php password_verify 不适用于数据库 [英] php password_verify not working with database
问题描述
我正在使用带有向后兼容性脚本的 php 5.4:https://github.com/ircmaxell/password_compat/blob/master/lib/password.php
I am using php 5.4 with this backwards compatibility script: https://github.com/ircmaxell/password_compat/blob/master/lib/password.php
但这不重要,因为我可以在我的注册函数中进行散列和验证过程:
that shouldn't matter though, because I can get the hashing and verification process working in my registration function:
$hash = password_hash($pass, PASSWORD_DEFAULT);
echo $pass;
echo $hash;
if( password_verify($pass,$hash) )
echo 'success';
else echo 'failure';
//success is always shown
//EXAMPLE INPUT
$pass = 'password';
//EXAMPLE OUTPUT
password$2y$10$JK1jumvvSIm/gP3fWE3k9O98MzvHKDRYCjRPBniYg9riACyQw7WYSsuccess
但每当我尝试将哈希存储在 MySQL 数据库中,然后为验证函数检索它时,它总是失败.这是我的登录功能:
but whenever I try to store the hash in a MySQL database and then retrieve it for the verify function, it always fails. Here is my login function:
function user_login( $mysqli, $email, $pass ){
$err_msg = 'login: '.$mysqli->error.' | '.$email;
if( $stmt = $mysqli->prepare('SELECT password FROM users WHERE email=?') ) :
if( !$stmt->bind_param('s', $email) ) log_sql_error( $err_msg );
if( !$stmt->execute() ) log_sql_error( $err_msg );
if( !$stmt->bind_result( $hash ) ) log_sql_error( $err_msg );
if( $stmt->fetch() === FALSE ) log_sql_error( $err_msg );
if( !$stmt->close() ) log_sql_error( $err_msg );
//I can see that these values are identical to the ones
//echoed out in the registration function
echo $pass;
echo $hash;
if( password_verify($pass,$hash) )
echo 'success';
else echo 'failure';
else : log_sql_error( $err_msg );
endif;
}
//failure is always shown
//EXAMPLE INPUT
$pass = 'password';
//EXAMPLE OUTPUT
password$2y$10$JK1jumvvSIm/gP3fWE3k9O98MzvHKDRYCjRPBniYg9riACyQw7WYSfailure
我的密码"列具有以下数据类型:VARCHAR(255) NOT NULL
My 'password' column has this datatype: VARCHAR(255) NOT NULL
没有出现 php 错误,所以我唯一能想到的是哈希值从数据库中出来时的格式与进入时的格式不同,但是当我回显这些值时,它们看起来是一样的.
No php errors show up so the only thing I can think of is that the hash value is not formatted in the same way when it comes out of the database as when it went in, but when I echo out the values, they appear to be identical.
我还能如何调试这个/我的代码有什么问题?
How else can I debug this / what is wrong with my code?
谢谢
更新:
这肯定和编码有关:
$hardcode_hash = '$2y$10$JK1jumvvSIm/gP3fWE3k9O98MzvHKDRYCjRPBniYg9riACyQw7WYS';
echo $hash;
echo '<br/>';
echo $hardcode_hash;
echo '<br/>';
if( $hash == $hardcode_hash )
echo 'success';
else echo 'failure';
//OUTPUT
$2y$10$JK1jumvvSIm/gP3fWE3k9O98MzvHKDRYCjRPBniYg9riACyQw7WYS
$2y$10$JK1jumvvSIm/gP3fWE3k9O98MzvHKDRYCjRPBniYg9riACyQw7WYS
failure
如何重新格式化 SQL 值以匹配 password_hash 的输出?这是我尝试过的:
how do I reformat the SQL value to match the output of password_hash? Here's what I've tried:
(string)$hash
utf8_encode($hash)
如果我这样做:
$hash = settype($hash,"string");
if($hash == $hardcode_hash) 返回 true,但 password_verify($pass, $hash) 仍然返回 false
if($hash == $hardcode_hash) returns true, but password_verify($pass, $hash) still returns false
推荐答案
找到问题了.当我这样做时:
Found the problem. when I did this:
echo strlen($hash)
它打印了 90,这很奇怪,因为当我打印出成功/失败消息时,最后肯定没有空格,并且该字段的 varchar 长度为 255
it printed 90, which is strange because there were definitely no spaces at the end when I printed out the success/failure message, and the field has a varchar length of 255
我添加了这一行:
$hash = substr( $hash, 0, 60 );
现在它可以正常工作了.
And now it works fine.
奇怪的是,似乎没有其他人遇到过这个问题.有关于 password_verify 的类似帖子,但没有一个需要这种类型的转换,或任何与此相关的转换:
Its strange that no one else seems to have run into this issue. There are similar posts about password_verify, but none of them required this type of conversion, or any conversion for that matter:
http://forums.phpfreaks.com/topic/283407-need-help-with-password-verify/
使用PHP 5.5 的 password_hash 和 password_verify 函数
困扰我的一件事是这会阻止代码向前兼容.当默认值更改时,我怎么知道哈希是 60 个字符长?
One thing that bothers me is this prevents the code from being forward compatible. How will I know that the hash is 60 characters long when the default changes?
这篇关于php password_verify 不适用于数据库的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
