PHP：在MySQL中替换字符串中的“美元”

Question

I have a serious problem, whole day I been looking for answers but I cannot find anything...

What I Am Doing:

I am trying to make a user login on my site(in php).

The passwords and users are saved in a MySQL database on my server.

For the passwords I am using Bcrypt . The only problem is that I do not have the knowledge to change the Bcrypt code.. I got the class from a free to have site.

Problem

Now for the problem, when I am hashing my passwords there are three $ signs in front.

For example: loltest will become $2y$10$wxadWEbkn..XpJ.C1TmnaeOyneJyQbcAIJ20yBBlBoBr1XDwDkJSq

The hashed password is stored in a table in my database.

Step 1

A user logs in an typs his/her password, the php code then verifies if the password matches the hashed password. The name of a user is $phpro_username and the password is stored in $phpro_password .

But before I call that function I am selecting the hashed password from my table like this:

 $dbh = new PDO("mysql:host=$mysql_hostname;dbname=$mysql_dbname", $mysql_username,      $mysql_password);    
 $dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
 $stmt = $dbh->prepare("SELECT phpro_password FROM phpro_users WHERE phpro_username = '$phpro_username'");
 $stmt->execute();
 $hash = $stmt->fetchColumn();

Step 2

I tried to use the function called password_verify , it looks like this:

function password_verify($password, $hash) {
    if (!function_exists('crypt')) {
        trigger_error("Crypt must be loaded for password_verify to function", E_USER_WARNING);
        return false;
    }
    $ret = crypt($password, $hash);
    if (!is_string($ret) || strlen($ret) != strlen($hash) || strlen($ret) <= 13) {
        return false;
    }

    $status = 0;
    for ($i = 0; $i < strlen($ret); $i++) {
        $status |= (ord($ret[$i]) ^ ord($hash[$i]));
    }

    return $status === 0;
}

How do I do it?

$check = password_verify($phpro_password, $hash);

If the passwords match $check will be 1, else it will be empty.

Normally this should be working but when I am running this code the $check is always empty. If i try to do this without the MySQL there is no problem:

<?php
   include 'password.php';
   $password = "loltest";
   $hash = password_hash($password, PASSWORD_BCRYPT);
   $verify = password_verify("loltest", $hash);
   echo $verify;
?>

If I run the code above for example, $verify is always 1.

After some research:

I think the problem lies with the MySQL, because in my hash are three $ signs, if I store this in MySQL and then get it out the varibles are changed with their values, in this case nothing and the passwords do not match.

Is there a way to solve this? Or is there a way to replace the $ signs in my hash?

Answer 1

Single quote strings are not processed and are taken "as-is". You should always use single quote strings unless you specifically need the $variable.

For example,

$var = "$2y$10$wxadWEbkn..XpJ.C1TmnaeOyneJyQbcAIJ20yBBlBoBr1XDwDkJSq";

should be

$var = '$2y$10$wxadWEbkn..XpJ.C1TmnaeOyneJyQbcAIJ20yBBlBoBr1XDwDkJSq';