第二个 cookie 的具体用途是什么?
What exactly is the purpose of a second cookie?
我想请教一个关于吃两块饼干的智慧问题。在一个PHP文件中,可以找到以下代码:
//dbconn establishes connection to database and is not shown here
$salt = hash("sha512", rand().rand().rand());
mysqli_query($dbconn, "INSERT into `members` (`membername`, `password`,
`salt`) VALUES ('$membername', '$password', '$salt')");
setcookie("cookiemember", hash("sha512", $membername,
time() + 24*60*60, "/");
setcookie("cookiesalt", $salt, time() + 24*60*60, "/");
mysqli_close($dbconn)
在第二个 PHP 文件中,找到以下代码行:
if (isset($_COOKIE['cookiemember']) &&
isset($_COOKIE['cookiesalt'])) {
$cookymem = mysqli_real_escape_string($dbconn,
$_COOKIE['cookiemember']);
$cookysalty = mysqli_real_escape_string($dbconn,
$_COOKIE['cookiesalt']);
$result = mysqli_query($dbconn, "SELECT * FROM `members`
where `salt` = '$cookysalty'");
我不明白变量$salt 的用途。您获取三个随机生成的数字,将它们连接起来,对这个连接后的数字应用安全哈希算法,然后将输出放入名为 members 的 table 中。然后,您可以将此 $salt 变量用作 cookie 的值,但在从中转义特殊字符之前不要使用。当您已经通过哈希加密字段名称 membername 时,为什么还要经历所有这些麻烦呢?为什么最后一行代码不能简单的写成:
$result = mysqli_query($dbconn, "SELECT * FROM `members`
where `membername` = '$cookymem'");
有包含编码单词列表的大型数据库。例如 this site. SALTs are for making it impossible to simply enter the HASH into a textbox, and hope that its decoded. Ofcourse there are workarounds, but SALTS make attacker's job much harder, possibly forcing him to not use it. As specified in comments by Vladimir, please read this 这样您就可以了解 SALT 是什么。
我想请教一个关于吃两块饼干的智慧问题。在一个PHP文件中,可以找到以下代码:
//dbconn establishes connection to database and is not shown here
$salt = hash("sha512", rand().rand().rand());
mysqli_query($dbconn, "INSERT into `members` (`membername`, `password`,
`salt`) VALUES ('$membername', '$password', '$salt')");
setcookie("cookiemember", hash("sha512", $membername,
time() + 24*60*60, "/");
setcookie("cookiesalt", $salt, time() + 24*60*60, "/");
mysqli_close($dbconn)
在第二个 PHP 文件中,找到以下代码行:
if (isset($_COOKIE['cookiemember']) &&
isset($_COOKIE['cookiesalt'])) {
$cookymem = mysqli_real_escape_string($dbconn,
$_COOKIE['cookiemember']);
$cookysalty = mysqli_real_escape_string($dbconn,
$_COOKIE['cookiesalt']);
$result = mysqli_query($dbconn, "SELECT * FROM `members`
where `salt` = '$cookysalty'");
我不明白变量$salt 的用途。您获取三个随机生成的数字,将它们连接起来,对这个连接后的数字应用安全哈希算法,然后将输出放入名为 members 的 table 中。然后,您可以将此 $salt 变量用作 cookie 的值,但在从中转义特殊字符之前不要使用。当您已经通过哈希加密字段名称 membername 时,为什么还要经历所有这些麻烦呢?为什么最后一行代码不能简单的写成:
$result = mysqli_query($dbconn, "SELECT * FROM `members`
where `membername` = '$cookymem'");
有包含编码单词列表的大型数据库。例如 this site. SALTs are for making it impossible to simply enter the HASH into a textbox, and hope that its decoded. Ofcourse there are workarounds, but SALTS make attacker's job much harder, possibly forcing him to not use it. As specified in comments by Vladimir, please read this 这样您就可以了解 SALT 是什么。