Where is the salt stored for password_hash?

Problem description

According to (relatively) new PHP documentation:

The password_hash function uses a random salt (which we should not worry about.. O_O), so if I understand correctly the salt has to be stored somewhere, else the user won't be able to login after registering to a website (different salt => different hash.)

The function documentation doesn't tell anything about interaction with a DB, and since I think storing per-user data is scalable only with a DB, where the heck does that function store the random salt? A txt file like session data?

Recommended answer

Let's learn by example from what everyone else is telling you:

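$options = [
    'cost' => 11,
    // Fixed salt only to make the output reproducible. The 'salt' option is
    // deprecated since PHP 7.0 and ignored since PHP 8.0; omit it in real code.
    'salt' => 'abcdefghijklmnopqrstuv',
];
echo password_hash("rasmuslerdorf", PASSWORD_DEFAULT, $options)."\n";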

Output:

$2y$11$abcdefghijklmnopqrstuu7aZVUzfW85EB4mHER81Oudv/rT.rmWm

The bolded parts are your cost and salt, respectively embedded in the resulting hash.

You can spit this back into password_verify and it will handle it accordingly:

print_r(password_verify('rasmuslerdorf', '$2y$11$abcdefghijklmnopqrstuu7aZVUzfW85EB4mHER81Oudv/rT.rmWm')); // true
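
The layout the answer describes, as an added example that is not part of the original answer: `parse_bcrypt_hash` is a hypothetical helper that splits the stored string into variant, cost, salt and digest, and the rest shows two random-salt hashes of the same password both verifying from the stored string alone. It assumes `PASSWORD_BCRYPT`, requested explicitly so the 60-character layout holds.

```php
<?php
declare(strict_types=1);

/**
 * Split a bcrypt string as produced by password_hash() into its fields.
 * Layout: $<variant>$<2-digit cost>$<22-char salt><31-char digest> (60 chars).
 * Hypothetical helper for illustration; not a PHP built-in.
 */
function parse_bcrypt_hash(string $hash): array
{
    $pattern = '~^\$(2[abxy])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$~';
    if (preg_match($pattern, $hash, $m) !== 1) {
        throw new InvalidArgumentException('not a bcrypt hash string');
    }
    return ['variant' => $m[1], 'cost' => (int) $m[2], 'salt' => $m[3], 'digest' => $m[4]];
}

// The hash string from the answer above, split into its embedded fields.
$fromAnswer = '$2y$11$abcdefghijklmnopqrstuu7aZVUzfW85EB4mHER81Oudv/rT.rmWm';
print_r(parse_bcrypt_hash($fromAnswer));

// Constructed sample: the same password hashed twice, each with the random
// salt that password_hash() generates when no 'salt' option is passed.
$password = 'rasmuslerdorf';
$h1 = password_hash($password, PASSWORD_BCRYPT, ['cost' => 11]);
$h2 = password_hash($password, PASSWORD_BCRYPT, ['cost' => 11]);

// The two strings differ because their embedded salts differ.
var_dump($h1 === $h2);
var_dump(parse_bcrypt_hash($h1)['salt'] === parse_bcrypt_hash($h2)['salt']);

// Each still verifies: password_verify() reads the variant, cost and salt back
// out of the stored string, so that one column is all the database has to keep.
var_dump(password_verify($password, $h1));
var_dump(password_verify($password, $h2));
var_dump(password_verify('wrong-guess', $h1));

// The embedded cost is also what password_needs_rehash() compares against
// when the site later raises its work factor.
var_dump(password_needs_rehash($h1, PASSWORD_BCRYPT, ['cost' => 12]));
```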
