doudeng8691
2013-02-05 21:56
177 views
Accepted

How to store a password hash in MySQL

I have the following table in my database called db_pass:

id | pass
=================
1  | dalmation123

I understand that I cannot store any password in plain text format in my database; how do I go about setting up a hash? This is the code I am using below. I would appreciate some help on how to change my table db_pass as well.

if(isset($_POST['pmsubmit']))
{
  LoginSubmit('pm', 'pmname', 'pmpass');
}

if(isset($_POST['tssubmit']))
{
  LoginSubmit('ts', 'dept', 'tspass');
}

function LoginSubmit($pm_or_ts, $the_name_input, $the_pass_input)
{
  global $pdo;
  $posted_name = $_POST[$the_name_input];
  $posted_pass = $_POST[$the_pass_input];
  // check if password matches the one in the table (still compared in plain text here)
  $query = $pdo->prepare("SELECT * FROM db_pass WHERE pass = :pass");
  $query->execute(array(":pass" => $posted_pass));
  // if there is a match then we log in the user
  if ($query->rowCount() > 0)
  {
    // session stuff (requires session_start() earlier in the request)
    $_SESSION[$the_name_input] = $posted_name;
    // refresh page
    header('Location: ' . $pm_or_ts . '/index.php');
    exit;
  }
  // if there is no match then we present the user with an error
  else
  {
    echo "error";
    exit;
  }
}

3 answers

  • dongluxin2452 2013-02-05 22:19
    Accepted
    // crypt() must be given the stored hash back as its salt: a bare crypt($pass)
    // generates a fresh random salt, so its output would never equal the value in
    // the table. Fetch the stored hashes and re-hash the submitted password with each.
    $query = $pdo->prepare("SELECT pass FROM db_pass");
    $query->execute();
    $match = false;
    foreach ($query->fetchAll(PDO::FETCH_COLUMN) as $stored) {
      if (crypt($posted_pass, $stored) === $stored) { $match = true; }
    }

    Don't ask me which algorithm crypt actually uses. The manual entry is totally nonsensical - apparently just checking the value of a constant changes the algorithm used by crypt(), which is ridiculous....

    And it's all right for people to say bcrypt. But bcrypt isn't a core PHP function. If they mean writing your own, then it's a stupid idea - because your implementation would undoubtedly have flaws. If they mean a library, they need to point one out - PHPass is commonly recommended, but I have no knowledge to recommend it myself.

    It's hardly surprising most people still use sha1, is it?

  • dongtang1966 2013-02-05 22:06

    In MySQL you could use the BINARY type to actually store hashes. A simple hash table in MySQL could look like:

    CREATE TABLE IF NOT EXISTS `hastable` (
      `hash` binary(20) NOT NULL,
      `value` blob NOT NULL,
      PRIMARY KEY (`hash`)
    );

    For example, a SHA1 hash is always 160 bits/20 bytes long and could be stored in such a binary column. Using PHP, you could get the hash as follows: hash( 'sha1', $key, true );

    But that has nothing to do with storing passwords…

  • douyi8732 2013-02-05 22:15

    It all comes down to this. You need to perform an operation on the user password before you save it to the database. You then perform the same operation on the submitted password before checking if that password is valid for the username/password combination.

    In most cases the "operation" is a hashing or encryption process such as MD5 or bcrypt.

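The following is an added example, not code from the question or from any of the answers above. It puts the accepted answer's crypt()-based approach and the last answer's "same operation on save and on check" description together in one runnable script: the password is hashed once when it is saved, and at login the row is fetched by user and the submitted password is verified against the stored hash, instead of the question's `WHERE pass = :pass` lookup, which cannot work once hashes carry a random salt. It uses password_hash() / password_verify(), which exist since PHP 5.5 and produce bcrypt through crypt() underneath. Two assumptions are constructed for the example: db_pass gets a `name` column so the hash can be looked up per user, and an in-memory SQLite database stands in for MySQL so the script runs offline (the SQL is written to run unchanged on MySQL).

```php
<?php
// Added example (not from the question or the answers). Assumptions, both
// constructed for this example: db_pass gains a `name` column, and SQLite in
// memory replaces MySQL so the script runs without a server.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// A bcrypt hash string is 60 characters; 255 leaves room if PASSWORD_DEFAULT
// ever switches to a longer format.
$pdo->exec("CREATE TABLE db_pass (
    id   INTEGER      NOT NULL PRIMARY KEY,
    name VARCHAR(64)  NOT NULL UNIQUE,
    pass VARCHAR(255) NOT NULL
)");

// Save: hash at registration / password change. password_hash() generates the
// salt and embeds it in the returned string, so no separate salt column is needed.
function saveUser(PDO $pdo, $id, $name, $plainPassword)
{
    $hash = password_hash($plainPassword, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('INSERT INTO db_pass (id, name, pass) VALUES (:id, :name, :pass)');
    $stmt->execute(array(':id' => $id, ':name' => $name, ':pass' => $hash));
}

// Login: fetch the row by name, then verify the submitted password against the
// stored hash. The same password hashes differently every time (random salt),
// so "WHERE pass = :pass" can never match a salted hash.
function checkLogin(PDO $pdo, $name, $plainPassword)
{
    // Computed once per request and used for unknown names, so a missing row
    // costs about as much time as a wrong password (no user-enumeration hint).
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('dummy', PASSWORD_DEFAULT);
    }

    $stmt = $pdo->prepare('SELECT id, pass FROM db_pass WHERE name = :name');
    $stmt->execute(array(':name' => $name));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        password_verify($plainPassword, $dummyHash);
        return false;
    }
    if (!password_verify($plainPassword, $row['pass'])) {
        return false;
    }

    // While the plaintext is available on a successful login, upgrade hashes
    // that were made with an older algorithm or a lower cost factor.
    if (password_needs_rehash($row['pass'], PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare('UPDATE db_pass SET pass = :pass WHERE id = :id');
        $upd->execute(array(
            ':pass' => password_hash($plainPassword, PASSWORD_DEFAULT),
            ':id'   => $row['id'],
        ));
    }
    return true;
}

// Demo using the sample password from the question; id and name are constructed.
saveUser($pdo, 1, 'pm', 'dalmation123');
$attempts = array(
    array('pm', 'dalmation123'),
    array('pm', 'wrong'),
    array('nobody', 'dalmation123'),
);
foreach ($attempts as $a) {
    printf("%-8s %-14s %s\n", $a[0], $a[1], checkLogin($pdo, $a[0], $a[1]) ? 'login ok' : 'error');
}
```

On the PHP versions current when this question was asked (before 5.5), the same bcrypt hashes come from crypt() with a `$2y$` salt, and the check is the comparison `crypt($plain, $stored) === $stored`; the password_compat library backports password_hash() and password_verify() to PHP 5.3.7 and later, so the code above can be kept as written.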
