Password verify not working with password hash BCRYPT

I'm currently working on a PHP login. The password is encrypted in another file using password_hash('password', PASSWORD_BCRYPT). I'm actually retrieving data from MySQL and getting data from an AJAX call, but I have declared variables to show my problem:

<?php
require "modulos/conexion.php";
session_start();
if (!isset($_SESSION['username']) && !isset($_SESSION['userid'])) {
    $usuario = "mariano overs";
    $pass = "1234";
    $passdb = '$2y$10$A1nr4od4OjP0N1hNoB9Seur3OsWzU3ufT4G82XNTLV3'; // equivalent of password_hash('1234',PASSWORD_BCRYPT), this is value from DB
    $sql = 'SELECT id_usua, co_usua, ds_pass FROM dbfar_cabusuarios WHERE co_usua="' . $usuario . '" LIMIT 1';
    if ($res = mysqli_query($GLOBALS['conexion'],$sql)) {
        if (mysqli_num_rows($res) == 1) {
            $usuario = mysqli_fetch_array($res, MYSQLI_ASSOC);
            echo "Contrasena guardada: ". $pass . "<br />Contrasena de la base: " . $usuario['ds_pass'] . "<br />";
            if (password_verify($pass, $passdb)){
                $_SESSION['username'] = $usuario['co_usua'];
                $_SESSION['userid'] = $usuario['id_usua'];
                echo "INICIO SESION CORRECTAMENTE";
            }
            else{
                echo "INICIO SESION NO CORRECTO";
            }

        } else {
            echo "REGISTROS NO CORRECTOS";
        }
    } else {
        echo "USUARIO NO EXISTE";
    }
}

Since I know I get the right value from the database, the problem is not there, but in the password_verify function. They are not correctly validated. Is there an additional value I need to include in password_verify?

The hashed password holds a 60-72 character long string.

The column needs to be long enough in order to accommodate the hash.

The manual suggests 255 in order to accommodate for the future.

You will need to start over and alter your column so that it is long enough.

Do that, store a new hash and start over.

60 characters (from the manual):

$2y$10$.vGA1O9wmRjrwAVXD98HNOgsNpDczlqm3Jq7KnEd1rVAGv3Fykk1a

and you have a 50 long (there you go; too short):

$2y$10$A1nr4od4OjP0N1hNoB9Seur3OsWzU3ufT4G82XNTLV3

That tells me that it's been truncated.

The manual states:

Caution

Using PASSWORD_BCRYPT as the algorithm will result in the password parameter being truncated to a maximum length of 72 characters.

Reference:

As an added bonus:

Your code is prone to SQL injection. Best to use a prepared statement.
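The following is an added example, not code from the question or the answer above. It reproduces the failure offline (a full 60-character bcrypt hash verifies, a copy cut to 50 characters does not), adds a sanity check that rejects a truncated hash before it reaches password_verify(), and rewrites the lookup as a prepared statement so the username can no longer break out of the query. The table and column names (dbfar_cabusuarios, co_usua, ds_pass, id_usua) are taken from the question; the mysqli connection passed to login() is assumed to be the one modulos/conexion.php creates, and the ALTER TABLE statement in the comment is the assumed fix for the short column.

```php
<?php
// Added example, not the original poster's code. Assumes a mysqli connection
// (the $conexion from modulos/conexion.php in the question) is passed to login().
declare(strict_types=1);

// A PHP bcrypt hash is always 60 characters: "$2y$" + 2-digit cost + "$"
// + 22 salt characters + 31 digest characters. A column narrower than that
// (the 50-character value in the question) silently truncates the hash, and
// password_verify() can never match a truncated hash.
function bcryptHashIsIntact(string $hash): bool
{
    return strlen($hash) === 60
        && preg_match('/^\$2[aby]\$\d{2}\$[.\/A-Za-z0-9]{53}$/', $hash) === 1;
}

// Reproduce the failure without a database: hash, then cut to 50 characters
// exactly as a VARCHAR(50) column would.
function demonstrateTruncation(string $password): array
{
    $full      = password_hash($password, PASSWORD_BCRYPT);
    $truncated = substr($full, 0, 50);
    return [
        'full_len'           => strlen($full),
        'full_intact'        => bcryptHashIsIntact($full),
        'full_verifies'      => password_verify($password, $full),
        'truncated_intact'   => bcryptHashIsIntact($truncated),
        'truncated_verifies' => password_verify($password, $truncated),
    ];
}

// The caution quoted in the answer: bcrypt only looks at the first 72 bytes of
// the password, so a 73-byte input verifies against the hash of its first 72.
function bcryptIgnoresBeyond72Bytes(): bool
{
    $first72 = str_repeat('a', 72);
    $hash    = password_hash($first72, PASSWORD_BCRYPT);
    return password_verify($first72 . 'X', $hash);
}

// Login with a prepared statement instead of string concatenation.
// Returns [id_usua, co_usua] on success and null on any failure, so the
// response does not reveal whether the username exists.
// Schema fix assumed before this is useful:
//   ALTER TABLE dbfar_cabusuarios MODIFY ds_pass VARCHAR(255) NOT NULL;
// followed by re-hashing every user's password, as the answer says.
function login(mysqli $db, string $usuario, string $pass): ?array
{
    $stmt = $db->prepare(
        'SELECT id_usua, co_usua, ds_pass FROM dbfar_cabusuarios WHERE co_usua = ? LIMIT 1'
    );
    $stmt->bind_param('s', $usuario);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    if ($row === null) {
        return null;
    }
    if (!bcryptHashIsIntact($row['ds_pass'])) {
        // Stored value was cut short by the column; log it so the schema gets
        // fixed, but treat it as a failed login rather than guessing.
        error_log('ds_pass for ' . $usuario . ' is not a complete bcrypt hash (len '
            . strlen($row['ds_pass']) . ')');
        return null;
    }
    if (!password_verify($pass, $row['ds_pass'])) {
        return null;
    }
    return ['id_usua' => $row['id_usua'], 'co_usua' => $row['co_usua']];
}

// Offline run: the same "1234" password from the question.
$r = demonstrateTruncation('1234');
if (!($r['full_intact'] && $r['full_verifies']
      && !$r['truncated_intact'] && !$r['truncated_verifies'])) {
    throw new LogicException('unexpected result: ' . json_encode($r));
}
if (!bcryptIgnoresBeyond72Bytes()) {
    throw new LogicException('expected bcrypt to ignore bytes past 72');
}
echo "full hash: {$r['full_len']} chars, verifies; 50-char copy: rejected\n";
```

Run it with `php truncation.php`. The LogicException guards encode the expected behaviour: the full hash is intact and verifies, the 50-character copy fails both checks, and the 72-byte limit holds. On the real login path, the bcryptHashIsIntact() check turns a silent "wrong password" into a logged schema problem, and bind_param() means a username such as `x" OR "1"="1` is matched literally instead of rewriting the query.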
