douyinjiao9351 2014-11-28 17:23
浏览 84
已采纳

使用PHP和MySQL的SHA256盐 - 插入错误

I'm using the following code to salt and hash passwords in a MySQL database:

<?php
function make($string, $salt = '') {
    return hash('sha256', $string . $salt);
}
function salt($length) {
    return mcrypt_create_iv($length, MCRYPT_DEV_URANDOM);
}

$salt = salt(32);
$password = make('password', $salt);
?>

However when I attempt to insert the generated salt into the database, there are some cases where this error occurs:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'ÜöOòƒ·¡]ŽÖ', 1)' at line 1

I assume that is because of unrecognized characters being generated. What would be a solution for this?

  • 写回答

1条回答 默认 最新

  • dpps0715 2014-11-28 17:27
    关注

    You're inserting raw binary garbage. That will naturally (and semi-randomly) contain SQL metachatacters, like a '. This means your query is vulnerable to sql injection attacks.

    You don't show any of your actual PHP code, but you should either be using a prepared statement, or doing manual escaping, e.g.

    $stmt = mysqli_prepare($conn, "INSERT .... (password_hash) VALUES (?)");
$stmt->execute(array($raw_hash));

    or

    $quoted = mysql_real_escape_string($raw_hash);
$sql = "INSERT ... (password_hash) VALUES ('$quoted')";

    Alternatively, you could encode that hash string, e.g. use base64, so that the encoded hash becomes a relatively harmless string. But even then you should be using proper query construction techniques.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥50 随机森林与房贷信用风险模型
  • ¥50 buildozer打包kivy app失败
  • ¥30 在vs2022里运行python代码
  • ¥15 不同尺寸货物如何寻找合适的包装箱型谱
  • ¥15 求解 yolo算法问题
  • ¥15 虚拟机打包apk出现错误
  • ¥15 用visual studi code完成html页面
  • ¥15 聚类分析或者python进行数据分析
  • ¥15 三菱伺服电机按启动按钮有使能但不动作
  • ¥15 js,页面2返回页面1时定位进入的设备