基本安全,PHP mySQl [英] Basic security, PHP mySQl
问题描述
所以我正在做一个基本的登录页面。我有一个很好的做法,但我仍然不确定某些事情。
So I am making a basic log-in page. I have a good idea of what to do, but I'm still unsure of some things.
我有一个数据库充满了学生和密码列当然。我知道我将在该列中使用md5加密。学生输入他们的电子邮件和学生证,如果正确,他们会收到电子邮件的密码。
I have a database full of students and a password column of course. I know I'm going to use md5 encryption in that column. The student enters their e-mail and student ID, and they get e-mailed a password if correct.
但是,我在哪里创建密码?我必须手动向所有学生手动添加mySQL中的密码(这是一个随机生成的字符串)吗?我想把密码发给学生;如果密码加密,我将如何知道发送学生?
But, where do I create the password? Do I have to manually add the password (which is just a randomly generated string) in mySQL to all the students? And I am suppose to send the password to the student; how will I know what to send the student if the password is encrypted?
我在考虑在学生首次输入电子邮件和学生证号码时生成密码。他们得到一个随机字符串的电子邮件,同时,我加上相同的随机字符串到数据库,加密。
I was thinking about generating the password when the student first enters their e-mail and student ID. They get an e-mail of the random string, and at the same time, I add the same random string to the database, encrypted.
这是怎么回事工作虽然?在同一页上感觉不安全。
Is that how it's suppose to work though? And it feels unsafe doing that all on the same page.
对于长期以来的新生问题,抱歉。我同时发现这一切都是正确的(AES和RSA加密:O)
Sorry for the long-winded, newbish question. I find this all facisnating at the same time as well (AES and RSA encryption :O)
推荐答案
这里有几件事: / p>
A few things here:
-
你没有真正加密它,你是哈希。容易的事情让新手混淆,但只是想让它的方式。
You aren't really encrypting it, you're hashing it. Easy thing for newbies to confuse, but just wanted to get that out of the way.
不要使用MD5,它只是不是一个非常安全的哈希。如果可能,请使用其中一种SHA变体。
Don't use MD5, it's just not a very secure hash. Use one of the SHA variants instead if possible.
不要只是哈希密码,你也想盐。基本上,这涉及在将哈希值添加到密码之前添加一个随机字符串,并将该随机字符串存储在稍后可以检索的位置(这样您可以在用户输入密码时验证哈希值)。这有助于防止预先计算的字典攻击。
Don't just hash the password, you'll want to "salt" it too. Basicly this involves adding a random string to the password before you hash it, and storing that random string somewhere where you can retrieve it later (so that you can validate the hash when the user enters their password). This helps prevent against pre-computed dictionary attacks.
至于生成密码,我觉得你在右边轨道 - 我只会在创建帐户时发送邮件,将其发送给他们,然后将其哈希并将哈希(和随机盐)存储在数据库中的用户记录上。
As for generating the password, I think you are on the right track - I would just generate it when they create their account, email it to them, then hash it and store the hashed (and a random salt) on the user record in the DB.
这篇关于基本安全,PHP mySQl的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
