使用password_hash和password_verify [英] Using password_hash and password_verify

问题描述

在我的登录PHP文件中，有这些

In my Login PHP file I have these

$passwordInput = password_hash($passInput, PASSWORD_BCRYPT);
$passwordVerify = password_verify($userInput, $passwordInput);

在我的PHP注册文件中，有这个文件.

And in my Register PHP file I have this.

$passwordSign = password_hash($passSign, PASSWORD_BCRYPT);

现在，从本质上讲，我做到了，因此它会散列密码，并在注册时将其自身插入数据库中.这样做.

Now, essentially I make it so it hashes the password and inserts itself into the database on signup. WHICH IT DOES.

但是，它无法验证它.两种结果都给出2个不同的哈希值，我不知道自己可能做错了什么.我还尝试过使其再次对输入进行哈希处理，并检查数据库中的password_hash，但这无效.

However, it cannot verify it. Both results give 2 different hashes and I don't know what I'm possibly doing wrong. I also tried just making it hash the input again and checking the password_hash in the database but that didn't work..

使用它们的正确方法是什么?

What is the proper way of using these?

(另外，$ passSign和$ userInput是输入字段，它确实获取用户名/密码)

( Also, $passSign and $userInput are the input fields and it does get the username/password )

推荐答案

在注册时，您可以从用户输入中获取密码，并使用

On signup you get the password from the user input and generate its has using password_hash():

$hash = password_hash($_POST['password'], PASSWORD_BCRYPT);

您可以在第三个参数中为其提供自定义盐，以供使用，但是文档

You can provide it a custom salt to use, in a third parameter, but the documentation recommends to not do this:

警告:强烈建议您不要为此功能生成自己的盐.如果您不指定盐，它将自动为您创建安全盐.

Caution It is strongly recommended that you do not generate your own salt for this function. It will create a secure salt automatically for you if you do not specify one.

您将此哈希保存在数据库中.确保将其放在CHAR/VARCHAR 包含60个字符或更多字符的字段中.

You save this hash in the database. Make sure you put it in a CHAR/VARCHAR field of 60 characters or longer.

当用户要登录时，请使用先前使用 password_verify() :

When the user wants to log in you check the password they input against the hash previously saved using password_verify():

$auth = password_verify($_POST['password'], $hash);

当然，您可以从数据库中获取正确的$hash值，并按提供的用户名进行搜索.

Of course, you get the correct value of $hash from the database, searching by the provided username.

如果$auth为TRUE，则提供的密码与在注册时计算出的哈希值匹配，并且用户通过了身份验证.

If $auth is TRUE then the provided password matches its hash computed on the registration and the user is authenticated.

这篇关于使用password_hash和password_verify的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！