php crypt密码和postgresql数据库

I'm new in PHP. I'm doing authentication, where I'm checking password with password stored in database PostgreSQL. On db site i used this function to crypt my password:

update ucty set psswd =  crypt('some_pswd',gen_salt('md5')) where uid='1';

In my PHP srcipt I'm using this code:

$query = "SELECT meno, priezvisko, nickname, psswd, uid 
          FROM ucty 
          where nickname='$nickname' and psswd=crypt('$password', psswd)";

Everything works fine, but I'm not sure , that this is correct way to secure my password.

Any advice?

写回答
好问题 0 提建议
追加酬金
关注问题
分享
邀请回答
编辑收藏删除结题
收藏举报

1条回答默认最新

关注

码龄粉丝数原力等级 --

被采纳

被点赞

采纳率
drasebt1835 2014-02-18 15:16
关注
You're correct; this isn't the correct way to secure your password.

You're encrypting the password as part of the query. This can be logged (in plaintext), so it's very possible for intruders (or anyone listening to your traffic) to see users' passwords in plaintext.

"How can I prevent this?" Do your hashing on the server-side, within your PHP code. You can read up on this in the PHP manual.

Essentially, you want to have your query to set a password be something like this:

UPDATE ucty SET psswd=$hashed WHERE uid=1;

You're putting variables directly into the SQL statement. You didn't mention what method you're using to query the database, but you'll want to use prepared statements. This is a safe way to slide in user-supplied data (which $nickname and $password are).

This would be an example of a good way to use prepared statements:

$query = "SELECT meno, priezvisko, nickname, psswd, uid" . " FROM ucty" . " WHERE nickname=? and psswd=?"; $stmt = $dbh->prepare($query); $stmt->execute(array($nickname, $hashedPassword));
解决无用
评论打赏
分享
举报

评论

按下Enter换行，Ctrl+Enter发表内容

报告相同问题？

关注问题

golang相当于PHP crypt（） php
2018-07-01 01:09

回答 1 已采纳 Although I haven't found an exact "Go crypt function" equivalent of PHP's crypt function, I found
使用php和doveadm创建密码 php
2017-01-13 14:08

回答 2 已采纳 You must call it with shell_exec method: $password = shell_exec('/usr/bin/doveadm pw -s SHA512-CR
PHP crypt函数和算法 php
2013-01-09 11:27

回答 4 已采纳 Depends on the system as the documentation says. To determine what your system supports, you can
php加密数据库工具,关于php：加密数据库
2021-04-12 17:17

头发乱乱先生的博客我有一个用PHP编写的网站，支持MySql数据库。我想要整个数据库。基本上我想要的是，如果任何人获得数据库登录凭证，就不能读取数据。我读过mysql ENCODE()和AES_ENCRYPT()函数。但是这种方式会导致PHP脚本中的大量...
无法使用php将数据输入数据库 mysql php
2015-04-05 07:46

回答 2 已采纳 mysql_connect will not take the database name. So try the following commands for connection. <
PHP在将密码存储到数据库之前加密密码 php
2012-01-28 12:38

回答 4 已采纳 crypt is a one-way function and returns a string that already contains the salt, When comparing t
即使密码后缀后缀，PHP crypt也会返回true php
2014-04-11 15:06

回答 1 已采纳 crypt as you're using it is limited to 8 character passwords: php > echo crypt('1234567', 'abc
linux apache php postgresql,Apache + php3 + PostgreSQL的安装_PHP
2021-05-05 04:52

weixin_39533742的博客 PostgreSQLApache以下将说明使用Apache+PHP3+PostgreSQL作为基于Web的数据库平台的安装和配置方法。关于Apache、PHP3和PostgreSQL的更多内容可以从软件的附带文档、Linux的HOWTO文件以及以下站点处找到：Apache: ...
在crypt密码之后，验证功能不佳 php
2017-03-30 04:59

回答 2 已采纳 PHP's crypt function only uses the first eight characters, that's by design (http://php.net/manual
用PHP比较MySql密码（） mysql php
2014-03-20 22:21

回答 1 已采纳 Are you really sure the passwords where hashed with the MySql Password() function, because this fu
如何在php中恢复加密密码 php
2013-10-08 20:43

回答 3 已采纳 The crypt() function uses one-way encryption, which means that there is no decrypt() function. Ba
PHP打开Apache数据库,[转]Apache+PHP3+PostgreSQL作为基于Web的数据库平台的安装
2021-04-11 14:02

weixin_39939918的博客信区: Linux标题: Apache+PHP3+PostgreSQL作为基于Web的数据库平台的安发信站: BBS 水木清华站 (Thu Jan 20 16:00:28 2000)以下将说明使用Apache+PHP3+PostgreSQL作为基于Web的数据库平台的安装和配置方法。...
使用PHP查询从Sagepay的SQL数据库返回值 database mysql php
2015-06-30 13:07

回答 2 已采纳 I've managed to find a solution by using similar code used for another gateway for the website. Th
PHP服务器端脚本语言
2023-06-20 14:43

Aɢ꯭ᴏ꯭ɴ꯭ɪ꯭嫑忈的博客学习数据库可以帮助你存储和管理数据，并且可以让你的Web应用程序更加强大和灵活。学习Web开发技术学习Web开发技术可以帮助你更好地理解PHP的应用场景。通过不断地学习和实践，你可以成为一名优秀的PHP开发者。PHP...
php horde,安装Horde步骤或方法
2021-04-14 02:42

我吃掉了一辆奔驰的博客安装Horde步骤或方法保证PHP模块，HTTP是好的,下列包被正确安装mysql-4.1.20-1.RHEL4.1.i386.rpmmysqlclient10-3.23.58-4.RHEL4.1.i386.rpmmysqlclient10-devel-3.23.58-4.RHEL4.1.i386.rpmmysql-devel-4.1.20-1....
PostgreSQL数据库学习手册之libpq - C 库--介绍
2014-11-11 09:16

An_angel_of_joy的博客 PostgreSQL数据库介绍 PostgreSQL是一种运行在Unix和Linux操作系统(在NT平台借助Cygnus也可以运行)平台上的免费的开放源码的关系数据库。最早是由美国加州大学伯克利分校开发的，开始只是作为一个演示系统发表，...
php基础语法了解,php基础语法
2021-04-08 12:30

Ems Yan的博客 php基础教程 (PHP for the Web: Visual QuickStart Guide (4th Edition) )此文只是上书的阅读笔记,不适合他人做参考学习.本书进阶版:PHP与MySQL动态网站开发(第4版)(同一作者)1 变量名所有的变量名必须以美元符号($)...
PHP手册第 28 章 数据库安全
2012-08-31 09:25

zhangzhizhen1988的博客由于非常敏感和机密的数据有可能保存在数据库中，所以对数据库实施保护就显得尤为重要了。要从数据库中提取或者存入数据，就必须经过连接数据库、发送一条合法查询、获取结果、关闭连接等步骤。目前，能完成这一...
PHP 5.6 Beta结束
2020-08-28 11:19

culi4814的博客 On June 5th 2014, the PHP group announced the fourth and final beta of the 5.6 version. This milestone ends the beta program and begins the RC program (currently planned for June 19th), which will fro...
php人气代码,全面解读PHP的人气开发框架Laravel
2021-03-26 11:20

yan-mika的博客 Laravel的主要技术特点：1、Bundle是Laravel的扩展包组织形式或称呼。Laravel的扩展包仓库已经相当成熟了，可以很容易的帮你把扩展包(bundle)...2、在Laravel中已经具有了一套高级的PHP ActiveRecord实现 -- Eloque...
没有解决我的问题, 去提问

悬赏问题

¥15 如何在scanpy上做差异基因和通路富集？
¥20 关于#硬件工程#的问题，请各位专家解答！
¥15 关于#matlab#的问题：期望的系统闭环传递函数为G(s)=wn^2/s^2+2¢wn+wn^2阻尼系数¢=0.707，使系统具有较小的超调量
¥15 FLUENT如何实现在堆积颗粒的上表面加载高斯热源
¥30 截图中的mathematics程序转换成matlab
¥15 动力学代码报错，维度不匹配
¥15 Power query添加列问题
¥50 Kubernetes&Fission&Eleasticsearch
¥15 報錯：Person is not mapped，如何解決？
¥15 c++头文件不能识别CDialog

php crypt密码和postgresql数据库

1条回答 默认 最新

悬赏问题

1条回答默认最新