Why does password_verify return false?


Question

Why does password_verify return false?

This question is intended to be canonical; it was created purely because of the number of questions asked on this topic.

Answer

There are a variety of reasons why password_verify could be returning false; it can range from the setup of your table to the actual comparing of the password. Below are the common causes of it failing.

  • The length of the password column in your table is too short:
    • If you are using PASSWORD_DEFAULT then it is recommended to store the result in a database column that can expand beyond 60 characters (255 characters would be a good choice).
    • If you are using PASSWORD_BCRYPT then it is recommended to store the result in a database column that is 60 characters because PASSWORD_BCRYPT will always result in a 60 character string or FALSE on failure.

Another common cause is when developers try to "clean" the user's password to prevent it from being malicious; as a result, this causes the input to be different to what is being stored in the table. It is not even necessary to escape the input, you should use prepared statements instead. You shouldn't even trim the passwords as that could change that which was originally provided.

When using password_verify you need to compare the plaintext password with the hash from the database/file/some-other-storage-method, not compare hashes (the implication here being that you need to have stored the hashed password of the user when they register):

<?php

// Hash the plaintext once (e.g. at registration) and store the result.
$hashed = password_hash('test', PASSWORD_DEFAULT);

// At login, compare the plaintext the user typed against the stored hash.
$password = 'test';

if (password_verify($password, $hashed)) {
  echo 'success';
} else {
  echo 'fail';
}

?>

Ensure that you are actually passing a hash to password_verify and not something else by dumping it.


In the instance that you are using a hardcoded hash and you are facing issues, ensure that you are using single quotes instead of double quotes when storing the value in the variable, as the $ will be interpreted when using double quotes:

<?php
// Notice: Undefined variable: QHpfI0MfQWjvsVQWRdFHSOX6WqG8LSf0iFGiKs0Fz0RvqhpFOpAKu on line 1
// (everything after the last $ is interpolated as a variable name, so the string ends up as "$2y$10$")
$incorrect = "$2y$10$QHpfI0MfQWjvsVQWRdFHSOX6WqG8LSf0iFGiKs0Fz0RvqhpFOpAKu";

// Single quotes keep the hash literally as written.
$correct = '$2y$10$QHpfI0MfQWjvsVQWRdFHSOX6WqG8LSf0iFGiKs0Fz0RvqhpFOpAKu';
?>

Repl (comment out each one separately).

var_dump() the hashed password on registration right before you insert it into your database, and var_dump() it again after you fetch it from your database when you are about to password_verify() it. Ensure both hashes are identical. If they are, and the plaintext passwords are identical too, there's no reason for password_verify to fail. It only fails if the hash gets modified in some way on its roundtrip through the database, or if the plaintext passwords aren't identical.

Ensure that you are passing a correct algorithm to password_hash as the second parameter.

According to the documentation:

Caution: It is strongly recommended that you do not generate your own salt for this function. It will create a secure salt automatically for you if you do not specify one.

As noted above, providing the salt option in PHP 7.0 will generate a deprecation warning. Support for providing a salt manually may be removed in a future PHP release.
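Putting the advice in the answers above together, here is an added example (not code from the original answers) of a register/login round trip that uses prepared statements, never trims or escapes the password, and stores the hash untouched. It uses PDO with an in-memory SQLite database; the table name, column names and sample passwords are assumed, and the final block simulates the "column too short" failure by truncating a bcrypt hash the way a narrow VARCHAR column would.

```php
<?php
declare(strict_types=1);

// Registration: hash the password exactly as given (no trim, no escaping,
// no manual salt) and store it through a prepared statement.
function registerUser(PDO $db, string $username, string $password): string
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => $hash]);
    return $hash; // keep it so the round trip can be checked below
}

// Login: fetch the stored hash and compare the *plaintext* against it.
// Never hash the submitted password again and compare two hashes.
function loginUser(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $hash = $stmt->fetchColumn();
    if ($hash === false) {
        return false; // unknown user
    }
    return password_verify($password, (string) $hash);
}

// Round-trip check from the var_dump() advice: the value read back must be
// byte-for-byte what was written, otherwise the column or driver altered it.
function hashSurvivedRoundTrip(PDO $db, string $username, string $written): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $fetched = (string) $stmt->fetchColumn();
    return strlen($fetched) === strlen($written) && hash_equals($written, $fetched);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');

// Constructed sample: the surrounding spaces are part of the password.
$written = registerUser($db, 'alice', ' correct horse ');
var_dump(hashSurvivedRoundTrip($db, 'alice', $written));
var_dump(loginUser($db, 'alice', ' correct horse ')); // same bytes as registered
var_dump(loginUser($db, 'alice', 'correct horse'));   // trimmed input is a different password

// Simulated VARCHAR(50) column: a bcrypt hash is 60 characters, so the
// truncated copy can never verify even though the plaintext is right.
$full = password_hash('test', PASSWORD_BCRYPT);
var_dump(strlen($full), password_verify('test', $full), password_verify('test', substr($full, 0, 50)));
```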
