哈希或加密要在url中发送的变量 [英] Hashing or encrypting variables to be sent in a url
问题描述
我有一个需要生成的链接,可以放在一个电子邮件中。当用户点击此链接时,该系统旨在将电子邮件中发送的代码与用户匹配,以便可以拉出该用户的记录。
I have a link which needs to be generated so that it can be placed in an email. When the user clicks on this link, the system is meant to match the code sent in the email to a user, so it can pull up the records for that user.
但是,我不太确定使用哪种加密/散列方法。对于本网站管理系统的登录,在数据库中使用PBKDF2进行密码(含盐)和AES加密,当它发送到会话变量时,但我不知道PBKDF2& AES是url兼容的。
However, I am not quite sure which encryption/hashing method to use. For the login for the admin system on this site, I use PBKDF2 in the database for the password (with salting) and AES encryption when it is sent to the session variables, but I don't know if the characters used by PBKDF2 & AES are url compatible.
基本上,我需要最好的哈希/生成随机代码来存储数据库和加密方法,以便我可以放置一年和代码(我之前提到的)在一个url。
Basically, I need the best method of hashing/generating a random code for storage in the database and an encryption method so that I can place a year and the code (which I previously mentioned) in a url. I am using PHP and MySQL if that helps.
你有什么想法?
推荐答案
大多数加密(或散列等)例程的输出是任意二进制数据,不能安全地包含在URL中而不进行编码。
The output of most encryption (or hashing, etc.) routines is arbitrary binary data, which cannot be safely included in a URL without encoding it.
作为eggyal notes ,只需在数据上使用 urlencode()即可足够。然而,标准URL编码可能不是编码随机二进制数据的最紧凑的方法。 Base64 编码会更有效率,但不幸的是,由于使用了
As eggyal notes, simply using urlencode() on the data should be enough. However, standard URL-encoding may not be the most compact way to encode random binary data. Base64 encoding would be more efficient, but unfortunately is not completely URL-safe due to its use of the + character.
幸运的是,存在base64编码的标准化URL安全变体,在<一个href =http://tools.ietf.org/html/rfc4648 =nofollow noreferrer> RFC 4648 为base64url。这是一个使用PHP编码和解码数据的功能,基于gutzmer at usa dot net的答案:
Fortunately, there exists a standardized URL-safe variant of the base64 encoding, specified in RFC 4648 as "base64url". Here's a pair of functions for encoding and decoding data using this encoding in PHP, based on this answer by "gutzmer at usa dot net":
function base64url_encode($data) {
return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}
function base64url_decode($data) {
return base64_decode(strtr($data, '-_', '+/'));
}
(我已经简化了一些解码功能,因为至少现在的版本的PHP显然不需要输入到 base64_decode()中的 = 填充字符。)
(I've simplified the decoding function a bit, since at least current versions of PHP apparently don't require = padding characters in the input to base64_decode().)
Ps。为了安全地生成随机令牌,请参见例如。 此问题。
Ps. For securely generating the random tokens in the first place, see e.g. this question.
这篇关于哈希或加密要在url中发送的变量的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
