如何使用PHP對MD5加密此密碼？

Question

下面的代碼來自用PHP編寫的登錄腳本。它檢查密碼的數據庫使用MD5加密密碼，但是當登錄腳本針對數據庫檢查密碼時，它將檢查未加密的原始密碼。我熟悉的MD5（）函數，但我會如何將此主題融入如下：

<?php 
session_start(); 

$username = $_POST['username']; 
$password = $_POST['password']; 

if ($username && $password) { 
    $connect = mysql_connect("host", "user", "password") or die("Couldn't connect"); 
    mysql_select_db("dbname") or die("Couldn't find the database"); 

    $query = mysql_query("SELECT * FROM users WHERE username='$username'"); 
    $numrows = mysql_num_rows($query); 

    if ($numrows != 0) { 
     while ($row = mysql_fetch_assoc($query)) { 
      $dbusername = $row['username']; 
      $dbpassword = $row['password']; 
     } 

     if ($username == $dbusername && $password == $dbpassword) { 
      echo "You're in! Click <a href='../member.php'>here</a> to enter the member page."; 
      $_SESSION['username'] = $username; 
     }else{ 
      echo "Incorrect password"; 
     } 
    }else{ 
     die("That username does not exist."); 
    } 
}else{ 
    die("Please enter a valid username and password."); 
} 
?> 

Answer 1

你應該檢查和查詢數據庫進行匹配，而不是把結果下來並在本地檢測它們。隨着中說：

$password = md5($_POST['password']); 

隨後還更改：

SELECT * FROM users WHERE username='$username' AND password='$password' 

但我也想看看用PDO，而不是直接在SQL查詢中放置值。至少你應該使用mysql_real_escape_string來避免注入攻擊。

Answer 2

$salt=sha1($postpassword); 
    $arr= strlen($postpassword); 
    $count=ceil($arr/2); 
    $stringarr=str_split($postpassword,$count); 
    $password1=hash("sha512", $stringarr['0']); 

    $password2=$salt . (hash('whirlpool', $salt . $stringarr['1'])); 
    return $password1.$password2;