password_verify哈希与密码不匹配 [英] password_verify hash not matching password
问题描述
我已经使用以下代码生成了密码哈希:
I have generated a password hash using the code below:
$hash = password_hash("test", PASSWORD_BCRYPT);
然后我使用255个字符将其存储在数据库中.
I then store it in the database using a 255 char.
然后,我尝试执行比较器来测试登录,但登录失败.它只允许我使用之前刚刚生成的几行哈希(而不是存储在数据库中的一行)登录.
Then I try to do the comparator to test the login and it fails. It only lets me login using a hash I have just generated a few lines before, not one stored in the database.
<?php
//Database connection
require 'database.php';
//Handle logins
if ($_POST['login'])
{
//Receive the login attempt
$login_email = $_POST['login_email'];
$login_password = $_POST['login_password'];
//Get the password hash
if ($statement = $mysqli->prepare("SELECT password FROM accounts WHERE email = ? LIMIT 1"))
{
$statement->bind_param("s", $login_email);
$statement->execute();
$statement->store_result();
//Does the account exist?
if ($statement->num_rows > 0)
{
$statement->bind_result($hash);
$statement->fetch();
//echo $login_password;
echo $hash."<br>";
//$hash = password_hash("test", PASSWORD_BCRYPT);
//echo $hash."<br>";
//Check the password hash
if (password_verify($login_password, $hash))
{
echo '<br>Password is valid!';
//Begin session
session_start();
$_SESSION["favcolor"] = "yellow";
}
else
{
echo '<br>Invalid password.';
}
}
else
{
//Account doesn't exist warning
}
$statement->free_result();
$statement->close();
}
}
//Handle new registrations
if ($_POST['register'])
{
//Receive the register attempt
$register_email = $_POST['register_email'];
$register_password_one = $_POST['register_password_one'];
$register_password_two = $_POST['register_password_two'];
//Check if email is already taken
if ($statement = $mysqli->prepare("SELECT email FROM accounts WHERE email = ? LIMIT 1"))
{
$statement->bind_param("s", $register_email);
$statement->execute();
$statement->store_result();
//Does the account exist?
if ($statement->num_rows > 0)
{
//Account already exists warning
}
else
{
//Create the account
if ($statement = $mysqli->prepare("INSERT INTO accounts (email, password) VALUES (?,?)"))
{
//Create bycrypt hash of password
$hash = password_hash($register_password_one, PASSWORD_BCRYPT);
//Insert new account
$statement->bind_param("ss", $register_email, $hash);
$statement->execute();
$account_id = $statement->insert_id;
$statement->close();
//Begin session
session_start();
$_SESSION["favcolor"] = "yellow";
}
}
$statement->free_result();
$statement->close();
}
}
//Handle logout
if ($_POST['logout'])
{
session_unset();
session_destroy();
}
?>
数据库中的密码哈希:$ 2y $ 10 $ xDnZIjzw8h.9utp3qyRlxezPd8jmK9k6Z5JuoVtooOpkPCBd.n6W6 刚刚生成的密码哈希(有效):$ 2y $ 10 $ tolDQdeTQrTio8IJ0Wi9AuHN5Km28pSB5kUh5qfkdkOsDXP295H1K
password hash in database: $2y$10$xDnZIjzw8h.9utp3qyRlxezPd8jmK9k6Z5JuoVtooOpkPCBd.n6W6 password hash that is just generated (works): $2y$10$tolDQdeTQrTio8IJ0Wi9AuHN5Km28pSB5kUh5qfkdkOsDXP295H1K
我不是哈希专家.只是尝试遵循最新的建议.有人可以告诉我为什么哈希值与数据库中的哈希值不同吗?
I am not an expert with hashing. Just trying to follow the latest recommendations. Could someone tell me why the hash is different to the one in the database?
推荐答案
- 每次生成的哈希值都不相同
- 将纯文本传递给password_verify()函数...请参见下文
$originalPassword = password_hash("THE_PASSWORD", PASSWORD_DEFAULT);
// This will produce something like (taken form above)
$2y$10$tolDQdeTQrTio8IJ0Wi9AuHN5Km28pSB5kUh5qfkdkOsDXP295H1K// When verifying this if(password_verify("THE_PASSWORD", $passwordFromDatabase['password'])){ echo "Success"; }else{ echo "Fail"; }
// When verifying this if(password_verify("THE_PASSWORD", $passwordFromDatabase['password'])){ echo "Success"; }else{ echo "Fail"; }
这篇关于password_verify哈希与密码不匹配的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
