password_verify哈希与密码不匹配

debugcn 发表于 Dev

艾米·内维尔（Amy Neville）

我已经使用以下代码生成了密码哈希：

$hash = password_hash("test", PASSWORD_BCRYPT);

然后，我使用255个字符将其存储在数据库中。

然后，我尝试执行比较器来测试登录，但登录失败。它只允许我使用之前刚刚生成的几行哈希（而不是存储在数据库中的一行）登录。

<?php 

//Database connection
require 'database.php';

//Handle logins
if ($_POST['login'])
{
    //Receive the login attempt
    $login_email = $_POST['login_email'];
    $login_password = $_POST['login_password'];

    //Get the password hash
    if ($statement = $mysqli->prepare("SELECT password FROM accounts WHERE email = ? LIMIT 1"))
    {
        $statement->bind_param("s", $login_email);
        $statement->execute();
        $statement->store_result();

        //Does the account exist?
        if ($statement->num_rows > 0)
        {
            $statement->bind_result($hash);
            $statement->fetch();

            //echo $login_password;
            echo $hash."<br>";
            //$hash = password_hash("test", PASSWORD_BCRYPT);
            //echo $hash."<br>";

            //Check the password hash
            if (password_verify($login_password, $hash))
            {
                echo '<br>Password is valid!';

                //Begin session
                session_start();
                $_SESSION["favcolor"] = "yellow";
            } 
            else 
            {
                echo '<br>Invalid password.';
            }
        }
        else
        {
            //Account doesn't exist warning
        }

        $statement->free_result();
        $statement->close();
    }
}

//Handle new registrations
if ($_POST['register'])
{
    //Receive the register attempt
    $register_email = $_POST['register_email'];
    $register_password_one = $_POST['register_password_one'];
    $register_password_two = $_POST['register_password_two'];

    //Check if email is already taken
    if ($statement = $mysqli->prepare("SELECT email FROM accounts WHERE email = ? LIMIT 1"))
    {
        $statement->bind_param("s", $register_email);
        $statement->execute();
        $statement->store_result();

        //Does the account exist?
        if ($statement->num_rows > 0)
        {
            //Account already exists warning
        }
        else
        {
            //Create the account
            if ($statement = $mysqli->prepare("INSERT INTO accounts (email, password) VALUES (?,?)"))
            {
                //Create bycrypt hash of password
                $hash = password_hash($register_password_one, PASSWORD_BCRYPT);

                //Insert new account
                $statement->bind_param("ss", $register_email, $hash);
                $statement->execute();
                $account_id = $statement->insert_id;
                $statement->close();

                //Begin session
                session_start();
                $_SESSION["favcolor"] = "yellow";
            }
        }
        $statement->free_result();
        $statement->close();
    }
}

//Handle logout
if ($_POST['logout'])
{
    session_unset();
    session_destroy();
}

?>

数据库中的密码哈希值：$ 2y $ 10 $ xDnZIjzw8h.9utp3qyRlxezPd8jmK9k6Z5JuoVtooOpkPCBd.n6W6刚生成的密码哈希值（有效）：$ 2y $ 10 $ tolDQdeTQrTio8IJ0Wi9AuHN5KdK1KH5K1

我不是哈希专家。只是尝试遵循最新的建议。有人可以告诉我为什么哈希值与数据库中的哈希值不同吗？

普纳

每次生成的哈希都是不同的
将纯文本传递给password_verify（）函数...请参见下文

$originalPassword = password_hash("THE_PASSWORD", PASSWORD_DEFAULT);
// This will produce something like (taken form above) 
$2y$10$tolDQdeTQrTio8IJ0Wi9AuHN5Km28pSB5kUh5qfkdkOsDXP295H1K

// When verifying this
if(password_verify("THE_PASSWORD", $passwordFromDatabase['password'])){
echo "Success";
}else{
echo "Fail";
}

本文收集自互联网，转载请注明来源。

如有侵权，请联系[email protected] 删除。