How do I upload a hashed password to my database?


Problem description


I have a basic login page that uses this PHP code to upload directly to my database. When I use this code it works fine and it uploads everything to my table:

    $fname = $_POST['fname'];
    $lname = $_POST['lname'];
    $Email = $_POST['Email'];
    $username = $_POST['username'];
    $password = ($_POST['password']);
    $PhoneNumber = ($_POST['PhoneNumber']);
    $query = $con->prepare("
    INSERT INTO Users (fName, lName, Email, username, pass_word, PhoneNumber)
    VALUES (:fname, :lname, :Email, :username, :password, :PhoneNumber)
    ");
    $success = $query->execute([
        'fname' => $fname,
        'lname' => $lname,
        'Email' => $Email,
        'username' => $username,
        'password' => $password,
        'PhoneNumber' => $PhoneNumber
    ]);

But when I add the hash password function it just doesn't upload anything to the database at all.

    $fname = $_POST['fname'];
    $lname = $_POST['lname'];
    $Email = $_POST['Email'];
    $username = $_POST['username'];
    $password = ($_POST['password']);
    $PhoneNumber = ($_POST['PhoneNumber']);
    $hashed_password = password_hash($password, PASSWORD_DEFAULT);
    $query = $con->prepare("
    INSERT INTO Users (fName, lName, Email, username, pass_word, PhoneNumber)
    VALUES (:fname, :lname, :Email, :username, :password, :PhoneNumber)
    ");
    $success = $query->execute([
        'fname' => $fname,
        'lname' => $lname,
        'Email' => $Email,
        'username' => $username,
        'password' => $hashed_password,
        'PhoneNumber' => $PhoneNumber
    ]);

Update: I made the changes that were suggested but I am still having the same issue. This is my updated code:

    $password = $_POST['password'];
    $hashed_password = password_hash($_POST['password'], PASSWORD_BCRYPT, ['cost' => 15]);
    $query = $con->prepare("
    INSERT INTO Users (fName, lName, Email, username, pass_word, PhoneNumber)
    VALUES (:fname, :lname, :Email, :username, :password, :PhoneNumber)
    ");
    $success = $query->execute([
        'fname' => $fname,
        'lname' => $lname,
        'Email' => $Email,
        'username' => $username,
        'password' => $hashed_password,
        'PhoneNumber' => $PhoneNumber
    ]);

Solution

1:

 $hashed_password = password_hash($hashed_password, PASSWORD_DEFAULT);

You are hashing an empty string.

You should be hashing the variable containing the password:

 $hashed_password = password_hash($_POST['password'], PASSWORD_DEFAULT);

2:

Your SQL query should not contain any variables, this is bad practice and potentially unsafe (for other non-hashed variables).

VALUES (:fname, :lname, :Email, :username,$hashed_password, :PhoneNumber) 

But you have $hashed_password as a hardcoded variable. This is incorrect on a syntax level and will cause SQL errors as it's not encased in quotes.

You need to set this value in the ->execute as you do with all the other variables:

    $query = $con->prepare("
    INSERT INTO Users (fName, lName, Email, username, pass_word, PhoneNumber)
    VALUES (:fname, :lname, :Email, :username, :pwd, :PhoneNumber)
    ");
    $success = $query->execute([
        'fname' => $fname,
        'lname' => $lname,
        'Email' => $Email,
        'username' => $username,
        'pwd' => $hashed_password,
        'PhoneNumber' => $PhoneNumber
    ]);

SECURITY NOTES:

A:

You are not setting a cost value on your PASSWORD_DEFAULT (at time of writing this is BCRYPT) hashing mechanism. It is STRONGLY ENCOURAGED that you set this cost value to as high as possible, rather than the default of 10.

I would suggest setting the cost value to at least 15, and reading the PHP Manual Page, which also sets out how to find the ideal cost value of your server.

 $hashed_password = password_hash($password, PASSWORD_BCRYPT, ['cost' => 15]);

B:

I would also highly recommend using one of the ARGON password hashing mechanisms. You will need to recompile PHP with this enabled. I'm sure this will be made easier in coming PHP versions.

C:

I would also highly recommend ensuring your MySQL collations and character sets are UTF8mb4_ prefixed unicode: UTF8mb4_unicode_ci with respect to your password storage column/table (Also ensure your column is long enough*).

* that's what she said!
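A complete register-and-verify pair around the fix above, added here as an example and not code from the question or the answer. It assumes the Users table and pass_word column from the question, an existing PDO handle $con, an id column, and the hypothetical helper names hashOptions(), register() and login(); the PDO::ERRMODE_EXCEPTION line is the check that turns a silently failed INSERT (the "nothing gets uploaded" symptom) into a visible error, and the cost is treated as a value to benchmark per server rather than a fixed number.

```php
<?php
// Added example, not the asker's or answerer's code. Assumes the Users table and
// pass_word column from the question, an existing PDO handle $con, and an id column.

// Make PDO throw instead of failing silently: a silent INSERT failure with no
// error shown is the usual reason "nothing gets uploaded".
$con->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Argon2id when this PHP build defines it, else bcrypt with a cost benchmarked
// for this server (raise it until one hash takes roughly 250 ms).
function hashOptions(): array {
    return defined('PASSWORD_ARGON2ID')
        ? [PASSWORD_ARGON2ID, []]
        : [PASSWORD_BCRYPT, ['cost' => 12]];
}

function register(PDO $con, array $post): bool {
    [$algo, $opts] = hashOptions();
    $hash = password_hash($post['password'], $algo, $opts);
    // Only placeholders in the SQL; every value is bound in execute().
    // pass_word must hold the full hash: bcrypt is 60 chars, Argon2id about 97.
    $stmt = $con->prepare(
        'INSERT INTO Users (fName, lName, Email, username, pass_word, PhoneNumber)
         VALUES (:fname, :lname, :email, :username, :pwd, :phone)'
    );
    return $stmt->execute([
        'fname'    => $post['fname'],
        'lname'    => $post['lname'],
        'email'    => $post['Email'],
        'username' => $post['username'],
        'pwd'      => $hash,
        'phone'    => $post['PhoneNumber'],
    ]);
}

function login(PDO $con, string $username, string $password): bool {
    $stmt = $con->prepare('SELECT id, pass_word FROM Users WHERE username = :u');
    $stmt->execute(['u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['pass_word'])) {
        return false;
    }
    // Upgrade the stored hash transparently when the policy above has changed.
    [$algo, $opts] = hashOptions();
    if (password_needs_rehash($row['pass_word'], $algo, $opts)) {
        $upd = $con->prepare('UPDATE Users SET pass_word = :pwd WHERE id = :id');
        $upd->execute(['pwd' => password_hash($password, $algo, $opts), 'id' => $row['id']]);
    }
    return true;
}
```

With exceptions enabled, a wrong column name, a too-short pass_word column or a collation problem surfaces as a PDOException on the INSERT instead of an empty table.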
