use*_*925 5 php mysql sql database salt
I have a question about passwords in SQL:

The code below applies to a specific password, by generating a random 10-character string:

```sql
UPDATE Teacher
SET TeacherSalt = SUBSTRING(MD5(RAND()), -10),
    TeacherPassword = SHA1(CONCAT('009b9b624aaecc4b3217dcd4bfee15ab704745d7', SUBSTRING(MD5(RAND()), -10)))
WHERE TeacherPassword = '009b9b624aaecc4b3217dcd4bfee15ab704745d7'
```
But my problem is that I want to change the salt so that the string it generates is drawn from all of these characters:

./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789

That is 63 characters. The PHP way looks like this:

```php
$salt = "";
for ($i = 0; $i < 40; $i++) {
    $salt .= substr(
        "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789",
        mt_rand(0, 63),
        1);
}
```

But how can I write this in the SQL way shown above?
小智 5
It can be done in MySQL. Generating the random word is not that pretty, but the part about generating and applying the salts is not hard.

Use 2 statements: first generate a salt for everyone, then apply them. (Note: if you really only want to apply it to one account, add a WHERE clause.)
```
mysql> select * from salty;
+------+------+------+
| id   | pw   | salt |
+------+------+------+
|    1 | fish | NULL |
|    2 | bird | NULL |
|    3 | fish | NULL |
+------+------+------+
```
(Note that users 1 and 3 happen to have the same password. You do not want them to end up identical after salting and hashing, though.)
```
mysql> update salty set salt=SUBSTRING(MD5(RAND()), -10);
mysql> select * from salty;
+------+------+------------+
| id   | pw   | salt       |
+------+------+------------+
|    1 | fish | 00fe747c35 |
|    2 | bird | ee4a049076 |
|    3 | fish | 6a8285f03c |
+------+------+------------+
```
(Note: I will show the version with a specific alphabet later.)
```
mysql> update salty set pw=sha1(concat(pw,salt));
mysql> select * from salty;
+------+------------------------------------------+------------+
| id   | pw                                       | salt       |
+------+------------------------------------------+------------+
|    1 | ac1b74c36b4d2426460562e8710bd467bd034fc8 | 00fe747c35 |
|    2 | d63d035f9cac1ac7c237774613b8b702d8c227df | ee4a049076 |
|    3 | 6a0b1e36f489ef959badf91b3daca87d207fb5de | 6a8285f03c |
+------+------------------------------------------+------------+
```
There you have it: two statements, and every row is uniquely salted and hashed.

Now, to generate random words from a given alphabet, there is an ugly trick with ELT(). For a 10-letter word over a 64-character alphabet:
```sql
UPDATE salty SET salt=CONCAT(
ELT(1+FLOOR(RAND()*64),
'.','/',
'A','B','C','D','E','F','G','H','I','J','K','L','M','N','O','P','Q','R','S','T','U','V','W','X','Y','Z',
'a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z',
'0','1','2','3','4','5','6','7','8','9'),
ELT(1+FLOOR(RAND()*64),
'.','/',
'A','B','C','D','E','F','G','H','I','J','K','L','M','N','O','P','Q','R','S','T','U','V','W','X','Y','Z',
'a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z',
'0','1','2','3','4','5','6','7','8','9'),
ELT(1+FLOOR(RAND()*64),
'.','/',
'A','B','C','D','E','F','G','H','I','J','K','L','M','N','O','P','Q','R','S','T','U','V','W','X','Y','Z',
'a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z',
'0','1','2','3','4','5','6','7','8','9'),
ELT(1+FLOOR(RAND()*64),
'.','/',
'A','B','C','D','E','F','G','H','I','J','K','L','M','N','O','P','Q','R','S','T','U','V','W','X','Y','Z',
'a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z',
'0','1','2','3','4','5','6','7','8','9'),
ELT(1+FLOOR(RAND()*64),
'.','/',
'A','B','C','D','E','F','G','H','I','J','K','L','M','N','O','P','Q','R','S','T','U','V','W','X','Y','Z',
'a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z',
'0','1','2','3','4','5','6','7','8','9'),
ELT(1+FLOOR(RAND()*64),
'.','/',
'A','B','C','D','E','F','G','H','I','J','K','L','M','N','O','P','Q','R','S','T','U','V','W','X','Y','Z',
'a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z',
'0','1','2','3','4','5','6','7','8','9'),
ELT(1+FLOOR(RAND()*64),
'.','/',
'A','B','C','D','E','F','G','H','I','J','K','L','M','N','O','P','Q','R','S','T','U','V','W','X','Y','Z',
'a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z',
'0','1','2','3','4','5','6','7','8','9'),
ELT(1+FLOOR(RAND()*64),
'.','/',
'A','B','C','D','E','F','G','H','I','J','K','L','M','N','O','P','Q','R','S','T','U','V','W','X','Y','Z',
'a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z',
'0','1','2','3','4','5','6','7','8','9'),
ELT(1+FLOOR(RAND()*64),
'.','/',
'A','B','C','D','E','F','G','H','I','J','K','L','M','N','O','P','Q','R','S','T','U','V','W','X','Y','Z',
'a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z',
'0','1','2','3','4','5','6','7','8','9'),
ELT(1+FLOOR(RAND()*64),
'.','/',
'A','B','C','D','E','F','G','H','I','J','K','L','M','N','O','P','Q','R','S','T','U','V','W','X','Y','Z',
'a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z',
'0','1','2','3','4','5','6','7','8','9')
);
```

```
mysql> select * from salty;
+------+------+------------+
| id   | pw   | salt       |
+------+------+------------+
|    1 | fish | TzHO0e5I/k |
|    2 | bird | 65xLptoDZ3 |
|    3 | fish | JNok/SfmkG |
+------+------+------------+
```
Scary, isn't it? But doing this in a single MySQL statement is probably far faster than looping in PHP and issuing one (or two) queries per row, especially if you have to apply it to a table with millions of records. One ugly query versus millions of queries.

But as others have said, SHA1 really is not good enough any more.

If you do have a lot of records, you could update them all with a couple of MySQL queries to use SHA2 as a stopgap, and then use PHP to update them one by one over time to a stronger hash. Of course, you would need some way of knowing which hash a given record uses.

As a side note, if you are only updating a single row (as in your example), you can use a MySQL variable to hold the generated random string just long enough to update both columns of that row:
```
mysql> SET @salt=SUBSTRING(MD5(RAND()), -10); UPDATE salty SET salt=@salt,pw=SHA1(CONCAT(pw,@salt)) WHERE id=2; SET @salt=NULL;
```
That way the same value in @salt is used both to set the salt and in the pw calculation. It cannot be used to update multiple rows, though (they would all end up with the same salt).
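As an added example (not code from the question or from the answer above), here is the same flow in Python: a salt drawn from the question's 64-character alphabet, the SHA1(CONCAT(pw, salt)) hash from the answer's table, and the login check that re-hashes with the stored salt. It mirrors both the question's UPDATE, where RAND() is evaluated separately for the salt column and inside the hash, and the single-@salt fix from the side note; the function and row names are assumptions, and Python's `secrets` stands in for MySQL's RAND(), which is not a cryptographic generator.

```python
import hashlib
import secrets

# The 64-character alphabet from the question ("./A-Za-z0-9").
SALT_ALPHABET = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"


def make_salt(length=10, alphabet=SALT_ALPHABET):
    """Pick `length` characters uniformly from `alphabet`: the ELT() trick
    from the answer, but driven by the OS CSPRNG behind `secrets`."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def salted_sha1(password, salt):
    """Mirror MySQL's SHA1(CONCAT(pw, salt)): hex digest of password||salt."""
    return hashlib.sha1((password + salt).encode()).hexdigest()


def salt_row_buggy(plaintext):
    """Mirror the question's UPDATE: the random value is generated once for
    the salt column and again inside the hash, so the stored salt is NOT the
    salt that went into the stored hash (hypothetical row shape)."""
    stored_salt = make_salt()
    hashed_with = make_salt()  # second, independent random value
    return {"salt": stored_salt, "pw": salted_sha1(plaintext, hashed_with)}


def salt_row_fixed(plaintext):
    """Mirror SET @salt=...; UPDATE ... salt=@salt, pw=SHA1(CONCAT(pw,@salt)):
    one salt, used both for storage and for the hash."""
    salt = make_salt()
    return {"salt": salt, "pw": salted_sha1(plaintext, salt)}


def verify_login(row, candidate):
    """Login check: re-hash the candidate with the salt stored in the row and
    compare with the stored hash in constant time."""
    return secrets.compare_digest(row["pw"], salted_sha1(candidate, row["salt"]))
```

Rows written by `salt_row_buggy` can never be verified, which is exactly why the side note keeps the salt in a variable; `salt_row_fixed` rows verify, and two users with the password "fish" get different hashes.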
If you really want random salting, it can only be done by generating a random salt in PHP, encrypting the password with that salt, and storing the salt key and the password in two fields of the table. The table must have a salt field and a password field. But if you only want to do the encryption with MySQL, have a look here: http://dev.mysql.com/doc/refman/5.5/en//encryption-functions.html
When we verify a user's login credentials we follow the same process, except that this time we use the salt from the database instead of generating a new random one. We append the password the user supplied to it, run the hashing algorithm, and compare the result with the hash stored in that user's profile.

How insecure is salted SHA1 compared to salted SHA512

I hope you understand it now.
Views: 6593