Encrypt password before storing in database?


Problem description

I have a password being passed from my iPhone app to the database via a php script, user.php.

The variable $pass is populated by the following:

$pass = str_replace("'", "", $_REQUEST['pass']);

How can I encrypt this before it's inserted into my database? I've read a little about the different techniques, but I'm looking for the best way to manage this.

Thanks, everyone.

Recommended answer

While the answer below is technically still correct, PHP has new recommendations with regard to the hashing algorithms to use. Their recommendation, as of PHP >= 5.5.0, is to use the password_hash and password_verify functions to hash and verify hashed passwords. As an added benefit, these functions automatically include an individualized salt as part of the returned hash, so you don't need to worry about that explicitly.


If you don't care about retrieving the actual password's value (from the database encrypted value), you can run a one-way hash algorithm on it (such as sha1). This function will return a specific length string (hash) which cannot be used to find the original string (theoretically). It is possible that two different strings could create the same hash (called a collision) but this shouldn't be a problem with passwords.
Example: $pass = sha1($_REQUEST['pass']);

One thing to make it a little more secure is to add a salt to the hash and run the hash function again. This makes it more difficult to generate a password hash maliciously, since the salt value is handled server-side only.
Example: $pass = sha1(sha1($_REQUEST['pass']).sha1("mySalt@$#(%"));
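The following is an added example (editor's code, not part of the original question or answer) showing the password_hash/password_verify flow the answer's update recommends, wired into the kind of user.php the question describes. The table and column names (users, password_hash), the in-memory SQLite connection, and the sample usernames and passwords are assumptions made so the script runs offline; in a real user.php the values would come from $_REQUEST and the PDO connection would be the application's own.

```php
<?php
// Added example: hashing a password with password_hash() before it is stored,
// and checking it later with password_verify(). Not code from the original
// question or answer. Table/column names and the SQLite connection are assumed.

declare(strict_types=1);

// Assumed in-memory SQLite database so the example runs without a server.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');

function registerUser(PDO $db, string $username, string $password): void
{
    // password_hash() generates a random per-password salt and embeds the
    // algorithm, cost and salt in the returned string, so only this one
    // string needs to be stored; no separate salt column, no fixed server salt.
    $hash = password_hash($password, PASSWORD_DEFAULT);

    // A prepared statement with bound parameters replaces the
    // str_replace("'", "", ...) from the question: quoting is handled by the
    // driver, and the cleartext password never reaches the database at all.
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => $hash]);
}

function loginUser(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        // Unknown user: still run one verify against a throwaway hash so the
        // response time does not reveal which usernames exist.
        static $dummyHash = null;
        $dummyHash = $dummyHash ?? password_hash('not-a-real-password', PASSWORD_DEFAULT);
        password_verify($password, $dummyHash);
        return false;
    }

    // password_verify() reads the algorithm and salt out of the stored hash and
    // compares in constant time; the application never touches the salt itself.
    if (!password_verify($password, $row['password_hash'])) {
        return false;
    }

    // If PHP's default algorithm or cost has changed since this hash was made,
    // rehash now, while the cleartext is available, and store the new value.
    if (password_needs_rehash($row['password_hash'], PASSWORD_DEFAULT)) {
        $newHash = password_hash($password, PASSWORD_DEFAULT);
        $upd = $db->prepare('UPDATE users SET password_hash = :h WHERE username = :u');
        $upd->execute([':h' => $newHash, ':u' => $username]);
    }

    return true;
}

// Constructed sample data standing in for $_REQUEST['user'] / $_REQUEST['pass'].
registerUser($db, 'alice', 'correct horse battery staple');

echo loginUser($db, 'alice', 'correct horse battery staple') ? "alice: login ok\n" : "alice: login failed\n";
echo loginUser($db, 'alice', 'wrong password') ? "alice: login ok\n" : "alice: login failed\n";
echo loginUser($db, 'nobody', 'anything') ? "nobody: login ok\n" : "nobody: login failed\n";
```

Two practical points when adopting this in an existing schema: the sha1 examples in the answer produce a fixed 40-character hex string using a fast hash and a single server-wide salt, whereas password_hash() uses a random salt per password and a deliberately slow, cost-tunable algorithm (bcrypt for PASSWORD_DEFAULT in PHP 5.5), and its output is longer (60 characters for bcrypt) and may grow when PASSWORD_DEFAULT changes in a future PHP release, so the PHP manual recommends a column of at least 255 characters. The password_needs_rehash() call above is what lets the stored hashes follow such a change transparently on the user's next login.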

