我有一个包含用户名和加密密码的表。
密码通过 MySQL encrypt() 和 salt(密码的前两个字符)一起加密。
最近我注意到 MySQL 接受密码,即使它们最后包含随机字符。
假设我们有这样的表:
SET NAMES utf8;
SET foreign_key_checks = 0;
SET time_zone = 'SYSTEM';
SET sql_mode = 'NO_AUTO_VALUE_ON_ZERO';
DROP TABLE IF EXISTS `user`;
CREATE TABLE `user` (
`id` int(11) NOT NULL AUTO_INCREMENT,
`username` varchar(255) DEFAULT NULL,
`password` varchar(255) DEFAULT NULL,
PRIMARY KEY (`id`)
) ENGINE=MyISAM DEFAULT CHARSET=utf8;
INSERT INTO `user` (`id`, `username`, `password`) VALUES
(11, 'ricardomontalban', ENCRYPT(11111111,11));
现在我查询我的用户:
-- The following shows the appropriate response --
SELECT * FROM user WHERE username = "ricardomontalban" AND password = ENCRYPT(11111111,11);
-- HOWEVER, the following query also shows a result, even with random characters appended!!! --
SELECT * FROM user WHERE username = "ricardomontalban" AND password = ENCRYPT("11111111-55669964s5465sqsfqsdf",11);
-- No problem with prepended random characters though --
SELECT * FROM user WHERE username = "ricardomontalban" AND password = ENCRYPT("smlkfjmlsdkfjslqf-11111111",11);
我创建了一个 SQL Fiddle 来实时显示这个例子: http ://sqlfiddle.com/#!2/898d5/9
我究竟做错了什么?我什至应该使用这种加密方法吗?非常感谢任何建议。