length, MCRYPT_DEV_URANDOM);
}

$salt = salt(32);
$password = make('password', $salt);
?>

However when I attempt to insert the generated salt into the database, there are some cases where this error occurs:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'ÜöOòƒ·¡]ŽÖ', 1)' at line 1

I assume that is because of unrecognized characters being generated. What would be a solution for this?

  • 写回答

1条回答 默认 最新

  • dpps0715 2014-11-28 17:27
    关注

    You're inserting raw binary garbage. That will naturally (and semi-randomly) contain SQL metachatacters, like a '. This means your query is vulnerable to sql injection attacks.

    You don't show any of your actual PHP code, but you should either be using a prepared statement, or doing manual escaping, e.g.

    $stmt = mysqli_prepare($conn, "INSERT .... (password_hash) VALUES (?)");
$stmt->execute(array($raw_hash));

    or

    $quoted = mysql_real_escape_string($raw_hash);
$sql = "INSERT ... (password_hash) VALUES ('$quoted')";

    Alternatively, you could encode that hash string, e.g. use base64, so that the encoded hash becomes a relatively harmless string. But even then you should be using proper query construction techniques.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥15 多址通信方式的抗噪声性能和系统容量对比
  • ¥15 winform的chart曲线生成时有凸起
  • ¥15 msix packaging tool打包问题
  • ¥15 finalshell节点的搭建代码和那个端口代码教程
  • ¥15 Centos / PETSc / PETGEM
  • ¥15 centos7.9 IPv6端口telnet和端口监控问题
  • ¥20 完全没有学习过GAN,看了CSDN的一篇文章,里面有代码但是完全不知道如何操作
  • ¥15 使用ue5插件narrative时如何切换关卡也保存叙事任务记录
  • ¥20 海浪数据 南海地区海况数据,波浪数据
  • ¥20 软件测试决策法疑问求解答