I checked the passwords for the users against the DB.
我根据数据库检查了用户的密码。
What is faster, the MySQL MD5 function
什么是更快的,MySQL MD5函数
... pwd = MD5('.$pwd.')
OR the PHP MD5 function
或者PHP MD5函数
... pwd = '.md5($pwd).'
What is the right way between the two options?
这两个选项之间的正确方式是什么?
5 个解决方案
#1
24
If your application is only calcullating md5 when someone registers on your site, or is logging in, own many calls to md5 will you do per hour ? Couple of hundreds ? If so, I don't think the really small difference between PHP and MySQL will be significant at all.
如果您的应用程序只在有人在您的站点上注册或正在登录时计算md5,那么拥有许多对md5的调用,您将每小时执行一次吗?两个几百?如果是这样的话,我不认为PHP和MySQL之间的细微差别有多大。
The question should be more like "where do I put the fact that password are stored using md5" than "what makes me win almost nothing".
问题应该更像“我把密码存储在md5上的地方放在哪里”,而不是“什么让我几乎什么都不赢”。
And, as a sidenote, another question could be : where can you afford to spend resources for that kind of calculations ? If you have 10 PHP servers and one DB server already under heavy load, you get your answer ;-)
而且,作为一个旁注,另一个问题可能是:你可以在哪里花费资源来进行这种计算?如果你有10个PHP服务器和一个DB服务器已经在重负下,你得到你的答案;
But, just for fun :
但是,只是为了好玩:
mysql> select benchmark(1000000, md5('test'));
+---------------------------------+
| benchmark(1000000, md5('test')) |
+---------------------------------+
| 0 |
+---------------------------------+
1 row in set (2.24 sec)
And in PHP :
在PHP中:
$before = microtime(true);
for ($i=0 ; $i<1000000 ; $i++) {
$a = md5('test');
}
$after = microtime(true);
echo ($after-$before) . "\n";
gives :
给:
$ php ~/developpement/tests/temp/temp.php
3.3341760635376
But you probably won't be calculating a million md5 like this, will you ?
但是你可能不会像这样计算一百万md5,对吗?
(And this has nothing to do with preventing SQL injections : just escape/quote your data ! always ! or use prepared statements)
(这与防止SQL注入没有任何关系:只是转义/引用您的数据!永远!或者使用预处理语句)
#2
4
I don't know which is faster, but if you do it in PHP you avoid the possibility of SQL injection.
我不知道哪个更快,但是如果用PHP,就可以避免SQL注入的可能性。
#3
3
Is performance really an issue here? It's likely to be marginal.
性能真的是一个问题吗?它可能是边际的。
- Doing it in MySQL makes the DB do more work, which is a good thing
- 在MySQL中这样做可以让DB做更多的工作,这是一件好事
- Doing it in MySQL means the cleartext password gets passed further along (and the DB connection is often unencrypted).
- 在MySQL中这样做意味着cleartext密码会被进一步传递(而DB连接通常是不加密的)。
- This has nothing to do with SQL injection. You could fix the first version without moving the MD5 function. Also if there was a bug in PHP's MD5 function there's still a possibility of an injection attack.
- 这与SQL注入无关。您可以在不移动MD5函数的情况下修复第一个版本。另外,如果PHP的MD5函数中有错误,仍然存在注入攻击的可能性。
#4
0
Measure it, it's the only way to be certain.
测量一下,这是唯一确定的方法。
#5
0
I would say, read the column value out of mysql, then compare the result with the computed hash in your client code (e.g. php).
我会说,从mysql中读取列值,然后将结果与客户端代码中的计算散列(例如php)进行比较。
The main reason for doing this is that it avoids stupid things such as the database collating the column in a non-binary fashion (e.g. case-insensitive etc), which is generally undesirable for a hash.
这样做的主要原因是它避免了一些愚蠢的事情,比如数据库以非二进制的方式对列进行排序(例如不区分大小写等),这通常不适合散列。
#1
24
If your application is only calcullating md5 when someone registers on your site, or is logging in, own many calls to md5 will you do per hour ? Couple of hundreds ? If so, I don't think the really small difference between PHP and MySQL will be significant at all.
如果您的应用程序只在有人在您的站点上注册或正在登录时计算md5,那么拥有许多对md5的调用,您将每小时执行一次吗?两个几百?如果是这样的话,我不认为PHP和MySQL之间的细微差别有多大。
The question should be more like "where do I put the fact that password are stored using md5" than "what makes me win almost nothing".
问题应该更像“我把密码存储在md5上的地方放在哪里”,而不是“什么让我几乎什么都不赢”。
And, as a sidenote, another question could be : where can you afford to spend resources for that kind of calculations ? If you have 10 PHP servers and one DB server already under heavy load, you get your answer ;-)
而且,作为一个旁注,另一个问题可能是:你可以在哪里花费资源来进行这种计算?如果你有10个PHP服务器和一个DB服务器已经在重负下,你得到你的答案;
But, just for fun :
但是,只是为了好玩:
mysql> select benchmark(1000000, md5('test'));
+---------------------------------+
| benchmark(1000000, md5('test')) |
+---------------------------------+
| 0 |
+---------------------------------+
1 row in set (2.24 sec)
And in PHP :
在PHP中:
$before = microtime(true);
for ($i=0 ; $i<1000000 ; $i++) {
$a = md5('test');
}
$after = microtime(true);
echo ($after-$before) . "\n";
gives :
给:
$ php ~/developpement/tests/temp/temp.php
3.3341760635376
But you probably won't be calculating a million md5 like this, will you ?
但是你可能不会像这样计算一百万md5,对吗?
(And this has nothing to do with preventing SQL injections : just escape/quote your data ! always ! or use prepared statements)
(这与防止SQL注入没有任何关系:只是转义/引用您的数据!永远!或者使用预处理语句)
#2
4
I don't know which is faster, but if you do it in PHP you avoid the possibility of SQL injection.
我不知道哪个更快,但是如果用PHP,就可以避免SQL注入的可能性。
#3
3
Is performance really an issue here? It's likely to be marginal.
性能真的是一个问题吗?它可能是边际的。
- Doing it in MySQL makes the DB do more work, which is a good thing
- 在MySQL中这样做可以让DB做更多的工作,这是一件好事
- Doing it in MySQL means the cleartext password gets passed further along (and the DB connection is often unencrypted).
- 在MySQL中这样做意味着cleartext密码会被进一步传递(而DB连接通常是不加密的)。
- This has nothing to do with SQL injection. You could fix the first version without moving the MD5 function. Also if there was a bug in PHP's MD5 function there's still a possibility of an injection attack.
- 这与SQL注入无关。您可以在不移动MD5函数的情况下修复第一个版本。另外,如果PHP的MD5函数中有错误,仍然存在注入攻击的可能性。
#4
0
Measure it, it's the only way to be certain.
测量一下,这是唯一确定的方法。
#5
0
I would say, read the column value out of mysql, then compare the result with the computed hash in your client code (e.g. php).
我会说,从mysql中读取列值,然后将结果与客户端代码中的计算散列(例如php)进行比较。
The main reason for doing this is that it avoids stupid things such as the database collating the column in a non-binary fashion (e.g. case-insensitive etc), which is generally undesirable for a hash.
这样做的主要原因是它避免了一些愚蠢的事情,比如数据库以非二进制的方式对列进行排序(例如不区分大小写等),这通常不适合散列。