douyinjiao9351 2014-11-28 17:23
浏览 85
已采纳

使用PHP和MySQL的SHA256盐 - 插入错误

I'm using the following code to salt and hash passwords in a MySQL database:

<?php
function make($string, $salt = '') {
    return hash('sha256', $string . $salt);
}
function salt($length) {
    return mcrypt_create_iv($length, MCRYPT_DEV_URANDOM);
}

$salt = salt(32);
$password = make('password', $salt);
?>

However when I attempt to insert the generated salt into the database, there are some cases where this error occurs:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'ÜöOòƒ·¡]ŽÖ', 1)' at line 1

I assume that is because of unrecognized characters being generated. What would be a solution for this?

  • 写回答

1条回答 默认 最新

  • dpps0715 2014-11-28 17:27
    关注

    You're inserting raw binary garbage. That will naturally (and semi-randomly) contain SQL metachatacters, like a '. This means your query is vulnerable to sql injection attacks.

    You don't show any of your actual PHP code, but you should either be using a prepared statement, or doing manual escaping, e.g.

    $stmt = mysqli_prepare($conn, "INSERT .... (password_hash) VALUES (?)");
$stmt->execute(array($raw_hash));

    or

    $quoted = mysql_real_escape_string($raw_hash);
$sql = "INSERT ... (password_hash) VALUES ('$quoted')";

    Alternatively, you could encode that hash string, e.g. use base64, so that the encoded hash becomes a relatively harmless string. But even then you should be using proper query construction techniques.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?