duangu6588 2015-02-24 03:25
浏览 16

如何有效地一次散列多个密码?

I have a mysql table with columns userid, password, hashedpassword. I used to store passwords as plain text in the password column. I now realize that is unacceptable and want to now hash all of them and store them the right way in the hashedpassword field.

You're going to get mad at the script below because it's horrifically inefficient. As you might guess, it timed out on my server. Can someone help an obviously inexperienced programmer with the proper way to update all of these fields in the database? Clearly connecting to the database for EACH record is idiotic :(...

$sql = "SELECT * 
        FROM users";
            $result = mysqli_query($connection, $sql);
            if (!$result) {
            die("Database query failed: " . mysqli_error($connection));
            } else {
                while ($row=mysqli_fetch_array($result)) {
                    $userid=$row['userid'];
                    $passwordhashed=password_hash($row['password'], PASSWORD_DEFAULT);
                    $sql = "UPDATE users
                        SET hashedpassword='$passwordhashed'
                        WHERE userid='$userid'
                        LIMIT 1";
                            $update = mysqli_query($connection, $sql);
                            if (!$update) {
                            die("Database query failed: " . mysqli_error($connection));
                            } else {
                                //we good
                            }

                }

            }
  • 写回答

2条回答 默认 最新

  • douchao1864 2015-03-16 17:28
    关注

    out of curiosity how many users rows do you have in your table?

    I worked a system on mine made a while back when upgrading to the password_hash function (from - similarly- unwise plain text storage) whereby I made a script to update the password with a new one, using this hashing method.

    The difference is deployment - I emailed all clients (~1600) and told them to click the link in the email to update their password as a precaution, entering their current password and a new (different) password, therefore each password is individually updated AND the plain text password is not used as a hashed password, if someone already has a copy of your table and can look up the plain text passwords then just converting them to hashes will not lock that door, instead they can still get in and mess around on the users accounts.

    (And in case you think "oh it's ok no one will have a copy of my table", this thought-logic will also mean that you don't need to encrypt your plain text passwords in the first place! -- MySQL can be hacked and you need not know about it if the hacker is careful and considerate rather than someone showing off their spamhack skills)

    This also will mean only clients who did not follow the emailed advise would be at risk from any current or future breach. I also included similar conversion code to the site login, forcing a new password selection in the process.

    评论

报告相同问题?

悬赏问题

  • ¥100 set_link_state
  • ¥15 虚幻5 UE美术毛发渲染
  • ¥15 CVRP 图论 物流运输优化
  • ¥15 Tableau online 嵌入ppt失败
  • ¥100 支付宝网页转账系统不识别账号
  • ¥15 基于单片机的靶位控制系统
  • ¥15 真我手机蓝牙传输进度消息被关闭了,怎么打开?(关键词-消息通知)
  • ¥15 装 pytorch 的时候出了好多问题,遇到这种情况怎么处理?
  • ¥20 IOS游览器某宝手机网页版自动立即购买JavaScript脚本
  • ¥15 手机接入宽带网线,如何释放宽带全部速度