php password_hash和password_verify看起来仍然不起作用 [英] php password_hash and password_verify looked all over still doesn't work

问题描述

更新 因此，这是一个尴尬而愚蠢的承认，但问题是我存储在数据库中的哈希是"password"(包含引号)的哈希，包括引号，我编写的查询没有问题，问题出在椅子和键盘之间.

UPDATE So this is an embarrassingly stupid admission, but the issue was that the hash I had stored in the database was a hash of 'password' including the quotes, there was no issue with the queries I wrote, the issue was between the chair and the keyboard.

所以这是一个经常被问到的问题，我在stackoverflow上和google上一直试图找出答案，而且票价一直没有成功.

So this is an often asked question, and I've looked all over stackoverflow and google trying to find out the answer, and have so fare been unsuccessful.

我有一个代理"表，其中已为每个代理分配了登录名和密码.密码字段是长度为255的varchar.

I have a table of "agents" with logins and password assigned to each agent. The password field is a varchar with a length of 255.

这是我的php代码:

     $conn = new mysqli( "localhost", "VABEN", "**********", "VABen" );
     if( $conn->connect_error )
     {
        die( "Connection failed!" . $conn->connect_error );
     }
     $username = $_POST["username"];
     $password = $_POST["password"];

     $s = $conn->prepare( "SELECT `agent_password` FROM `VABen`.`agents` WHERE `agent_login`=?" );
     $s->bind_param( "s", $username );
     $s->execute();

     $hash = $s->get_result();
     $hash = $hash->fetch_array( MYSQLI_ASSOC );

     $testpw = password_hash( 'password', PASSWORD_DEFAULT );
     echo "Comparing submitted password to locally created hash $testpw which has a length of " . strlen($testpw) . "<br>";
     if( password_verify( $password, $testpw ) )
     {
        echo "Password '$password' matches with hash $testpw<br>";
     }
     else
     {
        echo "Password '$password' does not match with hash $testpw<br>";
     }
     echo "<br>";

     echo "Supplied Password: '$password'<br>";
     echo "Queried Hash: " . $hash['agent_password'] . " which has a length of " . strlen( $hash['agent_password'] ) . "<br>";
     echo "Result of password_verify: ";
     if( password_verify( $password, $hash['agent_password'] ) )
        echo "true<br>";
     else
        echo "false<br>";

我很茫然.仅当我提供本地创建的password_hash副本时，它才似乎起作用，然后如果我在MySQL数据库中使用该本地创建的副本，它将失败.

I am at a loss. It only seems to work when I supply a locally created copy of password_hash, and if I then use that locally created copy in the MySQL database, it fails.

有什么想法吗?

推荐答案

存储哈希值

您是否已检查agent_password正在存储由以下项生成的哈希:

Store the hash

Have you checked that agent_password is storing a hash generated by:

password_hash( $password, PASSWORD_DEFAULT );

检查PDO标准

可能没有效果，但是值得遵循bindParam的不同实现的标准.如果您使用的是?方法，则:

Check PDO standards

Probably has no effect, but it is worth following standards for the differnt implementations of bindParam. If you're using the ? method, then:

 $s->bind_param( 1, $username );

您的脚本中有几种奇怪的PDO实现，请尝试调整:

There are several odd implementations of PDO in your script, try adjusting:

 $s->execute();

 //$hash = $s->get_result();
 //$hash = $hash->fetch_array( MYSQLI_ASSOC );
 $hash = $s->fetchColumn();

将随后对$hash['agent_password']的调用更改为仅$hash.

Change subsequent calls of $hash['agent_password'] to just $hash instead.

测试以下内容:

// $password = $_POST["password"];
$password = "password";

然后，还尝试存储该哈希，然后在最后的验证步骤之前从mysql再次检索它.

Then, also try storing that hash, and retrieving it again, from mysql, prior to the final verify step.

我非常怀疑agent_password中存储的内容实际上不是用password_hash散列的密码.

I deeply suspect that what is stored in agent_password is not in fact a password hashed with password_hash.

这篇关于php password_hash和password_verify看起来仍然不起作用的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！