每个Web开发者应该知道加密？ [英] What should every web developer know about encryption?

问题描述

我刚刚登陆了一个PHP5演出。我不会处理涉及超级敏感数据的应用程序的部分，但我仍然对安全和加密方法感到尴尬。我只知道非常基础（不要以明文存储密码，不允许用户使用帖子数据运行代码等）。我需要知道什么才能使我的应用程序安全，我在哪里可以学习？

解决方案

了解哈希和加密。加密通常是字符串的双向解释。我可以加密我的密码，然后再解密为明文。散列的想法是，它们成为单向加密。

在我的网站上，我将密码存储为散列。任何时候用户登录，我重新哈希他们提供的密码，测试它与存储在数据库中的哈希，并批准，如果他们匹配。如果忘记密码，我无法发送他们的密码，因为（一般地）我无法知道这两个字符串可以转换成相同的哈希值，这通常不可能找出原始的字符串。

这是一个很好的一个问题，以了解和了解何时使用加密与散列。

I've just landed a PHP5 gig. I won't be handling the parts of the application that involve super sensitive data, but I still know embarrassingly little about security and encryption methods. I only know the very basics (don't store passwords in plaintext, don't allow users to run code using post data, etc). What do I need to know to keep my applications secure, and where can I learn it?

解决方案

Learn the difference between hashes and encryption. Encryptions are generally two-way interpretations of a string. I can encrypt my password, and then decrypt it to plaintext again. The idea behind hashes are that they become a one-way 'encryption.'

On my sites I store passwords as hashes. Anytime a user signs on, I re-hash their provided password, test it against the hash stored in the database and approve if they match. I cannot send them their password if they forget it, since (generally) there is no way for me to know.Two different strings can translate into the same hash, which makes it (generally) impossible to find out what the original string was.

This is one issue that is good to get a firm understanding of, and discern when to use encryption vs. hashes.

这篇关于每个Web开发者应该知道加密？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！