PHP& MySQL比较密码 [英] PHP & MySQL compare password

问题描述

如何检查用户是否输入了正确的密码登录?

How does one check to see if a user has typed in the right password to log in?

这就是我(从很多组合中...)正在做的事情:

This is what (out of a bunch of combinations...) I am doing:

<?

$login = $_POST['login'];
$password = $_POST['password'];

mysql_connect('localhost', 'root', 'abc123');

mysql_select_db('aun_vox') or die(mysql_error());

$q = mysql_query("SELECT password FROM customer WHERE login='$login'");
$db_pass = mysql_result($q, 0);

if(md5($password) == $db_pass)
{
    echo "You did it.";
}

else echo "Wrong.";

?>

从输出中可以看到，mysql_result位有问题，但是我找不到正确的方法.

As I can see from the ouput, there's something wrong in the mysql_result bit, but I can't figure out the right way.

有人可以帮忙吗?

推荐答案

我看到您正在数据库中存储密码的哈希，但是为了其他读者的利益，从不将密码存储在数据库中的纯文本.您不想成为

I see you are storing a hash of the password in the database, but for the benefit of other readers, never store passwords in plain text in the database. You don't want to be like Monster.com.uk!

您应使用比MD5()更强大的哈希函数.理想情况下，您应该使用SHA256.在PHP中，可以使用 hash() 函数使用此哈希方法.

You should use a stronger hashing function than MD5(). Ideally you should use SHA256. This hash method is available in PHP using the hash() function.

您还应该对密码应用随机的盐.为每个用户的帐户存储不同的盐值.这有助于克服字典攻击和彩虹表攻击.

You should also apply a random salt to the password. Store a different salt value for each user's account. This helps to defeat dictionary attacks and rainbow table attacks.

您应该学会使用 mysqli 扩展名，而不要使用旧的mysql扩展名. Mysqli支持参数化查询，因此您可以减少对某些SQL注入攻击的脆弱性.

You should learn to use the mysqli extension instead of the old mysql extension. Mysqli supports parameterized queries, so you can reduce vulnerability to some SQL injection attacks.

这是一些示例代码.我还没有测试过，但是它应该已经可以正常工作了:

Here is some example code. I haven't tested it, but it should be pretty close to working:

$input_login = $_POST['login'];
$input_password = $_POST['password'];

$stmt = $mysqli->prepare("SELECT password, salt FROM customer WHERE login = ?");
$stmt->bind_param("s", $input_login);
$stmt->execute();
$stmt->bind_result($password_hash, $salt);

while ($stmt->fetch()) {
  $input_password_hash = hash('sha256', $input_password . $salt);
  if ($input_password_hash == $password_hash) {
    return true;
  }
  // You may want to log failed password attempts here,
  // for security auditing or to lock an account with
  // too many attempts within a short time.
}
$stmt->close();

// No rows matched $input_login, or else password did not match
return false;

---

其他一些人建议查询应该测试login = ? AND password = ?，但是我不喜欢这样做.如果这样做，您将无法知道查找是否由于登录名不存在或用户提供了错误的密码而失败.

---

Some other people suggest the query should test for login = ? AND password = ? but I don't like to do that. If you do this, you can't know if the lookup failed because the login didn't exist, or because the user provided a wrong password.

您当然不应该向导致失败的登录的用户透露，但是您可能需要知道您，以便您记录可疑活动.

Of course you shouldn't reveal to the user which caused the failed login attempt, but you may need to know, so you can log suspicious activity.

@Javier在他的回答中说，您不应该从数据库中检索密码(在这种情况下为密码哈希).我不同意

@Javier says in his answer that you shouldn't retrieve the password (or password hash in this case) from the database. I don't agree.

Javier显示了用PHP代码调用md5()并将生成的哈希字符串发送到数据库.但这不支持轻易添加密码.您必须做一个单独的查询来检索此用户的salt，然后才能在PHP中进行哈希处理.

Javier shows calling md5() in PHP code and sending that the resulting hash string to the database. But this doesn't support salting the password easily. You have to do a separate query to retrieve this user's salt before you can do the hash in PHP.

另一种方法是通过网络将 plaintext 密码从您的PHP应用程序发送到数据库服务器.窃听网络的任何人都可以看到此密码.如果您正在记录SQL查询，则有权访问日志的任何人都可以看到密码.有动机的黑客甚至可以潜入垃圾堆中以查找旧的文件系统备份介质，并可能以这种方式读取日志文件！

The alternative is sending the plaintext password over the network from your PHP app to your database server. Anyone wiretapping your network can see this password. If you have SQL queries being logged, anyone who gains access to the logs can see the password. Motivated hackers can even dumpster-dive to find old filesystem backup media, and might read the log files that way!

较小的风险是将密码哈希字符串从数据库中提取到PHP应用程序中，并将其与用户输入的哈希(同样在PHP代码中)进行比较，然后丢弃这些变量.

The lesser risk is to fetch the password hash string from the database into the PHP app, compare it to the hash of the user's input (also in PHP code), and then discard these variables.

这篇关于PHP& MySQL比较密码的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！