与MySQL数据库之间的密码加密/解密 [英] Encrypting/Decrypting Passwords to and from a MySQL database

问题描述

我开始为我的网站创建一个用户系统，我要做的是对密码进行加密，而不是明文加密.我使用的是PHP/MySQL，因此我认为crypt()是一个不错的起点.但是，我是这种密码学的新手，我无法确切了解其工作原理.有没有人知道如何在最简单的级别上实现将密码存储为加密字符串但始终能够解密而又没有安全性问题的方法?

I'm starting to create a user system for my website, and what I want to do is to have the passwords encrypted, rather than plaintext. I'm using PHP/MySQL, so I figured crypt() is a good place to start. However, I'm brand new to cryptography like this, and I'm having trouble understanding exactly how it works. Does anybody know how to implement, at the simplest level, a way for passwords to be stored as an encrypted string, but always be able to be decrypted, without a security issue?

推荐答案

密码应该是散列的，而不是加密的.也就是说，您不应该能够解密密码.相反，您应该比较哈希值.

Passwords should be hashed, not encrypted. That is, you should not be able to decrpyt the password. Instead, you should compare hashes.

1. 用户设置密码$password = 'hX4)1z'
2. 您将获得密码的哈希并存储到数据库:

#

$pw = hash_hmac('sha512', 'salt' . $password, $_SERVER['site_key']);
mysql_query('INSERT INTO passwords (pw) VALUES ('$pw');

1. 客户稍后再回来.他们输入了密码，然后您进行了比较:

#

mysql_query('SELECT pw FROM passwords WHERE user_id = ?');
//$pw = fetch

if ($pw == hash_hmac('sha512', 'salt' . $_REQUEST['password'], $_SERVER['site_key']) {

   echo "Logged in";

}

这篇关于与MySQL数据库之间的密码加密/解密的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！