Why does getBytes[ ] and insert bytes[ ] give different results ?
为什么getBytes []和insert bytes []给出不同的结果?
Database: Table Definition
CREATE TABLE users (
`username` VARCHAR(15),
`password` VARCHAR(32),
`salt` VARCHAR(32)
);
Whenever I want to make a new user , I produce a random salt (type: bytes[ ]) and then store it on the database along with the other columns .
每当我想创建一个新用户时,我会生成一个随机salt(类型:bytes []),然后将其与其他列一起存储在数据库中。
But , when I try to retrieve the salt from the db using rs.getBytes("Salt") I won't get the same result.
但是,当我尝试使用rs.getBytes(“Salt”)从db中检索salt时,我将得不到相同的结果。
I know that I can retrieve the salt with rs.getString("Salt") BUT I need to get it as byte[] type.
我知道我可以用rs.getString(“Salt”)检索盐但是我需要把它作为byte []类型。
I tried to cast the String to Bytes[] but again not the same results..!!
我试图将字符串转换为Bytes [],但同样的结果不一样.. !!
Code: Insert into Database
String username = "admin";
String password = request.getParameter("password");
byte[] salt = SaltedMD5.getSalt();
password = SaltedMD5.getSecurePassword(password, salt);
stmt.executeUpdate(String.format("INSERT INTO users VALUES('%s', '%s', '%s')", username, password, salt));
Output: Query Result
byte[] DB_salt = rs.getBytes("Salt");
1 个解决方案
#1
4
Do yourself a favor and switch to a secure algorithm. Not only will your passwords be protected properly, you also don't have to care about generation and storage of the salt.
帮自己一个忙,转而使用安全的算法。您的密码不仅可以得到正确的保护,还不必关心盐的生成和储存。
Most BCrypt implementations will include the generated salt as part of the resulting hash, so you need only a single field for password hashes with a minimum length of varchar(60).
大多数BCrypt实现都会将生成的salt包含在生成的哈希中,因此只需要一个字段用于密码哈希,其最小长度为varchar(60)。
// Hash a new password for storing in the database.
// The function automatically generates a cryptographically safe salt.
String hashToStoreInDb = BCrypt.hashpw(password, BCrypt.gensalt());
// Check if the hash of the entered login password, matches the stored hash.
// The salt and the cost factor will be extracted from existingHashFromDb.
Boolean isPasswordCorrect = BCrypt.checkpw(password, existingHashFromDb);
#1
4
Do yourself a favor and switch to a secure algorithm. Not only will your passwords be protected properly, you also don't have to care about generation and storage of the salt.
帮自己一个忙,转而使用安全的算法。您的密码不仅可以得到正确的保护,还不必关心盐的生成和储存。
Most BCrypt implementations will include the generated salt as part of the resulting hash, so you need only a single field for password hashes with a minimum length of varchar(60).
大多数BCrypt实现都会将生成的salt包含在生成的哈希中,因此只需要一个字段用于密码哈希,其最小长度为varchar(60)。
// Hash a new password for storing in the database.
// The function automatically generates a cryptographically safe salt.
String hashToStoreInDb = BCrypt.hashpw(password, BCrypt.gensalt());
// Check if the hash of the entered login password, matches the stored hash.
// The salt and the cost factor will be extracted from existingHashFromDb.
Boolean isPasswordCorrect = BCrypt.checkpw(password, existingHashFromDb);