dora12345678 2012-12-05 17:44
浏览 47
已采纳

问题与PHP,MySQLi登录应用程序[重复]

Possible Duplicate:
How do you use bcrypt for hashing passwords in PHP?

I am trying to create a secure login app using php and MySQLi by following this tutorial: Link To Tutorial The tutorial is using a table(members) with 5 fields as:"id", "username","email","password",and "salt". but at the very beginning there is a an SQL INSERT function which is confusing me 

INSERT INTO `secure_login`.`members` VALUES(1, 'test_user', 'test@example.com',
00807432eae173f652f2064bdca1b61b290b52d40e429a7d295d76a71084aa96c0233b82f1feac45
529e0726559645acaed6f3ae58a286b9f075916ebf66cacc', 'f9aab579fc1b41ed0c44fe4ecdbfc
db4cb99b9023abb241a6db833288f4eea3c02f76e0d35204a8695077dcf81932aa59006423976224be0
390395bae152d4ef');

I am guessing the fist long number is a sha512() salted password so I used this php code to generate my sha512 password and insert it to my members database:

$password = 'newPassword';
echo 'sha512: ' . hash('sha512', $password);

and the result is:

sha512: 6f63f637f1346149532158022899bdf424a19c3dc472e21c2068cd324d7263ed521fb1c1335afaad6bf3fd94a24c0371217086295255e7773eb8deb2c7a54e1a

Now my question is what is the the the second value which is inserting into the "salt" field?

Unforgettably I couldn't find a way to contact to tutorial person but I tought you may can help me to figure this out.so, Can you please let me know

  1. Am i doing the sha512 password salting correctly?
  2. What is the last item inserted into members table(salt) , how I can generate that one?

Thanks for you time

  • 写回答

1条回答 默认 最新

  • drqja5919276 2012-12-05 18:17
    关注

    A salt is something you mix with a password before you hash it to add to the security of what you're storing.

    That is: if each password were just SHA-512'd, anyone whose password was common would be compromised as soon as you know you the (SHA) hash of that password. Said another way: as soon as I know the hash for "password" I know every single user that used that password.

    So you should be using your salt to make the password hashes more secure and so storing it later for rehashing and comparison purposes (at every login). This way each person who's using "password" as their password is protected because each value is unique in the database.

    So to directly answer your questions:

    1. It's possible to use SHA512 hashes for salts, but they don't need to be nearly that long. Typically a 4 to 30 character string of alphanumerics is used. What you should do is combine the user-entered password with the salt which you generate separately, then hash the combination.
    2. The last item is a salt, and a reasonable way to make that is something like substr(str_replace('+', '.', base64_encode(sha1(microtime(true), true))), 0, 16). That's not the best way, or only way, but it's an easy way to get a random-ish salt.

    Those things said, if you're not really sure what you're doing, it may be best that you don't build a login system. There are lots of login classes that'll keep your users more secure than the system you outline here. At a minimum, please try to read a good article on login systems (like this one, or this one) and do your best to use its recommendations.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥30 这是哪个作者做的宝宝起名网站
  • ¥60 版本过低apk如何修改可以兼容新的安卓系统
  • ¥25 由IPR导致的DRIVER_POWER_STATE_FAILURE蓝屏
  • ¥50 有数据,怎么建立模型求影响全要素生产率的因素
  • ¥50 有数据,怎么用matlab求全要素生产率
  • ¥15 TI的insta-spin例程
  • ¥15 完成下列问题完成下列问题
  • ¥15 C#算法问题, 不知道怎么处理这个数据的转换
  • ¥15 YoloV5 第三方库的版本对照问题
  • ¥15 请完成下列相关问题!