使用password_hash和password_verify [英] Using password_hash and password_verify
问题描述
在我的登录PHP文件中,有这些
In my Login PHP file I have these
$passwordInput = password_hash($passInput, PASSWORD_BCRYPT);
$passwordVerify = password_verify($userInput, $passwordInput);
在我的PHP注册文件中,有这个文件.
And in my Register PHP file I have this.
$passwordSign = password_hash($passSign, PASSWORD_BCRYPT);
现在,从本质上讲,我做到了,因此它会散列密码,并在注册时将其自身插入数据库中.这样做.
Now, essentially I make it so it hashes the password and inserts itself into the database on signup. WHICH IT DOES.
但是,它无法验证它.两种结果都给出2个不同的哈希值,我不知道自己可能做错了什么.我还尝试过使其再次对输入进行哈希处理,并检查数据库中的password_hash,但这无效.
However, it cannot verify it. Both results give 2 different hashes and I don't know what I'm possibly doing wrong. I also tried just making it hash the input again and checking the password_hash in the database but that didn't work..
使用它们的正确方法是什么?
What is the proper way of using these?
(另外,$ passSign和$ userInput是输入字段,它确实获取用户名/密码)
( Also, $passSign and $userInput are the input fields and it does get the username/password )
推荐答案
On signup you get the password from the user input and generate its has using password_hash()
:
$hash = password_hash($_POST['password'], PASSWORD_BCRYPT);
You can provide it a custom salt to use, in a third parameter, but the documentation recommends to not do this:
警告:强烈建议您不要为此功能生成自己的盐.如果您不指定盐,它将自动为您创建安全盐.
Caution It is strongly recommended that you do not generate your own salt for this function. It will create a secure salt automatically for you if you do not specify one.
您将此哈希保存在数据库中.确保将其放在CHAR
/VARCHAR
包含60个字符或更多字符的字段中.
You save this hash in the database. Make sure you put it in a CHAR
/VARCHAR
field of 60 characters or longer.
当用户要登录时,请使用先前使用 password_verify()
:
When the user wants to log in you check the password they input against the hash previously saved using password_verify()
:
$auth = password_verify($_POST['password'], $hash);
当然,您可以从数据库中获取正确的$hash
值,并按提供的用户名进行搜索.
Of course, you get the correct value of $hash
from the database, searching by the provided username.
如果$auth
为TRUE
,则提供的密码与在注册时计算出的哈希值匹配,并且用户通过了身份验证.
If $auth
is TRUE
then the provided password matches its hash computed on the registration and the user is authenticated.
这篇关于使用password_hash和password_verify的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!