md5是否停止SQL注入 [英] Does md5 stop SQL Injection
问题描述
好吧
所以,我对此不太确定.
So, i'm a little unsure on this.
我有一个网址参数用户名.
我有这句话
SELECT * FROM users WHERE user_hash = md5($_GET['username'])
这安全吗?
创建帐户后,将存储用户名和密码的md5哈希版本.
Upon account creation an md5 hashed version of the username and the password are stored.
我很困惑,因为这似乎很简单,如果md5停止了sql注入,为什么用户名和密码不总是以哈希形式保存?
I'm confused as this seems so simple, if md5 stops sql injection why isn't username and password always saved in hash form?
推荐答案
是的,这将避免SQL注入,因为md5()
始终返回十六进制代码字符串.
Yes, this will avoid SQL injection, because md5()
always returns a string of hex code.
但这不是SQL注入的通用解决方案.您将必须以MD5格式对表中的几乎所有数据进行编码.例如,
But it isn't a general solution to SQL-injection. You would have to encode almost all the data in your tables in MD5 format. For instance,
$sql = "UPDATE users SET fullname = '" . md5($_GET['fullname']) . "'
WHERE id = '" . md5($_GET['id']) . "'";
但是MD5是单向哈希,因此无法显示以这种方式存储的全名.
But MD5 is a one-way hash, so there would be no way of displaying the full name that was stored this way.
这篇关于md5是否停止SQL注入的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!