使用md5加密的PHP和Mysql查询出现问题 [英] Trouble with PHP and Mysql queries using md5 encryption

问题描述

我正在使用普通的php/mysql插入查询，并使用md5加密密码

这是INSERT查询:

$sql = mysql_query("INSERT INTO user (username, password, role, approved) values ('".$username."', '".md5($password)."', 'user', '0')");

这是我用于登录检查的SELECT查询:

$sql = "SELECT id, username, password, role, approved FROM user WHERE username = '".$username."' AND password = '".md5($password)."'";

$result = mysql_query($sql);

但是当我检查插入的密码和登录密码时，即使我提供了相同的值，它也会返回2个不同的值.

有人可以帮助我解决此问题吗?

解决方案

这里有许多典型的警告……提及它们无伤大雅.

首先，用于密码哈希处理的vanilla md5当然不是在数据库中保护用户密码的最佳方法.关于stackoverflow的许多问题都记录了更好的方法，尽管存在意见分歧，但与常规的md5无盐哈希相比，它们都更加安全.

保护PHP密码的哈希值和盐值

为什么不在PHP中使用AES进行密码加密?

此外，您不对SQL输入进行任何清理，使数据库容易受到SQL注入攻击.杂乱无章的用户可以操纵您的用户插入来删除表或修改您的数据结构.您需要使用mysql_real_escape_string()来转义这些值，或者采用完全不同的数据库访问系统(例如PDO)，该系统已对sql参数化.

如何防止PHP中的SQL注入?

也就是说，您的查询应检查是否存在具有正确用户名和密码的User行，通常通过首先执行COUNT查询并确保用户以有效的登录凭据在数据库中存在来实现. /p>

您应确保数据库列的长度和数据类型正确，以存储密码的哈希值.截断其中任何一个都可能破坏数据.

我希望这会有所帮助-SQL注入可能特别讨厌！

I am using a normal php/mysql insert query and use md5 to encrypt the password

This is the INSERT query:

$sql = mysql_query("INSERT INTO user (username, password, role, approved) values ('".$username."', '".md5($password)."', 'user', '0')");

And this is my SELECT query which I use for my login check:

$sql = "SELECT id, username, password, role, approved FROM user WHERE username = '".$username."' AND password = '".md5($password)."'";

$result = mysql_query($sql);

But when I check the inserted password and the login password, it returns 2 different values even though if I give same values.

Can anybody help me to fix this problem?

解决方案

Many of the typical caveats here apply... it can't hurt to mention them.

First, vanilla md5 for your password hashing is certainly not the best way to secure your user password within the database. There are numerous questions on stackoverflow that document better approaches, and though there are differences of opinion, they are all more secure that a regular md5, unsalted hash.

Secure hash and salt for PHP passwords

Why not use AES for password encryption in PHP?

Also, you are doing no sanitization of your sql inputs, leaving your database open to sql injection attacks. A meddlesome user could manipulate your user insert to drop tables or modify your data structure. You need to escape these values using mysql_real_escape_string() or adopt a totally different database access system like PDO that has parameterized sql.

How can I prevent SQL injection in PHP?

That being said, your query should check for the existence of a User row that has the correct username and password, usually achieved by doing a COUNT query first and ensuring that the user is present in the database with valid login creds.

You should ensure that your database columns are proper length and datatype to store the hashes for passwords. Truncation of either could destroy the data.

I hope this helps - SQL injection can be especially nasty!

这篇关于使用md5加密的PHP和Mysql查询出现问题的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！