问题
Is sha256 secure to use in the login page of my website then encrypt it by base64_encode? I need your recommendations. Thanks from all.
$username = $_POST['username'];
$password= $_POST['password'];
$sPassword= hash('sha256',$password);
$ePassword= base64_encode($sPassword);
$insertSQLQuery = $conn->query("INSERT INTO tbl_users (username,password)
VALUES ('$username ','$ePassword')");
回答1:
There is no need to use the hash() method and is extremely pointless creating your own hashing techniques when PHP has its own built in functions to achieve this.
password_hash() and password_verify.
Alluding to @David's answer. You should also create a salt: its a unique "addition" you concat to the password before hashing it to ensure further security measurements and data integrity. Luckily enough for us, PHP's built in function password_hash() does this when you provide it with the pre defined PASSWORD_BCRYPT algorithm.
FYI: As alluded to by @treyBake your query is open to SQL injections. Make use of prepared statements and do sanity checks!
if(
isset(($username = $_POST['username'])) &&
isset(($password = $_POST['password']))
) {
($con->prepare('INSERT INTO tbl_users (username, password) VALUES (? ,?)'))
->execute(array(
$username,
password_hash(base64_encode($password), PASSWORD_BCRYPT)
));
}
回答2:
It is if you use a salt. sha256 uses an algorithm that is only in one way, you can cipher a string but you cannot revert the operation. The problem is that it exists databases with tons of data of every possible string up to around 12 characters ciphered to the different cipher systems and you can get the original string by querying the database in a matter of seconds. That's why you should use a salt.
A salt is a predefined long string used as a key joined to your password before the encrypting. As @Jaquarh comments you should create and store a different salt for each user. You can for example generate a random string. Also you should use data binding to your query to prevent sql injections.
In your code you can make it much more secured the following way:
$salt = substr(md5(rand()), 0, 20) //this will generate a 20 characters random string
$username = $_POST['username'];
$password= $_POST['password'].$salt;
$sPassword= hash('sha256',$password);
$ePassword= base64_encode($sPassword);
$insertSQLQuery = $conn->prepare("INSERT INTO tbl_users (username,password)
VALUES ('?','?')");
//You may want to validate your $username and $ePassword here
$insertSQLQuery->execute(array($username, $ePassword));
PD: remember that you will need to store that salt to check the password later when the user logs in for example, you will need to add the salt to the password that the user has introduced in the log in form before encrypting and querying the database
回答3:
To large for a comment! About:
$sPassword= hash('sha256',$password);
$ePassword= base64_encode($sPassword);
This construct makes no sense. hash('sha256',$password) returns a string of 64 hex digits. base64_encode() blow it up to 88 chars. Both are human readable and so it is useless.
My recommendation: Either you use $sPassword (and skip the second step) or you change your code to:
$sPassword= hash('sha256',$password,true);
// ^^^^^
$ePassword= base64_encode($sPassword);
In this case, hash() returns a string with 32 binary chars and base64_encode() blows it up to 44 chars. And this is smaller than 64 hex digits.
Anyway: Remove the possible SQL injection for $username.
回答4:
I am using these methods. Also, you can change the $key value for your favorite value. like me. For preventing from Injection use PDO
https://phpdelusions.net/pdo
function HeratHostEn( $q ) {
$key = "NazirAhmadHeratHost";
$cryptKey = 'qJB0rGtIn5UB1xG03efyCp'.$key;
$qEncoded = base64_encode( mcrypt_encrypt( MCRYPT_RIJNDAEL_256, md5($cryptKey), $q, MCRYPT_MODE_CBC, md5( md5( $cryptKey ) ) ) );
return( $qEncoded );
}
function HeratHostDe( $q ) {
$key = "NazirAhmadHeratHost";
$cryptKey = 'qJB0rGtIn5UB1xG03efyCp'.$key;
$qDecoded = rtrim( mcrypt_decrypt( MCRYPT_RIJNDAEL_256, md5( $cryptKey ), base64_decode( $q ), MCRYPT_MODE_CBC, md5( md5( $cryptKey ) ) ), "\0");
return( $qDecoded );
}
来源:https://stackoverflow.com/questions/56128055/is-php-sha256-safe-today-may-2019