如何在PHP中使用盐检查mysql加密值? [英] How to check a mysql encrypt value with a salt in PHP?
问题描述
对于我的网站,我已经使用以下MySQL函数将用户密码存储在数据库中:
ENCRYPT('password', CONCAT('$6$', SUBSTRING(SHA(RAND()), -16)))
现在我的用户可以登录了,我需要检查他们提供的密码以及数据库中的值.
我认为这将像这样简单:
SELECT user FROM users WHERE id = $id AND password = ENCRYPT('$password', CONCAT('$6$', SUBSTRING(SHA(RAND()), -16)))
但是,由于RAND()函数,这显然不起作用...
那么我该如何在PHP(或mysql)中重新创建此密码以使其与加密密码匹配?我以为我需要使用crypt()或hash(),但是老实说,我不确定是否应该使用PHP或MySQL.
我正在使用MySQL版本5.5,PHP版本5.3
ENCRYPT()使用的盐(更好地称为crypt()函数)存储为哈希的一部分,并且可以用作哈希的一部分.哈希:
SELECT ... FROM users WHERE ... AND password = ENCRYPT('swordfish', password);
(也就是说,如果用户输入的密码是"swordfish".我避免使用"password",因为它也是列名.)
您可以(并且应该)通过检查以下内容在PHP中执行相同的操作:
crypt($user_password, $hashed_password) == $hashed_password
请注意,crypt()并不是一种特别安全的密码存储方法.有关详细信息,请参见保护PHP密码的哈希值和盐值. >
For my website I've stored my user passwords in the database using this MySQL function:
ENCRYPT('password', CONCAT('$6$', SUBSTRING(SHA(RAND()), -16)))
Now for my users to login I need to check the password they supply with the value in the database.
I assumed it would be as easy as this:
SELECT user FROM users WHERE id = $id AND password = ENCRYPT('$password', CONCAT('$6$', SUBSTRING(SHA(RAND()), -16)))
However, it became apparent this would not work due to the RAND() function...
So how would I recreate this password in PHP (or mysql) to match it against encrypted password? I assume I would need to make use of crypt() or hash(), but I'm honestly not sure if PHP should be used or MySQL.
I am using MySQL version 5.5, PHP version 5.3
The salt used by ENCRYPT() (better known as the crypt() function) is stored as part of the hash, and can be used as part of the hash:
SELECT ... FROM users WHERE ... AND password = ENCRYPT('swordfish', password);
(That is, if the password the user entered was "swordfish". I'm avoiding "password" because it's also a column name.)
You can (and should) do the same thing in PHP by checking:
crypt($user_password, $hashed_password) == $hashed_password
Note that crypt() is not a particularly secure method of password storage. Please see Secure hash and salt for PHP passwords for details.
这篇关于如何在PHP中使用盐检查mysql加密值?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
