php sha256 今天(2019 年 5 月)安全吗? [英] is php sha256 safe today (may 2019)?

问题描述

在我网站的登录页面中使用 sha256 然后通过 base64_encode 对其进行加密是否安全?我需要你的建议.谢谢大家.

Is sha256 secure to use in the login page of my website then encrypt it by base64_encode? I need your recommendations. Thanks from all.

    $username = $_POST['username'];
    $password=  $_POST['password'];
    $sPassword= hash('sha256',$password);
    $ePassword= base64_encode($sPassword);

    $insertSQLQuery = $conn->query("INSERT INTO tbl_users (username,password) 
VALUES ('$username ','$ePassword')");

推荐答案

没有必要使用 hash() 方法，当 PHP 有自己的构建时，创建自己的哈希技术是非常没有意义的在函数中实现这一点.

There is no need to use the hash() method and is extremely pointless creating your own hashing techniques when PHP has its own built in functions to achieve this.

password_hash() 和 password_verify.

暗指@David 的回答.您还应该创建一个盐:它是一个独特的添加"，您在对其进行散列之前将其连接到密码以确保进一步的安全测量和数据完整性.对我们来说幸运的是，当您向 PHP 提供预定义的 PASSWORD_BCRYPT 算法时，PHP 的内置函数 password_hash() 会执行此操作.

Alluding to @David's answer. You should also create a salt: its a unique "addition" you concat to the password before hashing it to ensure further security measurements and data integrity. Luckily enough for us, PHP's built in function password_hash() does this when you provide it with the pre defined PASSWORD_BCRYPT algorithm.

仅供参考:正如@treyBake 所暗示的，您的查询对 SQL 注入是开放的.使用准备好的语句并进行完整性检查！

FYI: As alluded to by @treyBake your query is open to SQL injections. Make use of prepared statements and do sanity checks!

if(
   isset(($username = $_POST['username'])) &&
   isset(($password = $_POST['password']))
) {
    ($con->prepare('INSERT INTO tbl_users (username, password) VALUES (? ,?)'))
         ->execute(array(
             $username,
             password_hash(base64_encode($password), PASSWORD_BCRYPT)
         ));
}

这篇关于php sha256 今天(2019 年 5 月)安全吗?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！