[英]How to verify password against database?
I went through many articles related to this topic, such as this: 我浏览了很多与此主题相关的文章,例如:
Using PHP 5.5's password_hash and password_verify function 使用PHP 5.5的password_hash和password_verify函数
Yet, I'm unsure if I'm hashing and salting the correct way or over doing it! 然而,我不确定我是否正在以正确的方式进行哈希和腌制,或者过度使用它!
I want to use my own salt and then hash. 我想用自己的盐然后哈希。 Both salt and hashed password stored in the database in two different fields.
salt和散列密码都存储在数据库的两个不同字段中。
This is how I hash the password before storing into database 这是我在存储到数据库之前散列密码的方式
$cost = 10;
$salt = strtr(base64_encode(mcrypt_create_iv(16, MCRYPT_DEV_URANDOM)), '+', '.');
$salt = sprintf("$2a$%02d$", $cost) . $salt;
//shall I remove this line and replace below PASSWORD_DEFAULT with PASSWORD_BCRYPT instead?
$password = crypt($data['password'], $salt);
$hash = password_hash($password, PASSWORD_DEFAULT);
Given that, I'm trying to verify the password as below: Somehow I feel that I'm complicating the process. 鉴于此,我正在尝试验证密码如下:不知何故,我觉得我使这个过程变得复杂。
$salt=$row['salt'];//taken from db
$hashAndSalt=$row['hashpword'];//taken from db
$password="pwtester";//user keyed in password
$newpassword = crypt($password, $salt);
$newhash = password_hash($newpassword, PASSWORD_DEFAULT);
if (password_verify($password, $newhash)) {
echo"verified";
}
else
{
echo"Not verified";
}
EDITED: 编辑:
Now I store like this: 现在我这样存储:
$cost = 10;
$salt = strtr(base64_encode(mcrypt_create_iv(16, MCRYPT_DEV_URANDOM)), '+', '.');
$options = array('cost' => $cost,'salt' => $salt);
$hash = password_hash($data['password'], PASSWORD_DEFAULT,$options);
But verification confusing: 但验证令人困惑:
$email = "test55@gmail.com";
$uid= '555ca83664caf';
$sql = "SELECT *FROM authsessions WHERE email =:myemail AND useruuid =:uid";
$statement = $pdo->prepare($sql);
$statement->bindValue(':myemail', $email);
$statement->bindValue(':uid', $uid);
$statement->execute();
while( $row = $statement->fetch()) {
echo "salt ".$row['salt']."<br/><br/>";
echo "hashpassword ".$row['hashpword'];
}
$salt=$row['salt'];
$hashAndSalt=$row['hashpword'];
$password="test55";
$newhash = password_hash($password+$salt, PASSWORD_DEFAULT);
if (password_verify($newhash, $hashAndSalt)) {
echo"verified";
}
else
{
echo"Not verified";
}
It echoes "Not Verified" 它回应“未经验证”
The function password_hash() is just a wrapper, internally it generates a cryptographically safe salt and then calls the crypt()
function to calculate the BCrypt hash. 函数password_hash()只是一个包装器,在内部生成一个加密安全的salt,然后调用
crypt()
函数来计算BCrypt哈希。
So there is no reason to do the same steps yourself (do not call crypt() and do not generate a salt). 所以没有理由自己做同样的步骤(不要调用crypt()并且不生成盐)。 Generating your own salt is not recommended, because you cannot do it better than the password_hash function does.
建议不要生成自己的salt,因为你不能比password_hash函数做得更好。 Also there is no reason to store the salt in a separate db column, it is already part of the resulting hash-value.
此外,没有理由将salt存储在单独的db列中,它已经是生成的哈希值的一部分。
// Hash a new password for storing in the database.
// The function automatically generates a cryptographically safe salt.
$hashToStoreInDb = password_hash($password, PASSWORD_BCRYPT);
// Check if the hash of the entered login password, matches the stored hash.
// The salt and the cost factor will be extracted from $existingHashFromDb.
$isPasswordCorrect = password_verify($password, $existingHashFromDb);
This will verify correctly, as it should. 这将正确验证,因为它应该。
//on creating an account, a user enters a password!
$password="pwtester";//user keyed in password
$newhash = password_hash($password, PASSWORD_DEFAULT);
//#newhash now has the only value that you need to store in the db
//you do not need any more than this value, that you retrieve when you
//want to verify your password!
//this part is only done to verify passwords!
if (password_verify($password, $newhash)) {
echo"verified";
}
else
{
echo"Not verified";
}
So provided you have stored the hash in the db 所以只要你已经在数据库中存储了哈希
$newhash=$row['hashpword'];//taken from db
$password="pwtester";//user keyed in password
if (password_verify($password, $newhash)) {
echo"verified";
}
else
{
echo"Not verified";
}
Should work! 应该管用!
Password storage: 密码存储:
$cost = 10;
$salt = strtr(base64_encode(mcrypt_create_iv(16, MCRYPT_DEV_URANDOM)), '+', '.');
$options = array('cost' => $cost,'salt' => $salt);
$hash = password_hash($data['password'], PASSWORD_DEFAULT,$options);
password verify: 密码验证:
<?php
include('config.php');
$email = "test55@gmail.com";
$uid= '555cb0a63f08d';
$sql = "SELECT *FROM authsessions WHERE useruuid =:uid";
$statement = $pdo->prepare($sql);
$statement->bindValue(':uid', $uid);
$statement->execute();
while( $row = $statement->fetch()) {
echo "salt ".$salt=$row['salt']."<br/><br/>";
echo "hashpassword ".$hashAndSalt=$row['hashpword'];
echo"<br/>";
}
$password="nony";
//$newhash = password_hash($password+$salt, PASSWORD_DEFAULT);
if (password_verify($password, $hashAndSalt)) {
echo"verified";
}
else
{
echo"Not verified";
}
?>
You hash the password 2 times. 您将密码哈希2次。 Leave the crypt function and you should be ok.
保留crypt功能,你应该没问题。
Just take a look at the PHP documentation regarding to password_verify and password_hash. 只需看看有关password_verify和password_hash的PHP文档。
Just save the password with password_hash(). 只需使用password_hash()保存密码即可。 that should store the hash in the DB.
应该将哈希值存储在数据库中。
And to verify, you just compare the hash with the user input with password_verify. 要验证,您只需将hash与用户输入与password_verify进行比较。 Password_verify will do the rest for you :)
Password_verify将为您完成剩下的工作:)
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.