Password does not match after being encrypted using crypt() and password_hash() function


Problem description

I modified my old post. I tried the crypt() function and am now trying to work with password_hash() and password_verify() to verify the encrypted password coming from the database, but on each call, the password_hash() function returns a different encrypted string and password_verify() cannot match it.

This is how I am doing it.

// please ignore the syntax error if any

$data = '11';
$dbpass = password_hash($data, PASSWORD_BCRYPT);
echo $dbpass;  // displays a different random string on each page refresh.

Once the password is saved into the database, it does not get matched during the login process. Below is my actual function.

private function process_data($password){
    $password = __STR.$password.__STR;
    return password_hash($password, PASSWORD_BCRYPT);
}

private function processed($login_password, $dbpassword){
    $login_password = __STR.$login_password.__STR;
    return password_verify($login_password, $dbpassword);
}

On each function call for creating a hashed string for the password, the function returns a different string the next time.

Recommended answer

OK, let's go through these one by one.

First, it's hashing, not encryption. Encryption is two-way, hashing is one way. We want to hash. We never want to encrypt. Yes, terminology matters. Please use the correct terminology.

Next, each call to password_hash is supposed to return a different hash. That's because it's generating a strong random salt. This is how it was designed, and how you really should be using it.

Further, DO NOT do the "pepper" thing of adding __STR before and after the password. You're doing nothing but potentially weakening the user's password (which is not good). If you want more information around why that's a bad idea: Read This Answer.

Continuing, I would highly recommend that you do not use crypt directly. It is actually surprisingly easy to screw up and generate extremely weak hashes. This is why the password_* api was designed. crypt is a low level library, you want to use a high level library in your code. For more information on ways to screw up bcrypt, check out my blog: Seven Ways To Screw Up Bcrypt.

The Password API was designed to be a simple, one-stop shop. If it's not working for you check the following things:

  1. Are you using PHP >= 5.5.0? Or are you using PHP >= 5.3.7 with password_compat?

  1. Is your database column wide enough?

It needs to be at least 60 characters long.

Are you checking that the result of the function is a string, and not bool(false)?

If there is an internal error, it will return a non-string from password_hash.

Are you getting any errors?

Have you turned on error_reporting to its maximum setting (I recommend -1 to catch everything) and checked that the code isn't throwing any errors?

Are you sure you're using it correctly?

function saveUser($username, $password) {
    $hash = password_hash($password, PASSWORD_BCRYPT);
    // save $username and $hash to db
}
function login($username, $password) {
    // fetch $hash from db
    return password_verify($password, $hash);
}

Note that each one should be called only once.

  • Are you using PHP < 5.3.7 with password_compat? If so, this is your problem. You are using the compatibility library on an unsupported version of PHP. You may get it to work (certain RedHat distributions have backported the necessary fixes), but you are using an unsupported version. Please upgrade to a reasonable release.

    If all else fails, please try running this code and reporting back the output:

    $hash = '$2y$04$usesomesillystringfore7hnbRJHxXVLeakoG8K30oukPsA.ztMG';
    $test = crypt("password", $hash);
    $pass = $test == $hash;
    
    echo "Test for functionality of compat library: " . ($pass ? "Pass" : "Fail");
    echo "\n";
    

    If that returns Fail, you are running an unsupported version of PHP and should upgrade. If it returns Pass, then the error is somewhere in your logic (the library is functioning fine).
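As an added example (not code from the question or from the answer above), the following script puts the answer's checks together in one place: it hashes the same password twice to show that the two strings differ while both still verify, checks the 60-character width, guards against a non-string return, and shows the direct-comparison mistake that produces the "does not match" symptom. It assumes PHP >= 5.5 (no password_compat); the password value '11' is taken from the question, and the function names are my own.

```php
<?php
// Added example, not from the original question or answer.
// Demonstrates the correct password_hash()/password_verify() round trip and
// the sanity checks listed in the answer.

declare(strict_types=1);

// Registration side: hash once, store the returned string as-is.
function storeHash(string $password): string
{
    $hash = password_hash($password, PASSWORD_BCRYPT);
    // Older PHP versions return false on an internal error; never write a
    // non-string into the password column.
    if (!is_string($hash)) {
        throw new RuntimeException('password_hash() failed');
    }
    return $hash;
}

// Login side: verify the submitted password against the stored hash.
// The salt is embedded in the hash, so no second password_hash() call is needed.
function checkLogin(string $password, string $storedHash): bool
{
    return password_verify($password, $storedHash);
}

// Runs every check and reports Pass/Fail per line, in the style of the
// answer's compat-library test.
function runChecks(string $password): array
{
    $hash1 = storeHash($password);
    $hash2 = storeHash($password);

    return [
        // A fresh random salt per call means the two strings must differ.
        'two hashes of the same password differ'   => $hash1 !== $hash2,
        // ...yet both verify, because verify reads the salt out of the hash.
        'password verifies against first hash'      => checkLogin($password, $hash1),
        'password verifies against second hash'     => checkLogin($password, $hash2),
        'wrong password is rejected'                => !checkLogin('12', $hash1),
        // bcrypt output is exactly 60 characters; the DB column must hold that.
        'bcrypt hash is 60 characters'              => strlen($hash1) === 60,
        // The classic bug: hashing again at login and comparing strings.
        'rehash-and-compare never matches (bug)'    => password_hash($password, PASSWORD_BCRYPT) !== $hash1,
        // Stored hash made with the default cost should be flagged for
        // rehash once a higher cost is required.
        'needs_rehash detects a cost upgrade'       => password_needs_rehash($hash1, PASSWORD_BCRYPT, ['cost' => 12]),
    ];
}

foreach (runChecks('11') as $label => $ok) {
    echo str_pad($label, 42) . ': ' . ($ok ? 'Pass' : 'Fail') . "\n";
}
```

If the last line reports Pass, the login handler should rehash with the new cost after a successful password_verify() and overwrite the stored value; that keeps existing accounts on the stronger parameters without forcing a password reset.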
