我应该使用mysql_real_escape_string在注册表中输入的密码吗? [英] Should I mysql_real_escape_string the password entered in the registration form?

问题描述

当用户注册时，我使用mysql_real_escape_string如下所述 clean 密码

When a user registers I clean the password with mysql_real_escape_string as follow

$password = clean($_POST['password']); 

在将其添加到数据库之前，我使用:

Before adding it into database I use :

$hashedpassword = sha1('abcdef'.$password);

并将其保存到mySQL中.

and save it into mySQL.

我的问题是我应该清理密码，还是在将密码添加到数据库之前保护密码已被散列?

My question is should I clean it or am I protected that the password is hashed before adding it into the DB ?

推荐答案

嗯，有一个主要的误解.

Well, there is one major misunderstanding.

mysql_real_escape_string()不 干净 任何事情.与安全性完全无关.

mysql_real_escape_string() does not clean anything. It has nothing to do with security at all.

此函数仅用于转义定界符，仅此而已.它可以帮助您将字符串数据放入SQL查询中.

This function is used just to escape delimiters and nothing more. It can help you to put string data into SQL query - that's all.

因此，要查询的每个字符串(将其用引号引起来)，都必须使用此函数进行准备.在所有其他情况下，它将是无用的，甚至是有害的.

So, every string you're going to put into query (by putting it in quotes), you have to prepare it with this function. In all other cases it would be useless or even harmful.

因此，
出于这种误解，您在这里犯了两个主要错误:

Thus,
out of this misunderstanding, you're doing 2 major mistakes here:

• 您正在使用此功能，而不是用于实际要查询的数据
• 您可以通过在密码上添加一些符号来破坏密码，从而使其无法使用

此外，请注意，此功能应始终与mysql_set_charset结合使用，否则此功能的"_real_"部分将变得无用

Also, as a side note, please bear in mind that this function should be always used in conjunction with mysql_set_charset, or otherwise a "_real_" part of this function become useless

这篇关于我应该使用mysql_real_escape_string在注册表中输入的密码吗?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！