据我所知,如果你谈论md5
它可以存储32 characters
.我知道,如果超过限制,32 characters
它仍然会凑它完美的罚款,但它实际上可能是相同hash
的md5( 'a' )
,虽然,不可能.
是不是可能是非常危险和不安全然后使用(MD5)salt
中md5
,甚至没有检查的input
的长度password
+ salt
?
例1:
$pass = md5( 'this is a password' ); $salt = md5( 'this is a salt' ); // Will exceed 32 range and might therefore equal md5( 'a' ) - // if so this will pass an authorization such as login md5( $pass . $salt );
例2:
// 32 character password $pass = 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'; $salt = 'salt'; // Will also exceed 32 range due to no length check and might equal md5( 'a' ) md5( $pass . $salt );
你不应该这样做:
$pass = 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'; $salt = 'salt'; if ( strlen( $pass ) + strlen( $salt ) > 32 ) exit; else md5( $pass . $salt );
另外,限制在sha512
哪里?512 characters
?